Widgets for digits
Interoperability and policy issues still hamper HSPD-12 deployments of fingerprint technology
- By David Essex
- Mar 18, 2007
NIST's Patrick Grother
Electronic fingerprint verification is emerging as the biometric technology of choice for federal identification badges. And as deadlines loom for agencies to deploy interoperable smart cards that must communicate with back-end computer systems'as mandated by Homeland Security Presidential Directive 12'technology and standards surrounding electronic fingerprint verification have taken center stage.
Fingerprints are a good fit for HSPD-12. Fingerprinting has a proven track record with its use by law enforcement, and the technology can easily be deployed and managed on personal-identity verification cards, advocates say.
Yet some experts are skeptical of fingerprints as the most reliable biometric, noting that prints are susceptible to damage. They advocate a multiple-biometric approach that includes technology such as facial recognition to assure a person's identity. Others point out that fingerprint technologies have a way to go in meeting federal standards for interoperability, and that the HSPD-12 policies themselves still must be clarified.
'There is a significant amount of interest in the agencies wanting to do this [HSPD-12],' said Bill Willis, executive vice president of ImageWare Systems Inc. of San Diego, a maker of multibiometric identity management platforms. 'They're a little hamstrung because it is a nonfunded mandate, but we're seeing an uptick in contracts. In 2007, you will see adoption, and you will see it at a significant level.'
Until late 2005, a debate raged within the federal government over whether PIV cards' fingerprint biometric should be based on a complete image of the prints, or instead on mathematical representations called minutia. The decision was in favor of minutia, and the National Institute of Standards and Technology soon issued guidance in Special Publication 800-76-1, updated this past January and titled Biometric Data Specification for Personal Identity Verification.
800-76-1 incorporates, by reference, a sort of hierarchy of current fingerprint and biometric standards. Just below HSPD-12 is Federal Information Processing Standard 201, which defines how the identity of applicants is verified, how PIV cards are issued and used, and means of encrypting biometric data on the cards.
The NIST document itself is dedicated to interoperability of two types of biometrics: facial and fingerprint. The agency is devoting most of its attention to the latter and relies on an existing standard for fingerprint minutia templates developed by the American National Standards Institute, called ANSI 378.
NIST's 800-76-1 also specifies in great detail separate requirements for the types of images of all 10 fingers that are acceptable. The goal is not just to create the minutiae but also offer guidance for storing the full images at agencies or sending them out for background checks. Once the person is granted clearance, a smaller, one- or two-finger minutia file gets written to the card's memory chip. The NIST standard doesn't require more than one finger.
Some Experts are skeptical of fingerprints as the most reliable biometric, noting that prints are susceptible to damage.
The advantages in file size and processing efficiency between PIV cards and readers are striking. Full images typically take 7 kilobytes of storage space, while minutia templates can fit in fewer than 40 bytes, said Patrick Grother, a NIST computer scientist who co-authored 800-76-1. 'The storage on the card wasn't the limiting factor,' Grother said. 'It was moving the data across the interface.'
The interoperability issue focuses on establishing links between fingerprint-scanning systems and associated software called template generators, and template matchers that judge the similarities between templates claimed to be for the same person. To test the interoperability of vendors' template-generating and -matching software, NIST developed the Minutiae Interoperability Exchange Test. 'MINEX is like a big benchmark,' Grother said, 'a test of how good the 378 template is, how interoperable it is and how it performs against image-based interoperability.'
In March 2006 MINEX tests of products from 14 vendors using fingerprint images from a quarter-million people, Grother reported, vendors' proprietary, single-finger templates were at least twice as accurate as one of two types of INCITS 378 templates. He also found, however, that the standard templates had comparable reliability when two fingerprints were taken from each person. The tests also showed an effect typical of most standards: an inverse relationship between the number of products that interoperate and the minimum threshold for accuracy. Lower the accuracy requirements, and more products will read each other's templates.
While Grother called INCITS 378 interoperability between template generators and matchers 'pretty good' in a recent interview, he admitted that it allows some leeway. 'A system will find the minutia, put the two together, and each vendor will do it in a slightly different way. That leads to template generation that is a little idiosyncratic.' He said NIST is considering improvements to the standard, including creating a single set of reference data that vendors can benchmark against. A standardized algorithm for minutia generation would also help, but Grother said that would require substantial research and development. 'It's not a trivial task. Companies know how to do this, but all that technology is proprietary.'
One solution might be for a vendor to release its software code to the open-source development community. NIST itself has such an open-source minutia algorithm, but it was written before the 800-76-1 standard, Grother said.
FIPS-201 prescribes safeguards throughout the entire process for issuing a PIV card, from capturing fingerprints at enrollment stations, to background checks, to security procedures at the companies that make the cards and to validating that the minutia on the card constitute an accurate representation of the person's fingerprint. Some observers say the system is less than airtight. 'OK, this fingerprint is captured in the enrollment process,' said Tom Greco, vice president of enabling infrastructure at Cybertrust, a Herndon, Va.-based digital-certificates service provider listed on General Services Administration Schedule 70 for PIV cards. 'Where does it go, and who holds it? Is there someone maintaining a long-term database?'
The Office of Management and Budget requires all federal employees and contractors being issued cards to have background checks by Oct. 27 of this year, although those with at least 15 years' service have another year to comply. But this part of the FIPS-201 process may have a loophole, since it treats people already enrolled in the system differently by allowing their previous background checks to be used, Greco said. 'How are you assured that the person who enrolled in the process is really the person whose fingerprint is on the card?' he asked. 'The way to do that is to do it all in one process rather than try to leverage historic information.'
Further cracks could be opened by an upcoming second generation of cards that will store more of the individual's authentication information needed for verification (called 'match on card'). 'One of the issues is: The smart card is everything,' said Ivan Hurtt, Novell's director of federal solutions product management, which partners with ImageWare and Honeywell on what it claims is an end-to-end PIV system meeting FIPS-201 requirements. 'If your fingerprint has been taken off your card and captured on another machine, another person with the same kind of clearance level is able to spoof that.'
Another mild skeptic about the PIV program's reliance on fingerprints is Tony Cieri, a former 37-year Department of Defense employee who ran the Navy's smart-card program, now a consultant on a PIV project for first responders connected with the National Capitol Region Coordination Office. 'How would we know how far along we are if we've never run not tests, but actual exercises,' Cieri said. 'If someone tells you that's been done, they're lying.' Cieri said that by also allowing passwords, FIPS-201 actually enables three-factor authentication, and that multiple biometrics'including the securely hashed, digitized photo on many cards'are needed to ensure interoperability across jurisdictions. 'The answer, to me, is not to depend on any one thing,' he said, adding that this is true, in part, because some people can't have a good fingerprint taken from them.Fingerprints as Web services
In truth, fingerprint interoperability issues extend beyond the level of template matching.
'I think a lot of work needs to be done on standards, especially Web services standards,' said Mike Daconta, vice president of enterprise data management at Oberon Associates, a Washington-area consultancy that has worked on a Biometrics Automated Toolkit that the Army and Marine Corps use for various screening operations. Daconta criticized the standards for allowing vendors too much leeway in implementation. 'The standards need to try to not be so flexible that they're hard to implement,' he said.
Daconta, who led development of the national Data Reference Model, pointed to a need for a higher-level standard for how federal agencies share fingerprint data and maintain biometric watch lists that can correctly identify security threats. He said the U.S. Visit program is doing promising work with industry standard development tools to create biometric Web services.
'It's the one the law enforcement community is migrating to,' Daconta said.
Still, the basic fingerprint standards are in place and the necessary technology easily available for agencies to implement PIV cards today. Yet despite deadlines that have already passed and two October deadlines looming, agencies are still in tire-kicking and planning mode. 'There are a lot of pilots out there,' Hurtt said.David Essex is a freelance technology writer based in Antrim, N.H.