
Biometrics Summit 2005
By John Latta, WAVE 0511 3/18/05

Miami, Florida
February 23 - 24, 2005

The Biometrics Summit is a small conference focused on how to use biometrics. Many in the audience come from local governments seeking to understand how to apply the technology. The speakers described the practical issues of making biometrics work. The result is a practical conference which attracts a broad cross section of users and potential users of the technology. Networking happens throughout the event, as learning is an objective of the Advanced Learning Institute, which manages this conference. This is one of the few events which focuses on real case studies, and as a result it is quite insightful on the practical applications of biometrics.


Making Biometrics Learn in Large Projects

Joseph Atick, President and CEO of Identix, reviewed the state of biometrics. He presented a summary of the major ongoing efforts to apply biometrics. There are many success stories and some failures, but the acceptance of biometrics continues to increase. He counseled that biometrics is only a means, not the end; the real issue is human identity. To address these issues he proposed a “Universal Model of Identity Management.”

As lead speaker, Joseph Atick brings many years’ experience in biometrics. His presentation looked at many projects, mostly large government ones, to critically assess the state of the industry. It made many interesting points which go well beyond government projects.

US-VISIT was described as a great success story. It uses two fingerprints as the biometric, but a photo is also taken for US entry and exit. (In a subsequent talk Neal Latta stated that 20m individuals have been processed by US-VISIT.)

Saudi Arabia has begun the CAFIS program which takes 10 prints and will enroll 30m individuals.

Jordan will begin a national ID program which uses face, finger and iris.

The UK has a passport program which also uses face, finger and iris. This was described as an example of what not to do. The human factors issues were underestimated, the systems integrator lacked motivation and experience, and as a result a large number of individuals could not enroll. The effort is being changed and was described as back on track.

At the other end of the spectrum is the Swedish Passport program which is largely self service. It is based on finger and face biometrics and deployment is underway.

A bad eye was cast on the UAE deportation and visa program – the pun fits. This relied on iris scans and has demonstrated how difficult this is to accomplish. The problem is a high failure-to-enroll rate for iris. As a result, the effort is shifting to finger. Also in the UAE is eGate, which is based on finger and has worked very well.

Results were presented for facial recognition which imply a new confidence in the scalability of the technology.

There is a view that tri-biometric enrollment (face, finger and iris) will provide for completeness. But it was countered that iris is only buying insurance, with the expectation that it will improve. In other words, it may get better in the future.

Considerable emphasis was placed on the quality of the enrollment biometric and of its subsequent collection. This certainly applies to finger, and there is renewed confidence in facial, based in part on image quality improvements. Along these lines a quality factor called “faceness” is being defined, which measures how close the facial expression is to an expressionless frontal view.

Joseph Atick went so far as to state that facial screening is coming back. Tried in the past, it failed because of the high level of false positives.

When it comes to systems architecture, a significant case was made for the end of “proprietary end-to-end systems.” The elements of this approach include:

The integration of small subsystems to form a larger system;

The components work to a standards-based API;

The system is not tied to a specific vendor;

The systems integrator (SI) is about a process and not technology.

In these large systems the biometric is well down the systems stack.

This led Joseph to state that biometrics is only a means and not the end. At the heart of these systems is human identity. Yet, because this is about identity the problems created relate to: fake identity, aliases, theft and mistrust.

From this Joseph outlined a “Universal Model of Identity Management.” This has four components: Trust, Identity, Actions and Reputation. All of these interact. Biometrics fits because it is a way to handle identity problems. Another factor is Knowledge Discovery – the finding of duplicate entries and the uncovering of risky identities. Feared is the dreaded “identity laundering,” which is a bad identity getting into an identity management system.

Many of these issues are first being faced in ePassports. One of the contributions is that interoperability is a key requirement. Unfortunately the deadline of October 2005 is unrealistic and will likely not be met. For example, something as simple as readers is holding up progress. Further, there are many challenges such as identity laundering, compliance and trust across jurisdictional boundaries to be worked.

Joseph went so far as to suggest a “circle of trust” concept between countries. This is a difficult concept to accept. But he suggested that the visa waiver program is similar in concept.

The bottom line is that Joseph feels we are 5 – 10 years away from these interoperable identity systems. But the only way to get there is to begin.


Beyond Physical Access Control

IBM described their Service Delivery Centers (another name for data centers). They gave a standard presentation on how a secure data center installation can be accomplished with biometrics. Biometrics is essential to entry and exit. The focus is on effectively using biometrics and physical controls. In response to a question from the WAVE, it was stated that, yes, the tools used for physical access are also being used by some for logical access. That is, the biometrics for entry will work on both the physical space and the network logon.

Yet, this did not address logical access to the systems within the data center. When further asked by the WAVE, IBM stated this is a real issue. They have taken the same biometrics technology used for physical access and also use it for access to the network. However, at the present time its use is optional based on the individual.

When seen in the context of an Identity Management system this makes sense. That is, the ability to create identity problems such as a fake identity, aliases, theft and mistrust is severely limited when the physical controls are in place. Thus, in this IBM example, logical access uses biometrics with high confidence because physical access controls are strong. The practical application of this approach is limited because most will not tolerate such physical controls.


Making Face Recognition work on the Street - Illinois

Illinois is a pioneer in that it was the first state to use a biometric in a driver’s license. Beth Langen of the Illinois Office of the Secretary of State described their efforts to apply facial recognition in driver license and identity card issuance. One of the problems is that the DL/ID (driver’s license and ID document) has become the de facto national identity document. In spite of the fear of many that this would happen, the process is already underway. As a result, the issuance of these documents is a gateway to crime: criminals use fraud to obtain one or more such documents in order to carry out other crimes. The expectation of society is that these documents are to be trusted since they are issued by a government agency. What Illinois has done is to seek to increase the quality of the documents by applying a biometric and to improve the processes for their issuance.

When it comes to the issuance of the DL/ID the following are to be addressed:

Minimize traffic safety threats such as underage drinking;

Identity theft and fraud;

Balancing cardholder privacy with public and business interests; and

Public safety.

To increase the security of the cards, Illinois began in 1997, with first operational deployment in 1999, the use of facial biometrics. There has been nearly 100% enrollment. The implementation has not been static. For example:

2000 – Began to use “binning” to improve performance

2001 – The eye finding and processing algorithms improved and

2005 – The technology went from eigenvalues to Hierarchical Graph Matching (HGM) with a web based application.

The workflow in Illinois is that the DL/ID cards are issued on the spot but the fraud detection processing happens after the card has been issued. Whether this should be changed is being considered.

The system captures 8,000 – 12,000 new images a day, of these 400 – 500 duplicates are detected. So far, the state has identified 1,800 fraud cases.

Some of the most interesting issues came from the description of future changes. Illinois cannot have a contract with one company for the same project for more than 10 years. As a result they are preparing to rebid this project and could well change the biometric being used. One of the reasons for choosing the facial biometric in 1997 was that it was the only biometric readily accepted by the public. That has now changed.


National Identity

The National Intelligence Reform Act, which was driven by the recommendation of the 9/11 Commission, set new standards for identity documents and this includes:

Proof of identity;

Verification of documents; and

Card security.

There is a requirement for compliance in 2 years. Many see this as setting the de facto DL/ID document in that the federal government can withhold funds for non-compliance.

All of this pales in comparison to the impacts of the REAL ID Act of 2005, (H.R. 418), if it is passed by the Senate. The bill has already passed the House and the President has voiced support.

H.R.418

REAL ID Act of 2005

Title: To establish and rapidly implement regulations for State driver's license and identification document security standards, to prevent terrorists from abusing the asylum laws of the United States, to unify terrorism-related grounds for inadmissibility and removal, and to ensure expeditious construction of the San Diego border fence.

Sponsor: Rep Sensenbrenner, F. James, Jr.

This, if law, would supersede the requirements of the National Intelligence Reform Act and be much more stringent. Individuals would have to have such a card to get access to any federal facilities – it would become a de facto national ID card. The use of biometrics has not been decided yet.

(Editor Note: particulars of the bill may be read at http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.00418:)


Enterprise Biometrics – Are the promises outpacing delivery?

Two case studies were presented which used biometrics to secure a corporate environment: one inside and the other outside. Digital Persona, supplier for one of these case studies, is focused on the “password problem” and claims that “biometrics allows us to lock down the network.” Yet, we came away troubled – is this a solution or marketing?

There was little doubt about the value of a “biometrics solution” as expressed here. The words were appealing:

The password is going out of style.

Biometrics is a virtual smart card

Biometrics resulted in a 90% decrease in support calls; and

Better security is required by mandates such as Sarbanes-Oxley, and biometrics provides what is needed.

Yet, when we asked the presenters of one of the case studies, “Have you done a risk assessment?”, the response was “Testing has started of a post-deployment testing of risk.” It seems obvious that confidence in risk reduction is not possible without understanding the risks.


Locking Down ERP with Biometrics

Molded Fiber Glass (MFG) Companies worked with its vendor SAFLINK to implement biometric-protected access to its ERP application. At the same time this also implemented the domain logon. The context is that there was no security, other than a common group password, to access the corporate-wide ERP software. The company was being hit each year by its outside auditor for the lack of security. It was felt that biometrics provided for:

Easy integration and installation;

User Friendly;

Remotely administered;

Strong authentication; and

Standards based.

SAFLINK was chosen because it provided the necessary network administration, allowed for different biometrics and had an SDK which could be integrated into the operations at MFG. The integration was accomplished in less than 3 days. The net result is that passwords have been eliminated. The solution was also used for Active Directory logon.

The cost per system was estimated to be $350 - $400 per desktop.

No risk assessment was performed.


Making online Banking Secure with Biometrics

United Bankers’ Bank and Digital Persona described how the latter’s technology was used to secure online access to bank accounts. Note that United Bankers’ Bank is a commercial bank that offers services to other banks, similar to the Federal Reserve but on a smaller, regional scale in the Midwest. The contrast was striking. The Fed access systems were described as onerous, with multiple passwords and complex logons. However, most banks that use Bankers’ Bank find that passwords are written down, shared, easily guessed, inconvenient and stolen. Further, a Trojan – BankHookA – specifically targets the logging of passwords used for bank accounts. In spite of the fact that more secure solutions exist, one must balance cryptographic strength against the user; that is, how to get the user to participate in the security process and system. It was the experience of Bankers’ Bank that a fingerprint augments secret-based authentication (passwords and smartcards) since it does not rely on the user.

Bankers’ Bank selected Digital Persona because of its ease of use and ability to integrate into their environment. The product U.are.U Online operates like a virtual smartcard which binds a fingerprint to a key pair. It can be readily integrated into web applications. A patented architecture ensures separation of fingerprint data from the user record.

The implementation of the online application used these additional security features:

TCP/IP Filtering

Sensor digital serial number filtering

Two logons required

Time Limits for access

Transaction amount limits

User Lockouts

Backup dial-up network
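As an added example (not the bank’s or Digital Persona’s code), the following Node.js policy gate applies several of the controls just listed to a request that has already passed fingerprint authentication: TCP/IP filtering, sensor serial number filtering, a time window for access, a transaction amount limit and user lockouts. The CIDR block, sensor serials, hours, limits and the AccessGate class are all constructed for this example; the two-logon requirement and the backup dial-up network are not modelled.

```javascript
// Added example (not United Bankers' Bank's or Digital Persona's code).
// Every value in POLICY is constructed; 192.0.2.0/24 is the RFC 5737
// documentation range.
const POLICY = {
  allowedCidrs: ['192.0.2.0/24'],                          // TCP/IP filtering
  allowedSensors: new Set(['SENSOR-0001', 'SENSOR-0002']), // sensor serial filtering
  accessHours: { start: 7, end: 19 },                      // time limit: 07:00 to 18:59
  maxTransaction: 50000,                                   // transaction amount limit
  maxFailures: 3,                                          // lockout after this many failures
};

// Dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((n, octet) => (n << 8) + Number(octet), 0) >>> 0;
}

// True when `ip` lies inside the `a.b.c.d/bits` block.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

class AccessGate {
  constructor(policy) {
    this.policy = policy;
    this.failures = new Map(); // user -> consecutive suspicious failures
    this.locked = new Set();
    this.audit = [];           // one line per decision, for later review
  }

  // `req` is a constructed request: { user, ip, sensorSerial, hour, amount }.
  // Returns { allowed, reason }. Address and sensor mismatches count toward
  // lockout because they suggest a credential is being used from somewhere
  // it should not be; an out-of-window or over-limit request is refused
  // without penalty, since it is a business rule rather than an attack sign.
  check(req) {
    const p = this.policy;
    if (this.locked.has(req.user)) return this.decide(req, false, 'user locked out', false);
    if (!p.allowedCidrs.some((c) => inCidr(req.ip, c))) {
      return this.decide(req, false, 'source address not permitted', true);
    }
    if (!p.allowedSensors.has(req.sensorSerial)) {
      return this.decide(req, false, 'unregistered sensor', true);
    }
    if (req.hour < p.accessHours.start || req.hour >= p.accessHours.end) {
      return this.decide(req, false, 'outside access window', false);
    }
    if (req.amount > p.maxTransaction) {
      return this.decide(req, false, 'amount exceeds limit', false);
    }
    this.failures.delete(req.user); // a clean request resets the counter
    return this.decide(req, true, 'ok', false);
  }

  decide(req, allowed, reason, countsAsFailure) {
    if (countsAsFailure) {
      const n = (this.failures.get(req.user) || 0) + 1;
      this.failures.set(req.user, n);
      if (n >= this.policy.maxFailures) this.locked.add(req.user);
    }
    this.audit.push(`${req.user} ${req.ip} ${req.sensorSerial} ${allowed ? 'ALLOW' : 'DENY'} ${reason}`);
    return { allowed, reason };
  }
}

// Run a constructed sequence of requests through the gate.
function demo() {
  const gate = new AccessGate(POLICY);
  const base = { user: 'branch-17', ip: '192.0.2.10', sensorSerial: 'SENSOR-0001', hour: 10, amount: 1200 };
  const results = {
    ok: gate.check(base),
    badIp: gate.check({ ...base, ip: '198.51.100.7' }),      // failure 1
    afterHours: gate.check({ ...base, hour: 22 }),           // no penalty
    tooLarge: gate.check({ ...base, amount: 75000 }),        // no penalty
  };
  gate.check({ ...base, sensorSerial: 'SENSOR-9999' });      // failure 2
  gate.check({ ...base, sensorSerial: 'SENSOR-9999' });      // failure 3 -> locked
  results.lockedOut = gate.check(base);                      // otherwise valid, but locked
  results.audit = gate.audit;
  return results;
}

module.exports = { POLICY, inCidr, AccessGate, demo };
```

The audit array is the piece a reviewer would ask for: each denial records which layer refused the request, so a later risk assessment can see whether the controls are firing on real misuse or on legitimate users.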

Catalog pricing was quoted as:

Host software - $25,000

User License - $13.33 each

Annual Maintenance

Persona fingerprint devices - $129

The bank gave to the customer one fingerprint reader per account and the customer bank had to buy any additional units.

Digital Persona quotes their false accept rate at 1 in 100,000. But this company has not appeared in the NIST test activities, and it is not clear that this performance has been independently tested. The company claims that 400,000 to 500,000 sensors have been deployed. The company has implemented a system within the Pentagon with 7,000 workstations in the Office of the Secretary of Defense, and they claim a reduction of 90% in support calls.


WAVE Comments

Improvement of the security environment is a long term issue. In spite of the individual focus on biometrics elements such as an API, biometric, device, middleware or standards, the real issue of digital infrastructure security is that it is used by individuals and organizations to reduce risks from threats and damaging actions.

The intent of biometrics is the coupling of individuals with their actions or potential for action. It also recognizes that single individuals can cause significant harm. Reduced to its most basic form, biometrics, as it is evolving today, is about interfacing an aspect of personal identity to a digital infrastructure. It is assumed that the biometric used is not easily modified and can be readily reduced to a template which allows for ready transport and comparison across many biometric systems anywhere in a network. One’s description and its associated template, which is assumed unique to the individual, becomes a network directory component or a SQL database entry.

Compared to other components of the digital infrastructure, biometrics has much higher failure rates. That is, false accept rates are much higher and the ability to spoof biometric systems is relatively easy. If any improvements in overall security system failure rates are to be accomplished, biometrics must be complemented with other forms of physical and logical security.

There are two different worlds of biometrics: public and private. Government uses of biometrics include identity documents, criminal identification, punishment for crimes, security of government transactions and comparison against established identity records. Business uses of biometrics include commerce, internal operations and network security. The reality is that the public use of biometrics is way ahead of the private use. For one, the government is making large investments from research to system deployment. The private sector has done little which compares. Yet, there are many forces to increase private use of biometrics, and these relate to cost reduction, improved security and time saving. Unfortunately these savings have not been assessed. The impact on overall security has not been addressed.

When looking at the state of biometrics, as a technology, it is early in the technology life cycle. Consider these measures of immaturity:

Understanding of the human factors issues, including enrollment and use, is early in the life cycle;

Interoperability, based on thorough testing, is quite limited even between sensors of the same biometric;

There is very little multimodal testing;

Error rate assessment has been developed by NIST but not widely used other than in the government;

Risk assessment processes are poorly developed; and

Systems integration has just begun and again the public sector is leading.

Relying on biometrics as the sole measure of identity is a risky primary means of risk reduction. In most cases, biometrics is combined with other biometrics and with physical and logical security. It is often simply assumed that these factors create a more secure environment. In the public sector other factors include seeing an individual along with a fingerprint – it may be a crude multimodal biometric, but it is better than one biometric. In the private sector it may include restrictions on access to a computer – physical constraints raise the security bar.

Missing from most private deployments of biometrics is a thorough assessment of risk vs. gain vs. cost. Unfortunately, the ease of use of a fingerprint biometric creates a perception that “security is for free.” That is not the case.

It should be noted that today’s security environment has major vulnerabilities. Frequent mandated password changes, along with stringent rules for password use, may make administrators comfortable, but this is useless if the passwords are written down and the char force (cleaning staff) picks them up. Thus, as others have noticed, security with biometrics has two sides: before and after biometrics. This is to be considered in the risk assessment, but as seen at the Biometrics Summit this amounted only to simple observations. We saw no example of a thorough risk assessment.

The use of standards is critical for interoperability. Further, everyone but the vendors believes that no one vendor should drive system implementation. There are many standards efforts, and the ones cited most frequently include INCITS M1 and JTC 1 SC 37.

Finally, privacy issues are everywhere. Even in enterprise use of biometrics, the question surfaced – will my fingerprint get sent outside of the company? As the public sector has responded with privacy plans we expect that this will be the case with private deployments, even if in-house within an enterprise.

Page updated 1/24/07
Copyright 4th Wave Inc, 2007