The Customer wishes to implement a high-security personnel identification system using biometrics to establish an imposter-free identity database and to verify the identity of authorized persons. The biometric system will support a centralized enrollment process to establish that each person enrolled in the system is unique; that is, that no other record in the database represents the same person regardless of differences in name or demographic information. Autonomous biometric sample capture and analysis devices will be used in the field to verify a subject’s claimed identity

Fingerprint 1:N (one-to-many) match techniques will be used for the enrollment identity uniqueness match function because this technology has a proven record of accuracy in systems using large databases. In addition, fingerprint biometric technology is already used by a number of US federal agencies (e.g., the FBI, INS, Department of State), ensuring that complementarities will exist between these national interest systems and the Customer.

In conjunction with the fingerprint 1:N matching, a second (to be determined) 1:N biometric-based match technique will be used to ensure the enrollment identity uniqueness. Both the fingerprint and the second biometric match processes will occur in parallel at the Customer’s enrollment center. If either technique results in a potential match candidate list, verification operators at the Center will review the results and make a yes/no determination of match.

Both fingerprints and one or more additional biometric technologies ¾ such as the analysis of iris striations, hand geometry, or voice patterns ¾ will be used for supporting 1:1 identification verification functions in the field. At the time of enrollment, all biometric samples will be captured in a single session.

Enrolled individuals will be given a personalized identity “SmartCard” that can contain (encrypted) date in on-board memory; this smartcard may also contain a processor, program and data memory, and a crypto coprocessor. The Customer’s smartcard ID will support software libraries for enabling biometric feature matching, data access security, public key infrastructure, and cryptographic functions. In the field, users will verify their claimed identity by submitting one or more biometric samples to a local scanning device linked to the user’s smartcard ID.

The scanner will obtain an image of the biometric sample(s), perform an encryption function on the image data, and pass these data via a secure dialog mode to the smartcard. The smartcard’s data will be decrypted (or the card’s on-board crypto coprocessor will decrypt the data) and the data will be passed to the card’s CPU, which will then perform a 1:1 match operation to verify or deny the user’s claimed identity. The results of this match operation, together with the user’s authority levels, access permissions, etc. will then be forwarded, encrypted, to an authorized terminal for human inspection and action.

Ideally, the smartcard will contain a programmable processor, program memory, data memory, and a crypto coprocessor capable of supporting triple-DES and RSA cryptographic functions. Applications will run in the card under the Microsoft Windows for Smartcards operating system. The smartcard media will be polycarbonate material with a lifespan of at least ten years. The smartcard will display printed text and image information on its surface (e.g., the demographics and color portrait of the person authorized to possess the card) and this information will be protected by a high-security laminate material with holographic features to guarantee authenticity and highlight attempts at card tampering.

Data stored in the card will be hashed using a one-way hash function, encrypted, and then signed using a public key infrastructure (PKI) private key by the card’s processing elements. Other keys will be used to verify the authenticity of external input/output elements (e.g., scanners and upstream processors or terminals).

In order to mitigate the effectiveness of an attack on the scanning and processing elements of system clients (e.g., remote terminals), the reader/processor technologies will make maximum use of available tamperproof or tamper-resistant modules. Until a truly tamperproof scanner/processor becomes available, as it is expected to within the next two years as an embodiment of CMOS technology, remote clients will employ a tamper-resistant scanner/processor “package” consisting of a solid-state scanner chip and an outboard ASIC processor device potted together in a tell-tale substrate that will instantly reveal an attempt to penetrate the potting material in order to hack the module’s I/O leads.

The rationale and criteria used for selecting this approach to the problem of providing highly secure personnel identification instruments is described below in Sections I.1 and I.2.

2. Requirements for a High-Security ID System (Go To TOC)

2.1 General Requirements

High-security personnel identification applications require that the selected ID system architecture support each of the following general functional requirements:

[Note: These general requirements apply equally to commercial point-of-sales (PoS) and point-of-transaction (PoT) operations, except that the FRR and FAR values required for these opportunities are much lower than those for ID applications. Commercial service providers are likely to take a much more liberal view of permitting unauthorized subjects to commit fraud in their systems since these costs can be passed along to the legitimate user community in the form of higher fees. In addition, commercial providers of ID verification card systems are much more likely to emphasize customer acceptance (e.g., low FRR values) than are government managers of benefits or privilege systems such as welfare or driver’s license operations.]

Wide-scope confirmation of the uniqueness of each enrollee’s identity before issuing the primary ID document (e.g., the system must ensure that each document holder has the ability to obtain one, and only one, ID card of the type controlled by the issuing agency).

Robust data security features that guarantee a high degree of data te performance -- e.g., an overall False Acceptance Rate (FAR) equal to or less than 1:10,000.

Moderate false reject rate performance -- e.g., a False Reject Rate (FRR) equal to or less than 1:100.

2.1.1 Desirable Characteristics of a Human Identifier (Go To TOC)

In the Table below we describe set of criteria that were used to assess alternative means of personal identification. [Note: These objectives exhibit internal conflicts that must be resolved during the design phase of system implementation.]

Under ideal conditions, a human identification system will exhibit each of the following characteristics (i.e., “The perfect human identifer will be …”):

Universal ¾ every relevant person should have an identifier.

Unique ¾ (a) each relevant person should have only one identifier and (b) no two people should have the same identifier.

Permanent ¾ the identifier should not change, nor be changeable.

Indispensability ¾ the identifier should be one or more natural characteristics, which each person has and retains. If artificial, it should be possible to enforce the identifier to be available at all times.

Collectible ¾ the identifier should be collectible by anyone on any occasion.

Storable ¾ the identifier should capable of being stored.

Exclusive ¾ no other form of identification should be necessary or used.

Precise ¾ every identifier should be sufficiently different from every other identifier that mistakes are unlikely.

Simple ¾ recording and transmission should be easy and not error-prone.

Cost-Effective ¾ measuring and storing the identifier should not be unreasonably costly within the context of the application and associated risk.

Convenient ¾ measuring and storing the identifier should not be unduly inconvenient or time-consuming.

Acceptable ¾ its use should conform to contemporary social standards.

2.1.2 Required ID System Performance and Features (Go To TOC)

The following assumptions underlie the technology trade-off analyses presented later in this Section:

Every user must first be determined to be unique before he is enrolled in the system. That is, regardless of the name claimed by the subject, a check will always be required to determine that each person enrolled in the system has never been enrolled previously, either using the current given name or any other.

This necessarily implies that the “uniqueness check” must be conducted against the entire database of previously enrolled clients, and that unique identifiers, other than name, are used to verify that the current enrollee is not already in the system. This implies that some form of identification technology is used that measures intrinsic, tamper-proof aspects of the subject, such as biometrics. For this reason, an underlying assumption of this analysis is that some form of biometrics would be used for the enrollment operations carried out by the Customer.

An identification instrument, such as an ID card, will always be issued to every client registered to the system, even though it may not be required to conduct any given identity verification transaction (e.g., because the point-of-sale/transaction terminal initiating the operation is directly connected to a central database).

Personal data ¾ including biometric information, account data, and other information unique to the subject ¾ may be both embedded in the ID card itself and stored at the Customer’s headquarters site. Storing these data in a centralized location enables the field agent to carry out an additional check of the card’s data integrity by comparing its data set to the secure version stored at the headquarters site.

However, in order to reduce network traffic and to decrease the cost of buying and installing the terminal-readers necessary to both read ID card and capture biometric information, the assumption is made that many, if not all, local identity verification transactions will be based on reference to the data carried by the card itself, and not to an external source. [Of course, either method is possible if the data is in the card; solutions that that lead to the issuance of data-less cards, on the other hand, can never support standalone local operations and are limited in terms of their ability to be used in novel applications or to be extended to other markets.]

To provide the greatest possible flexibility and extensibility of the solution design, therefore, a key assumption is that every identification card will carry all of the information necessary to carry out local identity verification procedures and to initiate system-related transactions. This implied a design that will incorporate low-cost elements for enabling secure data storage, biometric capture/processing, and transaction processing within the card itself.

In every transaction, the ID card, the data it stores, and the subject’s identity will be considered equally questionable until proven “genuine” according to accepted procedures and at the levels required or permitted for each type of transaction.

This assumption implies that methods for analyzing and certifying the genuineness of both the card itself and its data are made intrinsic, undefeatable elements of the solution design. For the purposes of implementing this assumption, any data elements that may be obtained from external (non-card) resources or processes that are carried out outside the card will be considered to be suspect unless certified by internal (on-card) decryption routines (e.g., using public key / private key protocols, hashing, and strong encryption). In regard to card/external source data reliability, it is further assumed that any interface between the card and an external process (such as a reader, central data source, or external processor) can and will be hacked unless it is secured by strong encryption features and the exchange of machine-machine digital signatures to verify both the authenticity of the originator and the integrity of the exchanged data.

A secondary assumption is that any dialog required between the point-of-transaction terminal and a central database must be made secure, and that data obtained by means of this dialog must be subjected to rigorous security evaluation at the point-of-transaction before it is used to implement the identity verification itself (i.e., the binary conclusion that the subject-claimant is or is not the person she/he claims to be) or the fundamental elements of the transaction (e.g., the issuance of security-approved tokens, access to data or facilities, etc.).

The requirements for initial enrollment (i.e., uniqueness-checking) imply high FRR performance; in other words, the biometric matching system will rarely (ideally, never) report that the biometric record(s) for a previously-enrolled person is not in the database .

The use of multiple biometric solutions also has the benefit of increasing the cost of successfully defrauding the system, since the attacker would have to develop solutions to more than one obstacle. A key secondary assumption is, therefore, that multiple biometric technologies will be employed in the final solution design.

2.1.3 Selection Criteria (Go To TOC)

Biometrics include fingerprint and palmprint systems based on friction ridge minutiae, iris and retinal feature matching, facial feature matching (thermal patterns, feature patterns, eigenfaces), hand and finger geometry matching, micro-DNA sample matching, etc. The selection of a “best” biometric identification technique for use by the Customer is difficult (as regards the issue of the adopted solution’s political acceptability, civil authorities have more leeway in selecting an appropriate means of personal identification since the benefits dispersal systems they manage are not dependent on “customer approval”). In selecting between biometric approaches consistent with the requirements set forth in Section I.1.2, two additional considerations must be added to those presented in Table I.1-1:

Open Search Capable ¾ the biometric can be used to guarantee the uniqueness of a database through open (one-to-many) searching and results verification.

Closed Search Capable ¾ the biometric can be used to verify a subject’s claimed identity through closed (one-to-one) searches resulting in an automatic binary (Yes/No) results verification.

The best solution for the Customer’s security requirements is to implement a system that supports multiple biometric modalities, e.g., using different biometric techniques for enrollment and “Point of Transaction” (PoT) operations or, in the alternative, one that combines multiple techniques for point-of-transaction and a dissimilar biometric identification model for enrollment.

In addition, as determined by an analysis of the system performance and feature requirements described in Section I.1.2, other important issues concerning the selection of technologies to incorporate in the design solution for the Customer emerge as follows:

► What means will be used to assure the genuineness of the ID instrument itself?

► What means will be used to protect and secure the data?

► What means will be used to protect the integrity of the identification transaction process (e.g., from external hacking)?

2.1.4 Enrollment (Go To TOC)

To enable enrollment of the widest possible number of potential users and to guarantee database uniqueness, the selected biometric must:

► Be captured at minimal expense.

► Be made available either (i) in multiple instances for each subject (e.g., 10 fingers per person) or (ii) be intrinsic to the definition of an allowed subject/candidate (e.g., each subject must have a face).

► Support open search techniques with overall FAR performance (e.g., FAR equal to or less than 1:10,000).

► Support a reliable “lights out” or “exception only” post-search results verification operation that minimizes labor-intensive human verification operations while at the same time maintaining an acceptable level of accuracy.

2.1.5 Verification (Go To TOC)

To support efficient field identity verification operations, the selected biometric data capture subsystem and its supporting biometric matching techniques must:

Support at least two dissimilar biometric techniques on the same card; one designated the nominal primary and the other the nominal secondary.

The application user must have the ability to designate which one (or both) of the biometric techniques will be used for any given class of transaction.

Some applications may permit the secondary biometric to be used in cases where the match on the primary fails or where the subject is unable to provide the sample required to support a match operation on the primary biometric (e.g., an eye or finger is bandaged).

2.1.6 Local point-of-transaction biometric operations (Go To TOC)

The ability of the underlying card technology used to support the on-site (point-of-transaction) verification process requires a cost-effective on-card data storage capability. Given the need to store two dissimilar biometrics and the possibility that all ten fingerprint 1:1 verification match templates might be stored on the card, an ID card data storage capacity budget of at least 10 Kbytes data memory is suggested.

Local readers must read both the subject’s “live” biometric at the point-of-transaction as well as the PIN, biometric, or other data essential to the transaction.

Using “dumb” smartcards ¾ that is, smartcards capable only of supporting data memory ¾ all biometric matching operations (1:1 or 1:N) will be carried out in the local reader device.

Using “bright” smartcards ¾ that is, smartcards with processing capabilities, application memory, and data memory ¾ 1:1 ID verification matching will be carried out in the card itself, independent of a centralized database.

2.1.7 FAR / FRR performance (Go To TOC)

Support high FAR performance (e.g., the combination of biometric techniques must yield a FAR of at least 1:10,000)

Some security applications may require higher FAR performance (e.g., >1:10,000), in which case the concatenation of FARs for both biometrics should yield the desired performance level.

3. Card Design (Go To TOC)

3.1 Features

Individuals enrolled in the Customer’s system will be given a personalized identity card containing a processor, program and data memory, and a crypto coprocessor. The smartcard will contain a programmable processor, program memory, data memory, and a crypto coprocessor capable of supporting triple-DES and RSA cryptographic functions. Applications will run in the card under the Microsoft Windows for Smartcards operating system. The smartcard media will be polycarbonate material with a lifespan of at least ten years. The smartcard will display printed text and image information on its surface (e.g., the demographics and color portrait of the person authorized to possess the card) and this information will be protected by a high-security laminate material with holographic features to guarantee authenticity and highlight attempts at card tampering.

The smartcard will support software libraries for enabling biometric feature matching, data access security, public key infrastructure, and cryptographic functions. In the field, users will verify their claimed identity by submitting one or more biometric samples to a local scanning device linked to the user’s smartcard ID. The scanner will obtain an image of the biometric sample(s), perform an encryption function on the image data, and pass these data via a secure dialog mode to the smartcard.

The card’s crypto coprocessor will decrypt the data and pass it to the card’s internal CPU, which will then perform a 1:1 match operation to verify or deny the user’s claimed identity. The results of this match operation, together with the user’s authority levels, access permissions, etc. will then be forwarded, encrypted, to an authorized terminal for human inspection and action. In this high-security scenario, two identity checks are made independently.

3.2 Ensuring Card & Data “Genuineness” (Go To TOC)

Even if the cardholder is determined to be the “true” holder of the card, it is still possible to defeat a security system by generating counterfeit cards using compatible biometric technologies. Combined with genuine data from the system-held file of an authorized client, these cards would appear to be genuine, and their holder could prove his identity on the basis of an ability to match the biometric files contained in card memory. In such cases, the holder would be given access to protected assets despite the fact that he is a fraud.

Therefore, card and data security are just as important as personal identity verification. Several techniques are available to protect the genuineness of card stock and embedded card data; at least two of these approaches should be used in combination:

Data Encryption: Data can be encrypted and written to the card using public/private key techniques. Once written, the counterfeit will have to overcome the encryption barrier in order to associate the impostor’s biometric and PIN data with the correct “key,” making it difficult or impossible to decrypt the biometric data on the card and initiate the biometric match sequence necessary to complete the transaction.

Card Tagents: RFID tagents can be inserted into the card’s substrate during manufacture, then encoded with a random number that uniquely identifies each card as it emerges from production. Encrypted in the header file of the user’s embedded PIN (e.g., on magnetic stripe, bar code, or internal ROM), this number must match the encoded number read from the card at the point-of-transaction or the transaction will be terminated.

Hidden Card ID Numbers: Card ID information can be “hidden” in any object printed on the card itself, such as bar codes, photos, or even text. Visible only to the reader device, this information verifies the genuineness of the card by generating an RSA-encrypted Card ID Number that uses the PIN as the seed to spawn the RSA public key code. The card reader compares the hidden number to the private RSA key; if they are compatible, the card is determined to be genuine and the transaction proceeds.

Magnetic Stripe “Watermarks:” A data watermark is encoded data encrypted in the data stored on the magnetic stripe. The watermark provides a certification of authenticity function for the magnetically encoded data.

Security Laminates and Holographs: Security laminates provide a physical protection against forgery by either chemical or holographic ‘engraving’ measures, making it difficult, impossible, or unfeasibly expensive to tamper with the underlying card substrates (e.g., the layers that carry data) without destroying the card or rendering it obviously compromised.

3.3 Smartcard trade-off analysis (Go To TOC)

The following trade-off analysis is presented to help the Customer determine the “best” instrument for use in the Customer’s personnel security system:

Technology	Cost	Resistance to Attack	Storage Capacity	Processing Capability
Magnetic Stripe Card
Magnetic Stripe Only	Very Low	Low	Low	None
Magnetic Stripe + 1-D Barcode	Low	Low	Low	None
Magnetic Stripe + 2-D Barcode	Low	Moderate	Moderate	None

Contact-Smartcard
Data Storage Only	Low – Moderate (depends on capacity)	Low	Low - High	None
Data Storage EEPROM	Moderate	Low	Low - High	None
Data Storage EEPROM + RAM + Processor	High	Moderate	Low - High	Yes
Data Storage EEPROM + RAM + Processor + Crypto Coprocessor	Very High	High	Low - High	Yes

Contactless Smartcard
Data Storage Only	Low	Low	Low - High	None
Data Storage + EEPROM	Moderate	Low	Low - High	None
Data Storage EEPROM + RAM + Processor	High	High	Low - High	Yes
Data Storage EEPROM + RAM + Processor + Crypto Coprocessor	Very High	Very High	Low - High	Yes

Table 3.3: ID Instrument Type/Features Evaluations

Typically, the Customer’s identity card will require high resistance to attack, moderate to high storage capacity, and internal processing capabilities for both ID application management and cryptographic functions. With these requirements in mind, the appropriate choice for an identity card appears to be either the contact or contactless smartcard with data and program memory (EEPROM) and an internal processor and crypto coprocessor.

The minimum requirement for the purposes of the Customer’s secure ID program is a card with an 8-bit CPU, 16-bit crypto coprocessor, and 32 Kbytes each of RAM and EEPROM. The current price for smartcards meeting these specifications is ~$5 in quantities of 1 million units. This price is expected to drop substantially over time, or if larger quantities of cards are ordered. Smartcards supporting 64 Kbyte RAM/EEPROM chips and 32-bit CPUs are already on the market, and as these advanced products move into mainstream production the cost of products meeting the minimum specification set forth above will further decline.

3.4 Key Design Assumptions (Go To TOC)

The following key design assumptions are the foundation of a recommended plan for the Customer’s system:

Fingerprints will be used exclusively for the initial enrollment open search. In order to keep the cost for the system as low as possible, the capability to accept digital (livescan) fingerprint data from applicants will be provided.

Whenever possible, a secondary biometric alternative ¾ iris striation analysis ¾ will be used to improve false acceptance rate performance in high-security transactions and to eliminate client rejection by improving false rejection rate performance.

Facial feature data will also be obtained from each enrollee. If supported by the scanning techniques used to capture the enrollee’s facial image, these image data will be processed to yield both eigenfaces information and the iris pattern data from both eyes.

Face or iris features might also be used to assist in the elimination of non-matching candidates generated during the initial (enrollment) fingerprint open search. Whenever secondary biometric information is available, the opportunity exists to perform “2 of 3” voting, using the binary match verification results of both iris matches and the facial feature match. If the system is networked, or if a smartcard is used and all match result data can be logged and audited, the system will flag successive failures to match a specific biometric feature (e.g., face or either iris, or a combination of these). Successive failures indicate the need for re-enrollment of the failure-prone feature.

Signatures and static photographs will be exhibited on the surface of the ID card, but this information will not be considered reliable for the purposes of automatic, hands-off personal identity matching.

Hand geometry, voice patterns, and signature dynamics data will also be collected at the time of enrollment. These data will be stored with the enrollee’s central site record and may also be recorded on the individual’s ID card, as required.

3.5 Concept of Operation (Go To TOC)

The integrity of a card secured by a combination of the above described biometric and encryption techniques will be formidable. Combined with biometrics for personal identification of card holders, as described in the Figure below, the cost to defeat such systems would be very high and would therefore establish a barrier to fraud that could be overcome only with great difficulty.

Figure 3.5: Overview of Identity Verification Functions

Note that the key elements of the identity verification functional flow are not limited to personal identity verification alone (i.e., biometric matching), but to an interlinked, four-level series of identity verification procedures that analyze the authenticity of the person, the transaction, and the identity card itself. In addition, the use of multiple biometric identification techniques based on dissimilar feature encoding and matching using the same basic image (e.g., the face) will serve to further frustrate any attempt to breach the integrity of the verification process.

This approach not only establishes the highest possible barrier against fraud, it enables the identity document (and its associated identity verification functions) to be used in a wide variety of low-, medium-, and high-security applications. For example, under certain circumstances, some transaction might be allowed to proceed once the card and its data were determined to be genuine. Transactions may or may not require biometric verification, or, if they do, might require a check of either the primary or secondary biometric alone. Some transaction requests might be assumed valid if initiated after a successful logon involving an ID verification while others ¾ particularly in cases where there may be multiple or alternative transaction types supported by the system ¾ may require that the subject must not only have authorization to access one or more transaction types carried out in the same on-line session but must also re-verify his identity for each transaction type.

Finally, the system must process the transaction itself or hand off a control code to an external processor that signifies that the subject has passed all required card and data integrity tests, has passed any and all required personal identity verification procedures, and has the necessary authorization to initiate the requested transaction.

4. Biometric ID Technology Trade-off Analyses (Go To TOC)

This Section will present an overview of identification techniques based on biometric technologies.

4.1 General Issues Regarding Biometric Identification

Biometric user authentication techniques require a user to present identifying information based on an unchangeable personal feature. This may be a physical characteristic, such as a fingerprint or iris features. Or it may be a characteristic behavior, such as a signature or voice pattern. By various means, the system ‘reads’ this characteristic and converts it to a digital representation. This is compared to a stored biometric ‘profile’ for the user. For example, a user can place their index finger on a sensor that reads their fingerprint and summarizes it in a small data set called a “template.” This representation is compared to the fingerprint template(s) for that user stored in a database or encoded on the user’s authentication card. A good match authenticates the user.

The use of biometrics to authenticate an individual is distinct from their traditional role in identifying individuals. Facial features, fingerprints, iris characteristics and, more recently, DNA have been used to identify an unknown individual; that is, to answer the question “Who is this person?” Identification requires comparing an individual’s biometric templates with a set of many stored profiles and finding the best match. In contrast, authentication involves a one-to-one matching of an individual’s live reading and his or her stored profile. The latter case asks the question, “Is this person who he or she claims to be?”

The chief virtue of biometric authenticators is that they are intrinsically linked to an individual, and are therefore hard to fake. An authentication token such as a card can be borrowed, lost, or stolen. An individual can easily compromise a knowledge-based authenticator by passing this knowledge to another person or being observed while entering it. Anyone who obtains an authentication token or a knowledge-based authenticator can fool the system into believing that he or she is the authentic user. In contrast, biometric authentication systems can be ‘spoofed’ only with great difficulty.

However, the use of biometrics has several disadvantages. Human factors issues, for example, are a major consideration. The human body is, unfortunately, constantly subject to physical changes; injury, normal “wear and tear,” effects of the environment, etc. In addition, different categories of users will have difficulty with some biometrics. Physically disabled users could have difficulty with authentication systems based on fingerprints, hand geometry, or signatures.

There are also practical problems associated with biometrics. Some of these technologies are not yet on the market. In addition, not all marketed technologies are equally effective, and it is often hard to determine which technique is the most suitable for a given application since no two vendors use the same reference specifications (or, when they do, do not base these specifications on standardized tests). Objective, controlled comparisons of technologies are hard to find. Also, the ability of different technologies to withstand environmental hazards such as dirt and vandalism over long periods of time have not been determined.

Cost is another practical issue. Appropriate hardware and software for registering and evaluating biometric data must be purchased and installed in every system. Users must be enrolled individually, perhaps at a substantial labor cost . Biometric templates may be encoded on cards rather than a central database; in such cases, both the cards and the readers used to interrogate the data stored on the cards represent an additional, often substantial, cost factor.

Another problem is that not every biometric authentication technique may be completely spoof-proof. If biometric data are stolen or sold, it may be possible to use them to execute a successful masquerade. A perpetrator might be able to build spoofing devices, such as fake hands for a hand geometry reader or a synthetic speech generator that matches a particular voice profile. More realistically, a skilled hacker might be able to feed a biometric digital signal directly into a system, circumventing the normal ‘reading’ process entirely. This problem is especially serious because of the intrinsic linkage between individuals and their biometric authenticators. A theft of the Customer’s centrally held biometric data would compromise any other company security systems that rely on the stolen biometrics. For example, if Jane Doe’s employer uses hand geometry templates to let its workers into a secure site, and her templates are stolen from the employer’s database, this would compromise her employer’s security as well as the employer’s.

Fortunately, this last weakness can be easily addressed. The simplest solution is to encrypt critical biometric data regardless of where they are stored since encrypted templates – left as encrypted data -- cannot be used to spoof an authentication system. In addition, different authentication systems can use different encryption schemes, so that a compromise of one dataset would not affect the other.

The following subsections describe several biometric authentication systems in more detail.

4.1.1 Fingerprints (Go To TOC)

Fingerprinting is one of the oldest and certainly the most widespread means of identification in use today. An individual’s fingerprints are defined by a complex combination of patterns: lines, arches, loops, and whorls. One type of fingerprint reader reads in the fingerprint by flashing light through a glass plate, on which the user has placed his finger, and digitizing the reflections. All fingers may be analyzed, or just one or two. Computer software exists to encode the distinctive patterns found in the digitized image. The resulting templates can be optionally encrypted, and stored on a central database or on each user’s card individually.

Fingerprint data can be obtained in several ways. The common procedure involves capturing an inked image of the print; this is impractical for a civil identification system implementation. It is also possible to optically scan fingerprints. A scanner records and analyzes an image of a finger placed on a glass plate. While much more convenient than inkpads, this optics-based “livescan” approach can be unreliable because of dirt, grime, and other foreign matter that may cause distortions in the image.

Other non-optical capture methods include the CMOS technology currently marketed by several firms, including Lucent, Thomson CSF, Siemans, and STMicroelectronics. This technology incorporates live finger scanning and image processing capabilities into a single chip wafer, providing direct digital output of detected fingerpad minutiae.

Please see the following web page for a current, independent evaluation of fingerprint technology (FVC2000): http://bias.csr.unibo.it/fvc2000/default.asp. [Note: This link will also give you a link to the (newer) FVC2002 evaluation.]

“The aim of [the FVC2000 initiative (Fingerprint Verification Competition 2000)] is to take the first steps toward the establishment of a common basis, both for academia and industry, to better understand the state-of-the-art and what can be expected from this technology in the future.” “[B]efore this initiative, only a few benchmarks have been available for comparing developments in this area and developers usually perform internal tests over self-collected databases. The lack of standards has unavoidably lead to the dissemination of confusing, incomparable and irreproducible results, sometimes embedded in research papers and sometimes enriching the commercial claims of marketing brochures.”

“FVC2000 is the First International Competition for Fingerprint Verification Algorithms. The first evaluation session was held in August 2000 and the results of the eleven participants were presented at 15^th ICPR (International Conference on Pattern Recognition). This initiative is organized by D. Maio, D. Maltoni, R. Cappelli from Biometric Systems Lab (University of Bologna), J. L. Wayman from the U.S. National Biometric Test Center (San Jose State University) and A. K. Jain from the Pattern Recognition and Image Processing Laboratory of Michigan State University.”

Advantages of fingerprinting:

► Each person’s fingerprints are unique.

► Fingerprints remain the same throughout a person’s lifetime.

► Huge databases are already in existence.

► A large amount of research & development money has been expended to perfect fingerprint processing (template definition, image capture, matching, “hit” and “no-hit” thresholds, etc.).

► Non-intrusive. Placing one’s hand in a reader is neither inherently frightening nor disconcerting.

► The EER (Equal Error Rate) for fingerprint match algorithms can be very low.

Disadvantages:

► Performing a 1:N search of a huge database can be slow, unless many separate matchers are ganged together to process the workload; this disadvantage is not unique to fingerprints – all other biometric techniques suffer from the same processing requirements.

► Livescan images may become blurred due to injury, dirt on the finger or dirt on the scanner platen.

► The size (in bytes) of a fingerprint template is relatively large (~256 to 512 bytes per finger image) when compared to the data size for some of the other biometrics.

4.1.2 Hand geometry (Go To TOC)

A hand scanner is a fairly simple device that measures hand geometry to obtain a template of the user’s hand. The user puts his or her hand in a small device (weighing about 4.5 kg), positions his or her fingers according to a set of pins on the device, and waits for approximately 1.2 seconds. A solid-state digital camera captures side and top views of the hand, and sends the data to a microprocessor for analysis. The data are compressed down to about 9 bytes worth of essential information (all other information about the hand is essentially the same for each person) and compared against a stored profile. If the comparison score is low, then the hands are nearly the same. New users can be enrolled easily. A new user places his hand on the device three times and is then ready for identification. The memory space required to store the template is typically very small - on the order of 9 bytes, which could easily fit on a magnetic stripe of a card. Correct positioning of the hand in one device by using guide pins simplifies the processing needed.

The low cost and high performance of this simple device makes it a popular choice among small organizations. Over 3,500 hand scanners are in use today.

The outstanding success today is the ID3D Handkey system, made by Recognition Systems Inc. of Campbell California. Recognition Systems produced their first hand scanner in 1986 and is now in its third generation. In their latest system, the user punches in their PIN code on a simple keypad, then places their hand on a plate with the fingers separated by guide pins. A black and white CCD digital camera captures an image of the hand and, via a mirror, additionally obtains a concurrent side view of the hand. The processor (a built-in HD64180 based on a Z80-based chip) measures various hand geometry features -- e.g., length and width of fingers, total area, etc. -- to produce a 96-byte result. Template generation software reduces this to 9 bytes. The resultant 9-byte template is compared with the stored record matching the person’s PIN code for verification.

Other companies trying to get into the hand geometry industry are Biomet Partners, Biometrics, Pideac, and Dactylometrics International.

Sandia Laboratories found hand geometry highly accurate, with both false accept and false reject rates less than 0.1%. Russell and Gangemi ranked hand geometry third in accuracy out of the six biometric devices they compared based on “surveys” (vagueness theirs).

San Francisco International Airport’s experience with hand readers suggests that they may be vulnerable to environmental problems, both deliberate and not. Shortly after the readers were installed there were several vandalism incidents, such as vandals’ snubbing out cigarette butts on the hand reading area, or smashing keypads. These incidents have subsided overtime. Cleanliness has been a consistent problem: machine oil frequently accumulates in areas that are difficult to clean, causing calibration problems. As a result, the hand readers require frequent maintenance.

Advantages of hand geometry:

► Small template size.

► Non-intrusive. Placing one’s hand in a reader is neither inherently frightening nor disconcerting.

► 1:1 match accuracy (FRR/FAR) for most medium-security applications.

Disadvantages:

► No open search (1:N) capability.

► Readers are relatively large, easily damaged.

► Readers are expensive.

4.1.3 Facial recognition (Go To TOC)

Face recognition systems are up against an enormous task, due to the ever-changing appearances of a person’s face. Some factors, such as facial expressions, facial hair, head position, camera angles, and lighting, can vary enough between the template and the current sample to make accurate recognition very difficult. Law enforcement agencies, which currently maintain large databases of ‘mug shots’, are showing an interest in face recognition technology.

Most current facial recognition systems use standard (e.g., low-cost, 8-bit) black and white video cameras to scan a user. Software then automatically locates the user’s face, scales and rotates the facial image, compensates for lighting differences, and then reduces the image to a set of floating-point feature vectors. The systems differ in how these data are used.

One facial feature recognition vendor, Image Verification Systems, takes a low-resolution black and white photo of the subject and compress the resultant data down to only 50 bytes, a file small enough to be stored on a credit card. When, for example, a verification operator reads the card, special hardware decompresses the 50 bytes of data to display a crude photo image of the customer. If the faces match, the operation proceeds. Of course, this system requires the verification operator to have some type of display capable of crude graphics.

In the system developed and marketed by NeuroMetric Vision Systems, Inc., of Pompano Beach, Florida, the facial data are input to an adaptive computation program that predicts the user’s identity. NeuroMetric’s system performs the task of face recognition by first capturing the image, then scaling and rotating the face image, as necessary. The gray scale of the image is enhanced to compensate for any change in lighting. Further processing is performed to reduce the captured facial image to a set of floating point vectors (“eigenfaces”). If this facial image template matches the user’s supposed identity, as read from a card or input to a keyboard, the user is validated.

From a computational perspective, the NeuroMetric system is quite complicated. The new user’s facial templates are added to a neural network program’s set of inputs, his or her identity is added to the program’s set of outputs, and the neural network ‘retrains’ or adapts itself to accommodate the new user. Each time a database is modified, every remote terminal’s database must also be updated and synchronized in order for authorized users to be authenticated at different locations. In addition, users need to re-enroll if their appearance changes significantly enough to cause an incorrect output from the neural network program. The NeuroMetric system also has a substantial human factors disadvantage in that the neural network program is designed to accommodate only around 20,000 users. This limitation could force the system to be designed so that each user can only use a specific system whose neural network ‘knows’ the user. This would limit the user’s flexibility in using the system.

From the user’s perspective enrollment is simple, requiring a single facial scan which typically takes only a few seconds. NeuroMetric claims their system can search a database of 50,000 faces in less than a second. The hardware required for NeuroMetric’s system is a Pentium PC, a digital signal-processing (DSP) card, a frame grabber card, and a video camera.

Facial templates abstract across differences in facial expression, hair, and position, as well as lighting. Sunglasses or other eyewear may cause problems. MIT ‘s facial feature recognition system developers claim a false rejection rate of 1.5% and a false acceptance rate of 0.01%.

Please see the following web page for a current, independent evaluation of facial recognition matching technology (FERET-2000): http://www.dodcounterdrug.com/facialrecognition/FERET/feret.htm.

To view the Facial recognition Vendor Test 2000 – Evaluation Report, published February 16, 2001 (in Acrobat Reader PDF format) please click on this link.

Order form is in PDF format, click on the icon to download Acrobat Reader.

“The Department of Defense (DoD) Counterdrug Technology Development Program Office sponsored the Face Recognition Technology (FERET) program. The goal of the FERET program was to develop automatic face recognition capabilities that could be employed to assist security, intelligence, and law enforcement personnel in the performance of their duties. The program consisted of three major elements:

· Sponsoring research

· Collecting the FERET database

· Performing the FERET evaluations

The goal of the sponsored research was to develop face recognition algorithms. The FERET database was collected to support the sponsored research and the FERET evaluations. The FERET evaluations were performed to measure progress in algorithm development and identify future research directions. The FERET program started in September of 1993, with Dr. P. Jonathon Phillips, Army Research Laboratory, Adelphi, Maryland, serving as technical agent. Initially, the FERET program consisted of three phases, each one year in length. The goals of the first phase were to establish the viability of automatic face recognition algorithms and to establish a performance baseline against which to measure future progress. The goals of phases 2 and 3 were to further develop face recognition technology. After the successful conclusion of phase 2, the DoD Counterdrug Technology Development Program Office initiated the FERET demonstration effort. The goals of this effort were to port FERET evaluated algorithms to real-time experimental/demonstration systems.”

Advantages of face recognition systems:

► Non-intrusive. The subject can be several feet away from the camera. A clear shot of the face, however, is ideal.

Disadvantages:

► Can be fooled by identical twins.

► A recent test performed by the editors of PC Magazine found that at least one popular facial feature recognition system can be fooled by imposters holding in front of their faces a full-size, color picture of the person they are trying to impersonate, cutting a hole for their nose to add an artificial depth quality to the imaged “face.”

► The EER (Equal Error Rate) for facial recognition algorithms can be very high when compared to other types of biometrics. This is especially true for potential matches against a database consisting of facial records that are 12 or more months “older” than the search data.

4.1.4 Iris recognition (Go To TOC)

The iris is the colorful part of the eye between the white (sclera) and the pupil. Its uniqueness in every person stems from variations in features such as furrows, striations, pits, collagenous fibers, filaments, crypts (darkened areas), serpentine vasculature, rings, and freckles.

Iris recognition is fast, non-invasive, and non-threatening (especially compared to retina recognition, below). It is appropriate for all users with intact corneas without cornea disease. Current technology requires the user to be within 18 inches of the sensing video camera; later models will be capable of capturing usable iris data from a distance of 24 inches (IrisScan claims that its goal is to achieve a stand-off scanning distance of 36 inches).

Unlike the retinal scanner, the iris scanner can be placed 12 to 18 inches away from the person using it, a much more comfortable distance (this is an important factor to consider in those cases when the biometric device is to be used daily, or more often). To perform the measurement, the subjects are placed at a constant distance from the camera lens. The more this aspect is allowed to change, the more difficult it is to make consistent measurements. The light should be diffusing, to reduce reflections. A high-fidelity camera with low light capability is used to minimize the amount of light (and discomfort to the user).

As with facial geometry, the user is passive; a video camera automatically locates and scans the user’s iris. Special software uses complex mathematical algorithms to reduce the iris pattern to a 256-byte data pattern. This is compared to a stored version of the user’s iris pattern stored on the user’s identification card or in a central database. A good match authenticates the user. User enrollment amounts to scanning the iris and recording the user’s iris templates.

Iris recognition is extremely effective. In terms of FAR, it may be better than fingerprints. Human iris patterns are stable over a lifetime, are protected from damage by the cornea, and have six times as many distinguishable characteristics as a fingerprint. The iris also responds to light by automatically constricting (e.g., the diameter of the pupil narrows) and this autonomic response can be used as a test against artifice (e.g., to determine whether the scanned iris is not only attached to a living eye, but also whether the eye in question is attached to a person under stress, is drugged, etc. [Measuring the reaction of the iris to a strobe light emission is diagnostic of stress and drug use.]

Advantages of the iris scanner:

► The iris is more unique than the fingerprint (but less so than the retina).

► Input is stable. Iris patterns do not change over a person’s lifetime.

► Non-intrusive. The subject can be at a comfortable range from the scanner (but not too far away).

Disadvantages:

► IriScan device generates a fairly large template, 256 bytes. With the dramatic drop in computer memory cost, however, this does not seem to be much of a problem.

► Tests conducted by independent third parties suggest that iris recognition may yield a FRR performance of ~12% because of various practical (e.g., field) conditions such as the inability of the automated image segmentation routines to distinguish between the straight-line features found in images --- such as eyebrows or eyelashes -- and the iris, resulting in an improperly focused image. At this level of performance, users are likely to become frustrated with repeated denials of their legitimate identity claims.

► Single-source. IriScan holds patents to the key elements of iris identification. Its sole licensee is SENSAR.

► High cost. IriScan started selling systems for $3000 to $5000 in early ‘95.

► The iris biometric has not been proven a 1:N match capability.

4.1.5 Retina recognition (Go To TOC)

The retina, the backside of the eyeball, has unique patterns of blood vessels.

User enrollment amounts to scanning the retina and recording the user’s retinal templates. An infrared beam scans the user’s retina and the reflected light is recorded by a CCD camera. The scanner may be stationary, in which case the user must position himself correctly in front of the scanner. Or the scanner may be hand-held, in which case the user must aim it correctly. Once the retina is scanned, special software creates a digital profile of the user’s unique pattern of blood vessels. The image is processed and reduced from 16k bytes to 48 bytes. This profile is compared to a profile stored on the user’s identification card or in a central database. A good match authenticates the user. Verification takes about 4 to 7 seconds.

Sandia’s test of EyeDentify, Inc.’s model 8.5 produced had no false accepts, and it exhibited a 0.4% false reject rate when each user was given three tries at validation.

Advantages of the retinal scanners:

► Small template size.

► Input is stable. Retinal patterns do not change over a person’s lifetime, except in the case of certan degenerative retinal diseases.

► Fast verification.

Disadvantages:

► Intrusive. To obtain a measurement, a person must place his eye within 2 to 3 inches of the scanner. This is too high a discomfort level for many people.

► Subject must cooperate with reader; refusal to cooperate is not apparent to the tester.

► Single source. Presently, Eyedentify Inc. is the only vendor for these products.

► No proven ability to carry out 1:N searching.

4.1.6 Facial Thermogram (Go To TOC)

The variation of branching blood vessels throughout one’s face creates a different ‘thermal’ image from person to person; even identical twins have different facial thermograms. Facial thermograms apparently do not change during a person’s lifetime and are not affected by surface or cosmetic changes to the face; even plastic surgery won’t change the thermogram unless it goes so deep as to redirect the flow of blood.

Thermogram images can be obtained without contact with the imaging device. The technology is still too immature to evaluate other human factors, such as the operator interface.

Advantages of the facial thermogram system:

► Non-intrusive. The user need not insert a hand or a finger into a reading device.

► Input is stable.

► Subjects can be evaluated covertly, without the subject’s knowledge.

Disadvantages:

► High cost. Current prices for infrared cameras are high, but are expected to drop dramatically in the next few years.

► Large template size; between 2,000 and 3,000 bytes. This can make for slow searching in large databases. Further development and video compression techniques may solve this problem in the future.

4.1.7 Signature Recognition (Go To TOC)

Signature is not new; it has long been the means by which we validate all our legal documents. However, absolute validation of signatures is a different matter, one that is much more difficult.

Some systems use pens with motion-sensing and pressure-sensing devices inside. In this case, a special pen is used that contains a bi-axial accelerometer to measure changes in force in the x and y direction. A force sensor measures the variations in downward (z-axis) force. A person enrolls into the system by signing his or her name a number of times. The computer reads and analyzes the dynamic motions produced by the signer during each signature. Software senses the pen’s movements and extracts significant templates. These may include signing speed, sharpness of loops, and changes in pressure. These templates form a profile that is compared to a profile stored on the user’s card or in a central database. A good match validates the user. The profile self-updates each time a citizen uses the system; this means that citizens do not have to re-enroll as their signatures change with aging.

Other biometric signature systems use a magnetic tip pen with a sensitive tablet. These systems analyze only the dynamic changes in the x and y directions, and as a result the hardware required is much simpler. As more and more of the same signature is entered into the system, the system ‘learns’ the more consistent and more varying parts of the signature. The user’s template data can be stored in a database or on a smartcard.

Signature recognition was the least effective biometric authenticator out of the six that Russell & Gangemi surveyed. In Sandia’s test, signature recognition had a 9% false reject rate after one try; though this dropped to 2% after two tries. False accepts were 0.7% after three tries.

Signature recognition technology has recently (yr. 2002) undergone vast improvements in accuracy, repeatability, and product maturity. Signature recognition is, in our judgment, a viable alternative to fingerprint or iris 1:1 identity verification. The technology is supported by low-cost, mass-produced hardware (writing tablet); this significantly improves the cost efficiency of this biometric without suffering a commensurate loss in the ability of the biometric to perform at high accuracy levels. Moreover, since the concept of a signature or “personal mark” has been in human culture for eons, the signature biometric can be integrated into systems that solve person identity “business requirements” with very little change in the current policies and procedures of the ongoing business model of the company or institution.

We predict that signature recognition will become a standard for 1:1 identity verification applications and may even supplant and/or augment current digital “ID Keys” and digital “watermarks” in e-commerce.

Advantages of signature recognition systems:

► Each person’s signature is very unique, to include the actual letters and the writing style.

► Very little special hardware is needed to implement a signature recognition system.

► Low cost. SigBio of Vancouver, BC offers a signature recognition tablet and software for under $100.

► In the latest (yr. 2002) technology for this biometric, the actual, visible signature (that is seen on the document) is not recorded or stored; only the “dynamics” of the construction (writing) of the signature are actually recorded in digital format. This record can, in turn, be encrypted to prevent tampering and/or copying. Since the actual signature itself is not recorded, most, if not all, of the ever-important privacy concerns are avoided.

Disadvantages:

► A person’s signature may vary so much that the machine may not always recognize it. In which case, further attempts must be made. However, the latest developments in signature recognition technology (yr. 2002) seem to have overcome most, if not all, of the “enrollment,” or capture, of the signature biometric.

4.1.8 Voice Recognition (Go To TOC)

One of the simplest systems is voice recognition. The changes in a person’s voice are somewhat due to physical attributes, but mostly due to behavior patterns. Vocal cords vibrate at about 80 times per second for men, 400 times per second for women. These vibrations are modified by the size of the jaw opening and by tongue and lip shape and position ¾ factors that make each person’s voice unique.

In these systems, the user speaks a specific word into a microphone attached to the system. Software analyzes his or her voice and abstracts significant measures on roughly twenty parameters (pitch, speech, energy density, waveforms, etc.). This live profile is compared against a profile stored on a central database or the user’s card. A good match authenticates the user.

To enroll in the system, the user must repeat the key word several times. This enables a profile to be developed that is general enough to handle normal variations in speaking. From a physical perspective, voice recognition represents a problem for individuals with disabilities or aging factors that affect speech. A significant change in speaking characteristics would require that the user re-enroll.

Sandia’s testing of two voice recognition systems (Alpha Microsystems’ Ver-a-Tel and International Electronics’ VoiceKey) rated the method low in user acceptance. Ver-a-Tel was relatively slow ¾ 19.5 seconds on average, compared to 6.6 seconds for VoiceKey, which is comparable to Sandia’s times for fingerprint, hand geometry, and retina recognition. Enrollment was difficult for both systems. The high rate of false rejectswas frustrating for many users.

Evaluations of voice recognition differ. Russell and Gangemi ranked it third out of six biometric technologies in accuracy. Sandia found that the two systems it tested did poorly. Ver-a-Tel had a high false reject rate, with 5.1 percent of valid users rejected after three tries, and false accept rate, with 2.8% of invalid users accepted after three tries. VoiceKey did somewhat better, but still not great: 4.3% false rejects after three tries, and 0.9% false accepts after one try.

Advantages of voice recognition systems:

► Easy to use.

► Non-intrusive. A person need only speak into a microphone.

► Can be used with existing phone systems.

► Utilizes existing speech processing software.

Disadvantages:

► Computers have difficulty with background noise.

► A person’s voice will vary with their mood; depression, excitement, anger, etc.

► A person’s voice changes when they have a cold or flu.

► They can easily be deceived. All it takes is a simple tape recorder to capture a person speaking their password.

4.1.9 Other Biometrics (Go To TOC)

Other biometrics not discussed in this Summary Report are:

Typing rhythms

Odor

Vein

Knuckle crease

4.2 Summary (Go To TOC)

Unfortunately there can be no definitive conclusions, because there are constantly new developments that require reconsideration. However, currently there are only a few candidates that can offer an operational system with adequate performance.

A solution that is acceptable for a high-security access control systems may not be suitable for systems meant for a more general public use such as border control or automated financial transactions. For example, consider the following design trade-off and selection scenario:

For border control, both fingerprint identification and hand geometry are viable and proven solutions. The false rejection rate for the hand geometry is slightly better then the false rejection for fingerprint identification. With respect to false acceptance, the fingerprint identification is superior. It is often argued that false acceptance is less important, because for a potential intruder it makes no difference if he has a chance of 1 in 10000 or 1 in 100 of getting through. In both cases he will probably be discouraged and think twice before attempting to intrude.

Yet it is also the case that identical twins have identical hands and will experience no trouble in being identified as each other with the hand geometry method. The false acceptance rate for the hand geometry between family-relations is probably much larger then the false acceptance for randomly chosen people. Fingerprints on the other hand, are formed in the womb as the result of a random fetal development process, and fingerprints of identical twins or other family relations have absolutely no correlation. Therefore when choosing between fingerprints or hand geometry, the designer is likely to be biased in favor of fingerprints.

As this example illustrates, the choice between methods is by no means straightforward. In fact, there may be many cases where the vagaries of procedure, user acceptance, and control over security aspects of the system dictate that a mix of biometrics, sometimes used together, may be the ‘best’ solution.

The guidelines set forth in Federal Information Processing Standards Publication 190 (1994 September 28) illustrate the complexity of these decisions:

When choosing a biometric authentication system, performance should be of importance. The performance of biometric authentication systems can be categorized by two measures, the False Acceptance Rate (FAR) and the False Rejection Rate (FRR). The FAR, also called type 2 errors, represents the percentage of unauthorized users who are incorrectly identified as valid users. The FRR, also called type 1 errors, represents the percentage of authorized users who are incorrectly rejected. The levels set in the comparison algorithm have a direct effect on these rates. How these rates are determined is fundamental to the operation of any biometric system, and therefore should be considered a primary factor when evaluating a biometric system. Some caution should be given to the FAR and FRR numbers from manufacturers because these numbers are extrapolated from small user sets and the assumptions for the extrapolations are sometimes erroneous. The physiological biometrics tend to have a better false acceptance rate because of the stability of the measured characteristic and because a behavioral characteristic is more likely able to be duplicated by other users.

These performance factors should be coupled with the type of users that will use the biometric. Some user factors may include learning curve and alternate access for those who may not be able to use the biometric. For each device the user must become familiar with the device for proper live scans to be taken. A nominal time that users take before the false rejection rate drops off is two weeks. Another user consideration is that not all users may be able to use the biometric. A user may have an impairment which prevents them from taking an acceptable scan. An alternate method is needed to grant those users access, or a biometric should be selected based on the needs of each set of users. When selecting a biometric, user acceptance should also be considered. Some biometrics have met with resistance from users because they are too invasive.

An ideal biometric is a non-invasive biometric with continuous authentication. In other words, the user does not need to take any additional action to be authenticated, and because it is non-invasive, the live scan may be done continuously. The continuous authentication will ensure another individual is not allowed access after an individual authenticated for access. Video facial scans and typing pattern biometrics are techniques which lend themselves to continuous authentication.

Once the type of biometric authentication mechanism has been established, the authentication mechanism must be attached to the access mechanism in the system. Typically, the sensor is an external hardware box with the analog to digital converter in it. The data compression and comparison algorithm is implemented with a combination of hardware and software. The path between the comparison algorithm to the access mechanism must be a trusted path. The output of most comparison algorithms is a pass or fail response which may be duplicated if the path is available. Also note if the sensor is shared for access to several systems, each system should have its own comparison algorithm and template data base.

5. Competing biometric technology performance and costs (Go To TOC)

5.1 Technical and Cost Trade-Off Analysis

In order to determine the best combination of primary and secondary biometrics to use for the Customer’s identification system, a trade-off analysis of competing biometric technologies was conducted, with the following results:

Biometric Type	Relative FAR (Estimated open search performance)	Relative FRR (Estimated for single search instance)	Enrollment Failure (Estimated)	TemplateFile Size (Kbytes per sample)	Reader Cost ($K)	Reader Fragility (Low is best)	Matcher Cost ($K)
Fingerprints (minutiae-based, using optical scanners)	Very Low (0.001%) [2 fingers + 10-finger classification]	Low (<1%) [single finger]	<1% enrollment 1.5% verification	0.3	0.5 (specialized COTS)	High	3-100 (depends on application)
Fingerprints (minutiae-based, using solid-state scanners)	Very Low (0.001%) [2 fingers + 10-finger classification]	Low (<1%) [single finger]	<1% enrollment 1.5% verification	0.25-0.3	0.2 (specialized COTS)	High	~ 0.1 (depends on application)
Retinal Vessels	Low (0.1%)	Moderate (1-5%)	3%	0.05	1.5 (specialized COTS)	High	N/A (included in reader)
Iris Structures	Very Low (zero if captured “correctly”)	Very High (~12%)	10% on first try, >1% on subsequent tries	0.4	0.1 (COTS grayscale video camera)	Moderate (external camera)	~ 3 (PC or adapter w/CPU)
Hand Geometry (whole hand)	High [0.1% over 3 tries]	High [0.1% over 3 tries]	>1%	0.009	2.2 (specialized COTS)	Low	N/A (included in reader)
Hand Geometry (two fingers)	High (0.1%)	High (0.1%)	>2%	0.018	1.6 (specialized COTS)	Low	N/A (included in reader)
Hand Vein	Unknown	Unknown	Unknown	0.05	0.1 (COTS grayscale video camera)	Low	~ 3 (PC or adapter w/CPU)
Finger Joint Creases	Unknown	Unknown	Unknown	0.10	0.2 (Specialized COTS)	Low	~ 3 (PC or adapter w/CPU)
Palm Creases	Very Low (0.0000025%)	High (1%)	Unknown (but probably low)	0.25	4 (Specialized COTS)	Moderate	N/A (included in reader)
Facial Features (landmark feature measurements)	High (>0.1%)	High (>0.1%)	>1%	0.25	0.2 (COTS grayscale video camera)	Low	~ 3 (PC or adapter w/CPU)
Facial Features (infrared pattern measurements)	Unknown	Unknown	Unknown	0.40	50 (Specialized COTS infrared camera)	Very High	~ 5 (PC w/ infrared adapter)
Voice	Very High (10%+)	Very High (15%+)	1-30% (depending on conditions)	0.02	>0.2 (COTS microphone)	Low	~ 3 (PC or adapter w/CPU)
Signature	High (5%+)	High (10%+)	N/A (0%)	0.01	0.5 (Specialized COTS)	High	N/A (included in reader)
Hand Topography (finger creases + single palm)	High (0.2%)	High (0.2%)	Unknown	0.2	0.3-0.5 (Specialized COTS)	Moderate	N/A (included in reader)

Table 5.1: Biometric Type Trades

5.2 Suitability for the Customer’s Mission (Go To TOC)

The following table examines the suitability of the above-described biometric techniques with respect to the selection criteria enumerated in Sections 2.1.2 and 2.1.3.

[Note: If a field is marked “Yes,” at least one supplier of the technology has presented convincing proof that the biometric in question is capable of meeting the criterion. If marked “No,” the technology is either not designed to support the requirement or environmental and other conditions may negate the possibility that the technology could meet the criterion (e.g., an individual’s hand geometry might be affected by amputations, rendering that biometric approach untenable as regards “permanence”). If marked “?,” the information is either not available from the manufacturer or is suspect (e.g., as might be the case where the develop0er of a new technology unrealistically claims capabilities for the technology that can not be proven).]

Selection Criteria[1][1]

Universal

Unique

Permanent

Indespen-sible

Collectible

Storable

Exclusive

Precise

Simple

Cost Effective

Convenient

Acceptable

Open Search Capable

Static Regis-tration

Closed Search Capable

Fingerprints

Yes

Retina

Yes

Iris

Yes

Hand Geometry

Yes

Finger Geometry

Yes

Hand Vein

Yes

Finger Joint

Yes

Palm Creases

Yes

Facial

Yes

Face Infrared

Yes

Voice

Yes

Signature

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Table 5.2: Biometric Identity Verification Alternative Criterion Trades

These evaluations are judgment calls and may therefore appear to be occasionally inconsistent. For example, in the table above, fingerprint biometrics are given a “No” rating for both “Simple” and “Cost Effective” because the operation of this biometric in a point-of-transaction environment requires the use of automated finger scanners; in practice, these devices have proven difficult to maintain and are relatively expensive (the cost of a livescan reader can range between $500 to $25,000 depending on the application. Although low-cost livescan fingerprint readers are either being developed by or are already available from several sources, these devices require constant maintenance and frequently break down in the field. In addition, the requirement to capture good quality fingerpad image detail is frequently defeated by environmental and user conditions, such as dirt on the reader platen and uncooperative or careless subject-users). Likewise, the ability of systems based on retinal scans to accommodate serious eye injury or common diseases such as glaucoma (which can affect the pattern of blood vessels on the fovea) is suspect.

In many cases, the ability of a given biometric to meet the criterion’s challenge is simply not proven; these cases are marked “Unknown.” In our opinion, the biometrics so marked are likely never to be developed or tested to the point where they can compete successfully, if only because proven techniques (such as fingerprints, hand geometry, and facial feature matching) are already so reliable and, in some cases, very cheap.

6. Conclusions (Go To TOC)

A wide variety of competing technology solutions exist to solve the problem of human identification, and the number of competing technologies in the field of automated ID systems has increased tremendously. However, fingerprints remain, with hand geometry techniques, the most widely used automated biometric technology.

Current fingerprint-based systems offer fully mature technologies for capturing, encoding, storing, matching, and verifying searches against large databases. In addition, they are one of only two biometrics ¾ the other is facial feature recognition ¾ that can support enrollment (e.g., via paper forms such as photographs or, in the case of fingerprints, by means of inked or livescan-printed fingerprint cards).

As regards the closed search capabilities needed for point-of-transaction identification, virtually all biometric approaches share a common ability to meet this requirement. However, only facial feature and iris striation matching are competent with respect to all of the other selection criteria listed in Sections 3.1.2 and 3.1.3. Thus, even if facial feature or iris matching proves incompetent with respect to open searches (and the developers of both technologies claim that open searching is possible using these approaches), they are still well suited for use in point-of-transaction operations.

An additional benefit of facial feature and iris matching is that both biometrics can be obtained from a single image scan of the subject’s face. It is possible, although it has not been proven, that a matchable iris biometric template can be produced using a static image (e.g., a photograph). Iris features can be distinguished using very low-resolution cameras, and it is reasonable to suppose that a competent image of the iris could be clipped from a modestly high-resolution printed copy of a facial image.

Several factors favor the use of fingerprints for the purposes of the Customer’s high-security identification system:

For all practical purposes, it can be assumed that all humans have at least ten fingers that are capable of being processed and matched for identification purposes.

Fingerprints are not easily forged, and are absolutely unique to each individual.

Fingerprint ridge details are relatively robust. Since they originate several layers under the outside layer of skin, they can withstand attempts to erase them by chemical or physical means. In addition, even though a portion of the fingerprint may be so damaged as to be unreadable, modern fingerprint matching systems require only a small portion of the fingerpad to carry out accurate identification operations.

Fingerprint data capture is straightforward and can be accomplished by a variety of means (e.g., reflected light optical or CMOS scanners, solid-state capacitive inductance scanners, ultrasound scanners, micropad pressure sensors, polarized multi-frequency infrared illumination, etc.), although the means to accomplish such capture vary in terms of convenience, cost, and accuracy.

Fingerprint image processing and matching systems are mature; automated fingerprint identification operations have been in place within large federal, state, and local law enforcement agencies for decades and the these technologies have been proven reliable in literally tens of thousands of search events. Likewise, commercial systems using single finger searches and simple match algorithms have demonstrated a proven record of acceptable 1:1 identity verification performance.

However, there are also certain liabilities attached to the use of fingerprints as a human identification biometric:

Fingerprint capture devices are typically contact-based and are therefore prone to failure over time by reason of capture surface failure caused by repeated use. [Exceptions exist: polarized infrared or ultrasound scanning devices can interrogate fingerpad ridge structures without coming into contact with the finger. However, such scanners currently are impractically expensive.]

Over time, repeated use of the capture device begins to degrade the quality of the image the device is meant to capture, resulting in errors due to out-of-specification image data quality.

Open search (1:N) fingerprint matching techniques are acceptably accurate in detecting impostors only when multiple finger samples are taken as part of the enrollment process, increasing the cost of the system.

Fingerprint files are relatively large (on the order of 0.5-1Kbyte) as compared to other biometrics such as hand geometry (which typically require less than 25 bytes per sample). This has created problems for installing fingerprint biometric data on portable ID cards, forcing integrators to establish either local databases at each verification site or to provide the means to download data to a central site for matching; both alternative increase cost and slow processing.

6.1 Near Term Trends (Year 2000 through Year 2003) (Go To TOC)

6.1.1 Fingerprints

Given the number of competitors in this field, advancements in fingerprint biometric technologies are assured; the best estimate is that there are more than 90 companies competing in this industry, including giants such as Lockheed Martin, SAGEM, IBM, Siemans, Thomson CSF, Lucent, NEC, and Unisys.

Traditional minutiae-based image processing and feature matching DLLs will continue to become more efficient. Highly accurate coding and minutiae matching algorithms are now available that operate in a RAM space of less than 64 Kbytes yet maintain forensic-level accuracy performance, and the trend is to find even more efficient ways to reduce RAM requirements without sacrificing accuracy performance. [RAM is the most expensive element in CMOS designs. Reducing RAM requirements lowers costs by simplifying chip design and boosting silicon wafer yield.]

Image feature analysis techniques are also improving in more fundamental ways; that is, by incorporating non-minutia data in an attempt either to improve match speed or accuracy, or both. New, more efficient means of finger ridge pattern analysis are being considered and tested that will substantially improve the overall effectiveness of fingerprint matching operations by lowering costs and increasing speed and accuracy.

Other significant advances will be made in the area of CMOS technologies that integrate image capture, image decomposition (template analysis), and image matching functions on the same silicon chip. Since this technology will reduce processing gate and memory storage to micron-sized elements, such devices are inherently tamperproof (i.e., they cannot be hacked). Fully integrated silicon-based sensor/processor chips will be available in production quantities by the end of 2001.

Capacitive inductance silicon sensor technologies are available today in OEM packages with form factors less than 2.5 cm², enabling their deployment in a wide variety of security access environments, terminals, physical security access locks, wireless secure telephones, keyboards, etc. Low-cost fingerprint scanning devices will improve in terms of cost performance and their ability to support accurate, fast 1:1 match operations in autonomous (remote) sites.

Advances will also be made in the miniaturization of optical sensors using CCD/CMOS cameras. Optical sensors have certain inherent advantages over silicon-based sensors; they are relatively cheap because they use simple sensing components, and the sensing components themselves exhibit high signal-to-noise ratios enabling them ¾ when coupled with advanced image processing DLLs ¾ to produce high-quality image data. The critical problems associated with optical-based fingerprint image sensors are cost and size, and these seem to be amenable to further improvement, as recent product announcements have shown. [Optical sensors having a thickness of 4.5 mm are already commercially available for a price, in large quantities, > $100).

6.1.2 Iris (Go To TOC)

Iris matching technology is expected to evolve considerably within the next three years, despite the fact that there are only two companies currently active in this field; IriScan and SENSAR (whose technology is based on a license from IriScan).

Passive iris scanning techniques will be improved to the point that the individual being scanned does not have to actively cooperate with the scan process; this will improve the ease of use of the system and will make the scan process unobtrusive – perhaps even unnoticed. Along these lines, the imaging subsystem used to capture the iris image will be miniaturized and made more affordable; SENSAR is already selling an OEM device that can be incorporated into an ATM machine and has announced a new low-cost sensor assembly.

The OPEN search (one-to-many) search capabilities of iris technology may improve to the point that it is equal to fingerprint technology in terms of accuracy and speed (the ability of iris technology to meet this objective has yet to be proven, however).

6.1.3 Face (Go To TOC)

Facial feature matching technologies are developed and sold by several companies today, and the number of companies competing in this field is not expected to increase dramatically for at least the next several years. One of the major factors inhibiting commercial development investment in this area is the number of facial feature DLLs developed by academia (MIT, Rensaeler Polytechnic, etc.) available on public Web sites.

Probably the single most significant problem with facial recognition match algorithms is the inability to correctly match facial images – taken from the same person – that are widely spaced in time. From the FERET 2000 test and from tests performed by San Jose (Jim Wayman, et. al.), the False Rejection Rate (FRR) for facial imaging climbs to ~50% after twelve months. Facial imaging works reasonably well when the facial database is constantly kept “up to date” with recent facial images.

Some companies that produce facial recognition products are listed in the following table.

AcSys Biometrics	http://www.acsysbiometrics.com/
Biometrica Systems	http://www.biometrica.com/
Cognitec Vision Systems	http://www.cognitec-ag.de/
C-VIS Computer Vision and Automation	http://www.facesnap.de/
ID Arts	http://www.idarts.com/
Image Metrics	http://www.image-metrics.com/
Imagis Cascade	http://www.imagis-cascade.com/
Malin Systems	http://www.malinsystems.com/
SpotIt!	http://spotit.itc.it/
Viisage	http://www.viisage.com/
Visionics (Digital Biometrics, Inc.)	http://www.faceit.com/
VisionSphere Technologies	http://www.visionspheretech.com/
ZN Vision Technologies	http://www.zn-ag.com/

Face matching applications will increasingly be integrated with fingerprint scanning applications in law enforcement, as part of the integrated booking concept that is now taking root in agencies across the country. While fingerprints will remain the primary identification method for these agencies, mugshot booking data may be used to track inmates in lockups, jails, and prisons in a real-time mode ¾ e.g., as the subject moves within the facility.

These market forces will motivate the further development and improvement of real-time facial feature recognition. In addition, the cost and complexity of face image scanning technologies ¾ which is already quite low ¾ is likely to be further reduced, as are the costs of the facial feature DLLs themselves.

6.1.4 Hand geometry (Go To TOC)

Hand geometry technology has basically been developed by a single entity, Recognition Systems, Inc. Given its dominance in this field and the niche nature of hand geometry applications (while it has been adopted by many government agencies and the Recognition Systems arguably sells the most biometric terminals of any vendor in this industry) the product has never been a commercial success owing to its high cost and limited capabilities.

Owing to the nature of the biometric being sampled (i.e., the hand), it is unlikely that hand geometry readers will be made smaller, although it is possible that they could be manufactured more cheaply and sold at a lower cost. However, there is no apparent demand for either a smaller form factor or cheaper systems (hand geometry readers are typically sold in small lots), so our best guess is that significant changes in this biometric technology are going to occur, at least ion the short term.

6.1.5 Signature Recognition (Go To TOC)

Signature recognition technology has recently (yr 2002) undergone vast improvements in accuracy, repeatability, and product maturity. Signature recognition is, in our judgment, a viable alternative to fingerprint or iris 1:1 identity verification. The technology is supported by low-cost, mass-produced hardware (writing tablet); this significantly improves the cost efficiency of this biometric without suffering a commensurate loss in the ability of the biometric to perform at high accuracy levels. Moreover, since the concept of a signature or “personal mark” has been in human culture for eons, the signature biometric can be integrated into systems that solve person identity “business requirements” with very little change in the current policies and procedures of the ongoing business model of the company or institution.