Federal ID cards: Iris imaging in, fingerprint swiping out
Updated technical specs for biometric data on federal ID cards include new options for using iris imaging in lieu of fingerprints and dropping swipe sensors as a means of gathering fingerprints for federal employees.
The National Institute of Standards and Technology has released for comment a second draft of Special Publication 800-76-2, Biometric Specifications for Personal Identity Verification
. The document supports the revised Federal Information Processing Standard 201-2, also now in draft form, and when finalized will replace the current 2007 version of the specs.
Related coverage:PIV card specs to account for mobile, other new factors
SP 800-76 spells out the technical requirements for biometric data that is used for authentication on PIV cards used by federal workers and contactors. The interoperable electronic IDs were mandated by Homeland Security Presidential Directive 12 and are supposed to be used both for physical and logical access.
The specifications describe technical acquisition and formatting requirements for the PIV system and establish minimum accuracy requirements for biometric authentication. Fingerprint templates remain the primary means of PIV biometric authentication, but options are being expanded.
“The addition of iris and face specifications . . . adds an alternative modality for biometric authentication and extends coverage to persons for whom fingerprinting is problematic,” the draft says. FIPS 201 allows the use of iris recognition although it is not required, and technical specification had not before been developed. “The recommendation to agencies to install and operate iris equipment in its PIV issuance processes allows agencies to additionally populate PIV cards with iris as an alternative authentication factor.”
Use of iris images is optional and not required. The latest draft of SP 800-76 modifies some specifications for the camera used to gather iris images and removes specs for image capture and recognition interfaces until technical standards are developed.
Another significant change in the current draft is the elimination of swipe sensors for gathering fingerprints for PIV authentication.
The previous draft, released in 2011, included a provisional specification for the use of swipe fingerprint sensors with on-card comparison of fingerprints. Swipe sensors gather data about a print as the finger is moved over a small sensor, rather than recording optical data from a stationary finger on a larger “flat” sensor.
Swipe sensors are smaller and inexpensive, making them a good option for large-scale deployments on consumer devices, but they don’t work well under all conditions and do not gather as much information. Optical flat scanners are more robust and less sensitive to environmental conditions, but algorithms for the two methods are not always interoperable.
“Swipe is attractive on grounds of cost and possibly on grounds of spoof resistance,” the 2011 draft said. But, “NIST has little empirical data on which to safely include swipe matching into PIV,” and “all swipe-related specifications may be withdrawn in the next version of this draft.”
Swipe specs were dropped because of differences with existing PIV deployments. Currently, interoperation between the two technologies reduces accuracy of the matches, making them incompatible. NIST expects that these problems eventually will be mitigated, making it possible to include new specifications in the future.
Comments on the second draft of SP 800-76-2 should be sent by noon, Aug. 15, to firstname.lastname@example.org
, using the comments template