Widgets for digits

 

Fingerprint technology is a logical choice for ID cards, but interoperability questions stand in the way.

Electronic fingerprint verification is emerging as the biometric technology of choice for federal identification badges. And as deadlines loom for agencies to deploy interoperable smart cards that must communicate with back-end computer systems (as mandated by Homeland Security Presidential Directive 12), technology and standards surrounding electronic fingerprint verification have taken center stage.

Fingerprints are a good fit for HSPD-12. Fingerprinting has a proven track record with its use by law enforcement, and the technology can easily be deployed and managed on personal-identity verification cards, advocates say.

Yet some experts are skeptical of fingerprints as the most reliable biometric, noting that prints are susceptible to damage. They advocate a multiple-biometric approach that includes technology such as facial recognition to assure a person's identity. Others point out that fingerprint technologies have a way to go in meeting federal standards for interoperability, and that the HSPD-12 policies themselves still must be clarified.

"There is a significant amount of interest in the agencies wanting to do this [HSPD-12]," said Bill Willis, executive vice president of ImageWare Systems Inc. of San Diego, a maker of multibiometric identity management platforms. "They're a little hamstrung because it is a nonfunded mandate, but we're seeing an uptick in contracts. In 2007, you will see adoption, and you will see it at a significant level."

Until late 2005, a debate raged within the federal government over whether PIV cards' fingerprint biometric should be based on a complete image of the prints, or instead on mathematical representations called minutia.
The decision was in favor of minutia, and the National Institute of Standards and Technology soon issued guidance in Special Publication 800-76-1, updated this past January and titled Biometric Data Specification for Personal Identity Verification.

800-76-1 incorporates, by reference, a sort of hierarchy of current fingerprint and biometric standards. Just below HSPD-12 is Federal Information Processing Standard 201, which defines how the identity of applicants is verified, how PIV cards are issued and used, and means of encrypting biometric data on the cards.

The NIST document itself is dedicated to interoperability of two types of biometrics: facial and fingerprint. The agency is devoting most of its attention to the latter and relies on an existing standard for fingerprint minutia templates developed by the American National Standards Institute, called ANSI 378.

NIST's 800-76-1 also specifies in great detail separate requirements for the types of images of all 10 fingers that are acceptable. The goal is not just to create the minutiae but also offer guidance for storing the full images at agencies or sending them out for background checks. Once the person is granted clearance, a smaller, one- or two-finger minutia file gets written to the card's memory chip. The NIST standard doesn't require more than one finger.

The advantages in file size and processing efficiency between PIV cards and readers are striking. Full images typically take 7 kilobytes of storage space, while minutia templates can fit in fewer than 40 bytes, said Patrick Grother, a NIST computer scientist who co-authored 800-76-1. "The storage on the card wasn't the limiting factor," Grother said. "It was moving the data across the interface."

The interoperability issue focuses on establishing links between fingerprint-scanning systems and associated software called template generators, and template matchers that judge the similarities between templates claimed to be for the same person.
To test the interoperability of vendors' template-generating and -matching software, NIST developed the Minutiae Interoperability Exchange Test. "MINEX is like a big benchmark," Grother said, "a test of how good the 378 template is, how interoperable it is and how it performs against image-based interoperability."

In March 2006 MINEX tests of products from 14 vendors using fingerprint images from a quarter-million people, Grother reported, vendors' proprietary, single-finger templates were at least twice as accurate as one of two types of INCITS 378 templates. He also found, however, that the standard templates had comparable reliability when two fingerprints were taken from each person. The tests also showed an effect typical of most standards: an inverse relationship between the number of products that interoperate and the minimum threshold for accuracy. Lower the accuracy requirements, and more products will read each other's templates.

While Grother called INCITS 378 interoperability between template generators and matchers "pretty good" in a recent interview, he admitted that it allows some leeway. "A system will find the minutia, put the two together, and each vendor will do it in a slightly different way. That leads to template generation that is a little idiosyncratic." He said NIST is considering improvements to the standard, including creating a single set of reference data that vendors can benchmark against. A standardized algorithm for minutia generation would also help, but Grother said that would require substantial research and development. "It's not a trivial task. Companies know how to do this, but all that technology is proprietary."

One solution might be for a vendor to release its software code to the open-source development community.
NIST itself has such an open-source minutia algorithm, but it was written before the 800-76-1 standard, Grother said.

FIPS-201 prescribes safeguards throughout the entire process for issuing a PIV card, from capturing fingerprints at enrollment stations, to background checks, to security procedures at the companies that make the cards and to validating that the minutia on the card constitute an accurate representation of the person's fingerprint. Some observers say the system is less than airtight. "OK, this fingerprint is captured in the enrollment process," said Tom Greco, vice president of enabling infrastructure at Cybertrust, a Herndon, Va.-based digital-certificates service provider listed on General Services Administration Schedule 70 for PIV cards. "Where does it go, and who holds it? Is there someone maintaining a long-term database?"

The Office of Management and Budget requires all federal employees and contractors being issued cards to have background checks by Oct. 27 of this year, although those with at least 15 years' service have another year to comply. But this part of the FIPS-201 process may have a loophole, since it treats people already enrolled in the system differently by allowing their previous background checks to be used, Greco said. "How are you assured that the person who enrolled in the process is really the person whose fingerprint is on the card?" he asked. "The way to do that is to do it all in one process rather than try to leverage historic information."

Further cracks could be opened by an upcoming second generation of cards that will store more of the individual's authentication information needed for verification (called "match on card"). "One of the issues is: The smart card is everything," said Ivan Hurtt, Novell's director of federal solutions product management, which partners with ImageWare and Honeywell on what it claims is an end-to-end PIV system meeting FIPS-201 requirements.
"If your fingerprint has been taken off your card and captured on another machine, another person with the same kind of clearance level is able to spoof that."

Another mild skeptic about the PIV program's reliance on fingerprints is Tony Cieri, a former 37-year Department of Defense employee who ran the Navy's smart-card program, now a consultant on a PIV project for first responders connected with the National Capital Region Coordination Office. "How would we know how far along we are if we've never run not tests, but actual exercises," Cieri said. "If someone tells you that's been done, they're lying." Cieri said that by also allowing passwords, FIPS-201 actually enables three-factor authentication, and that multiple biometrics, including the securely hashed, digitized photo on many cards, are needed to ensure interoperability across jurisdictions. "The answer, to me, is not to depend on any one thing," he said, adding that this is true, in part, because some people can't have a good fingerprint taken from them.

In truth, fingerprint interoperability issues extend beyond the level of template matching.

"I think a lot of work needs to be done on standards, especially Web services standards," said Mike Daconta, vice president of enterprise data management at Oberon Associates, a Washington-area consultancy that has worked on a Biometrics Automated Toolkit that the Army and Marine Corps use for various screening operations. Daconta criticized the standards for allowing vendors too much leeway in implementation. "The standards need to try to not be so flexible that they're hard to implement," he said.

Daconta, who led development of the national Data Reference Model, pointed to a need for a higher-level standard for how federal agencies share fingerprint data and maintain biometric watch lists that can correctly identify security threats. He said the U.S. Visit program is doing promising work with industry standard development tools to create biometric Web services.

"It's the one the law enforcement community is migrating to," Daconta said.

Still, the basic fingerprint standards are in place and the necessary technology easily available for agencies to implement PIV cards today. Yet despite deadlines that have already passed and two October deadlines looming, agencies are still in tire-kicking and planning mode. "There are a lot of pilots out there," Hurtt said.

David Essex is a freelance technology writer based in Antrim, N.H.
