Feds aim to make biometrics useful

The National Institute of Standards and Technology is working with other federal agencies that will develop an independent test to help agency officials determine if their commercial biometric fingerprinting systems are accurate and reliable.

Agencies are most interested in fingerprint technology — the most established form of biometrics — although facial recognition and iris scanning are not far behind. But the commercial solutions vary widely in both accuracy and reliability, which is why independent tests are needed, said Martin Herman, chief of NIST's Information Access Division in the Information Technology Lab.

Numerous factors can affect the reliability of fingerprint biometrics, such as the quality of the original scan and of additional scans, and the changing conditions in which they are taken.

"It's extremely tricky because it depends so much on the quality of data that you're using," Herman said. "If you can control the quality of the data collected, that makes a huge

difference."

Developing standards for biometric data collection is only one of NIST's current projects. The goal is to improve the likelihood that agencies will be able to rely on biometrics.

Most agencies are investigating the use of biometrics as part of a larger authentication and authorization infrastructure. This includes the Homeland Security Department's U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program, which launched in January, and the Department of Veterans Affairs' enterprisewide deployment of smart cards, which begins in July.

The White House's Office of Science and Technology Policy coordinates much of the biometric work governmentwide through its Interagency Working Group on Biometrics, chaired by Kevin Hurst, a senior policy analyst in the office.

Subgroups of the working group are drafting plans to improve the interface for biometric systems to address the legal, privacy and policy issues. They also are developing an international testing and evaluation structure "to be able to include some consistency and make biometrics a science rather than an ad hoc collection of vendor products," Hurst said.

The plans will be available on the Biometrics Catalog Web site within the next three to four months, he said.

One of the top priorities of the working group is to figure out how to fuse different biometric data, often called modalities, within a single multimodal solution. Using more than one biometric tool raises the authentication level, and officials know that every biometric can be imitated.

"Each type of biometric definitely has its pros and cons," Hurst said. "One idea that we're looking at then is to combine multiple biometrics."

For the US-VISIT program, DHS officials are requiring two fingerprints for visas. In the future, however, they are looking to use multiple biometrics, according to undersecretary Charles McQueary, testifying before a House subcommittee last month. DHS, which has a close relationship with NIST, will be helping officials determine which biometric types would best serve the program's needs, he said.

VA officials will start their smart card program this July, issuing cards to more than 500,000 people, including employees, contractors and doctors, said Fred Catoe, program manager for the department's

authentication and authorization infrastructure project.

Right now, the smart cards simply hold biometric information for a subset of users, because not everyone needs the higher level of security afforded by biometrics on top of a digital certificate, Catoe said.

The difficult decision that VA officials face is which biometric solutions to use, he said. Officials are evaluating fingerprint and iris scan solutions, and they are also involved with the initiatives under way at NIST to make sure that whatever technology officials choose fits with governmentwide standards, Catoe said.