Click here to Subscribe

Biometrics Consortium
By John Latta, WAVE 0541 10/14/05

Arlington , VA
September 19 – 21, 2005

The Biometrics Consortium event is run by various departments in the U.S. Government. It is not often that there is a conference which spans academia, many branches of government and the commercial sector. Yet, the unusual nature of this event is a reflection of the scope of biometrics and the role that it plays in government and beyond. There are multiple tracks on applications, standards, research and technology. With each year the exhibit improves and this year a number of companies are from overseas.

Biometrics To Enter the Mass Market

In one of the most bullish reports on the applications of biometrics to commercial and consumer markets, AuthenTec’s President and CEO, Scott Moody, predicted that there would be 10 – 20m computers equipped with biometrics in a few years. In a novel twist he predicted that the fingerprint sensor would provide navigation on notebooks which has joystick-like operation and scroll wheel control.

Scott claims that 2006 will be the year that biometrics achieves critical mass in consumer and commercial markets.

For a technology to reach critical mass the following must fall into place:

Technology maturity
Low cost
Small Size
Demonstrated Compelling need
Value to the buyers

And, time for the market to develop.

This latter factor is now happening. AuthenTec is seeing this in the sales of its sensors for fingerprint readers.

There are now over 25 notebooks with fingerprint sensors. Some companies will have them on every notebook in the line. Likewise there are over 75 PCs and peripherals with fingerprint sensors.

4m cell phones have been shipped with fingerprint sensors built in. The action in this sector is in Asia.

Initial PC applications for biometrics include:

Secure Pre-Booth Authentication
Password Replacement
File and folder Encryption

Scott expanded considerably the potential use of the biometric sensor
.

Independent fingers could be used to launch specific applications – Speed launch

Independent fingers could be used to go to specific web sites

Movement of a finger over the sensor emulates a mouse and scroll wheel. Scott went so far to claim that this control with the finger could replace other pointing devices on the notebook.

Initial mobile applications include:

Phone startup
Dial Lock and unlock
File protection
Hot keys
Speed dial

In Japan biometrics already plays an important role in m-payments. The NTT DoCoMo F900iC phone can be used in many places in Japan to make micro payments. This includes many soft drink vending machines in Japan. The cell phone is like a wallet.

The power of touch summarized his major points:

Biometrics improves security by protecting your devices and data

Biometrics allow for personalization – it is about you

Biometrics enables navigation – your finger becomes your mouse

Biometrics is about convenience – it makes your products easier to use.

Rather lofty goals and claims but plausible if biometrics, i.e. fingerprint sensors, become ubiquitous.

Consider this.  What if fingerprint sensors were used for navigation? This would not only accomplish identification but the persistence of the finger on the sensor for navigation would assure presence and an unbroken use of the machine since log on.

Interesting.

NIST – Setting the Standard in Biometrics Technology and Application

The WAVE reported from last year’s Biometrics Consortium event, the FRGC (Face Recognition Grand Challenge), whose goal was to improve facial recognition performance by a factor of 10 – getting close to fingerprints. In an early report, Jonathon Phillips, NIST (National Institute of Standards and Technology), reported on impressive improvements.

NIST has been at the forefront of being an independent test, evaluation and standards supporter of biometric technology. Much of this has been driven by the Patriot Act. Shashi Phoha, Director, Information Technology Laboratory, NIST put NIST’s role in context:

To make biometrics a mature technology.

We seldom hear someone advocate accelerating the rate at which a technology reaches maturity. But in the case of NIST and the application of biometrics, this is logical. That is, the technology is widely available, the prices have been driven to the lowest points and standards are mature. Thus, it is possible to deploy large scale systems which focus on use and not the technology.

Jonathon described a number of initiatives at NIST. The FRGC program has an objective and goal of:

Promote and advance face recognition and develop still and 3D algorithms to improve performance an order of magnitude over FRVT 2002.

The FRGC effort has many components:

Sensory accuracy;
Preprocessing/Reconstruction and Compression
Image Quality Measures
Algorithms
Metadata such as eye coordinates, pose and gender

The modes examined included:

Single still
Multiple stills
Outdoor/Indoor
Single 3D view
3D full face

The baseline performance in from FRVT, Face Recognition Vendor Tests, 2002, was a TAR of 80% with a FAR of .1%. Initial results from FRGC show:

Multi-Still – 99.99%
High Resolution Single Still – 99%
Three Dimensional – 97%

There will be a Face Recognition Advanced Study Workshop, November 11 – 14, 2005, at West Virginia University, Morgantown, WV. The objective is to identify the next steps in face recognition.

The other effort described is ICE – Iris Challenge Evaluation. Its gorals include the assessment of the technology and facility technology development. It will be modeled after FRGC and FRVT 2005. The end result is hoped to be improved recognition algorithms.

Christopher Miles, NIST, described a number of activities at NIST. These include:

NIST has posted public domain fingerprint image software whose performance exceeds many commercial algorithms.

NIST now has sample fingerprints (>95m) available for testing

NIST has developed new measures of fingerprint quality and made available algorithms to measure it.

Serious consideration is being given to another revision of the Fingerprint Interchange Standard which was last revised in 2004 – ANSI/NIST-ITL 1-2000.

Large Scale Biometric Systems

Joseph Atick, President and CEO, Identix gave a thoughtful and interesting presentation. Some of the key points included:

There is no such thing as a small biometric system. Once systems are launched they rapidly grow to become large. It is my view that biometric programs are more likely to fail due to lack of scalability and inefficiency than because of fundamental technology limitations.

One of the problems with today’s metrics is the focus on fixed values of TAR and FAR. Masked in this is the role of quality. For example, in finger print TAR performance this varies from 27.8% with the lowest quality, NIST scale of NFIQ, while the value rises to 99.4% at the highest quality. FAR is 1%.

What is important is to consider PmF – Probability mass Function. This is the distribution of quality of the fingerprints. With a sample of 500,000 fingers there are over 20% of the fingers and images of them which are considered poor quality.

A strategy to overcome some of these limitations it to use more than one finger when the quality of the first finger is low.

Identix suggest the five factors are responsible for facial quality (FCERT):

Faceness
Compression
Exposure
Resolution
Texture

DigitalDefense – Is this the first Ambient Biometrics product?

DigitalDefense was showing an impressive smart card which seemed to have it all. It is a non-contact smart card, with enrollment on card (EOC), template on card (TOC) and match on card (MOC) for $149. It was claimed that a “large” deal for mass market use will be announced in January.

The specifications are impressive.

Finger print reader on card
200MHz processor with 400MHz optional
8MB Flash with 16MB of RAM (Flash file to 1GB)
Size 85.6mm X 54mm X 4.5mm
Interoperable with HID 125KHz readers
Interoperable with MIFARE 13.56MHz readers
Proprietary wireless capable of 10m range
3DES encryption
Finger authentication in <1sec
No contacts on the card
Retail price $149.

It was stated that these cards are well suited for FIPS 201. One of the advantages of the card is that since it is completely held by the individual privacy is not an issue. The card can output, based on MOC, whatever is required by the application. This includes a PIN, Log on id and much more.

Pricing is quite sensitive to volume and DigitalDefense recognizes that mass markets must be a far lower prices.

Standards and Testing

The scope of biometrics standards is extensive. What was impressive is the progress in the last year. The government is driving the standards process to avoid vendor lock in and to have consistent repeatable performance. This is the same as that which enterprise users of biometrics will eventually demand.

Consistent with the NIST intent to drive biometrics to maturity, the standards process is making headway. One of the most interesting is the adoption of profiles, as part of the INCITS M1 standards process, similar to what was so effective in Bluetooth. Two interesting ones are for Point of Sale Biometric Identification and Commercial Biometric Access Control. With the progress being made in e-Authentication, we wonder if domain logon is on the horizon for this as a candidate profile.

There were many presentations on standards and testing. Key points will be highlighted.

In order to do accurate testing, NIST recommends that the sample size be 60,000 individuals for one-to-one biometric matching and 1,000,000 with one-to-many testing.

Tests have been run on fingerprint matching SDKs to evaluate performance. Five vendors have been tested with 11 SDKs. Equal error rates, FAR = FRR, of .001 are possible with single fingerprints. When 2 fingers are used, the FRR can be less than .01 with a FAR of .0001. With a FAR of .0001, the best single finger TAR was .9918 and this rose to .9987 when two fingers were used.

The standard interchange format for fingerprints is being reviewed by NIST and is expected to be updated by ANSI. This is also the defacto standard at ISO. It is also similar to the commercial M1 standard. One of the objectives of the review is to harmonize both M1 and ANSI/NIST versions. Areas of extension include the use of XML and 3D facial.

The Presidential directive that all employees and contractors of the federal government carry cards is known as HSPD 12. This is responsible for the PIV initiative (Personal Identity Verification). Compliance with the standard is to begin by October 27, 2006. This includes the issuance of cards that support both physical and logical access. It is a requirement that these be interoperable among all branches of the government. The card will also be required to access government computers. Each card will have two fingerprints.  The use of this biometric has not been defined. The document which describes the role of biometrics is SP800-76 and it is in preparation now. One of the issues is that if fingerprint image data is stored, this would consume 40k on a 64k card.

e-Authentication remains an area of activity. This is in part driven by OMB M-04-04 Policy Guidance. The document SP800-63 provides the technical framework for remote authentication. OMB M-04-04 defines 4 levels of security. The exact role of biometrics remains to be determined. Some have discussed that this fits in level 3 and 4 as one factor in a multi-factor authentication. There has been formed an Ad Hoc group under INCITS M1 to resolve a number of issues to be addressed on e-authentication over open networks. However, persistence of the identity has not become a part of the e-Authentication deliberations.

The U.S. standards activity is being done under INCITS – M1. International standards are under ISC and IEC are part of SC37 group. The M1 standards have become comprehensive and include:

Interchange formats for individual biometrics
Conformance testing for the Interchange formations
Application profiles
Performance Testing and Reporting
Interface Standards – Including the BioAPI
Conformance Testing Methodology (for the BioAPI)

New Projects under M1 include:

Changes to BioAPI to support biometric fusion
BioAPI “Lite”
Biometric Sample Quality
Face Template based on MPEG-7

Version 2.0 of the BioAPI is expected to be approved in 4Q 2005 or 1Q 2006. This supports external biometrics so that multiple biometrics can be managed independently.

BioAPI “Lite” is to support reduced functionality and minimum overhead devices. This can include personal devices, remote controls and authentication tokens.

On the Exhibit Floor -

Sarnoff Makes Iris Real

Sarnoff showed the much anticipated Iris-at-a-distance technology. One just walks through a portal slightly larger than a standard airport magnetometer. Bingo. One is authenticated or rejected.

There have been rumors on the Iris portal and now it is real. It is called Iris on the Move (IOM). This will support up to 20 individuals a minute. One only has to open one’s eyes as they walk through – some will have to remove glasses. It will support gaze as much as 15 degrees off axis. Individual’s varying in height from 5’3” to 6’3” can be accommodated. Sarnoff is looking for a partner to commercialize the technology. As shown on the exhibit floor is looked commercial grade.

Fujitsu – Palm Vein Recognition Makes U.S. Landing

Fujitsu is using autofocus technology to image palm veins into is notebook domain log on sensor.

The IR sensor being advocated for use in notebooks is 1” X 1” by ¾” (deep). What is key is that there is autofocus built in which is claimed to negate the need for a hand placement jig. Thus, an individual only needs to move the hand up and down in proximity of the sensor and it will autofocus at right location to detect the full palm.

Verifi Touts Enterprise Support for Fingerprint Readers

Touting a driver embedded in Windows XP, Verifi was showing their USB fingerprint readers. This uses the AuthenTec sensor in a robust metal case. It is claimed that the sensor can be moved from system to system and perform identification as required. Further, there is also a waterproof case available. Price is $70 in 1,000 unit quantities.

Digent – Optical Fingerprint Reader on a Mouse

This Korean based company has the IZZIX VM 1000 optical mouse with an optical fingerprint sensor. It images to 500 dpi and creates a template of 480 bytes. An SDK is available for use on Windows and costs $2,000. The IZZIX Secure PC software package provides for:

Windows logon
Fingerprint document encryption
File encryption

This software comes with the mouse.

The sensor is on the side of the mouse and best suited for the right hand thumb.

All 22,000 Samsung employees are using this product.

Pricing is $60 for 10,000 units FOB Korea.

Nevenvision – Portable ID Device

Slightly larger than a PDA, the Mobile Identifier contains an impressive set of capabilities:

Face recognition
Fingerprint sensor
Skin Analysis
License plate recognition
Tattoo recognition

The unit is only 13.6 oz and has a battery life of 8 hours. Communications include: Bluetooth, USB and 802.11g.

WAVE Comments

There were significant promising results from the Biometric Consortium conference. In particular, standards are having the impact of lessening vendor lock-on and the drive for standards-based components and systems is even reaching the enterprise level. Governments and high volume users of biometrics are driving the role of standards. As NIST stated, we want biometrics to be a mature technology. This is counter to what many companies seek to achieve with proprietary solutions and technology. At the Biometrics Consortium conference the buyers are winning.

There are early indications that mass market use of biometrics could happen in 2006 just as there are indications that biometrics is achieving greater public acceptance. Biometrics for access, be it borders or physical buildings, is accepted. The implementation varies based on need and technology used. These are high volume applications where the use of standards-based components has increasingly become the norm. And, biometrics for logical access is starting to achieve acceptance. However, its role over Open Networks has yet to be established.

The WAVE has discussed the notion of ambient biometrics and we saw the first serious examples of this at the Biometrics Consortium in the form of a suggested Identity Phone and smart cards.

But, what is missing? There needs to be a clear solution to the eAuthentication problem, from levels 1 to 4 – be it with or without biometrics. Is there logical access with persistence? We were told that this is not yet on the radar of the standards process. And, what is especially missing is the integration of enterprise use in the standards and especially its own profile.

Comments?
E-mail webmaster
Page updated 1/24/07
Copyright 4th Wave Inc, 2007