Biometrics: The Body's Keys
The use of biometrics such as face, iris, and fingerprint is becoming one of the most effective ways to provide secure access control, yet the lack of significant government funding is slowing the growth of the technology.
by John McHale
Keeping secrets "under lock and key" has a different meaning these days from what it had in the past. No longer is a simple double-bolted lock considered secure enough to keep our most precious secrets and facilities safe from intruders; neither are personal identification numbers (PINs) and other numerical codes enough to do the job anymore. Instead, security officials worldwide are turning toward locks that use biometrics — characteristics of the human body — as keys.
Since the Sept. 11 terrorist attacks, the global war on terrorism has sharpened the focus on biometric technology to identify and track suspected terrorists and other criminals at airports, sporting events, nuclear power plants, and other high-profile facilities.
A biometric is a measurable, physical characteristic or personal behavioral trait to recognize the identity — or verify the claimed identity — of an enrollee, according to the U.S. Department of Homeland Security (DHS) in Washington, D.C. Among the measurable features are faces, fingerprints, hand geometries, handwriting, irises, retinas, veins, and voices. Biometric technologies are the basis of an extensive array of secure identification and personal verification solutions.
The most popular and widely used biometric is the fingerprint, says Trevor Prout, director of marketing for the International Biometric Group in New York, a biometric integration and consulting firm that addresses the identification and authentication needs of mid- to large-size organizations.
Fingerprint is "one-to-one" verification — or using a fingerprint as a password, Prout explains. The most well-known fingerprint system is the FBI's Automated Fingerprint Identification System (AFIS) criminal database, which is a "one-to-many" application where the fingerprint is the identification and the password. Fingerprints are not a foolproof means of identification, however. They might not work for people who have had their fingerprints worn off due to hard labor or medical trauma.
Hand geometry, meanwhile, refers to the size and dimensions of the hand and has been around since the 1980s, Prout says.
Experts at Lumidigm Inc. in Albuquerque, N.M., in fact, are working on solutions to discern a live hand or finger from a dead one, Prout says. Lumidigm engineers have developed a new biometric method of identifying people based on optical skin-tissue measurements, and have been awarded a development contract by Unisys Corp. in Blue Bell, Pa.
This contract is part of a Research and Development Task Order that Unisys officials have with the U.S. Department of Defense (DOD) for Biometrics research. Lumidigm experts will use their LumiGuard technology to develop an antispoofing sensor called LumiSure to measure "liveness" and other properties of live human tissue.
Systems integrators will integrate the LumiSure sensor with fingerprint and hand-geometry sensors to reduce or eliminate the potential of fraud, Lumidigm officials say. Lumidigm is to deliver the first prototype sensor early next year.
Voice recognition is most common in telephone business transactions but is subject to behavior affecting the voice and bad cellular phone connections, Prout says.
No biometric is flawless, but iris recognition is considered to be the most accurate. Still, cataracts may foil an iris scan. Retina scanning has also been developed, but the retina is in the back of the eye and scans of it are much more intrusive than iris scans and are therefore not as common, Prout says.
Facial recognition has also gained recognition through its successful and unsuccessful performance at several airports, Prout says. It is the only biometric that can currently be used for surveillance applications. Facial recognition is most accurate when a subject willingly looks directly into a camera. However, the technology may not be able to differentiate between twins or see through plastic surgery, Prout says.
Companies are also working on multimodal applications, which use several biometric approaches. Multimode can be especially effective if subjects are registered under fingerprint biometric and face, and vice versa, Prout says.
A program called Human Identification at a Distance at the U.S. Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., is looking at gait recognition at a distance like those used in the Tom Cruise movie "Minority Report," Prout says. Gait is simply the way a person walks.
The Sept. 11 terrorist attacks did not so much increase the biometrics business as they increased awareness of it. Despite the publicity, good and bad, business is growing slowly because not much money is coming out of DHS, Prout says. He says he expects that to change, and when it does the government will lead the way in providing the money necessary to nurture biometrics technology development.
Analysts at market analyst Frost & Sullivan in San Jose, Calif., predict biometric revenues from commercial applications (not including the government's AFIS program) will grow from $93.4 million in 2001 to $2.05 billion by 2006. That is up from the $700 million that Frost & Sullivan predicted before the Sept. 11 attacks. For more information on the biometrics market see "Government sector will lead vertical market for biometrics through 2007" on page 19.
The US-VISIT program under DHS will incorporate biometrics such as face and fingerprint, but has yet to begin requests for proposals, Prout says. The program will provide the capability to record the entry and exit of non-U.S. citizens into and out of the United States, and provide officials with information about persons who are in the United States in violation of the terms of their admission, DHS officials say. There is also a U.S. Immigration and Naturalization Service (INS) pass for people like pilots who leave the country frequently.
The INS Passenger Accelerated Service System (INSPASS) is an automated system intended to reduce immigration inspection processing time for authorized travelers. INSPASS combines automation with a hand geometry biometric image to validate the claimed identity of an individual. Eligible frequent travelers may enroll in the program at any INSPASS enrollment office. For more information go online at uscis.gov/graphics/shared/lawenfor/bmgmt/inspect/inspass.htm.
The US-VISIT program will use the face biometric. The International Civil Aviation Authority (ICAO) in Montreal has determined face recognition to be the preferred biometric for machine-readable transportation documents such as passports. ICAO says airport authorities may use fingerprint and iris to support face recognition, but does not require anything other than face recognition, Prout says.
DHS Secretary Tom Ridge announced that US-VISIT must have the capability to collect biometrics — initially fingerprints and photographs — at air and sea ports of entry by the end of this month.
Congress requires the secretaries of State and Homeland Security to work together to establish document-authentication and biometric-identifier standards on visas and other travel and entry documents. Officials at the National Institutes of Standards and Technology (NIST) recommended fingerprints and photographs as the biometrics for US-VISIT.
Currently, only biographic data such as a visitor's name is compared against watch lists of suspected terrorists, criminals, and other violators. The use of biometric identifiers in addition to biographic data will make it more difficult for suspects to hide their true identities to escape detection and enter the United States illegally.
Biometric identifiers also protect legitimate visitors because they make it virtually impossible for anyone else to assume their identity by stealing travel documents. Biometric identifiers will also reduce fraud and abuse of the immigration system, DHS officials claim. By combining these entry and exit processes, and by securely storing the travel records, DHS officials say they can account for visitors who are required to travel here on a visa.
By next fall, Congress will require biometric equipment and software at all points of entry to compare and authenticate all U.S. visas and other travel and entry documents.
U.S. citizens will not be required to be electronically fingerprinted or photographed upon entering the United States. U.S. citizens wishing to participate in the Dedicated Commuter Lane (DCL) programs such as SENTRI and NEXUS or other expedited processing programs may voluntarily submit biographic and biometric data to expedite their travel. The Department of State will begin issuing machine-readable U.S. passports that include facial recognition technology in the future, DHS officials say.
Other pending legislation includes biometrics not only for a national driver's license, but also for health information that requires secure access to all patients' records.
The Deputy Secretary of Defense formally appointed the Army as the DOD's executive agent for developing and implementing biometrics technology. The DOD Biometrics Management Office (BMO) is the department's central entity for leading, consolidating, and coordinating the development, adoption and institutionalization of biometric technologies for combatant commands, Services and Agencies, to enhance Joint Service interoperability and warfighter operational effectiveness. The Biometrics Fusion Center (BFC) is the test and evaluation unit of the BMO.
BFC officials recently announced that they are opening a public version of their DOD Biometrics Knowledgebase System (DBKS). Complementing the restricted DBKS — which is accessible only to government users with .gov or .mil addresses — the public version will host more general information on biometrics, technology tutorials, and consolidated media coverage of biometrics in the government and DOD.
"As public interest in biometrics continues to escalate, it is important that both DOD and nongovernment users can access timely information in order to help make informed decisions toward biometric technology adoption," says Maj. Stephen Ferrell, acting director of the DOD BFC.
Identix is one of several companies that supply fingerprint readers for localized systems using pattern matching or other techniques.
The unrestricted DBKS web site, www.bfc-kno.army.mil, offers public access to specific biometric policies and usage tutorials, and also guides users on applying for information from the DOD BFC through the Freedom of Information Act (FOIA). In the future, the site will host web-enabled surveys for all federally funded research and development centers (FFRDC), academic test centers, and vendors with a biometrics focus. Visitors to the public DBKS site will also be able to navigate through various news articles and summaries on biometrics, DOD officials say.
One of the biggest biometric programs for the DOD is the Common Access Card program, otherwise known as CAC, which involves putting biometric technology on a new smart identification card.
A smart card is a credit-card-size device that contains one or more integrated circuits and may also employ one or more of the following technologies: magnetic stripe; barcodes, linear or two-dimensional; noncontact and radio frequency transmitters; biometric information; encryption and authentication; or photo identification.
"The Common Access Card is the first DOD-wide implementation of smart-card technology," says Jim Lynch, program manager of the CAC/Public Key Infrastructure (PKI) at Maden Tech Consulting Inc. in Arlington, Va. The PKI component of CAC uses encryption and digital signatures to safeguard information, he says.
The CAC has five primary functions:
- replace the existing DOD identification card;
- identify active-duty military personnel (to include the Selected Reserve), DOD civilian employees, and eligible contractor personnel;
- give physical access to buildings and controlled spaces;
- allow computer network and system access; and
- authenticate the Public Key Infrastructure.
"Retirees and military dependents will not receive the CAC, but will continue receiving the current identification card," Lynch says.
"With a CAC application, many paper-based processes will become automated, therefore, what may have taken days to do may now take just hours," Lynch continues. "Military Service members may use the CAC to enter their installation, log onto computers, or verify medical benefits eligibility, or gain dining facility privileges. As the technology matures, the CAC will perform even more functions, thereby enhancing readiness and saving time and money for all personnel.
"PKI supports specific functions such as secure single sign-on access control, digitally signing electronic documents, and encrypting e-mail. Eventually, all DOD computers will have a card reader allowing network access using the CAC," Lynch says. "PKI adds an extra layer of security, because without your CAC, no one can log onto your computer even if they have your name and password. PKI authentication also provides the DOD another weapon to foil the attacks of computer hackers on DOD computer systems. With PKI, personal privacy is better protected and national security is also strengthened."
Smart-card technology may streamline business processes, as well as help share and protect information, Lynch explains. "For instance, because smart cards can securely store and carry information about military personnel, organizations can minimize paper-based, labor-intensive processes, thus saving money and time," he says. "Additionally, because smart card technology supports multiple applications on one platform, the number of cards issued to service personnel will be reduced."
DOD officials also recently acquired 1,300 U.are.U Pro fingerprint recognition systems from DigitalPersona in Redwood City, Calif., to enhance network security at desktops within its Washington, D.C., offices; the systems integrate with Common Access Cards. Leveraging U.are.U Pro's integration with Microsoft Active Directory, the installation provides an added layer of security for network logons.
By implementing this solution, the DOD will cut authentication administration costs by taking PINs and passwords out of the hands of end-users, DigitalPersona officials claim.
High-resolution fingerprint scans for the FBI's Automated Fingerprint Identification System (AFIS) database (above) like the "ten printer" imager shown here can capture digital images of each finger simultaneously.
"Incorporating DigitalPersona's solution improves network authentication while reducing the expense and productivity problems related to forgotten PINs and passwords, because users no longer have to remember them," says Jim Ward, president of EyeIT.com Inc. in Alexandria, Va., which participated in the design and the implementation of the system. "Now, you can use the strongest passwords allowed by the system without compromising usability or performance for the users. Costly and productivity-robbing efforts to have incorrectly entered or forgotten PINs and passwords unlocked and reset are virtually eliminated."
The DigitalPersona solution addresses two objectives: it advances the strategic objective to achieve tighter security through multifactor credentials incorporating biometric verification and it reduces the administrative and productivity burdens caused by forgotten passwords and PINs, company officials say.
Prior to the incorporation of DigitalPersona's fingerprint authentication solution, users had to use several keystrokes and type in a complex password when prompted before they could log on to the network. "Once on the network, several more iterations of traditional password authentications were needed for subsequent application access," says Harvey Bondar, vice president of worldwide marketing for DigitalPersona.
Users no longer have to enter or remember their PINs or passwords. Instead, they log on by placing a finger on a DigitalPersona U.are.U 4000 sensor, after which the system verifies who they are by matching their fingerprint with the fingerprint template on record. Administrators benefit by eliminating lost or shared passwords and PINs from their list of potential security risks and by the ability to redeploy resources previously required for password management support to more critical initiatives, DigitalPersona officials say.
Government sector will lead vertical market for biometrics through 2007
Government will lead biometric system purchases through 2007 with $1.2 billion in annual buys, according to the Biometric Market Report 2003 to 2007 from the International Biometrics Group (IBG) in New York.
The financial sector and travel and transportation follow with $672 million and $556 million, respectively, in 2007. The various scenarios in which government agencies must identify and authenticate citizens and employees, particularly subsequent to the Sept. 11 terrorist attacks, are a critical growth factor, IBG officials state in the report.
Global 2002 industry revenues of $601 million are expected to reach $4.04 billion by 2007, driven by large-scale public sector biometric deployments, the emergence of transactional revenue models, and the adoption of standardized biometric infrastructures and data formats, the IBG report states.
Fingerprint-based technologies, including finger-scan and automated fingerprint identification systems (AFIS) are projected to account for $467 million of 2002 industry revenues, far and away the largest technology segment. This growth is because of the wide range of applications in which fingerprint-based solutions operate effectively, the IBG report states.
Among emerging biometric technologies, sales of facial recognition and software that enables biometric technology are to reach $200 million and $215 million, respectively, in annual revenues in 2005. Iris-scan is projected to reach $210 million in annual revenue in 2007, IBG officials state in the report.
According to the report, civil identification and PC/network access will be the leading biometric applications over the next five years, expected to account for nearly $2 billion in combined annual revenues in 2007. Physical access/time and attendance will reach $245 million in annual revenues by 2004, with surveillance and screening applications projected to reach $49 million in annual revenue in 2004.
For more information on IBG and their industry report go online at www.biometricgroup.com.
Smarte Carte uses biometrics to secure lockers at U.S. airports
Officials at Smarte Carte in St. Paul, Minn., saw their rental business at 42 U.S. airports — which represented some $4 million in annual sales — disappear after Sept. 11, 2001, when the U.S. Federal Aviation Administration (FAA) closed all locker facilities at U.S. airports. Company officials needed to make their lockers more secure so they turned to fingerprint authentication technology from DigitalPersona in Redwood City, Calif.
The company's Smarte Locke electronic locker system had featured a central touch-screen rental station where customers chose a locker number, paid the rental fee, and then received a ticket with an unlock code. Customers would simply store their items and close the locker door to secure it, and then use the unlock code to open the locker when they returned, Smarte Carte officials say.
Even though Smarte Carte's lockers were located inside security checkpoints at U.S. facilities, the immediate FAA concern was that an airport worker could rent a locker, put a weapon in it, and then give the locker's code to a ticketed traveler who could pick it up before boarding a flight, company officials say.
To consider reopening airport locker systems, the U.S. Transportation Security Agency (TSA) required that the lockers have a "single-user" mechanism by which only the person who rented it could open it, thereby eliminating the risk of giving access to the locker to another party, Smarte Carte officials say.
Company officials say they quickly eliminated retinal scanning, voice recognition, and handprints as too costly or difficult to deploy. "We looked at bar codes and other identity systems, but they didn't have the same level of security and nontransferability as biometrics," says Keith Amdahl, Smarte Carte's director of engineering.
Amdahl's engineering team evaluated products from more than half a dozen vendors of biometric fingerprint recognition systems, and chose DigitalPersona's U.are.U 4000 sensor. "We chose DigitalPersona's technology because they had the most accurate recognition system and their solution was the easiest to integrate with our existing rental station hardware and software," says Bob Veitch, systems designer/programmer at Smarte Carte.
Over a six-month integration phase, Smarte Carte's team worked to enhance the security of the company's Smarte Locke locker rental system by incorporating DigitalPersona's fingerprint recognition technology as the access key for lockers. "It was a very smooth process," says Veitch. "DigitalPersona's support people were very easy to work with, and the software integration only required us to add a couple of new screens to our touch-screen application."
In September 2002, officials from Smarte Carte and the TSA began a five-month test of the new biometric lockers at the Minneapolis/St. Paul International Airport. With the new biometric Smarte Locke system, locker customers register their fingerprint during the rental process, and then use their fingerprint, in addition to their unlock code, to open the locker when they return.
TSA officials deemed the Minneapolis test a success and relaxed their restriction on lockers at airports in February 2003, giving Smarte Carte the green light to work with local TSA representatives at each airport to begin reopening locker facilities, Smarte Carte officials say.
Since each U.S. airport is governed by the FAA and TSA as well as by local government agencies, it will take time to negotiate deployment and reopening of the advanced locker rental system across the country, company officials say.
The deployment of DigitalPersona's biometric solution also promises to increase Smarte Carte's sales to amusement parks and other high-traffic facilities where managers are concerned with security and where keys or tickets with unlock codes can be a problem.
"At water parks or amusement parks with water rides, for example, it is difficult for locker customers to keep track of a key or paper ticket while they are swimming or on a water ride," says Tammi Phippen, Smarte Carte's manager of marketing communications.
"In the past, facilities that have the traditional keyed mechanical lockers have tried to put keys on wristbands, but then the keys were damaging pool linings and water slides," Phippen says. "Electronic lockers could provide a ticket with an unlock code or allow the customer to make up and memorize their own code, but tickets could be lost and memorized codes could be forgotten, and then the customer would have to call our customer service to get the door opened. You can't lose a fingerprint, so we've eliminated that issue completely, making the process more convenient for the customer."
Iris recognition in Canada
The Canada Customs and Revenue Agency (CCRA) in Ottawa is using an iris-recognition solution from Iridian Technologies in Moorestown, N.J., for the CANPASS–Air program for travelers at Vancouver International Airport in Vancouver, British Columbia.
CANPASS–Air allows preapproved travelers to clear customs and immigration quickly and securely by using iris-recognition technology. A total of eight airports in Canada are expected to implement this new security measure.
The CANPASS–Air program is a joint initiative of the CCRA and Citizenship and Immigration Canada to facilitate efficient and secure entry into Canada for pre-approved, low-risk air travelers. The program is open to citizens and permanent residents of the United States or Canada. It will be extended to other visa-exempt countries and the North American Free Trade Agreement business travelers in the future.
CANPASS–Air allows preapproved travelers to clear customs by simply looking into a camera that recognizes the iris of their eyes as proof of identity. Prescreened, frequent travelers are identified quickly, allowing enforcement activities to be targeted on high-risk travelers.
In just five seconds, the iris image is captured with a black-and-white camera from a comfortable distance, without bright lights or lasers. Members receive an encoded identification card to use at CANPASS–Air kiosks in Canada's international airports where they insert their card into a slot, provide an iris scan, and enter Canada without further interaction with customs unless selected randomly for inspection.
"Iridian Technologies, our Canadian partner RYCOM, and IBM Global Services teamed up with the Canada Customs and Revenue Agency to deploy iris recognition at Vancouver International Airport in order to streamline security operations with iris recognition," says C.B. Kuhla, chief executive officer and president of Iridian Technologies. The company is looking to expand the use of iris recognition on the border between the United States and Canada, Kuhla adds.
The program will initially be open to citizens or permanent residents of the United States or Canada. It will extend to other visa-exempt countries and North American Free Trade Agreement business travelers in the future.
CANPASS–Air members must complete an application form, go through security checks at registration and every year upon renewal, and provide a digital photograph of their irises.
A member or applicant can be disqualified from the program if, at any time, the member or applicant has been found guilty of a criminal offence or charged with a customs or immigration offence, has been declared inadmissible to Canada, or has provided false or incomplete information.
AFIS — Automated Fingerprint Identification System
BFC — Biometrics Fusion Center
BMO — DOD Biometrics Management Office
CAC — Common Access Card program
CCRA — Canada Customs and Revenue Agency
DARPA — U.S. Defense Advanced Research Projects Agency
DBKS — DOD Biometrics Knowledgebase System
DCL — Dedicated Commuter Lane
DHS — Department of Homeland Security
DOD — U.S. Department of Defense
FAA — Federal Aviation Administration
FFRDC — federally funded research and development centers
FOIA — Freedom of Information Act
IBG — International Biometrics Group
ICAO — International Civil Aviation Authority
INS — Immigration and Naturalization Service
INSPASS — INS Passenger Accelerated Service System
NIST — National Institutes of Standards and Technology
PIN — personal identification numbers
PKI — CAC/Public Key Infrastructure
TSA — Transportation Security Agency