Biometrics points to greater security

Biometrics, an automated method of recognizing a person based on physical or behavioral attributes, has long been used by the government's super-secret agencies for access-control applications and by law enforcement for large-scale fingerprint applications.

Now, as the cost of the technology has decreased and biometrics increasingly is integrated into keyboards and mice, federal agencies are expanding the technology's use into applications such as battling entitlement fraud.

As biometrics finds its way into more applications, agencies have begun to embrace a wider range of technologies, including iris and retina scanning, facial and voice recognition, and hand geometry.

"We are out of the proof-of-concept stage," said Paul Collier, director of civilian and government operations at San Bruno, Calif.-based Identicator Technology, a division of Identix Inc. "We are halfway through the pilot stage. It's just a matter of funds for the deployment stage in the federal government."

Still, experts warn that users should not blindly jump into biometrics, citing security and interoperability concerns.

Making Its Mark

Much of the new activity involving biometrics technology in the federal government has been limited to pilot tests. For example, the Army's Fort Sill in Lawton, Okla., has tested Identicator's technology in conjunction with smart cards to allow tens of thousands of recruits to securely purchase personal items from more than 40 locations on the base.

The FBI has begun using the technology to replace handwritten signatures to secure the "chain of custody" for criminal records.

The Defense Department has begun capturing finger images of all active, reserve and retired military personnel during the routine issuance of military identification cards. DOD stores the images in a database, which can be accessed if there are questions about a person's identity and her right to receive retirement benefits.

"It does provide a positive verification that the person is who she is supposed to be," said Ken Scheflen, director of DOD's Defense Manpower Data Center.

The Department of Veterans Affairs also is planning to use fingerprint biometrics to combat entitlement fraud, said Jim Gaughran, the VA's program director for benefits fraud. The VA plans to use fingerprint biometrics to verify the identities of employees who are sending invoices to the VA's main payment center, he said.

"We've got to look at it for how we're going to do business in the 21st century, which will be on the computer," Gaughran said. "I think we're going to eliminate a lot of fraud, waste and abuse."

PC vendors have picked up on the trend and now offer Identicator fingerprint scanners and client software to their customers. Compaq Computer Corp. offers the fingerprint technology compatible with its Deskpro, Armada and Professional Workstation products, and Unisys Corp. offers scanners built into keyboards as part of its Single Point Security solution.

"The question has not been recently whether [finger imaging biometrics] works; that was put to bed," Collier said. "The question is, how much does it cost?"

The answer is that biometrics technology costs dramatically less than it did just two years ago. While Identicator's finger imaging software plus the scanner now costs $99, two years ago it would have cost about $500. And five years ago it would have cost about $3,000.

While some companies integrate biometrics security into mainstream products such as keyboards, others combine multiple biometrics technologies. SAFLINK Corp., Tampa, Fla., recently debuted client/server software that supports fingerprint imaging, facial recognition and voice recognition, said Walter Hamilton, SAFLINK's director of business development.

"The enterprise manager has the freedom of choice to mix and match the biometrics of preference," Hamilton said. "They are centrally managed functions that make it easy to add and manage biometrics features for users as part of their normal administrative functions."

The Army, the Air Force and the Social Security Administration are among the federal agencies testing the product, Hamilton said.

Peter Higgins, principal consultant at Washington, D.C.-based Higgins & Associates International, noted that many agencies focus on fingerprint imaging when considering biometrics because such imaging has been in use longer than other methods and because it boasts the most deployed applications.

"If you don't have very many people, then hand geometry and facial recognition are going to work very well," Higgins said. "[However], they don't have a track record for 10 million people, whereas fingerprint systems do."

Fingerprint biometrics also holds an advantage over other methods because its roots involve people classifying fingerprints manually, he said. Therefore, fingerprint imaging is easier to verify in court, for example, because an expert could concur with the match of fingerprint biometrics software.

However, facial and eye scanning are advantageous because these methods do not require a person to touch a piece of equipment, and therefore are perceived as less intrusive. And they do not require the cooperation of the person whose face or eyes are scanned.

Beyond Fingerprints

Agencies are testing or researching the use of Wellesley, Mass.-based Miros Inc.'s facial recognition products for applications such as time and attendance verification, physical access control, network security and criminal identification, said company president Keith Angell.

The departments of Transportation, Interior and Defense either have begun testing or have proposed the use of Miros' TrueFace product for access control to buildings, Angell said. The Energy Department's Sandia National Laboratories is testing the product for employee time and attendance applications. The Immigration and Naturalization Service has tested the product at a port of entry south of San Diego.

Miros' software is based on neural networking technology, and it learns from experience what faces are matches. The core technology can find a face in any background, Angell said, including a person walking in a crowd. The software creates a template of a face and compares that live image against whatever database the application requires, such as one containing photos of known felons.

"Bad guys don't just walk up and give their fingerprints," Angell said. "They're not going to stand still long enough or close enough to do an eye scan. Not only can we compare you against your passport picture, but we can compare you against a database of terrorists moving around the world."

Agencies also are examining the use of biometrics involving the scanning of a person's retina or iris. Kelly Gates, marketing director of Marlton, N.J.-based IriScan Inc., said the company will be launching in the next few weeks some federal demonstration projects for secure access to particular rooms containing sensitive systems.

IriScan's product works by taking an image of a pattern in a person's iris, encoding the image and storing it. While there is no physical contact between the person and the camera recording the image, a person must look in the direction of the camera for a couple of seconds and stand three to 36 inches from the camera.

The product has a higher accuracy rate than DNA analysis, Gates said, with a one in 1.2 million chance that an unauthorized person will be allowed access or that an authorized person will be denied access.

Security and Interoperability

While biometrics may seem like a "security silver bullet" because it is based on physical attributes that are much more difficult to bypass in a security system than passwords and personal identification numbers, the technology does have drawbacks.

Richard Guida, champion for security issues at the Government Information Technology Services Board, said he would be very cautious about advising the use of biometrics technology until studies have been published detailing the technology's ability to withstand attacks from hackers or other unauthorized users.

"In a nonsmart card environment, [the biometric image] is stored somewhere on your hard disk," Guida said. "That means it can be attacked in some fashion."

In addition, the technology has been hampered by interoperability problems because most products are based on proprietary standards. Jackie Fenn, vice president and research director of advanced technologies at Gartner Group, said she has seen mostly "tentative adoption" because of interoperability concerns. She said the technology has been used mainly in pilot programs using only 10 to 20 scanners.

"The technology is changing pretty fast," Fenn said. "If you roll out a thousand units of anybody's fingerprint scanner, that's going to be obsolete in a year or two."

While biometrics has been plagued by interoperability problems in the past, two recent developments bode well for the interoperability of various biometrics devices and software.

First, Biometric Identification Inc., Sherman Oaks, Calif., announced in May a new algorithm that would allow various biometrics devices to work together and would adjust fingerprint systems to allow for real-world conditions, such as swollen, aged, scarred or cut fingers. The algorithm stemmed from an application that the company developed for DOD to secure handguns.

Julia Webb, director of marketing at Biometric Identification, said more than 100 biometrics companies have committed to integrating the interoperability component into their products. Integrators are interested because they do not want to be tied to one product, and users are interested because they want to be able to use biometrics devices from a variety of manufacturers, she said.

In addition, an industry consortium called BioAPI plans to release during the last quarter of this calendar year standard application programming interfaces that can be incorporated into operating systems and applications hardware and that are geared toward providing interoperability.

While industry works out the interoperability kinks, biometrics technology may be boosted because of its compatibility with another security mechanism: public-key technology. Identicator's Collier said combining biometrics with smart cards and public-key technology will jump-start the use of biometrics in the federal government arena.

In a traditional public-key scenario, passwords and personal identification numbers are used to unlock the private key used to digitally sign documents. However, a smart card containing a biometric identifier such as a fingerprint could provide much stronger user authentication, Collier said.

-- Harreld is a free-lance writer based in Cary, N.C.

*****

AT A GLANCE

* Status: The use of biometrics has grown since the days when agencies used fingerprint scanning strictly for access control and law enforcement. Now agencies are experimenting with new types of biometrics, such as facial recognition and retina scanning, and are expanding the technology into applications such as fighting entitlement fraud.

* Issues: While the use of biometrics is growing, some observers question whether the technology is truly safe from hackers and other unauthorized parties. In addition, the industry has only begun to address interoperability problems that affect biometrics systems from different vendors.

* Outlook: Good. The industry has shown a willingness to address the interoperability issues through a common algorithm and a standard application programming interface. The future of biometrics also may receive a boost from its burgeoning use in conjunction with public-key technology.