More work needed for biometrics

Biometrics Catalog

There is still plenty of work to be done on standards, testing and interoperability to make biometrics a fully functional security solution for government agencies, officials said today.

Most agencies that are investigating the use of biometrics as part of a larger authentication and authorization infrastructure are focusing on fingerprint technology, which is the most established technology so far, although facial recognition and iris scanning are not too far behind. The commercial solutions range widely in both accuracy and reliability, however, and one of the top current challenges for the National Institute of Standards and Technology is to develop an independent test for comparing the effectiveness of those solutions, said Martin Herman, chief of NIST's Information Access Division in the Information Technology Lab.

Fingerprints are currently the core of the visa solution used by the Homeland Security Department's U.S. Visitor and Immigrant Status Indicator Technology program, which much of the NIST biometric work supports. However, one problem when it comes to using fingerprint biometrics is that the impact of the quality of the original scan and the scan at the time of use has a significant impact on the reliability of the biometric.

"It's extremely tricky because it depends so much on the quality of data that you're using," Herman said. "If you can control the quality of the data collected, that makes a huge difference.

The White House's Office of Science and Technology Policy coordinates much of the work that goes on in research and standards, bringing together experts from across government, including NIST, in its Interagency Working Group on Biometrics, said Kevin Hurst, a senior policy analyst at OSTP and chairman of the working group.

One of the subgroups under Hurst is working on how to fuse different biometrics into a single solution, since checking two or more is much more secure than checking a single factor, he said.

Other subgroups are working on improving the human interface for these systems, addressing the legal, privacy and policy issues surrounding biometrics, and developing an international testing and evaluation structure, "to be able to include some consistency and make biometrics a science rather than an ad hoc collection of vendor products," Hurst said. The subgroups are now drafting plans that will be put up on the Biometrics Catalog Web site within the next three to four months for everyone to view, he said.

Determining all of these details, and increasing the reliability of biometric solutions, will be a big step forward for agencies that are attempting to implement them, such as the Veterans Affairs Department. VA will start to roll out its smart card program this July, issuing cards to more than 500,000 people, including employees, contractors and doctors, said Fred Catoe, program manager for the department's authentication and authorization infrastructure project.

Right now, those smart cards simply have a container that will hold biometric information for a subset of the users, since not everyone needs the higher level of security afforded by biometrics on top of a digital certificate, Catoe said. The difficult decision that VA officials face is which biometric solutions to use.

Department officials are working closely with the standards groups within NIST and the Defense Department, and are evaluating both fingerprint and iris scan solutions, he said.

All were speaking at a breakfast sponsored by the Bethesda, Md., chapter of AFCEA International.