Biometrics World Conference 2005
By John Latta, WAVE
London , England
October 20 – 22, 2005
This is the 8th year for the World Conference and Exhibition
on the Practical Application of Biometrics (Biometrics 2005). It was
claimed that each of the last 2 years have shown substantial increases
in attendance. The venue is small, the Queen Elizabeth II Conference
Centre in the center of London. The attendees are focused on just biometrics
and its application. Even the exhibitors told the WAVE that you would
be surprised at the range of interests in biometrics seen by the attendees.
What is important about this event in Europe is that it provides a different
perspective in the market. It is easy to fall into a US only context
and miss much of what is taking place in the rest of the world.
Big Picture on Biometrics Technology
Forget EoC+ToC+MoC; it is SoC (System on Card). The WAVE
saw 3 SOC products. But no one was gushing about the market. All are
waiting for that magic moment went the big order comes in that will trip
the market to large scale use.
Given all that was collected, it is important to summarize
the essential elements of the information.
Every vendor stated that the enterprise use of biometrics
for logical access has not taken off and it could well be 2 years
before that ramp fully develops. All are looking for the major “trip
buy” which sets an example for players in the same industry. “If
only HSBC placed a major order the rest of London’s financial
district would follow suit…”
If biometrics can show a compelling proposition in commercial
retail, and thus be supplied to customers, the cost to the consumers
must be ZERO.
ID Management is a layer above the authentication technology
provided by biometrics but ID Management is based on proprietary solutions.
Vendors are seeking to keep existing customers, such as Sun, with their
product offering or to establish a strong position in the early market.
ID Management is immature.
System on a Card (SoC) is rapidly developing. The WAVE
saw products from:
Giesecke & Devrient – Smart Card
Giesecke & Devrient – USB
Fingerprint Cards – USB
These all provide ToC, MoC and EoC. The Giesecke & Devrient
Smart Card was impressive with the fingerprint sensor built into a
thin smart card. The problem is that smart card SoC will only take
off with large single customer orders. Minimum production run is 1m
units to recover the factory production start-up and production costs.
Further, experience has shown that every SoC is uniquely tailored to
each customer based on the application. This is the reason that USB
based SoC is more responsive to the market because these can be produced
economically in units of 1,000’s. The market has no single SoC
which meets all or even many of the requirements which are surfacing
from enterprise buyers – nor is this expected. Yet, the USB products
are new to the market and all whom that the WAVE spoke with characterized
the market as risky and uncertain. The advantage of the USB SoC is
that it lowers the total entry cost for an application but the SoC
units themselves are still expensive - $100 - $150.
SentriNet is on V. 3.0 of their biometric domain log
on software that is 7 years old. Its supports both Microsoft and Novell
networks. The software is easy to use and has extensive implementation
including support for multi-factor log on. Yet, only 10,000 licenses
have been sold.
Wide support for BioAPI was detected and version 2.0
is the only credible version if any multi-factor authentication is
to be accomplished.
BMS Biometrics Ltd. – Making Biometric Log-On Real
This is a Nottingham, England, based software development
company. It provides an impressive scalable biometric log-on and more
SentriNet can be installed on the client or the server
on the domain. It operates through AD and extends the schema. A total
of 11 elements are added – one for each finger and profiler information.
The client software can be remotely deployed. There are a number of
options for enrollment. This can be done remotely or with supervision.
The software allows for:
Log-on based on local cache
Log-on match with the server
Further, the user may be designated to have no PSW, biometric
with PSW or biometric for only specific applications. A part of this “application
launch” happens when a finger placed on the reader.
The licensing model and software design allows for individual “hot
desks.” That is a user may walk up to a client, touch the fingerprint
reader and launch TS or Citrix so that the screen seen is that of the
desktop of the individual which just logged in.
Multifactor authentication is supported. This includes:
Pin + PSW
Smart Card + Pin
Biometrics + SC
Biometrics and NO SC
BioAPI 2.0 is the biometric device interface and it is
the only interface with multi-factor. There remain interoperability
issues. One way to address this is with Profiles, such as used by Bluetooth.
Currently the software does not authenticate the biometric
device. Thus, a feature where all the biometric readers can be uniquely
identified with a user is not supported. No demand was the response
The current MS fingerprint reader keyboard is being integrated
into the system. This should take only one week of one software engineer.
All communications between the client and the server
is over a RPC tunnel and signed.
10,000 licenses are in use. The license model is based
on the number of users not on the equipment, such as the number of
clients on a workstation, for example.
The license price is:
10 users 75£
1,000 users 30£
BMS has not seen the market take off. It will likely require
a large purchase by a major company which establishes a path to follow.
What is different in the biometrics marketing environment today is that
we are getting serious inquiries.
The WAVE watched the log-on. It was smooth and worked very
Giesecke & Devrient – Driving Biometric Security
Giesecke & Devrient is a $1.2B company and ½ of
its sales come from smart cards. It has a strong position in the banking
market, through its sales of financial paper for banks and financial
institutions. The company is also a large supplier of IT and government
In the booth was StarSign Bio Token. This is a USB SoC
which was only released in October. StarSign Bio Token is a general biometric
hardware device that can be tailored to many enterprise environments.
The application implemented on the card is what defines the card can
do. Here are additional points.
Within the SoC is an Arm7 processor. USB provides the
power to StarSign Bio Token.
The SoC can provide as output a PIN number to the host
computer or a PSW and more. This is on part of the application which
would reside on the SOC. One application in the booth was one touch
digital signing. This product by mysignature.co.uk allows an individual
to sign a document on line, for a banking transaction, for example.
This can only be accomplished when authentication is done with StarSign
Behind the hardware is a suite of software tools called
StarSign. This includes card OS and middleware.
The price of the BioToken is 150€.
There is also a smart card operating system StarCos 3.0.
It is tailored to support security applications on the smart cards.
At another booth, the WAVE saw a SoC with the name of Giesecke & Devrient
on it. We went back to Giesecke & Devrient to find out more.
The SoC which was seen earlier was the result of a research
effort. Yes, it does have a fingerprint reader and all the other components
of a Smart Card. But there are a number of impediments which must get
addressed to make this practical in the market. First the fingerprint
sensor is much too fragile. What is required are flexible sensors in
order to hold up to the abuse heaped on smart cards. In addition, the
implementation of the card is difficult. A cable must run from the
sensor to the smart card chip, for example.
The concept of SoC is not new. 3 years ago at Cartes
the first SoC was shown but it went nowhere. This had a metal ring
around the sensor to protect the sensor.
The other problem with SoC is cost. A card like what
you saw, even in high volumes, would cost $100. This is too much for
virtually all buyers. We see the potential that a mass market can be
opened with cards in the $20 - $30 range. If banks are to pass these
out to consumers, the price must come down to $3 - $4. We believe enterprises
will buy these cards when the price is $30 - $40.
It is uneconomical to make less than 1m units of a smart
card. Thus, the entry point of SoC is high and, without an application
which mandates the use of a fingerprint, the market will not launch.
Our product, StarSign Bio Token, is more like a System
on a Token (SoT) than a SoC. No longer are we held to the strict confines
of the card dimensions and the token has enough physical rigidity to
hold the fingerprint reader. One of the advantages of the SoT is that
the unit quantities can be much smaller – it is more like traditional
electronics. We never expect to make millions of the SoT.
The role of applications is very important in driving
biometrics. For example, we would not have come out with StarSign Bio
Token without a need, that is, a lead customer which would justify
the development and production expense. In this case, mysignature.co.uk
wanted a biometric token that enables an individual to sign a document
on line, for a banking transaction.
In this case price paid a very important role. A token
costs 10 € while the fingerprint token is 100 €. There is
no way that the unit quantities for the fingerprint token with match
For the last 5 years biometric technology was just not
ready. Now the technology is sufficiently mature that it can enter
the enterprise space. But we still do not have any more than token
use. There are two types of users: Innovators and Hesitators. The hesitators
are not first and will wait until the innovators have proven the technology
in use. With this transition in the market we must sell the applications,
that is what solution does it provide, NOT the biometric technology.
In the enterprise market, biometrics does not make much
sense unless the enterprise has a full PKI infrastructure in place.
Then we have the chance for a solution.
Fingerprint Cards – Creating Sensors and more for
Fingerprint Cards (Sweden), and its investor company, Technoimagia
(Japan), have developed itube. This is a USB SoC which uses the recognition
technology developed by Fingerprint Cards. Fingerprint Cards have developed
software for fingerprint recognition and the hardware sensors. It participates
in large projects but only as a subcontractor supplying hardware or software.
The applications for the SoC include:
Web based authentication
PC security functions including document security and single sign on
The itube costs $100 for the log on solution.
A summary of the discussion on the market includes:
The market for SoC has just not developed yet. One must
keep in mind that seldom will a company such as ours seek out the banking
industry. We would get called by these large integration companies
which supply turn key solutions to the bank. As one works vertical
markets, the supply chain for solutions is very important and a means
We have progressively seen a rise in the market but it
has been so low that this rise is not yet significant in terms of market
size. Based the slope we have experienced, it is likely 2 years before
the market takes off.
Cherry – In a strong position with little market
Cherry had on display a keyboard with SC and independent
fingerprint reader. The discussion included:
We are seeing a rise in the pockets of interest in biometrics
but the market has not taken off. We expect that there will be a trip
function, that is, a major buy by a large corporation. This will raise
visibility and open the market.
Fujitsu – PalmVein
Having seen the palmvein technology of Fujitsu at three
events, it has been useful to get additional perspective on the product
at each event. Here are tidbits from Biometrics 2005.
Yes, the next generation device will be 1/4 the size
of the current generation. But it may not really have a place in notebooks.
One problem is the depth of the sensor and optics. Given the trend
to smaller and thinner notebooks, even the small size sensor may not
be a good fit.
Fujitsu is working with ISO for recognition of palmvein
biometric technology. This is the first step to get the technology
recognized, tested and evaluated by many. And we recognize there is
a window where Fujitsu can have an impact on the market with palmvein.
Other biometrics are moving at a rapid pace for commercialization.
An example, is the increasing presence of fingerprint readers on notebooks.
One area which we have an advantage is the difficulty
in spoofing the palmvein biometric. Liveness detection is not an issue.
SecuriMetrics – Putting Iris in the Hand
SecuriMetrics showed one of the most impressive uses of
biometrics the WAVE has seen. This is to support the securing of Fallujah,
Iraq. When the US forces overwhelmed the city in November 2004, it was
emptied of its population. In order to return, every individual had to
be biometrically identified, iris scanned, and enrolled. Now on a daily
basis to enter the city, they have to be identified and individuals of
questionable background are denied entry. This is all accomplished on
a portable hand held iris reader which can enroll and authentic. It will
store up to 100,000 individuals and respond immediately.
Held in the palm of the hand was Pier 2-3, a portable iris
enrollment and authentication device. It is being used in Fallujah, Iraq
by the US Army today. The device holds 100,000 identities with both eyes
supported. Software to control the device resides in a laptop. Currently
the device is connected via USB. There are 2,000 units deployed and the
cost is $4,800.
The next generation device was very interesting. It can
2 X iris
10 X finger
1 X face
GPS for location
Wireless connection to the network
The units are expected to cost $10,000. My biometrics were
captured with the unit. Impressive.
Neurotechnologija – Algorithms to Make Biometrics
This is a Vilnius, Lithuania, based company which provides
finger print and face recognition software. Its products include:
MegaMatcher – finger print matching for large scale
applications. Supports single prints to rolled 10 prints.
MegaMatcher SDK – Server cluster software for Linux
VeriFinger – fingerprint identification for system
VeriFinger SDK – Development environment for VeriFinger
FingerCell – fingerprint identification for embedded
Finger EDK – Embedded Development Kit for FingerCell
VeriLook – Face identification software
VeriLook SDK – SDK for VeriLook
Neurotechnologija has participated in multiple software
SDK competitions including NIST and claims high performance.
VeriFinger pricing on a per user basis varies from 61 € in
single unit quantities to 17 € up to 500 units.
Iris recognition coming to a PDA Near You
Iridian Technology was showing a prototype of a new iris
reader which plugs into the top of a PDA. This will be iris read only
but the size and integration with the PDA could open up an additional
market for iris.
LG – Iris is taking off
There are many indications that the iris biometric technology
is reaching a critical turning point. The WAVE had an extended discussion
with LG and the perspectives insightful.
LG feels that many of the enrollment issues are being
addressed with the 3rd generation iris scanner. In the booth was IrisAccess
4000, a sleek looking desktop device that supports multi-modality
and offers multi-variant two factor authentication. I was enrolled
and impressed with the many features to make the enrollment easy and
accurate. What was interesting is that my enrollment was done without
glasses to get the highest enrollment score, i.e., quality. However,
in authentication I could use my glasses. It worked well.
The IrisAccess 4000 costs $3,500.
LG feels that the market corner has been turned with
their project in India. This is based on the 3000 model. A summary
of this project follows:
The Government of Andhra Pradesh state has a program
in place to control and manage the distribution of state-issued food
ration cards. This will require that 20 million persons be enrolled
in the first stage. When the program concludes, the user base will
total 80 million persons. The 20 million enrolled in stage one will
represent a database more than twenty times larger than the next
largest iris recognition program ever done. It is anticipated that
the program will be the largest biometric authentication program
The Andhra Pradesh Government reports iris authentication
will ensure the proper correspondence between the number of cards
issued and individuals or families eligible to receive them. Dr.
Y. S. Rajasekhara Reddy, Chief Minister of the State of Andhra Pradesh,
commented, “All eligible people in Andhra Pradesh state will
be given iris-based ration cards within a period of two months. To
date we have issued about 10.06 lakhs (1,006,000) new ration cards.” According
to LG, incidence of misuse of the ration cards has declined.
There are 611 sites with the iris machines. Although
LG would not say how many are in use, they hinted from 3 – 4
per site. The production of some 2,000 2nd generation machines has
actually delayed the full scale production of the 3rd generation
The iris grand challenge at NIST is a major opportunity
for the industry. In early 2005, the US patent for iris recognition
technology expired, that is the Iridian Technology patent no longer
supports exclusivity via its licensing. As a result many companies
are seeking to have their own algorithms to improve the process. This
will all come to the surface as companies seek to make iris a mainstream
The work at Sarnoff with Iris on the Move, seen for the
first time at the Biometric Consortium conference, is also a major
step forward. This is based in part on the LG technology, which is
used for enrollment.
The iris reader for PDAs by Iridian Technology is a toy.
The WAVE could understand such a comment after seeing the 4000 operate.
If the PDA iris reader is successful in the market remains to be seen.
LG claims that iris is a technology which is better suited
for one to many matching than any other. (The AFIS community would
disagree with this.) In support of the claim, its authentication algorithms
will run on an IBM blade server. One blade can do 1m matches/sec. With
12 blades in a rack they estimate that 10m matches/sec is a reasonable
through put rate.
NEC – Looking for the big Enterprise Sale
NEC has long been a major player in biometrics authentication.
Its fingerprint recognition algorithms scored #1 in the NIST testing.
It has a scope of involvement of the technology, based on work in Japan,
which predates many companies. NEC has, as a result, had a long involvement
in AFIS. The WAVE sat down to look at the SafeSign enterprise biometrics
solution and its BlueX identity management product. The discussion netted
more than information about these products.
The BlueX product will support template-on-computer or
template-on-server based on where the authentication is to take place.
Template on a server basically does a 1 to N match while on the computer,
i.e., cached mode, it is 1 to 1.
It was stressed that biometrics is but one element in
the identity chain.
Product licensing varies based on need. There are per
computer models, per user models and per use models, for example.
NEC core technology strength is its fingerprint matching
NEC is working on BioAPI 2.0 compatibility and agrees
that this is essential for multi-factor biometrics.
Enterprise biometrics has not yet reached a tipping point.
There is a great deal more serious interest in the enterprise but many
are watching for the progress on the major national biometric projects
before making any commitment.
One of the important issues is that biometrics has an
ROI barrier. That is, in an enterprise environment how can the technology
be justified? In the case of password resets, the ROI is easy to justify
but outside of this the ROI is marginal at best.
We believe that biometrics has created its own barrier
to the market. That is, there has been too much emphasis on the technology
and not the solutions it provides. That is, NEC has found that soft
factors can be as much as a barrier to adoption as the performance
of the technology. In many cases internal politics can kill a project.
For example, BA had a major biometrics project which was eventually
scrapped due to union resistance.
The message on the enterprise use of biometrics was loud
and clear from Biometrics 2005. Based on excellent booth discussions
with leaders in the industry we surmise the following.
There are no major questions about if the technology for
biometrics exists. We saw interesting examples of SoC which brings biometrics
to a new level and opens up additional applications. There is, for example,
a credible supplier of a domain log-on solution which is integrated into
Windows client and server. What else can the technology do? Document
authentication and financial services are other possibilities. However,
each one requires independent development on the SoC, at a minimum and
likely much more. This is not the basis for rapid deployment even if
the market existed.
Price points for SoC remain too high - >$100, precluding
consumer use in the near term. One supplier was adamant that only free
consumer devices will work in the market. The enterprise market for biometrics
has not yet broken out of its cocoon. Yes, there are a few promising
signs of a growing biometrics market. But to date, it is been a hard
Biometrics is only a path to market as part of an enterprise
solution. This solution is frequently based on enhanced security. But
one must define an implementation of enhanced corporate IT security which
is tailored to that organization. Thus, it is largely a custom project
on a company by company basis. As with the major national projects, experienced
systems integrators to address the enterprise need is essential.
Biometrics may have been its own worst enemy in establishing
the market. In the last 5 years the interest has focused on the technology
but this created no significant enterprise sales. Biometrics by itself
solves no problems that cannot largely be achieved by other means at
much less cost – today that is tokens. Now in order to achieve
a market, the hard work has begun – finding enterprise applications
using biometrics which net an ROI. This is further compounded by the
reality that any solution must be integrated into the existing enterprise
IT and user infrastructure. Each enterprise is its own mini-national
The bottom line: Let the supplier beware.