Smart ID to offer options for iris scanning, on-card fingerprint matching
- By William Jackson
- Jul 17, 2013
Updated specifications for the government’s interoperable smart ID card now include an option for using iris scans in addition to fingerprints for authentication, along with on-card matching of fingerprints.
The changes are included in the latest release of Biometric Specifications for Personal Identity Verification, Special Publication 800-76-2, by the National Institute of Standards and Technology.
They reflect changes in biometric interchange technology since the original publication of the document in 2005. The goal of the specifications is high performance and interoperability in the cards, which are intended to be used across agency lines.
“The introduction of iris and face specifications into the current edition adds alternative modalities for biometric authentication and extends coverage to persons for whom fingerprinting is problematic,” the authors write in the publication. “The addition of on-card comparison offers an alternative to PIN-mediated card activation as well as an additional authentication method.”
The new document is part of ongoing standards development for interoperable government identity credentials that are used for physical and logical access. The PIV card was mandated in Homeland Security Presidential Directive 12 and contains a PIN and digital certificate, as well as biometric data for authentication. PIV standards are laid out in the Federal Information Processing Standard 201. SP 800-76 describes technical acquisition and formatting specifications for the PIV system and card, and it establishes minimum accuracy specifications for biometric authentication.
Fingerprint data and the ability to match fingerprints on a device separate from the card are still mandatory for PIV cards issued by all agencies. But an algorithm that enables fingerprint comparison to be done on the card itself can now be added to the card. Compact templates for prints from one or two fingers are stored on the card, along with the recognition algorithm. This on-card matching can be used as an alternative to entering a PIN when using the card, as well as an alternative method of authenticating identity. It provides stronger authentication than the PIN alone and protects privacy by keeping biometric data on the card itself rather than sending it to a second system.
Iris recognition is primarily an alternative to fingerprint authentication when fingerprints are not practical. The specifications call for a standardized iris image template of no more than 3 kilobits. The specification takes advantage of NIST research on biometrics to enable reliable recognition with a small compressed image. The compression and recognition standards are included in the ISO/IEC 19794-6 iris standard published in late 2011.
The use of international standards for fingerprint and iris recognition helps ensure interoperability across vendors of cameras and readers. The specifications are suitable for one-to-one authentication within the PIV environment, but the authors warn that using the templates with other applications could degrade the accuracy of the comparison. They would not be suitable for one-to-many matching, that is, matching a PIV print or iris scan template against a biometric database for identification.
NIST is working with the Homeland Security Department to develop a certification program for iris cameras that can be used for enrolling and matching images. NIST research on changes to the iris over time shows no significant deterioration in the ability to recognize and match images over the course of a decade. This meets PIV reenrollment requirements that biometric data be viable for at least 12 years.
A PIN is needed to release biometric templates for off-card authentication with fingerprints and for iris matching, so this biometric matching constitutes multifactor authentication. Because no PIN is required to release the compact fingerprint template for on-card fingerprint comparison, that method is an alternative to use of a PIN and is not considered multifactor authentication.