July 15-17, 2004
Hong Kong

Biometrics is about bringing personal identity to a digital infrastructure. It became clear at ICBA that many biometric applications are emerging. At the same time, in spite of 40 years of research, the practical use of the technology is still in narrow applications. Biometrics has many dimensions: technology, privacy, security, scalability and ubiquity, which are barriers for use. This is the discussion here at ICBA.

First International Conference on Biometric Authentication, ICBA 2004

It is not mere coincidence that the first ICBA is being held in Asia. Hong Kong, with a population of 6M is leading in research and applications of biometrics. This is the biometric parallel of broadband in Korea. The conference is being held at the Hong Kong Polytechnic University. Its Biometric Research Center is headed by Professor David Zhang. An example of their research is in palm prints, palm biometrics done in real time. Further, the laboratory will have a book published in 2005 on biometric fusion. The work on real time palm biometrics has received numerous technical awards. There is also a close linkage between the universities here and the practical applications of biometrics by the Hong Kong government.

The welcoming address was given by Marion Lai, Acting Permanent Secretary, Commerce Industry and Technology, Hong Kong Government. She described the Smart ID project to provide a secure smart card with embedded biometrics to each of the Hong Kong citizens and residents over the next 4 years. It is expected that 6.3M cards will be issued. But the card is more than a government ID card. It is a means to support e-commerce and many other functions that rely on personal identity and authentication. This is a use of biometrics which will place Hong Kong in a leading position as a digital infrastructure city.

ICBA 2004 has 160 participants from 24 countries. This reflects not only the diversity of efforts in biometrics but the role that Hong Kong plays in the technology.

Biometrics as a Grand Challenge

Anil Jain, Professor, Michigan State University, opened the first session. He made a statement that many in the U.S. government see biometrics, even fingerprints, as a solved problem. Wrong. It is his view that this is far from the case and that there should be continuing research to develop the technology and its use it in practical applications. The WAVE spoke with Professor Jain about his view that “Biometrics: A Grand Challenge” should be frame of reference for regarding the research needs to extend biometrics usage. He is delivering a paper on this topic at the International Conference on Pattern Recognition in August 2004. Key points that Professor Jain made include:

Identifying individuals has been critical to the fabric of human society.

As society becomes electronically connected to form one large global community, it is increasingly necessary to carry out reliable person recognition, often remotely and through automatic means. Surrogate representations such as passwords and cards, such as credit cards, no longer suffice.

Biometrics, which refers to the automatic recognition of individuals based on their distinctive anatomical and behavioral characteristics, could become an essential component of effective person identification solutions. This translates into three functionalities which use biometrics:

Positive Identification
Large Scale Identification
Screening

However, the complexity of designing a biometric system is based on three factors:

Accuracy
Scale – size of the database and
Usability

This leads to the following challenges:

Accuracy

A biometric system will have a low false match and false non-match rate. It is Professors Jain’s view that there is a gap between the accuracy of biometric systems and what is needed.

Scale

In short, how does the number of identities in the enrolled data base affect the speed and accuracy of the system? This can further be seen in terms of two applications. The 1:1 match problem where one person is compared against one set of enrolled records. This is not seen as a database problem. However, the much more practical condition is 1:N where there is the need to uniquely identify and individual among many in a database. The problem is one of scaling.

Security

Security is expected when a biometric sample is presented by its true owner and this is matched by the biometric system. The shortfalls include the ability of an attacker of a biometric system to gain acceptance of a false identity. The second condition is one where the individual biometric identity has changed, such as scarred fingerprints, and the individual is not recognized.

Privacy

There are many issues here that go well beyond biometrics. They include concerns that an individual’s actions can be tracked and that personal records can be compromised.

Professor Jain classifies biometrics as a Grand Challenge. Under the HPCC program of the government such a challenge is:

“a fundamental problem in science and engineering with broad economic and scientific impact.”

Biometrics Attack a BIG Problem

Professor Jim Wayman, San Jose State University gave an overview of the applications and performance of biometric systems. One system he highlighted was US–VISIT. This provides one of the best examples of the scale of a biometrics program which has high value:

US–VISIT to use a biometrics based system for the entry, status and exit of foreign nationals into the U.S.

The U.S. has nearly 1B border crossings a year that include both entry and exit. The Mexican border land crossings alone are over 200M.

The US–Visit program exists to collect, identify and verify foreign nationals entering and exiting the U.S. This program is already in place at major airports. The video cam, for the taking of pictures, and fingerprint readers, are present at the immigration entry counters.

The U.S. has also mandated a biometric based passport for foreign nationals entering the U.S. This is years away, however.

ISO has also in process a Biometric standard: ISO/IEC JTCI SC37. There are 6 working groups divided into the following areas:

WG1 – Vocabulary Harmonization
WG2 – Technical Interfaces
WG3 – Data Interchange Formats
WG4 – Application Profiles
WG5 – Test and Reporting
WG6 – Societal and Cross-jurisdictional aspects

Work has been underway since December 2002. Portions of the standard could be out in 1 – 2 years.

Fingerprint Competition – This is a hard problem.

D. Malo, University of Balogne, presented the results of FVC~2004, the 3rd Fingerprint Verification Competition. This competition was on algorithms, not complete systems. There were 43 participants, 6 from academia, 8 independent developers, 29 companies and 19 who were anonymous. The results were evaluated using 7 indicators which were grouped in the following: accuracy, efficiency and memory use. What was most striking was that an individual scored the best against all the corporations. Much more remains to be done in fingerprint biometrics. The competition was but an example of the point made earlier – biometrics is not a solved problem.

Bimodal Biometrics Applications – Big or Small

There are many forms of biometrics. Here at the conference the following were cited: DNA, fingerprint, signature, face, iris, palm, voice, teeth, feet, typing styles, gaits and odors. In terms of applications, these technologies only fall within two bins in terms of scale: big or small. Big means large scale, 1M or greater, enrolled participants and usually 1 to many for identification. Thus, an individual can be determined from the biometric out of the total population of enrolled. Small applies to data sets which are usually 250 or less. The various competitions seen here at ICBA in fingerprints, face and signature have been done with these small training and test sets. A number of applications and commercial deployments have been described. One conclusion stands out. The only biometric technology which supports the big criteria is the fingerprint. Second, and a very distant second, is facial recognition, yet, in spite of trials, it has no large scale deployment. There is only one biometric that is widely accepted for mass deployment – fingerprints.

Biometrics – The Foundation of Trusted Identification and Verification of Individuals

As we discussed earlier in this report there is a missing component in a digital infrastructure – personal identity. This also has a scale dimension from small to big. For computer security, such as log on, the biometric problem is trivial. This is a small scale verification problem. However, the verification of an individual who logs onto a computer will not suffice for the big scale requirements in a digital infrastructure. For example, one of the issues is the independent verification that the individual with the biometric is the same person that is present in the digital infrastructure. There are many other factors such as the quality of the biometric, the creation of a trusted source of the biometric identity that assures that the person enrolled is the same as that represented, speed of response and cost. It is here where the big implementations of biometric applications set the standard for performance and usability. One might ask – what has US-VISIT to do with biometrics for networked computer implementation and operations? US-VISIT operates on a large scale. Hong Kong Immigration establishes a trusted identity on a large scale.

Based on the papers at ICBA and the WAVE’s conversations with individuals at the event, we list in a table below some of the attributes of biometrics. One can turn this column of attributes into a matrix of biometric technologies by adding columns to the right which represent each type of biometric. Examples, include DNA, fingerprint, Iris, facial and more. The development of the matrix allows one then to evaluate a biometric against applications and to do a comparative assessment of biometric technologies.

Attributes

Enrollment

Time
Quality
Failure to Enroll
Invasiveness
Verification
Production
Operations

Verification/Authentication (1:1)

Time
Accuracy
Quality
Invasiveness
Remote Operations

Identification (1:N)

Time
Accuracy
Quality
Invasiveness
Verification
Remote Operations

Extensibility
Scalability
System Integration
Standards
Experience Base
User Acceptance
Privacy
Cost

Enroll
Operations

We will examine this table to better understand how this relates to a digital infrastructure.

Enrollment is the collection of the biometric and the verification that the individual being represented is actually that individual. The enrollment process does much to determine its practicality. For example, DNA is a unique identifier but the invasiveness of collecting body samples and the time to process are major impediments, in spite of its accuracy. But, facial biometrics are easily collected, even unknowingly.

We separate Authentication/Verification from Identification. The latter is the ability to take a biometric and identify the individual. While Authentication is the determination that the individual is or is not the one being represented. This has significant implications in the implementation of a system to accomplish each. The certainty of the identification is more complex. Identification based on a fingerprint is the determination of the individual from just this biometric. For many applications the time and cost of these functions will determine if they are acceptable. Some fingerprint identification operations are being accomplished in seconds against a database of 1M or more.

One must also consider the underlying technology to grasp the implications of this table. For example, as we discussed above, fingerprints are the only biometric that has scaled upward to large. This is invasive in that in the enrollment process the individual has to consent to its collection. Yet, history and experience have determined that quality fingerprints are a reliable biometric. Facial photographs are much less invasive but they suffer from low reliability. That is, the high degree of variation in both the enrollment and identification process results in significant questions if it is capable of large scale application. The quality of a facial image as a biometric varies by lighting, resolution, optical distortions, age and facial characteristics which can be changed by the individual, such as glasses and shaving by males. The iris is seen as just a reliable a biometric as fingerprint but it is much more invasive.

If we assume a biometric has acceptable quality and the public will use it, such as fingerprints or iris, the next set of considerations, as shown in lower portion of the table, will determine if the a biometric is practical. This includes the complexity of the implementation and its cost. Another factor is the ease, and cost, within which the system can be designed, implemented and operated. For example, the Hong Kong Smart ID card is a replacement for an existing ID card but not tied to criminality. While US–VISIT has a responsibility to do identity against travelers but to also check against undesirable persons, i.e., terrorists.

Our discussion to this point is focused on a single biometric. Yet, as we will see below, multimode biometrics or fusion biometrics are seen to have considerable value. Combining one or more biometrics could lead to more effective use of biometrics. The problem is that little research has been conducted in this area to validate such a conclusion.

Hong Kong Immigration – Making Biometrics Work

Raymond Wong of the Immigration Department of the Hong Kong government showed how biometrics can have practical application on a large scale. At the center is the Smart ID card, which has embedded in it two fingerprints, the thumbs, and a photo. The only biometric supported, however, are the fingerprints, while the photo is only for visual verification. The smart card is capable of being extended to support other functions that they call e-cert. Such extensions are at the option of the card holder. This being a trusted document, the design and implementation is more robust than money printing. One element which is different is the cryptographic key management to ensure a card which is impossible to copy. What is impressive about the Smart ID card is that it is one component of an overall system that has at its center biometrics for authentication of the individual.

Some of Raymond’s points include:

For a biometric system to be practical it must:

Support identification,
Support verification,
Be accurate and fast, and
Be automated.

The Hong Kong Immigration Department has broad responsibilities. These include not only entry and exit but birth, death and marriages.

Identity cards have existed here since 1949. With the Smart ID card, we are now on our 6th generation card.

The enrollment phase includes two visual inspections of the person and the papers. Enrollment can be scheduled on the Internet prior to visiting the Immigration Tower where all the processing takes place.

ID card production takes about 10 days and over 1M Smart ID cards have been generated to date.

The ID cards have extensive security measures from the embedded optical content, the printing of the information on the card and the cryptographic key system.

One of the first applications of the Smart ID card will be at the border crossing point with mainland China. At the Lo Wu crossing, 100,000 individuals pass a day. By the end of 2004 an automatic passenger clearance system will be installed. There will be 120 of these automated gates that will check the individual using the Smart ID card with a finger print scan.

Also to be installed is an automated system at the truck crossing point. This allows a truck driver to cross the border without leaving the cab of the truck.

Experiments are also being conducted with a facial recognition system. A prototype system has been assembled that uses a Tablet PC. This is enclosed in a portable case that has an OCR passport reader. Immigration inspectors can walk up to an individual, scan the passport, retrieve the facial image and visually assess if the individual matches the one on the passport.

Efforts are underway on the e-Passport. The plan is to get approval for this project by end of 2004 and to implement by the end of 2006 or early 2007. The e-Passport would have a photo and fingerprint on the inside cover page. [It was implied that the design would be similar to the Smart ID card.]

For biometric technology to be sustainable, it needs to meet this criteria:

Robustness – will not change over time
Distinctiveness – unique among the population
Availability – easy to obtain
Acceptability – non-intrusive
Mature – well established
Culture – fit with the culture of the users
Hygiene – be hygienic in use
Processing Speed – fast in operations
User Safety – safe to use

Making Biometrics Research Relevant

Much of the discussion of ICBA has been from an Asian perspective. Yet, surprisingly there are quite a few from the U.S. here – possibly as many as 20. Edwin Rood, of the Biometric Knowledge Center, West Virginia University, gave an interesting talk about directions for biometrics research in the U.S. His points included the following:

There is a problem in biometrics research. It is an interdisciplinary technology and does not fit well within the departmental structure of research in universities. As a result, it has not received adequate research funding.

The research issues which need to be addressed include:

Technologies
Measures of Effectiveness
Societal Implications
Economics and Workforce

To examine these issues, NSF held a workshop in April 2003 to examine the Biometric Research Agenda. This workshop produced a report from 50 individuals that assembled for this purpose in Morgantown, WV, over 3 days.

http://www.wvu.edu/~bknc/BiometricResearchAgenda.pdf

The driving conclusion was the critical need to understand and exploit existing biometric technologies with respect to modeling and scaling, quality of biometric data, fusion of modality and results and system performance.

This means there is enough data on existing biometric methods but we do not have adequate information on how it can be used effectively. The bottom line then became:

Modeling and Scaling,
Quality of Biometric Data,
Fusion of Modality and results, and
System performance.

[Note how many of these related to the big systems discussed earlier.]

From this, Edwin extracted that tends in research should lead to fewer efforts on single mode biometrics and greater activity in multimodal, systems, measures of effectiveness, societal effectiveness and economics and workforce.

A rather interesting analysis was then performed. Edwin reviewed the papers presented at the biometrics conferences, including ICBA, and found the trends wonting. That is, the papers presented are almost exclusively focused on single mode biometric technologies. Systems issues, such as those addressed by Hong Kong Immigration Department and US-VISIT are not addressed in the research efforts.

To respond to this need, the Center for Identification Technology Research (CITeR) has been founded. Its members include:

St. Lawrence University
West Virginia University
Michigan State University
Clarkson University
University of Pittsburg

The research portfolio at CITeR has some interesting efforts, such as:

Multimodal Biometric Systems
Statistical Basis for Multimodal Systems
Socio-Legal Assessment Study
Biometrics Business Case Study
Strategic Business Directions in Biometrics

Challenge of Biometric Fusion

Josef Kittle, University of Surrey, UK, gave a keynote presentation on “Fusion of Intramodal and Multimodal Biometric Experts.” It was one of the most interesting of the conference. One example in facial recognition was based on color channels. Three different methods related to the color channels netted TER, total error rates, of 5.8, 5.8 and 4.8. But when combined using a fusion process, the TER dropped to 1.9. This is an intramodal fusion because the same biometric modality was used, i.e., facial. Another example used face, voice and lips for the biometrics. In this case the HTER (1/2 TER) varied from .74 to 13.3. When it was fused and all modalities were used, the HTER dropped to .15. The last example was the fusion of face and voice with the HTER of 1.8 and 1.23. But the fused HTER was only .28.

Logic draws us to the expectation that the use of more than one and even multiple biometric measures would result in lower error rates. Professor Kittle showed that. The real challenge comes in operational environments. In these environments:

Not all sensors are assumed to be able to collect their respective biometric for every individual in the authentication/identification process,

The potential for fusion is limited to the number of biometrics used at the time of enrollment, and

Some biometrics are of higher reliability that others.

Operational expectations are that the use of biometrics will force the evaluation in the direction of the biometric with the highest confidence. Note that this is the case with Hong Kong Immigration which has both finger prints and images. The images are not used as a biometric. In fusion, we would expect that the weights applied to the sensors used for authentication/ identification should be based on the reliability of the biometric. The WAVE asked the question: How does one compensate for these issues in operational environments? In response, it was stated this is one of the issues to be addressed in the R&D of multimodal systems.

The promise of fusion also carries with it the need for more research.

Sensors for Biometrics

The WAVE spoke with Jean-Francois Mainguet, the developer of the swipe sensor. This is embedded in the HO iPAC h5450 and h5550 PDAs. All the major fingerprint systems use either an area or swipe sensor.

His perspective was interesting:

In consumer or PC related products, price is the driver over everything, including security and functionality.

There are many kinds of silicon sensors to detect fingerprints. These rely on capacitive effects, imaging, thermal and RF to detect the ridges in the finger. Sensors can be area or linear. In the case of linear, the fingerprint recording is reliant on the motion of the finger over the sensor. This motion creates the area image of the finger. While area sensors rely on a fixed finger position, usually over a glass surface.

The linear, swipe sensor, has the advantage of smaller silicon die area. This means lower costs.

There are compromises that drive the area sensor to smaller die area. ASIC chips are purchased from the fab based on the cost of a full wafer. The larger the sensor, the more the die area used per chip and thus the higher the sensor cost. In an effort to drive the costs down, the active sensor area may be reduce. This lowers the area of the finger imaged. Some sensor areas have been reduced to the point that the quality of the fingerprint sensing has been compromised. This only increases the probably that the sensor can be spoofed and an impostor can gain access.

There is nothing such as absolute security.

The silicon sensors are all subject to being fooled, i.e., the acceptance of an impostor. Some of the techniques are simply based on materials applied to the finger before imaging. If the same sensor is used for enrollment as for authentication the ability to spoof rises.

The expectation of decreasing imaging sensor costs are difficult. For example, using N-1 and N-2 semiconductor fabs to reduce costs can be futile. As the process technology continues to advance there is less incentive to use the older fabs. Futher, the imaging sensor has also become a platform for integrating electronics on the die. This can include USB interface for example. Thus, there is no Moore’s Law for sensors. The reason is that the die area, in both the area and linear sensors, is fixed by the need to directly image the finger.

The fingerprint sensors are in the early states of development.

WAVE Comments

A 100 year old technology is going digital. This was an excellent event to gain insights into the status of biometric research. Research plays an important role for providing the technology base for emerging applications of biometrics. At ICBA we saw projects both big and small built on biometrics research.

Biometrics based on fingerprints is only the beginning. The recent big scale biometric projects discussed here are examples where biometrics can have a societal contribution. We note that there is a close coupling between biometrics research and these practical projects. Hong Kong is a leader in both research and application. The U.S. is struggling with its research agenda while some of the signs are positive as reflected in the NSF funded assessment.

It is clear that biometrics can have value when applied on a mass scale. At the same time this is where the challenges lie. Earlier we spoke of the Grand Challenge which is posed by biometrics and the presentations only reinforced this. However, this will not happen in a vacuum. Much of the core science is missing. Many of the practical business issues have also not been addressed. Paramount in the mind of the public is privacy issues.

Given that the digital infrastructure will not become less hostile, biometrics is likely to play an increasing role. Yet, the challenges for the application of this technology remain formidable. Only a big project will have the necessary impact. As we have seen at ICBA, this crosses political, geographic and cultural boundaries. In reality, the technical issues may be minor compared to the latter boundaries.