WAVE Report

Biometrics World Conference 2005
By John Latta, WAVE 0545 11/11/05

London , England
October 20 – 22, 2005

This is the 8th year for the World Conference and Exhibition on the Practical Application of Biometrics (Biometrics 2005). It was claimed that each of the last 2 years have shown substantial increases in attendance. The venue is small, the Queen Elizabeth II Conference Centre in the center of London. The attendees are focused on just biometrics and its application. Even the exhibitors told the WAVE that you would be surprised at the range of interests in biometrics seen by the attendees. What is important about this event in Europe is that it provides a different perspective in the market. It is easy to fall into a US only context and miss much of what is taking place in the rest of the world.

Big Picture on Biometrics Technology

Forget EoC+ToC+MoC; it is SoC (System on Card). The WAVE saw 3 SOC products. But no one was gushing about the market. All are waiting for that magic moment went the big order comes in that will trip the market to large scale use.

Given all that was collected, it is important to summarize the essential elements of the information.

Every vendor stated that the enterprise use of biometrics for logical access has not taken off and it could well be 2  years before that ramp fully develops. All are looking for the major “trip buy” which sets an example for players in  the same industry. “If only HSBC placed a major order the rest of London’s financial district would follow suit…”

If biometrics can show a compelling proposition in commercial retail, and thus be supplied to customers, the cost to the consumers must be ZERO.

ID Management is a layer above the authentication technology provided by biometrics but ID Management is based on proprietary solutions. Vendors are seeking to keep existing customers, such as Sun, with their product offering or to establish a strong position in the early market. ID Management is immature.

System on a Card (SoC) is rapidly developing. The WAVE saw products from:

Giesecke & Devrient – Smart Card
Giesecke & Devrient – USB
Fingerprint Cards – USB

These all provide ToC, MoC and EoC. The Giesecke & Devrient Smart Card was impressive with the fingerprint sensor built into a thin smart card. The problem is that smart card SoC will only take off with large single customer orders. Minimum production run is 1m units to recover the factory production start-up and production costs. Further, experience has shown that every SoC is uniquely tailored to each customer based on the application. This is the reason that USB based SoC is more responsive to the market because these can be produced economically in units of 1,000’s. The market has no single SoC which meets all or even many of the requirements which are surfacing from enterprise buyers – nor is this expected. Yet, the USB products are new to the market and all whom that the WAVE spoke with characterized the market as risky and uncertain. The advantage of the USB SoC is that it lowers the total entry cost for an application but the SoC units themselves are still expensive  - $100 - $150.

SentriNet is on V. 3.0 of their biometric domain log on software that is 7 years old. Its supports both Microsoft and Novell networks. The software is easy to use and has extensive implementation including support for multi-factor log on. Yet, only 10,000 licenses have been sold.

Wide support for BioAPI was detected and version 2.0 is the only credible version if any multi-factor authentication is to be accomplished.


BMS Biometrics Ltd. – Making Biometric Log-On Real

This is a Nottingham, England, based software development company. It provides an impressive scalable biometric log-on and more enterprise solution.

SentriNet can be installed on the client or the server on the domain. It operates through AD and extends the schema. A total of 11 elements are added – one for each finger and profiler information. The client software can be remotely deployed. There are a number of options for enrollment. This can be done remotely or with supervision.

The software allows for:

Log-on based on local cache
Log-on match with the server

Further, the user may be designated to have no PSW, biometric with PSW or biometric for only specific applications. A part of this “application launch” happens when a finger placed on the reader.

The licensing model and software design allows for individual “hot desks.” That is a user may walk up to a client, touch the fingerprint reader and launch TS or Citrix so that the screen seen is that of the desktop of the individual which just logged in.

Multifactor authentication is supported. This includes:

Pin + PSW
Smart Card + Pin
Biometrics + SC
Biometrics and NO SC

BioAPI 2.0 is the biometric device interface and it is the only interface with multi-factor. There remain interoperability issues. One way to address this is with Profiles, such as used by Bluetooth.

Currently the software does not authenticate the biometric device. Thus, a feature where all the biometric readers can be uniquely identified with a user is not supported. No demand was the response for why.

The current MS fingerprint reader keyboard is being integrated into the system. This should take only one week of one software engineer.

All communications between the client and the server is over a RPC tunnel and signed.

10,000 licenses are in use. The license model is based on the number of users not on the equipment, such as the number of clients on a workstation, for example.

The license price is:

10 users 75£
1,000 users 30£

BMS has not seen the market take off. It will likely require a large purchase by a major company which establishes a path to follow. What is different in the biometrics marketing environment today is that we are getting serious inquiries.

The WAVE watched the log-on. It was smooth and worked very well.


Giesecke & Devrient – Driving Biometric Security Solutions

Giesecke & Devrient is a $1.2B company and ½ of its sales come from smart cards. It has a strong position in the banking market, through its sales of financial paper for banks and financial institutions.  The company is also a large supplier of IT and government security solutions.

In the booth was StarSign Bio Token. This is a USB SoC which was only released in October. StarSign Bio Token is a general biometric hardware device that can be tailored to many enterprise environments. The application implemented on the card is what defines the card can do. Here are additional points.

Within the SoC is an Arm7 processor. USB provides the power to StarSign Bio Token.

The SoC can provide as output a PIN number to the host computer or a PSW and more. This is on part of the application which would reside on the SOC. One application in the booth was one touch digital signing. This product by mysignature.co.uk allows an individual to sign a document on line, for a banking transaction, for example. This can only be accomplished when authentication is done with StarSign Bio Token.

Behind the hardware is a suite of software tools called StarSign. This includes card OS and middleware.

The price of the BioToken is 150€.

There is also a smart card operating system StarCos 3.0. It is tailored to support security applications on the smart cards.

At another booth, the WAVE saw a SoC with the name of Giesecke & Devrient on it. We went back to Giesecke & Devrient to find out more.

The SoC which was seen earlier was the result of a research effort. Yes, it does have a fingerprint reader and all the other components of a Smart Card. But there are a number of impediments which must get addressed to make this practical in the market. First the fingerprint sensor is much too fragile. What is required are flexible sensors in order to hold up to the abuse heaped on smart cards. In addition, the implementation of the card is difficult. A cable must run from the sensor to the smart card chip, for example.

The concept of SoC is not new. 3 years ago at Cartes the first SoC was shown but it went nowhere. This had a metal ring around the sensor to protect the sensor.

The other problem with SoC is cost. A card like what you saw, even in high volumes, would cost $100. This is too much for virtually all buyers. We see the potential that a mass market can be opened with cards in the $20 - $30 range. If banks are to pass these out to consumers, the price must come down to $3 - $4. We believe enterprises will buy these cards when the price is $30 - $40.

It is uneconomical to make less than 1m units of a smart card. Thus, the entry point of SoC is high and, without an application which mandates the use of a fingerprint, the market will not launch.

Our product, StarSign Bio Token, is more like a System on a Token (SoT) than a SoC. No longer are we held to the strict confines of the card dimensions and the token has enough physical rigidity to hold the fingerprint reader. One of the advantages of the SoT is that the unit quantities can be much smaller – it is more like traditional electronics. We never expect to make millions of the SoT.

The role of applications is very important in driving biometrics. For example, we would not have come out with StarSign Bio Token without a need, that is, a lead customer which would justify the development and production expense. In this case, mysignature.co.uk wanted a biometric token that enables an individual to sign a document on line, for a banking transaction.

In this case price paid a very important role. A token costs 10 € while the fingerprint token is 100 €. There is no way that the unit quantities for the fingerprint token with match regular tokens.

For the last 5 years biometric technology was just not ready. Now the technology is sufficiently mature that it can enter the enterprise space. But we still do not have any more than token use. There are two types of users: Innovators and Hesitators. The hesitators are not first and will wait until the innovators have proven the technology in use. With this transition in the market we must sell the applications, that is what solution does it provide, NOT the biometric technology.

In the enterprise market, biometrics does not make much sense unless the enterprise has a full PKI infrastructure in place. Then we have the chance for a solution.


Fingerprint Cards – Creating Sensors and more for Biometrics

Fingerprint Cards (Sweden), and its investor company, Technoimagia (Japan), have developed itube. This is a USB SoC which uses the recognition technology developed by Fingerprint Cards. Fingerprint Cards have developed software for fingerprint recognition and the hardware sensors. It participates in large projects but only as a subcontractor supplying hardware or software.

The applications for the SoC include:

Secure logon
Secure e-mail
Web based authentication
PC security functions including document security and single sign on

The itube costs $100 for the log on solution.

A summary of the discussion on the market includes:

The market for SoC has just not developed yet. One must keep in mind that seldom will a company such as ours seek out the banking industry. We would get called by these large integration companies which supply turn key solutions to the bank. As one works vertical markets, the supply chain for solutions is very important and a means of access.

We have progressively seen a rise in the market but it has been so low that this rise is not yet significant in terms of market size. Based the slope we have experienced, it is likely 2 years before the market takes off.


Cherry – In a strong position with little market

Cherry had on display a keyboard with SC and independent fingerprint reader. The discussion included:

We are seeing a rise in the pockets of interest in biometrics but the market has not taken off. We expect that there will be a trip function, that is, a major buy by a large corporation. This will raise visibility and open the market.


Fujitsu – PalmVein

Having seen the palmvein technology of Fujitsu at three events, it has been useful to get additional perspective on the product at each event. Here are tidbits from Biometrics 2005.

Yes, the next generation device will be 1/4 the size of the current generation. But it may not really have a place in notebooks. One problem is the depth of the sensor and optics. Given the trend to smaller and thinner notebooks, even the small size sensor may not be a good fit.

Fujitsu is working with ISO for recognition of palmvein biometric technology. This is the first step to get the technology recognized, tested and evaluated by many. And we recognize there is a window where Fujitsu can have an impact on the market with palmvein. Other biometrics are moving at a rapid pace for commercialization. An example, is the increasing presence of fingerprint readers on notebooks.

One area which we have an advantage is the difficulty in spoofing the palmvein biometric. Liveness detection is not an issue.


SecuriMetrics – Putting Iris in the Hand

SecuriMetrics showed one of the most impressive uses of biometrics the WAVE has seen. This is to support the securing of Fallujah, Iraq. When the US forces overwhelmed the city in November 2004, it was emptied of its population. In order to return, every individual had to be biometrically identified, iris scanned, and enrolled. Now on a daily basis to enter the city, they have to be identified and individuals of questionable background are denied entry. This is all accomplished on a portable hand held iris reader which can enroll and authentic. It will store up to 100,000 individuals and respond immediately.

Held in the palm of the hand was Pier 2-3, a portable iris enrollment and authentication device. It is being used in Fallujah, Iraq by the US Army today. The device holds 100,000 identities with both eyes supported. Software to control the device resides in a laptop. Currently the device is connected via USB. There are 2,000 units deployed and the cost is $4,800.

The next generation device was very interesting. It can support:

2 X iris
10 X finger
1 X face

GPS for location

Wireless connection to the network

The units are expected to cost $10,000. My biometrics were captured with the unit. Impressive.


Neurotechnologija – Algorithms to Make Biometrics Work

This is a Vilnius, Lithuania, based company which provides finger print and face recognition software. Its products include:

MegaMatcher – finger print matching for large scale applications. Supports single prints to rolled 10 prints.

MegaMatcher SDK – Server cluster software for Linux and Windows.

VeriFinger – fingerprint identification for system integrators.

VeriFinger SDK – Development environment for VeriFinger

FingerCell – fingerprint identification for embedded devices

Finger EDK – Embedded Development Kit for FingerCell

VeriLook – Face identification software

VeriLook SDK – SDK for VeriLook

Neurotechnologija has participated in multiple software SDK competitions including NIST and claims high performance.

VeriFinger pricing on a per user basis varies from 61 € in single unit quantities to 17 € up to 500 units.


Iris recognition coming to a PDA Near You

Iridian Technology was showing a prototype of a new iris reader which plugs into the top of a PDA. This will be iris read only but the size and integration with the PDA could open up an additional market for iris.


LG – Iris is taking off

There are many indications that the iris biometric technology is reaching a critical turning point. The WAVE had an extended discussion with LG and the perspectives insightful.

LG feels that many of the enrollment issues are being addressed with the 3rd generation iris scanner. In the booth was IrisAccess 4000, a sleek looking desktop device that supports multi-modality and offers multi-variant two factor authentication. I was enrolled and impressed with the many features to make the enrollment easy and accurate. What was interesting is that my enrollment was done without glasses to get the highest enrollment score, i.e., quality. However, in authentication I could use my glasses. It worked well.

The IrisAccess 4000 costs $3,500.

LG feels that the market corner has been turned with their project in India. This is based on the 3000 model. A summary of this project follows:

The Government of Andhra Pradesh state has a program in place to control and manage the distribution of state-issued food ration cards. This will require that 20 million persons be enrolled in the first stage. When the program concludes, the user base will total 80 million persons. The 20 million enrolled in stage one will represent a database more than twenty times larger than the next largest iris recognition program ever done. It is anticipated that the program will be the largest biometric authentication program ever implemented.

The Andhra Pradesh Government reports iris authentication will ensure the proper correspondence between the number of cards issued and individuals or families eligible to receive them. Dr. Y. S. Rajasekhara Reddy, Chief Minister of the State of Andhra Pradesh, commented, “All eligible people in Andhra Pradesh state will be given iris-based ration cards within a period of two months. To date we have issued about 10.06 lakhs (1,006,000) new ration cards.” According to LG, incidence of misuse of the ration cards has declined.

There are 611 sites with the iris machines. Although LG would not say how many are in use, they hinted from 3 – 4 per site. The production of some 2,000 2nd generation machines has actually delayed the full scale production of the 3rd generation model 4000.

The iris grand challenge at NIST is a major opportunity for the industry. In early 2005, the US patent for iris recognition technology expired, that is the Iridian Technology patent no longer supports exclusivity via its licensing. As a result many companies are seeking to have their own algorithms to improve the process. This will all come to the surface as companies seek to make iris a mainstream biometric.

The work at Sarnoff with Iris on the Move, seen for the first time at the Biometric Consortium conference, is also a major step forward. This is based in part on the LG technology, which is used for enrollment.

The iris reader for PDAs by Iridian Technology is a toy. The WAVE could understand such a comment after seeing the 4000 operate. If the PDA iris reader is successful in the market remains to be seen.

LG claims that iris is a technology which is better suited for one to many matching than any other. (The AFIS community   would disagree with this.) In support of the claim, its authentication algorithms will run on an IBM blade server. One blade can do 1m matches/sec. With 12 blades in a rack they estimate that 10m matches/sec is a reasonable through put rate.


NEC – Looking for the big Enterprise Sale

NEC has long been a major player in biometrics authentication. Its fingerprint recognition algorithms scored #1 in the NIST testing. It has a scope of involvement of the technology, based on work in Japan, which predates many companies. NEC has, as a result, had a long involvement in AFIS. The WAVE sat down to look at the SafeSign enterprise biometrics solution and its BlueX identity management product. The discussion netted more than information about these products.

The BlueX product will support template-on-computer or template-on-server based on where the authentication is to take place. Template on a server basically does a 1 to N match while on the computer, i.e., cached mode, it is 1 to 1.

It was stressed that biometrics is but one element in the identity chain.

Product licensing varies based on need. There are per computer models, per user models and per use models, for example.

NEC core technology strength is its fingerprint matching algorithms.

NEC is working on BioAPI 2.0 compatibility and agrees that this is essential for multi-factor biometrics.

Enterprise biometrics has not yet reached a tipping point. There is a great deal more serious interest in the enterprise but many are watching for the progress on the major national biometric projects before making any commitment.

One of the important issues is that biometrics has an ROI barrier. That is, in an enterprise environment how can the technology be justified? In the case of password resets, the ROI is easy to justify but outside of this the ROI is marginal at best.

We believe that biometrics has created its own barrier to the market. That is, there has been too much emphasis on the technology and not the solutions it provides. That is, NEC has found that soft factors can be as much as a barrier to adoption as the performance of the technology. In many cases internal politics can kill a project. For example, BA had a major biometrics project which was eventually scrapped due to union resistance.


WAVE Comments

The message on the enterprise use of biometrics was loud and clear from Biometrics 2005. Based on excellent booth discussions with leaders in the industry we surmise the following.

There are no major questions about if the technology for biometrics exists. We saw interesting examples of SoC which brings biometrics to a new level and opens up additional applications. There is, for example, a credible supplier of a domain log-on solution which is integrated into Windows client and server.  What else can the technology do? Document authentication and financial services are other possibilities. However, each one requires independent development on the SoC, at a minimum and likely much more. This is not the basis for rapid deployment even if the market existed.

Price points for SoC remain too high - >$100, precluding consumer use in the near term. One supplier was adamant that only free consumer devices will work in the market. The enterprise market for biometrics has not yet broken out of its cocoon. Yes, there are a few promising signs of a growing biometrics market. But to date, it is been a hard road.

Biometrics is only a path to market as part of an enterprise solution. This solution is frequently based on enhanced security. But one must define an implementation of enhanced corporate IT security which is tailored to that organization. Thus, it is largely a custom project on a company by company basis. As with the major national projects, experienced systems integrators to address the enterprise need is essential.

Biometrics may have been its own worst enemy in establishing the market. In the last 5 years the interest has focused on the technology but this created no significant enterprise sales. Biometrics by itself solves no problems that cannot largely be achieved by other means at much less cost – today that is tokens. Now in order to achieve a market, the hard work has begun – finding enterprise applications using biometrics which net an ROI. This is further compounded by the reality that any solution must be integrated into the existing enterprise IT and user infrastructure. Each enterprise is its own mini-national project.

The bottom line: Let the supplier beware.