Agencies don't buy biometrics yet

Agencies don't buy biometrics yet

SecuGen's fingerprint device checks identities at O'Hare International Airport.

Rival standards and reliability concerns lead many buyers to take a wait-and-see attitude

Although biometric products are hot in the marketplace, agencies are waiting for them to mature, said Judith Spencer, who chairs the General Services Administration's Public-key Infrastructure Steering Committee.

Spencer said she expects to see biometric products used for more than access to facilities. If an identifier such as a fingerprint can activate a private key, there is no need for anyone to manage the biometric information: 'I am only sharing my biometric with myself,' Spencer said. 'It's a perfect marriage with PKI.'

A few pioneers

But so far, she said, biometric products seem unreliable, incompatible and lacking standards. Indeed, in a recent GCN Reader Survey (see Page 23), 84 percent of respondents said their agencies don't use biometric technologies, and only 17 percent of them said their agencies planned to add biometrics in the next two years.

But some agencies are forging ahead. Late last month, the administration asked Congress to give the FBI $5.8 million to install biometric identification systems at 30 points of entry into the United States, to be linked to the FBI's Integrated Automated Fingerprint Identification System.

States have been showing interest, too.

Early last week, the Michigan Lottery began a pilot using 20 fingerprint devices for employee access to networks, and the Michigan state police are watching the results, said Steven Lennox, director of technical services at SecuGen Corp. of Milpitas, Calif. He said Pennsylvania's Treasury Department is considering fingerprint devices to secure PC applications.

Last year the Biometric Consortium, led by the National Institute of Standards and Technology, approved two open standards for biometric products [GCN, Jan. 7, Page 1]. The American National Standards Institute last month adopted one of them, the BioAPI.

An ANSI affiliate, the International Committee for IT Standards, is promoting the BioAPI standard abroad.

GSA and the Defense Department are among the few federal agencies considering large-scale deployment of biometric technologies that adhere to BioAPI, according to the consortium.

GSA's universal smart card will incorporate a two-dimensional bar code called 2D Superscript, from Datastrip Inc. of Exton, Pa. The company's DS Verify 2D offline reader can check identities via fingerprint templates without connecting to a central database.

Catherine Tilton, who chairs the industry's BioAPI Consortium in Washington, said many developers are not following either of the two existing standards.

Microsoft Corp. initially was a founder of the Biometric Consortium but pulled out because of rivalry between BioAPI and the Biometric Application Programming Interface (BAPI) developed by I/O Software Inc., of Riverside, Calif. Tilton said Microsoft is now augmenting BAPI to integrate with its Windows operating systems.

'Until they put it into a beta release, nobody knows what it's going to look like,' she said.

Biometric devices following BioAPI will work with any Microsoft Windows OS except Windows CE. Future devices built to the BioAPI standard will have software versions for Unix, Linux, Mac OS and Java systems. Devices using Microsoft's API will work only with Windows systems, Tilton said.

'Invariably, Microsoft will do what they always do,' she said.

Because both BioAPI and BAPI are evolving, 'Microsoft felt BAPI was more appropriate for what they want to do,' a company executive said. 'It would be feasible to create some mapping between BioAPI and BAPI.'

Yet another standard, the Common Biometric Exchange File Format approved by the Biometric Consortium last December, lets agencies transfer files among themselves. The Microsoft API will not be CBEFF-compliant, either.

Fourteen companies are developing devices and biometric software using the BAPI standard, eight are following the BioAPI standard and 12 to 15 others are moving in the direction of BioAPI, Tilton said.

'The good news is, we know that,' she said. The consortium is urging vendors to develop for both standards.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.