NIST identifies good and bad points of biometrics
Craig Watson of NIST's IT Lab examines one of millions of fingerprints used to evaluate accuracy of biometric identifiers.
The National Institute of Standards and Technology is busy wrapping up an evaluation of biometric technology for Congress, as mandated by the USA Patriot Act of 2001.
The act calls for biometric identifiers on noncitizens' travel documents by October 2004, and 'it's going to happen whether you like it or not,' said Charlie Wilson, manager of the Imaging Group in the NIST IT Lab's Information Access Division.
NIST came to four preliminary conclusions:
- Iris scans rely on proprietary technology that makes evaluation of their accuracy difficult.
- Fingerprints work pretty well, but accuracy needs to be better for widescale use.
- Facial recognition technologies aren't mature yet.
- No biometric technology works well enough to be relied on by itself.
Although courts have accepted fingerprints as positive identification for more than a century, automating the use of unique physical identifiers remains problematic.
Biometric identifiers 'always look stronger and easier in theory than they are in practice,' author and security consultant Richard Smith said. 'Effective enrollment is difficult, and physical spoofing is a lot easier than we would like.'
Smith, who has worked on a number of federal IT security projects, described the challenges of biometric identification at the Black Hat Briefings in Las Vegas last month.
'As a practical matter, simply using biometrics by itself doesn't work,' he said, because all biometric systems make errors. If sensitivity is reduced to make a system user-friendly, the number of false acceptances rises, hindering security.
Likewise, increasing sensitivity to heighten security results in high numbers of false rejections and inconvenience for users.
Multiple readings are necessary to create an accurate enough biometric pattern to confirm identity. That makes enrollment time-consuming and expensive for large numbers of people, Smith said.
Keep tabs on cards
If biometric identifiers are stored on a token such as a smart card, they must be managed so that issuance, validity and revocation can be tracked.
If authentication happens over a network, data potentially could be intercepted and replayed to gain illicit admission. And, unlike a password, a fingerprint cannot be changed if compromised.
It's even possible to fool some fingerprint readers with fake fingers or prints lifted on tape.
Wilson, however, called such spoofing nonsense. It might work in a lab environment, he said, but in real-world use, say, at immigration checkpoints, spoofing would be impractical if not impossible.
'The market for the next two or three years is going to be homeland defense,' he said. 'Anybody who can't get into homeland defense is going to go out of business.'
International biometric standards for travel documents call for using iris scans, fingerprints or facial recognition. Wilson said Iridian Technologies Inc. of Moorestown, N.J., owns all the patents for iris scanning, and there are no large data samples to work with. 'Right now, we don't even know what data they take in,' he said.
To prepare the report for Congress, due in November, NIST cooperated with 13 other U.S. agencies, the Canadian Passport Office and the U.K. Biometric Working Group to conduct Face Recognition Vendor Test 2002.
The team tested products from 14 companies. Fingerprint testing was the most comprehensive because of the large samples available.
'I have two, and probably will have three, million-fingerprint databases,' Wilson said.
The ability to quickly pick out a single print from among millions is crucial if prints are to work satisfactorily for entry and exit documents at border stations. There are about 500 million documented border crossings in the United States each year, Wilson said, with about 8 million new people crossing.
Many, many fingers
'That's a very large number compared to any law enforcement database,' he said. It took decades to accumulate the 40 million prints in the FBI's Automated Fingerprint Identification System.
Facial recognition systems now have about an 80 percent chance of properly recognizing a subject and a 1 percent chance of a false positive, Wilson said. Fingerprints have a 95 percent chance of recognition with 1 percent false positives.
The false positives create a security vulnerability, but lowering that figure is difficult.
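The sensitivity trade-off Smith describes (lower the threshold and false acceptances rise; raise it and false rejections rise) and the way a small false-positive rate compounds when one print is searched against millions, as an added illustration that is not part of the article or of NIST's evaluation. The match scores are constructed, not real data; the gallery calculation assumes independent comparisons, which is a simplification.

```python
# Constructed match scores (0 = no similarity, 1 = identical); not NIST or vendor data.
# GENUINE: a subject compared against their own enrolled template.
# IMPOSTOR: a subject compared against someone else's template.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.65, 0.89, 0.78, 0.93]
IMPOSTOR = [0.12, 0.35, 0.41, 0.08, 0.67, 0.22, 0.74, 0.30, 0.19, 0.55]


def rates_at_threshold(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a match is declared for score >= threshold.

    FAR: fraction of impostor comparisons wrongly accepted (security failure).
    FRR: fraction of genuine comparisons wrongly rejected (usability failure).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """Tabulate the FAR/FRR trade-off across candidate thresholds."""
    return [(t, *rates_at_threshold(t, genuine, impostor)) for t in thresholds]


def gallery_false_match_prob(per_comparison_far, gallery_size):
    """Probability that a 1:N search against gallery_size templates returns
    at least one false match. Assumes independent comparisons (a simplifying
    assumption; deployed systems rank candidates and add human review)."""
    return 1.0 - (1.0 - per_comparison_far) ** gallery_size


if __name__ == "__main__":
    # Moving the threshold trades FAR against FRR; no setting zeroes both.
    for t, far, frr in sweep([0.5, 0.6, 0.7, 0.8, 0.9]):
        print(f"threshold={t:.1f}  FAR={far:.2f}  FRR={frr:.2f}")
    # The article's 1 percent false-positive rate applied to a gallery the
    # size of the FBI's 40 million prints: a false match is near certain.
    print(f"P(false match, 1:N over 40M) = "
          f"{gallery_false_match_prob(0.01, 40_000_000):.6f}")
```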
Whatever the approach, the agencies involved will not discuss their accuracy rates.
'The rule on homeland security is, data on operational systems is not to be made public,' Wilson said.