New spec lets any mobile device swap biometrics

The National Institute of Standards and Technology has released new specifications that could enable any mobile device connected to the Internet to exchange biometric data.

The specs, which use a Web services architecture, are "device- and operating system-agnostic,” said Kevin Mangold, a computer scientist at NIST and one of the authors of the Web Services-Biometric Devices protocol. “Any device that is Internet capable is able to use WS-BD.”

Related coverage:

Next PIV card could include iris recognition


The specifications were released in Special Publication 500-288 and are the product of the Biometric Web Services project, sponsored by NIST, the FBI and the Homeland Security Department, to make biometric technology interoperable and easier to use.

Biometrics unique physical features or traits are increasingly being used for automated identity authentication. Fingerprints, iris scans and facial recognition are among the most commonly used traits. Usually, a sensor linked to the system requiring authentication captures biometric data from the subject and compares it with templates stored elsewhere. The template can be stored within the system or on a token held by the subject, such as the government’s Personal Identity Verification and Common Access Cards.

But the technology is largely proprietary, so that components of different systems cannot be used with each other and require the use of middleware to link sensors gathering the data to other devices for transmission, comparison and matching. This limits the convenience of the systems, increases costs and inhibits improvement because systems cannot be easily upgraded or best-of-breed tools integrated.

“It’s a tough market to move forward,” Mangold said. “Before industry will move to a new protocol, it has to be required” by customers, such as the FBI or DHS’s Transportation Security Administration. “But before the protocol can be required, it has to exist. It’s a Catch-22.”

The Biometric Web Services project is an effort to break the impasse by developing the needed protocols. WS-BD addresses the sensor and client side of the equation and is one of two major programs the project is working on. The Biometric Identity Assurance Services implementation addresses communications with the authentication server on the other side. NIST also has released a reference implementation of the OASIS BIAS specification.

Development of specifications for interoperable biometrics goes back about 10 years, Mangold said. With the emergence of Web Services, which support interoperable machine-to-machine interaction over an IP network, earlier efforts were moved to a new architecture using HTTP and HTTPS, Simple Object Access Protocol, and Extensible Markup Language.

The specifications, if implemented by vendors, could allow system designers to mix and match modular components, making design easier and allowing the easy replacement of unsupported equipment and updating with improved products. The current lack of interoperability is “a big hurdle the systems integrators have to go through,” Mangold said. “This adds flexibility in the designers’ choices.”

NIST is soliciting a small business to develop a handheld device implementing WS-BD. That project is expected to take about two years, Mangold said.

“One of the team’s concerns was usability,” he said. “We put a lot of work into making the specifications easy to implement.”

The development team is considering the adoption of WS-BD as an industry standard through the Organization for the Advancement of Structured Information Standards (OASIS), an open standards development body, but that process has not started. In the near term, the Biometric Web Services team expects to publish a reference implementation for the specifications, and the specs themselves will be updated with conformance testing and security guidelines in future releases.

The team also is soliciting feedback on the current specifications. Comments, questions and suggestions can be sent to 500-288comments@nist.gov.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above