Sensing the future of security

Once exotic, biometric technology may be heading for a desktop near you

Until recently, widespread use of biometric technology was more likely to occur in spy flicks than in everyday government operations.

Biometric systems, which measure physical or behavioral characteristics to verify a person's identity, have seen sporadic use in the federal sector. The technology has been most prominently used to track criminals and secure access to sensitive military facilities and government labs.

But today, biometric technologies are on the cusp of becoming a mass-market phenomenon. The nation's interest in biometrics has surged since the Sept. 11, 2001, terrorist attacks prompted greater security concerns. And the technology is poised to play a role in border security and other homeland defense initiatives.

In the federal workplace, biometric identifiers will augment or replace passwords and personal identification numbers as ways to obtain access to facilities or computer networks. Such technologies are even being tested as a way to facilitate e-government applications.

The market's potential has encouraged new vendor entrants, boosting competition and broadening the range of available technology. In addition to the well-established fields of fingerprint and hand-geometry biometrics, vendor offerings now cover facial recognition, iris recognition and voice authentication. A number of experimental methods may further broaden the available options (see "Scents and sensibility").

Overall, those options are getting cheaper and smaller (see sidebar). Silicon-based sensors will enable biometrics to be deployed on wireless phones and personal digital assistants. The technology that was once exotic may well become ubiquitous.

"Prior to [Sept. 11], private enterprise was the main target of biometrics," said Prianka Chopra, an industry analyst with Frost & Sullivan. "After [Sept. 11], it's the government." Chopra said the government has both the resources and the incentive to emerge as the largest vertical market for biometric solutions.

Where the Action Is

The fingerprint is the oldest and most widely used biometric identifier. Fingerprint-based biometric products accounted for around 80 percent of the market in 2002, according to the International Biometric Group LLC, a biometric consulting and technology services firm.

This branch of biometric technology relies on sensors that take a digital imprint when a person places a finger or fingers on a scanner. The electronic image is scoured for unique features, which are extracted and stored as a mathematical template. A matching algorithm is used to compare the template with subsequent fingerprint scans.

Fingerprint-based biometric solutions come in two forms. Automated fingerprint identification systems (AFIS) are used in law enforcement agencies. Such systems search an arrested person's fingerprint or a latent print collected at a crime scene against a fingerprint database. In the case of the FBI's Integrated Automated Fingerprint Identification System (IAFIS), the repository contains 43 million sets of fingerprints.

AFIS vendors include Printrak, NEC Solutions America Inc. and Sagem Morpho Inc. Printrak, a Motorola Inc. company, pioneered the market, delivering a commercial AFIS to the FBI in 1975. NEC's AFIS is used in the Western Identification Network Inc., which involves several states and a database of more than 17 million fingerprint records. Sagem Morpho's software has been deployed in the FBI's IAFIS system.

From such large-scale, forensic systems evolved a second category of fingerprint biometrics: finger-scan. This technology is used to authenticate a person's identity and may be used to control access to facilities, computer networks or individual computing devices. With finger-scan products, a user's finger is scanned, a template created and subsequent finger scans matched against the original template. Vendors refer to this scenario as one-to-one matching, as opposed to the one-to-many matching required of a high-end AFIS.

Vendors in this space include Bioscrypt Inc., Cross Match Technologies Inc., DigitalPersona Inc. and Identix Inc.

The Defense Manpower Data Center uses finger-scan as part of the issuing procedure for the Common Access Card (CAC), which is becoming the standard ID badge for all active-duty personnel.

A cardholder's fingerprint is scanned, which helps protect the card and the public-key infrastructure certificate it contains. The scan serves to authenticate the cardholder when he or she is reissued a card or seeks to set a new PIN. The Pentagon is evaluating the actual storage of biometric templates on the cards.

Fingerprint scanning "seems to be the most mature and most stable of [biometric] products," said Bill Boggess, technical integration manager at the Defense Manpower Data Center.

Indeed, the maturity of fingerprint technology is among its strengths. On the AFIS side, fingerprint systems have demonstrated their ability to conduct one-to-many matches in enormous databases, according to industry analysts. Fingerprints, in general, are widely accepted as a means of identification.

The standards built around fingerprint technology also are well established, compared with other biometrics. The American National Standards Institute/National Institute of Standards and Technology (NIST) standard for fingerprint images, which debuted in 1993, describes 16 record types.

"There are so many standards that fingerprints comply to," said Art Sands, chief operating officer at AC Technology Inc., which integrates biometric solutions for environments based on Sun Microsystems Inc.'s Solaris. Today, standards govern how fingerprints are scanned, compressed and exchanged among systems.

Another fingerprint plus is accuracy. In biometric systems, performance measures include the false acceptance rate (the number of times a system identifies the wrong person) and the false rejection rate (the number of times a system fails to authenticate the right person).

High-end AFIS are considered the most accurate. Such systems scan all 10 fingers and take flat and rolled impressions. As a result, "the failure-to-match rate is very close to zero as is the false match rate," according to "Biometrics: Identity Assurance in the Information Age," a book whose authors include Peter Higgins, a former FBI official and a key player in IAFIS.

Accuracy, however, depends on the matching algorithm a given fingerprint system uses. A test of 31 algorithms at the University of Bologna reported false match rates from .15 percent to greater than 10 percent. The 2002 Fingerprint Verification Competition, as the test is called, examined both commercial and experimental algorithms.

"All of the fingerprint identification vendors continue to evolve the algorithms," said Glen McNeil, senior director of strategic engineering at Sagem Morpho.

Algorithms based on minutiae — places on a fingerprint in which ridges end or split — have been the most prevalent. Such algorithms continue to be common, but vendors have also adopted other approaches.

Bioscrypt, for instance, focuses on comparing entire ridge patterns. Chris Crump, director of sales engineering at Bioscrypt, said this method provides a data-rich template and greater accuracy.

One limitation of the fingerprint biometric is that it can't be universally applied. The fingerprints of people who work in building trades, for example, may be too worn to use as biometric identifiers. All in all, industry executives say fingerprint systems won't work with about 2 percent of the population. This issue — called failure to enroll — has caused some organizations to consider the use of more than one biometric.

Beyond Prints

One such biometric technology is facial recognition. In this method, facial images are captured (from video or digital photos, for example) and compared to stored images. Facial recognition is the fourth largest biometric market, following AFIS, finger scanning and middleware, according to the International Biometric Group. From 2002 to 2007, the facial-recognition sector is expected to see a 12-fold increase in revenue, according to the group.

As with fingerprints, facial images are converted to templates through various means. Those include local feature analysis, eigenface, neural networks and graph matching. The approaches vary, but they all produce mathematical representations of facial characteristics.

Identix Inc.'s FaceIt facial-recognition engine uses local feature analysis, which synthesizes a facial image from a set of 12 to 40 characteristic "building elements." The result is a faceprint.

Viisage Inc., meanwhile, employs eigenface, which "translates the characteristics of a face into a unique set of numbers," according to the company.

Some companies are starting to combine different recognition and matching methods. Viisage, for example, earlier this year began working with ZN Vision Technologies AG, a German company that uses graph-matching technology. ZN Vision's facial-recognition technology uses about 1,700 features to characterize a face.

For demonstration purposes, Viisage and ZN Vision fused their algorithms and found that the recognition results were "significantly better" than when each approach was used on its own, according to Bernard Bailey, president and chief executive officer of Viisage. Since the demo, Viisage has agreed to acquire ZN Vision in a deal expected to close in July.

Greater accuracy is a key pursuit among facial-recognition suppliers. But performance has been mixed in that regard. In general, facial-recognition systems that use images taken indoors, where environmental conditions can be better controlled, are more accurate than those using images taken outdoors.

The government-sponsored Face Recognition Vendor Test (FRVT) 2002 studied the indoor vs. outdoor issue. The test evaluated 10 participants on indoor datasets and found that the best facial-recognition systems had a 90 percent verification rate with a 1 percent false acceptance rate. That performance is comparable to 1998 fingerprint matching technologies, according to a NIST bulletin.

For faces captured outdoors, the test showed that the best systems had a recognition rate of 50 percent with a 1 percent false acceptance rate. "Thus, face recognition from outdoor imagery remains a research challenge area," researchers noted in a summary of the results.

The test found that as database size doubles, performance drops by two to three percentage points. The test also found that a system with an 85 percent identification rate on a database of 800 had an identification rate of 73 percent of a database of 37,437.

The results have implications for such applications as surveillance systems, which compare faces in a crowd against watch list databases. Jonathon Phillips, a NIST research scientist, said that for watch lists, smaller is better when it comes to databases.

Still, Viisage's Bailey said his company has "seen a lot of success using facial [recognition] as a data-mining tool." He said facial recognition could be used to detect identity fraud, for example. The technology can also comb through a database of identities to locate duplicates, he said.

However, facial-recognition technology has advanced in some respects. In one FRVT 2002 evaluation, such systems had managed a 50 percent reduction in error rates since a comparable 2000 test.

Hands On

Pushing the algorithm envelope isn't an issue in another widely used biometric: hand geometry. "Hand geometry is stable," said Trevor Prout, director of marketing at the International Biometric Group.

Hand geometry systems measure such characteristics as surface area and length. A hand is scanned via digital camera and the characteristics recorded as a template. The largest supplier is Recognition Systems, a unit of Ingersoll-Rand Co.

Access control applications are typical of hand geometry. The features gleaned from a hand, however, are not distinctive enough for other identification purposes. "Hand geometry can't be used for one-to-many" matching, Frost & Sullivan's Chopra said.

An Eye for Detail

Iris recognition is one of the fastest growing areas of biometric technology. This approach takes advantage of the extraordinary amount of detail in the pigmented membrane surrounding the pupil. Because of the wealth of detail, analysts deem iris recognition the most accurate biometric identifier.

Iris recognition involves capturing an iris image and storing a record of the iris pattern. Prout said the technology could play a role in high-security, access control applications.

Last year, the House of Representatives' Office of Legislative Counsel installed an iris-recognition system to control access to working documents, said Matt Shannon, director of public-sector sales at Saflink Corp., a biometric software vendor.

Iris technology plays a role in authentication via one-to-one matches. Prout said that iris-recognition systems are "theoretically capable of doing one-to-many" matches. But for this technology, the stumbling block is the lack of an extensive database to search against. Unlike the fingerprint and facial fields, iris recognition lacks an extensive repository of iris data.

For this reason, Tim Corcoran, senior systems engineer at Northrop Grumman IT, calls iris recognition a "day-forward application." He says an organization enrolling individuals in a biometric system may start with a fingerprint to run an immediate criminal history check and then capture an iris for future use.

Retinal scanning is another eye-based biometric approach. This method examines the blood vessel patterns in the retina, located in the back of the eye. Due to the location of the retina, users must place their eye close to the imaging device used to capture features.

"Retinal is more intrusive... and I think it makes people nervous," Sagem Morpho's McNeil said. With iris recognition, subjects "can sit back at comfortable distances," he added.

Covering All Bases

Using a combination of technologies is becoming more common as vendors seek to extend their biometric reach. In one example, fingerprint player Identix last year merged with Visionics Corp. and its facial-recognition technology. And in May, Markland Technologies Inc. agreed to acquire BioDentity Systems Corp., a facial-recognition vendor. Markland is involved in border security projects with the U.S. government.

What's behind this push for multimodal biometrics? For one, there's a growing sense in the biometric community that more methods make for a more robust biometric system.

In a February report to Congress, NIST recommended the use of both fingerprint and facial-recognition technology as the best option for the nation's entry/exit system (now called the U.S. Visitor and Immigrant Status Indication Technology), a Homeland Security Department effort. The objective is greater accuracy, NIST's Phillips said.

The use of multimodal biometrics parallels how humans naturally identify one another, said Dominic Fedronic, senior vice president of research and development at ActivCard Corp., which makes identity management software for smart card solutions.

"To identify a person we use different perspectives — face, eyes, voice — and we corroborate and correlate measurements to...come up with the identity of a person," he said. "If there are not enough perspectives, we fail."

The ability to improve enrollment rates is another incentive to go multimodal. Organizations had "better plan for a percentage of the population that you'll never be capable of enrolling robustly for a given biometric method," Fedronic said.

Researchers now are grappling with the best way to orchestrate different biometric approaches. Fusion is "an open research question that the biometric community is just starting to seriously address," Phillips said.

While the labs puzzle over such problems, federal agencies weigh a range of biometric implementation options. Complex systems, particularly those requiring links to other applications, still require a systems integrator. But smaller, departmental deployments, though still not plug-and-play, are moving in that direction, according to some vendors.

Meanwhile, biometric technology is headed for governmentwide IT buys.

Robert Bates, business development specialist with the National Institutes of Health's Information Technology Acquisition and Assessment Center, said four vendors provide biometric technology on the Electronic Commodity Store III contract: Dynamic Decisions Inc., Government Micro Resources Inc., GTSI Corp. and Phoenix Systems Inc. ECS III is billed as a vehicle for homeland security- related IT requirements.

Biometric technology will increasingly surface as a standard feature built into everyday computing and communication tools. Samsung Electronics Co. Ltd. recently unveiled a notebook computer with an integrated fingerprint sensor and touchpad from AuthenTec Inc. and Synaptics Inc. respectively.

And Gateway Inc. last month announced the bundling of DigitalPersona's fingerprint biometric solution with its corporate desktop line. DigitalPersona's fingerprint reader attaches to a PC through the USB port and integrates with Microsoft Corp.'s Active Directory.

For biometrics, the transition from foreign to familiar is well under way.

Moore is a freelance writer based in Syracuse, N.Y.

NEXT STORY: PeopleSoft presses Edwards bid