Biometric Technology Application Manual Volume 2: Applying ... BTAM Vol 2 - Winter 2008.pdf ·...

Date post: 23-Mar-2020
Page 1: Biometric Technology Application Manual Volume 2: Applying ... BTAM Vol 2 - Winter 2008.pdf · Published by the National Biometric Security Project (NBSP), the Biometric Technology

4/7/2008 1

Biometric Technology Application Manual
Volume 2: Applying Biometrics
[Draft Version]

Compiled and Published by: National Biometric Security Project

Winter 2008

Biometric Technology Application Manual (BTAM)

VOLUME 2: Applying Biometrics

About the National Biometric Security Project
Abstract
Foreword

Section 9 – Biometrics Applications
Section 10 – System Requirements and Selection
Section 11 – System Engineering, Integration, and Implementation
Section 12 – Operations and Management
Section 13 – Maintenance, Services, and Warranties
Section 14 – Training

Case Studies
Case Study A – India: Ration Card Program
Case Study B – State of Illinois: Driver Licensing
Case Study E – University of Georgia: Student ID/Access Control
Case Study F – St. Vincent Hospital: Desktop Computer Access
Case Study G – Beaumont Hospital: Medical Records Security
Case Study H – Pinellas County Sheriff’s Office: Arrestee Identification
Case Study I – U.A.E.: Iris Expellees Tracking and Border Control System

Appendix A – Biometric Selection/Application Checklist
Appendix B – Miscellaneous Resources
Appendix C – Biometric Publications
Appendix D – Education/Training Resources

Bibliography and References
Acknowledgements

About the National Biometric Security Project

The National Biometric Security Project (NBSP) is a tax exempt, nonprofit 501(c)(3) organization incorporated and headquartered in Washington, DC. Its mission is to enhance the practice and effectiveness of identity assurance in government and the private sector, through the application of biometrics, for the purpose of deterring and detecting terrorist and criminal attacks on the national infrastructure. NBSP was formed in the immediate aftermath of 9/11 and has been consistently supported by the Congress to enhance government-wide use of biometrics and improve the capability of the industrial base.

To reflect its expanded biometric application services, NBSP recently re-established its Test, Research and Data Center under the new name Biometric Services International, LLC (BSI). Located in Morgantown, West Virginia, BSI is a wholly owned, non-profit subsidiary of NBSP and is the only laboratory, exclusively focused on biometrics, to achieve the coveted ISO/IEC 17025:2005 accreditation for testing. BSI’s biometric application services have been expanded to address biometric deployment considerations such as requirements definition, articulation of program goals and objectives, vulnerability assessments, application impact studies, life-cycle cost analyses and privacy impact assessments, just to name a few.

BSI adds dimension to its biometric application services with robust Testing, Training and Research capabilities. Performance Testing assures that biometric products under consideration for an application will meet manufacturers’ claims and meet or exceed published biometric performance metrics. Conformance Testing evaluates a biometric product’s conformance to applicable, published ISO/IEC standards. Products that pass the performance and the applicable conformance tests become part of BSI’s “Qualified Products List”, which provides potential users with an independent source of evaluation. Custom Testing includes, for example, vulnerability assessments, comparative testing, algorithm testing, sensor testing, product development tests, and interoperability testing.

Our Introduction to Biometrics Course, Biometric Operations Course and Biometric Technical Training Course provide a unique three-course curriculum. Additionally, all students are eligible for Continuing Education Units (CEU) upon completion of any BSI training course.

BSI conducts research into the social impacts of biometrics, including detailed analyses of U.S. and international privacy laws and their effect on the use of biometrics. A semi-annual update of all published and emerging biometric standards is also available as a resource to anyone interested in learning more about standards progress.

NBSP’s permanent staff is efficiently supplemented, as required, by external organizations contracted to perform substantive research and technical work, highly specialized and experienced consultants, and research organizations focused on biometrics or identity matters. These include West Virginia University and other academic institutions associated with the Center for Identification Research (CITeR), as well as other reputable U.S. and international sources.

Abstract

About the Biometric Technology Application Manual (BTAM)

Published by the National Biometric Security Project (NBSP), the Biometric Technology Application Manual (BTAM) is a comprehensive reference manual on biometric technology applications. This reference book, in two volumes, has been compiled for biometric technology users and for those who are evaluating biometrics as an enabling technology within an integrated system or program for security and identification assurance. The BTAM is intended to be a rational and practical tool for those who specify, buy, integrate, operate, and manage biometric technology-based systems.

The experienced biometric practitioner will see much that is familiar in the BTAM. The publication is not intended to provide all new (never before published) scientific information. Rather, it is a compilation of published and experience-based information designed to inform the rapidly growing community of new users, integrators, and designers, and assist them in their search for practical application solutions. Hopefully, it will prove to be the standard desktop reference on the subject of biometrics for all levels of interest and experience.

Generally, this manual has been compiled and is intended for individuals and organizations that have responsibility for protection of the civil infrastructure and related applications. These include, but are not limited to:

• Civil infrastructure agencies
• Other government agencies
• Private sector organizations and businesses
• Academic institutions
• International organizations, businesses, groups, and governments
• Consultants and practitioners in biometrics
• Security and identity management administrators

There is a significant volume of valuable work on the subject of biometrics by many authors. The BTAM was not published to replace that body of work, but rather to compile some of the best of that content in an organized and focused product with emphasis on the user. Equally important, the objective of the BTAM is to help solve the issue of short shelf-life of biometrics publications in a rapidly evolving technology base by including a process for regular updating of each volume.

In researching and compiling the BTAM, the authors relied heavily on secondary research from published, public sources. For a list of the reference materials, authors, publications, and other sources used and referenced in this compilation, please see appropriate footnotes as well as the Bibliography.

Purpose and Objectives

The BTAM is intended to assist the reader in:

• Comparing how various biometric technologies perform and have performed in real-world applications (both successfully and unsuccessfully), and why.

• Providing a means to evaluate various biometric solutions based on specific application parameters and requirements.

• Determining where, when, and why a biometric-based solution is a good fit, or not.

• Supporting technology evaluation by defining the questions to ask, identifying other considerations that may exist, and understanding the issues generated by the need for interoperability.

• Answering such questions as: How do I write a requirement? How do I evaluate various systems? How do I integrate/apply the technology? How do I use the technology? What is the best technology for my application?

Summary

Volume 1 – Biometrics Basics

Although the overriding purpose and objectives of the two-volume set are similar, Volume 1 was developed to be more of a primer on biometrics as it presents and defines biometrics on a fundamental level, including:

• Fundamentals of Biometrics. An entire Section of Volume 1 provides an introduction to biometrics so the reader has a basic foundation and generic understanding of the science behind the technology. Beginning with the origins of biometrics, and taking the reader through explanations of the terminology, elements, and performance criteria, this Section provides a solid foundation for those who are just learning about these technologies.

• Types of Biometric Technologies. Some biometric technologies (or modalities) are better known than others, but this Section presents information about how 11 different technologies work. Presented both in text and easy reference matrix format, it is an important Section intended to help readers understand why one technology might fit their needs more than another.

• Biometric System Design. This Section presents guidance and insight as to how system requirements should be defined and the appropriate performance specifications documented. Issues such as technical requirements, operational capabilities, performance expectations, architectural aspects, and other related concepts are presented in this Section.

• Biometrics Standards and Best Practices provides an overview on biometrics standards development. The development and adoption of standards is important for the biometrics industry to become mainstream and more fully integrated into our critical infrastructure. This Section provides the reader with information as to the current state of standards development, enabling insight into the various types of biometric technologies and their vendors – where they are in terms of complying with industry-approved standards – and explaining why biometrics standards are critical to integrating full-solution systems.

• Testing and Evaluation. Insight regarding testing protocols and system evaluation is presented in this Section. Issues such as understanding system performance, scalability, and usability, standards compliance, performance measurement and comparison, and evaluations are discussed, providing the reader with a very practical guide for evaluating various biometric solutions.

• Biometric Social and Cultural Implications. This Section presents considerations on three key societal issues: legality, privacy, and user acceptance. An appreciation for these issues is critical to successfully implementing a biometric-based security and identification management solution. From the legal perspective, an understanding of U.S. law and how it applies to the application is just as important as understanding the laws of foreign countries, particularly if the application will cross international lines. Privacy is a central and current issue in the deployment of biometrics. Users and detractors are rightly concerned about “big brother” and identity theft, and need to be certain their personal information is adequately protected within the systems that purport to safeguard it from external sources. Lastly, user acceptance is an often overlooked, but extremely important factor in the success or failure of a biometric system. If users do not accept and understand the system, they will not use it. User education and the development of a work-around for those who cannot or will not use a biometric are imperative for success.

• Trends and Implications. The final Section of Volume 1 presents some key trends and implications for biometrics in general, and sets the stage for follow-on information and additional detail in Volume 2.

Disclaimer

The National Biometric Security Project (NBSP) and the Biometric Technology Application Manual (BTAM) do not and cannot provide any legal advice nor is the BTAM a substitute for professional engineering design support. The information in this publication is for general information purposes only. None of the information contained in this manual, Volume 1 or Volume 2, is intended to be or should be relied upon as specific or definitive to the design of a particular program, or system, or process, or legal policy. The reader should obtain the advice of a suitably qualified engineer, attorney, or experienced practitioner before taking any action in the application and use of any of the information contained in this publication.

Updates and Errata

NBSP intends to regularly update the BTAM with new and revised material from all relevant sources. NBSP is also very interested in the comments and feedback of its readers. Readers are encouraged to share their thoughts and impressions on the BTAM – either Volume 1 or Volume 2 – as well as any suggestions for content corrections, typos, or errors of omission. Please send feedback to:

National Biometric Security Project
Attention: BTAM Editor
601 Thirteenth Street, NW, Suite 390 South
Washington, DC 20005
[email protected]

Every effort has been made to contact copyright holders for content and images used in this manual. The publisher apologizes in advance for any unintentional omissions and will insert appropriate acknowledgements in subsequent editions of this publication when so advised.

FOREWORD

This Volume 2 of the BTAM continues the mission to provide a complete set of reference tools that are readily available to the biometric community regardless of the reader’s specialty or level of activity in the technology. Here, we examine “best practices” and even “not so best” practices, recognizing therein that the deployment and operation of biometrics systems is still a work in progress.

Lessons learned in earlier deployment of new security technology apply to biometrics as well. One of the primary principles involves the “rising expectations” syndrome treated partially in Volume 1. This relates to the fact that some prospective users of biometrics will expect, even demand, that the technology perform to a level of accuracy or reliability that was impossible to achieve with the identity management systems it replaced. While this degree of confidence in new technology is admirable, it may not be realistic given the unlimited capability of the human mind to thwart even the best technical design by deliberate or accidental misuse.

Statements such as “biometrics are not perfect” or “not yet ready for prime time” or even that they can be “easily spoofed” are strong indicators that the person quoted does not truly understand the practical realities of the technology deployment process, the vulnerabilities introduced by improper human intervention or use, the inevitable evolution of technical countermeasures arising from wider deployment and improved practice, and the serious and incurable deficiencies that exist in all identity management techniques that do not employ biometrics. A strong dose of reasoned and practical understanding will do much to help the user/operator and practitioner more effectively exploit the capabilities of biometric technology. Hopefully, this Volume 2 of the BTAM will assist in reaching that level of understanding.

Finally, the reader is strongly encouraged to help make the BTAM a living and current tool by recommending changes and improvements in any area. All such recommendations will be carefully reviewed by NBSP Editors, and by an independent review Board constituted as required to address controversial proposals for change.

Section 9 – Biometrics Applications

A biometric device can be applied in virtually any scenario in which one might otherwise use keys, identification cards, security cards, personal identification numbers (PINs), or passwords to gain access to a physical facility, a virtual domain (information system), or a process, or to determine eligibility for a privilege. The real value of biometrics is the potential for use in applications where keys, ID cards, and passwords would be of no value whatsoever: the “negative identification” applications.

The application of biometric technologies is increasing over a wide array of industries as organizations and individuals look for higher levels of security and identity assurance. Advances in biometric devices have made the technology more affordable and less intimidating for applications where high security, which was a compelling reason initially, is not the primary objective. More routine applications, such as access to school dining halls, are now joining the traditional high security applications such as access to military resources and nuclear power plants.

In addition, with the advent of credible identification systems (the one-to-many process of comparing a submitted biometric sample against all of the biometric templates on file to determine whether it matches any of the templates), the breadth of applications which can be achieved has expanded greatly. Today we are not limited to applications where a claimant must provide a claim of identity such as a user name, PIN, or password to facilitate the recognition process. Thus a new class of applications such as refugee processing/control, watch lists, benefits eligibility determination, duplicate checks, repudiation prevention, forensic identification, and others not yet conceived or applied are available.

9.1. OVERVIEW OF APPLICATIONS

We have provided a classification of applications below. However, in the process, we have concluded that such categorizations are largely arbitrary, and in the evolving field of biometrics, subject to debate, dispute, and revision. We do not hold our classifications out as the model, or the only logical way to classify applications. Indeed, Volume 1 of this manual pointed out Dr. James Wayman’s classification system as a useful way to analyze and better understand the functioning of biometric systems. Recall that applications were categorized as overt or covert systems, voluntary or involuntary systems, attended or non-attended systems, standard or non-standard operating environments, public or private systems, physical security and access control, cyber and computer/network security, and identification.

Nonetheless, it is easier and perhaps more meaningful to persons new to the science to have some sort of organized structure with which to get an overview of the field – and so a classification system has been developed that covers most of what is being fielded today. It is important to point out that this classification is categorized by functional application, and is not organized on the basis of whom or what entity initiates them. It seems that categorizing applications as Federal, State, Local and Municipal government; Commercial, Private, or Transportation Sectors; Financial Sector; Manufacturing Sector; Healthcare Sector; Schools and Education; etc. was not particularly useful for persons interested in exploring how biometrics can help them. It is certainly true that all of these entities and sectors provide the settings in which biometrics may and must be applied. But it serves no useful purpose beyond identifying the policy, funding, and contractual hoops and wickets that implementers must pass through on their journey to implementing a biometric system. The important issue is how one functionally applies biometrics to solve a problem, or improve an existing operation that requires positive human identification.

Further clouding the issue of biometric classification is the opportunity to implement multiple, different functional applications within the same “biometric system”. For example, a biometric implementation in a facility may be categorized as a Physical Access Control application if biometric readers are located at or near the perimeter of the facility. It may also be an integrated system which uses the same server(s) for logical (virtual) access to work stations or partitioned and controlled segments of proprietary digital information. In a corrections environment as well, where the most important objective is to positively identify inmates before movement or release, an integrated system could be used to physically control access to spaces, cellblocks, etc. Likewise in a Drivers License application, applicants may have their biometric feature compared to the entire existing database of drivers in a 1:N search to determine their eligibility for the benefit of license issuance before they can be enrolled. That is a combination of a watch list and a benefits eligibility determination. Further, once issued a biometrically enabled license, when the driver uses it as a proof of age for buying tobacco or alcohol it becomes a Point Of Sale (POS) authenticator and may be used in a 1:1 application. The point is that trying to categorize a biometric system as a single, simple application is not always practical or realistic.
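Added example, not part of the BTAM text: a toy matcher that contrasts the 1:N duplicate check run before enrollment with the 1:1 check used later at a point of sale, as in the driver license scenario above. The bit-string templates, the 0.25 threshold and the DL-xxxx record IDs are assumptions made for illustration; real matchers and thresholds are specific to the vendor and modality.

```python
"""1:N identification at enrollment versus 1:1 verification (illustrative only)."""
import random

TEMPLATE_BITS = 256      # assumed template length for this toy matcher
MATCH_THRESHOLD = 0.25   # assumed: maximum fraction of differing bits for a match


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of bit positions in which two templates differ."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def verify(gallery: dict, claimed_id: str, sample: int) -> bool:
    """1:1 - compare the sample only with the template of the claimed identity."""
    template = gallery.get(claimed_id)
    return template is not None and hamming_fraction(template, sample) <= MATCH_THRESHOLD


def identify(gallery: dict, sample: int) -> list:
    """1:N - compare the sample with every template on file, closest match first."""
    scored = sorted((hamming_fraction(t, sample), rid) for rid, t in gallery.items())
    return [rid for distance, rid in scored if distance <= MATCH_THRESHOLD]


def enroll(gallery: dict, new_id: str, sample: int):
    """Enroll only when the 1:N search finds no existing record (duplicate check)."""
    duplicates = identify(gallery, sample)
    if duplicates:
        return False, duplicates
    gallery[new_id] = sample
    return True, []


def noisy_capture(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh capture of the same person by flipping a few distinct bits."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def demo() -> dict:
    rng = random.Random(2008)                      # fixed seed: constructed sample data
    person_a = rng.getrandbits(TEMPLATE_BITS)
    person_b = rng.getrandbits(TEMPLATE_BITS)
    gallery, results = {}, {}

    results["a_enrolled"] = enroll(gallery, "DL-0001", person_a)
    results["b_enrolled"] = enroll(gallery, "DL-0002", person_b)

    # Person A applies again under a new name. No claim of identity links the
    # applicant to DL-0001, so only the 1:N search can expose the duplicate.
    second_capture = noisy_capture(person_a, 20, rng)
    results["alias_attempt"] = enroll(gallery, "DL-0003", second_capture)

    # A 1:1 check has nothing to compare against for the new, unissued ID.
    results["claim_unknown"] = verify(gallery, "DL-0003", second_capture)

    # Later use of the issued license as a point-of-sale authenticator (1:1).
    results["pos_genuine"] = verify(gallery, "DL-0001", noisy_capture(person_a, 20, rng))
    results["pos_impostor"] = verify(gallery, "DL-0001", noisy_capture(person_b, 20, rng))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:15} {outcome}")
```

The same gallery serves both functions, which is why the section cautions against labelling a deployment as a single application type.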

Table 9-1. A Functional Classification of applications (with generic examples)

| Application Type | Sub-Type | Examples |
|---|---|---|
| Access Control | Physical Access Control | National (border control); Area (campus control); Facility; Room; Container |
| Access Control | Logical (Virtual) Access Control | Distributed information sys.; Local Area Network (LAN); Stand-alone systems; Other computer-based sys.; Records: Medical (HIPAA), Human resources, Educational |
| Identity Management | Watch Lists | |
| Identity Management | Corrections/Law Enforcement | |
| Identity Management | Emergency/Disaster Response | |
| Identity Management | Benefits Eligibility and Fraud Mitigation | Driver licensing; Social Security benefits; Welfare benefits; Refugees |
| Identity Management | Non-repudiation | Classified documents; Contracts; Credit card fraud; Check cashing |
| Identity Management | Forensics | |
| Transactions | Credit cards | |
| Transactions | Point of Sale (POS) | |
| Other | Credentialing systems | PIV; TWIC |
| Other | Time and attendance | Collecting employee time; Preparing payroll |

Following are selected examples of biometric technologies in use today. This section is not meant to be all-inclusive, but rather to present various biometric technologies in different usage applications. These examples are further supplemented by more detailed examples in the Case Studies section of this volume.

9.1.1. Access Control - Physical Access Control

Yeager Airport in Charleston, West Virginia, is using hand geometry, specifically Recognition Systems’ HandReaders®, to control access to the control tower and sensitive equipment. The control tower is accessed (on average) every five minutes around the clock with hand readers that are networked to the airport's central security system computer. Yeager Airport's tower previously required 24-hour police protection for access control. This cost the airport $1,200 per day. The hand readers have eliminated the need for guards, saving the airport a substantial sum on access control.

San Francisco International Airport, the nation’s fifth busiest, uses hand geometry readers to verify TSA employees’ identities to ensure only authorized individuals access sensitive and secured areas. These hand readers are in addition to those previously employed at SFO. Since 1991, San Francisco International Airport has employed biometric hand geometry readers to secure its air operations area (AOA), allowing access to authorized individuals only. Additionally, in January 2006, a live test of e-passports that contain contactless chips with biographic and biometric information, and of the readers capable of reading these e-passports, began at Terminal G at SFO. This test was a collaborative effort between the United States, Australia, New Zealand, and Singapore that ran through April 2006. The test was successful. A total of 1,398 e-passports were interrogated and the systems’ performance pointed to significant progress in readability since the government first started testing e-passports in 2004. The U.S. Department of Homeland Security used the results of that test to determine which inlays (chips) to use in the e-passports issued to U.S. citizens.

University of Georgia: See Case Studies section

Rotterdam Seaport has included biometric access control as part of a modernization program. The seaport, the central hub for European commerce, handles more than 300 million tons of freight each year, accounting for 40% of all European cargo. Not surprisingly, more than 40% of all European Union trucking companies originate in The Netherlands. In 1999, a hand geometry system was deployed to control truck driver access to the port. It has proven effective in expediting the movement of cargo from marine vessels to the trucks, verifying the identities of “known” or trusted drivers and providing a detailed electronic audit trail for cargo. Drivers access the system’s hand recognition reader via their vehicle windows before they pass through the facility control gate. Their identities are verified if their live hand geometry matches the enrollment template stored on a radio frequency-activated smart card. The system serves more than 6,000 truck drivers and has successfully completed millions of transactions.

A nuclear power plant in Japan has adopted a facial recognition system known as Face VACS (Cognitec Systems) to replace an older, manual system of access control. The advanced functionality allows employees to access high security areas in nuclear power plants faster, at lower cost, and with greater accuracy. At the access point, the face of every person is captured by a video camera, and the facial features are extracted and translated into a mathematical representation on a template. That template is then compared in a 1:1 verification application with the enrolled template registered to the person the entrant claims to be.

9.1.2. Logical (Virtual) Access Control

City of Glendale, California: See Case Studies section

HealthTransaction Network(R) is creating the first-ever nationwide health care provider network to connect health care providers and consumers using an electronic transaction network system that quickly, securely and efficiently facilitates and processes transactions between the parties. The Network includes a shared processing infrastructure, consumer cards and a new electronic transaction terminal device located at participating provider sites. The cards incorporate biometric technologies to ensure patient identification (e.g., fingerprint and signature verification), and may also be used as a stored value card. The types of services that will be available to consumers that subscribe to the Network include preventive, wellness and routine services such as physicals, dental cleanings, eye exams, mammograms and x-rays. As of this writing two health systems in Western New York have signed on as the Network's first provider participants. TLC Health Network and Brooks Memorial Hospital will install Network transaction terminals at their many locations and will offer routine medical services beginning in the second quarter of 2008. HealthTransaction Network has plans to expand their electronic health care network in the northeast and ultimately throughout the United States.

St. Vincent Hospital: See Case Studies section

The U.S. Office of Legislative Council, which is the legislative drafting service of the U.S. House of Representatives, has deployed the SAF2000 enterprise biometric authentication software (by SAFLINK Corporation) on its computers. SAF2000 supports authentication through iris recognition, finger image identification, speaker verification, and facial recognition. It offers an event log for recording enrollment, changes to user profiles, workstation updates, and account deletions. The system supports multiple databases and directory service protocols for secure storage of user profiles, and offers encrypted biometric algorithms designed to use the maximum number of available bits from the operating system. The biometric-based system was deployed to help protect the files and working documents the Office of Legislative Council is working on for the U.S. House of Representatives.

9.1.3. Identification

UAE and Dubai: See Case Studies section

State of Illinois: See Case Studies section

The Port of Palm Beach, the 4th busiest container port in Florida and the 8th busiest in the continental U.S., has implemented a biometrically based visitor management program. The system uses Cross Match Technologies' VisTrak(TM) and MV 100(TM) digital fingerprinting systems to log, with fingerprints and photographs, the entry and exit of 200-300 truck drivers as they bring goods in and out of the port, and of others visiting the port each day. The port uses a hand-held fingerprint and photograph capture system, with built-in PDA, to log and transmit the data to a central database wirelessly. It also captures biometric and biographic information from visitors and checks it against a banned visitor list. The system enables the port to have an accurate audit trail of visitors, including fingerprints, photos, time and date of arrival and departure, demographic information, company, purpose and more, and provides visitors with temporary badges. The State of Florida has a rule allowing visitors to enter the port a maximum of five times within a 90-day period. The fingerprinting system automatically keeps track of frequency and flags any violators.

Lancaster County, PA: See Case Studies section

Sarasota County, Florida demonstrates the capabilities of a 1:N iris recognition system that can identify individuals in a large population without prior claim of identity. While this specific example features a corrections-law enforcement application, it demonstrates biometric use outside typical standard access control or information security applications.

Typical of many county jails, the maximum security Sarasota County Detention Center in Sarasota, Florida, is the processing agent for more than 19,000 arrestees each year. The facility processes criminals for every police station in the county and provides a temporary holding place for people arrested for everything from open alcohol containers to homicide. Once they reach the jail, inmates are segregated according to the severity of the charges and are transported to the appropriate facilities. The facility itself is capable of housing 750 inmates.

Under the old system, arrestees were escorted to the booking area where they gave their name and other personal information and were fingerprinted and photographed. Though the ID system was computerized, the fingerprints were taken manually, and physically filed away. When inmates were released on work detail or on parole, prison personnel relied on the inmate's ID badge and his or her personal knowledge, such as a Social Security number or birthday, for identification. Comparing fingerprints was inefficient because positively matching inked fingerprints required calling in a forensic specialist.

With the new biometric system, arrestees are enrolled using iris recognition technology at a central enrollment station. The active database of persons currently incarcerated at the detention center is automatically searched in real time (1–2 seconds), and as processing continues, the archived database of former inmates or arrestees is searched off-line. The technology has the capacity and capability to search a 50-year history in seconds (although iris records have only been available for the past several years). Once an enrollment is in place, the system confirms the identity of all inmates who leave the facility, whether for court appearances, work crews, or at the time of their release.

As a result, in the first year of operation alone, the detention center detected seven escape attempts, most cases being inmates trading IDs to assume the identity of an inmate legally scheduled for release. In one case, Sarasota discovered an arrestee attempting to pretend to be his identical twin brother on commitment. He had been an inmate at the detention center sometime earlier in the year and was enrolled in the iris recognition system. After he was released, he went on a crime spree but was subsequently arrested on a minor charge. Realizing that there were warrants for his arrest on some very serious crimes, he attempted to pass himself off as his law-abiding brother. The system’s automatic archival search identified him out of several thousand former inmates under his true identity and he was prosecuted accordingly.

Such a recognition system also helps resolve disputes when released inmates are arrested for a violation of their parole. When individuals are brought in on warrants, they often claim there has been a case of mistaken identity. Names and Social Security numbers are sometimes jumbled on warrants, which further confuses the issue. The iris recognition system tracks the true identity of the individual, in one case establishing that police had indeed detained the wrong person.

9.1.4. Benefits Eligibility and Fraud Mitigation

After the Afghan war, the United Nations High Commissioner for Refugees (UNHCR) used a biometric recognition system capable of high speed search of large databases (up to 1.5 million) to recognize returning refugees in Peshawar, Pakistan. The staff of the Takhta Baig Voluntary Repatriation Centre (VRC) performed a check on Afghan refugees who wished to return to their homeland. These refugees were entitled to a one-time assistance package, provided they had not been processed through the program before. The anonymous enrollment process in the iris recognition biometric system ensured, by performing a near-instantaneous exhaustive search of the enrolled database, that returnees were making their first visit to the VRC and were therefore legitimately entitled to the aid. No PINs were required in the recognition system and the process was essentially a one-time procedure. Additionally, the system maintained the privacy of the Afghan refugees, as the only data recorded was the digitized template record.

India Ration Card Program: See Case Studies section
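The 1:1 release check and 1:N archival search described for Sarasota County, and the one-time enrollment check used at the repatriation centre, sketched as an added example (not code from the manual or from any vendor). It assumes binary iris templates compared by fractional Hamming distance; the 2048-bit length, the 0.32 threshold, the capture noise model and all record IDs are constructed for illustration.

```python
import random

BITS = 2048        # constructed template length (assumption, not from the manual)
THRESHOLD = 0.32   # assumed match threshold on fractional Hamming distance


def hamming_fraction(a, b):
    """Fraction of bits that differ between two binary templates."""
    return bin(a ^ b).count("1") / BITS


def verify(db, claimed_id, probe):
    """1:1 verification: compare the probe only with the claimed record."""
    enrolled = db.get(claimed_id)
    return enrolled is not None and hamming_fraction(enrolled, probe) <= THRESHOLD


def identify(db, probe):
    """1:N identification: exhaustive search with no identity claim."""
    best = None
    for subject_id, enrolled in db.items():
        d = hamming_fraction(enrolled, probe)
        if d <= THRESHOLD and (best is None or d < best[1]):
            best = (subject_id, d)
    return best


def enroll_once(registry, probe):
    """Anonymous de-duplicating enrollment: None if the eye is already enrolled."""
    if identify(registry, probe) is not None:
        return None
    record_id = "anon-%06d" % (len(registry) + 1)
    registry[record_id] = probe
    return record_id


def capture(template, rng, flip_rate=0.10):
    """Constructed sensor model: a new capture of the same eye with bit noise."""
    noise = 0
    for bit in range(BITS):
        if rng.random() < flip_rate:
            noise |= 1 << bit
    return template ^ noise


def run_scenarios(seed=2008):
    rng = random.Random(seed)
    results = {}

    # Release check: inmate B presents inmate A's badge (constructed IDs).
    active = {"inmate-A": rng.getrandbits(BITS), "inmate-B": rng.getrandbits(BITS)}
    probe_b = capture(active["inmate-B"], rng)
    results["swap_verified"] = verify(active, "inmate-A", probe_b)
    results["swap_true_identity"] = identify(active, probe_b)[0]
    results["honest_release"] = verify(
        active, "inmate-A", capture(active["inmate-A"], rng))

    # Commitment: a former inmate gives a name that has no enrolled record.
    # A 1:1 check can only say "no match"; the 1:N search names him.
    archive = {"former-%04d" % i: rng.getrandbits(BITS) for i in range(500)}
    probe = capture(archive["former-0417"], rng)
    results["claimed_name_verified"] = verify(archive, "brother-of-0417", probe)
    hit = identify(archive, probe)
    results["archive_hit"], results["archive_distance"] = hit

    # One-time benefit: the same eye cannot be enrolled twice, and no name
    # or PIN is stored, only the template under an anonymous record number.
    registry = {}
    eye_1, eye_2 = rng.getrandbits(BITS), rng.getrandbits(BITS)
    results["first_visit"] = enroll_once(registry, eye_1)
    results["repeat_visit"] = enroll_once(registry, capture(eye_1, rng))
    results["other_person"] = enroll_once(registry, eye_2)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The 1:1 check answers only whether the probe matches the claimed record, so a badge swap is rejected without being attributed; the 1:N search is what attributes the probe to the record it actually belongs to.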

9.1.5. Commercial Transactions

A retail solutions manufacturer is using hand geometry to track the time and attendance for 400 hourly employees at its facility in Austin, Texas. The readers eliminate the need for an employee to carry a badge, thus eliminating the problem of lost or forgotten badges. Biometric time clocks also eliminate “buddy punching,” the practice of employees clocking in and out for each other. They provide more accurate information about who is working at any given moment and help companies eliminate mistakes or intentional fraud. Additionally, not requiring hourly employees to manually fill in their time card each pay period results in cumulative cost savings. Before installing the biometric solution, hourly employees completed paper timesheets, signing in and out each day. At the end of the pay period, employees had to complete paperwork and give it to their team leaders for verification prior to entering it into the payroll system. This process took about 15 minutes per worker—time that could be better spent on the manufacturing process.

Manufacturing costs are directly affected by the productivity of employees. With its 400 workers spread across four buildings at the Austin facility, the company needed a more efficient method of collecting time and attendance records and readying the information for payroll.

The biometric handreader system easily implemented the rules for labor collection and supported rules that allow the company to allocate time for 15 minutes in the morning and afternoon for breaks that could be charged directly to overhead, not to a product. This enables tracking of labor efficiency accurately and developing efficiency reports for accounting. The system can compare the amount of labor used to manufacture a product against the forecasted costs, providing management with up-to-the-minute data on their manufacturing process. This information helps the company plan its hiring, track overtime usage, and determine the output per person in each area.

The final benefit of the handreader-based system is that it works over the company’s existing Ethernet network, which eliminated the expense of having to install new wire.

The following tables provide partial listings of selected usage examples in various application groups.

Table 9-2: Driver License Programs

Table 9-3: State Benefit Programs

Table 9-4: Law Enforcement

Table 9-5: Schools

Table 9-6: Government Operations

Table 9-7: Casinos

Section 10 – System Requirements and Selection

If the need for positive identification is, or will be, a part of an organization’s normal operations, then the basic requirement to define, design, and build a biometric component or subsystem for integration into that operation may be established. Section 10 focuses on development of a detailed requirements statement as a prelude to design of the subsystem, as well as the primary issues that should be considered in that design process. Section 11 and those that follow address the implementation process and long-term management of the biometric component.

The BTAM is intended to provide guidelines for the design and build process, but will obviously not, in itself, provide adequate training or resources to prepare an untrained person to be a qualified practitioner/designer, electrical engineer or systems integrator. Sections 10 and 11 are intended to help a qualified engineer, security systems designer, or technology practitioner include biometrics in program design and implementation.

10.1. DEFINING SECURITY NEEDS and PROGRAM OBJECTIVES

Operational/Program Requirements

When evaluating the use of biometric technology to meet operational needs for positive identification, it is first necessary to determine which functions are most appropriate for a particular operational need. It is important to look closely at what operating goals the technology is designed to achieve or what problem(s) the technology is supposed to solve, and then determine who will be using it, what interface the system will have with other components, what the interoperability requirements are, and what the anticipated scope and lifespan of the system are. Examples of basic operational/program requirements, as described in previous sections, are:

• Security program component;
• Eligibility program component;
• Administrative (work force management) program component;
• Hybrid Application (designed for more than one function/application).

Risk/Vulnerability Assessment

Fundamental to defining one’s security needs and program objectives is performing a comprehensive risk and vulnerability assessment. A good starting point is to describe the “current operational concept” as discussed in BTAM Volume 1, Section 4. When describing how the current security system/practices/procedures are structured, it is useful to ask why the current system is the way it is. What asset is being protected? People? Classified information? Customer personal information? Company proprietary information? High value resources? Hazardous or toxic materials? Other? If eligibility validation is the primary application or part of a hybrid operating requirement, similar threat issues must be considered. These include: nature and volume of fraudulent attempts; denial of service issues; process vulnerabilities in the current operation and so on. It is also necessary to consider what or who threatens these assets and eligibility programs. Is the operation subject to terrorist threat, competitors seeking knowledge of intellectual property, recipes, simple theft from outsiders, employee theft, fraudulent claims from authorized persons or non-authorized, etc.?

Another useful tool in a risk/vulnerability assessment is a consequence evaluation. What are the consequences if an employee steals something? What are the consequences if someone sabotages a manufacturing process, or steals a batch of material that will be sold for subsequent construction? What are the consequences if an explosive device is introduced into the work operation? What is the impact if someone hacks into the network and gleans proprietary information?

The answers to these questions, condensed in a clear Risk Assessment Summary, will help determine whether biometrics are only part of a solution, or are of critical importance to that solution. Coupled with scope issues (e.g., how many biometric readers will be necessary, how many persons will be enrolled in a biometric system), these answers will also provide insight into the performance characteristics of a biometric system and how much it may cost to integrate biometrics into an overall security or eligibility program. The Risk Summary will also be helpful in doing periodic re-evaluations of risks and threats to be sure that system performance is consistent with changing situations and conditions, as well as calculating a cost/benefit ratio.

10.2. SYSTEM DESIGN CONSIDERATIONS

A. Design Goals

Seldom is a “biometric system” designed as a stand-alone objective. Normally, if one is using biometric tools, one is designing or updating a specified security, risk management, or eligibility system with biometric aspects or enhancements. Whether the intent is for a physical access control system in which only biometric devices are used to determine authority to enter a protected space, or one is designing a system using cards, keys, cipher codes, armed guards, mantraps, and some biometrics, biometrics remain a component of the larger system. Likewise, a welfare benefits program that uses biometrics to distinguish authorized beneficiaries from those attempting fraud is still a benefits system, not a “biometric system.”

B. Design Considerations

Regardless of the specific application to which one is applying biometric technologies, the design approach should consider the implications of at least the following issues:

1. Functional
2. Operational
3. Legal
4. Environmental
5. Social
6. Business and Economic

At this stage of analysis, none of these is more important than any other. In each specific case, however, it will often develop that one or another of these becomes the driving force affecting the ultimate system design. The following discusses the key aspects of these six issues.

B.1. Functional Issues

This aspect of system design asks a basic question regarding the overall purpose or purposes of the system, a question often best answered by the journalistic questions: who, what, when, where, and why. Who is going to be using the system for what purpose at what time/day and at what location? What are the application considerations?

B.1.a. Physical Security Systems

At the simplest level, as noted above, one does not design a biometric security system, but a security system with biometric components principally designed to improve access control by enhancing the assurance of identity of and convenience for the persons requesting entry. In access control applications, the biometric device augments or replaces more traditional door control devices such as a cipher keypad or proximity card reader. Electrically, the function of the biometric device is identical to other control devices: upon presentation of an approved credential, the device activates or causes the activation of a relay that releases the door strike.

In some system architectures, the biometric device itself energizes the door strike (see Figure 10-1) while, in other designs, the biometric device sends a captured biometric template to a central processor. If the template matches that of an enrolled person, the central processor activates or energizes the strike relay. A third variation is one in which an identity verification takes place at a remote door control mechanism.

An option for integrating biometrics into existing access control systems is for the biometric device to communicate with an access control panel, using the same communications protocol as non-biometric devices, such as card readers or keypads.

Figure 10-1 (panels Fig. 10-A, Fig. 10-B and Fig. 10-C; labels: Secure Access, Security Control)

Which of these basic design approaches is most appropriate depends upon the overall system design and architecture, reliability and performance expectations, and budget and legacy system constraints. Examples of System Requirement statements that are typical of physical access control functional issues include:

• I need to move 450 employees into my facility through three portals between the hours of 0730 and 0830 each weekday morning. 80% of those employees use Portal A, 15% use Portal B, and 5% use Portal C.

• Given the size of my workforce, and the ongoing cost and operational disruption of maintaining our current card-based security system, I want to eliminate cards.

• Given the potential for a 30% expansion of the facility and employee population, I want to be able to upgrade any biometric solution as circumstances dictate in the future. This could include designation of additional secure areas within my facilities with higher security requirements demanding different types of biometric systems.

• I have to protect my critical resources whose loss would adversely affect my ability to provide needed equipment to the U.S. Federal Government for national security, so I cannot afford to have employees delayed getting to their work at a greater rate than currently experienced with our card system (8%).
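A sizing check for the first and last requirement statements above, added here as an example (it is not from the manual). The 6-second attempt time, 2% false reject rate, three-attempt limit and peak factor are hypothetical inputs, and treating a first-attempt false reject as a "delay" is an assumed reading of the 8% figure.

```python
import math

WINDOW_S = 60 * 60                            # 0730-0830 arrival window (from the requirement)
WORKFORCE = 450                               # employees to admit (from the requirement)
PORTAL_SHARE_PCT = {"A": 80, "B": 15, "C": 5} # portal split (from the requirement)
CARD_DELAY_RATE = 0.08                        # delay rate of the current card system


def expected_attempts(frr, max_attempts):
    """Mean presentations per person: attempt k+1 happens only after k false
    rejects, and the user goes to manual handling after max_attempts."""
    return sum(frr ** k for k in range(max_attempts))


def size_portal(people, attempt_s, frr, max_attempts=3, peak_factor=1.0):
    """Readers needed at one portal.

    attempt_s   -- hypothetical seconds per presentation, including walk-up
    frr         -- hypothetical false reject rate per presentation
    peak_factor -- assumed ratio of busiest-interval to average arrival rate
    """
    per_person_s = attempt_s * expected_attempts(frr, max_attempts)
    busy_s = people * per_person_s * peak_factor
    return {
        "people": people,
        # Time each person may take if a single reader serves the portal
        # and arrivals are spread evenly over the window.
        "budget_s_single_reader": WINDOW_S / people,
        "readers": max(1, math.ceil(busy_s / WINDOW_S)),
        # Assumed reading of "delayed": needs more than one presentation.
        "delayed_fraction": frr,
        # Expected people per morning who exhaust every attempt.
        "manual_exceptions": people * frr ** max_attempts,
    }


def size_site(attempt_s, frr, max_attempts=3, peak_factor=1.0):
    """Apply the portal split to the workforce, rounding each portal up."""
    plan = {}
    for portal, pct in PORTAL_SHARE_PCT.items():
        people = (WORKFORCE * pct + 99) // 100   # integer ceiling
        plan[portal] = size_portal(people, attempt_s, frr, max_attempts, peak_factor)
    return plan


def meets_delay_requirement(plan):
    """True if no portal delays a larger share of staff than the card system."""
    return all(p["delayed_fraction"] <= CARD_DELAY_RATE for p in plan.values())


if __name__ == "__main__":
    plan = size_site(attempt_s=6, frr=0.02, peak_factor=2.0)
    for portal, row in plan.items():
        print(portal, row)
    print("meets 8% delay ceiling:", meets_delay_requirement(plan))
```

With these inputs Portal A is the constraint: 360 people in one hour leaves 10 seconds per person on a single reader, so any device whose total transaction time approaches that figure needs a second lane there before Portals B or C need anything.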

Design Implications of Physical Access Control Systems

In physical access control systems, the biometric device typically replaces a lock set, cipher lock, card reader, human controller or some other device controlling one or more doors. Architecturally, the primary security system design remains mostly unchanged with just the symbols designating a biometric device being inserted for the previous access control technology. There are issues that need to be resolved before the design can be completed, however. Some questions include:

• Will the biometric device of choice operate in a stand-alone mode in which all users are enrolled at the device? In this instance:
  o Does the device control the door via a relay or does it send a signal to a separate door control mechanism?
  o Does the device record each entry for subsequent downloading?
  o Does the device have a mechanism for backing up the enrollment database?

• If enrollment is centralized and new enrollments are distributed through a network:
  o Does the data flow into the primary security system or directly to a proprietary door control?
  o If biometric matching is performed at a central server, what happens when the network crashes?

• Should biometric enrollment data be stored on a card carried by the employee, such that the need for storing biometric data in a door reader or central biometric database can be avoided?

• What are the power requirements and where are the power sources?

• What alarm reporting and response provisions does the system offer?

• Will the biometric be used in conjunction with a physical token/credential?

B.1.b. Logical Access Systems

The use of biometrics to control access to logical systems is not new, but it is not nearly as mature as its use for physical access control. Most implementations are at the workstation level in which the biometric control is integrated into the physical case and electronics of the workstation, whether a “desktop” system or a “laptop.” Other systems use a plug-in biometric device, typically a fingerprint peripheral connected to a USB port, or embed the fingerprint sensor directly in a laptop housing. Some time ago, a manufacturer marketed a plug-in, table-top device using iris recognition as the biometric of choice. Either integrated devices or USB plug-ins should be sufficient for most applications, but it is suspected that the plug-in devices would not be able to satisfy the higher levels of government secure computing protocols. Testing of the built-in or integrated devices by a Common Criteria Testing Laboratory (CCTL) would be required to verify the acceptability of these devices for high security computing.

In virtually all cases, the biometric device authenticates the person touching (or looking at) it, and enables operation of the workstation. The computing system and anyone at a remote terminal communicating with the “secured” workstation assumes (and this is a very profound assumption to be aware of) that the keystrokes generated or the files accessed following authentication are the actions of the authenticated person.

Some computing systems include a keystroke recognition sub-routine that purports to verify the user as he/she types by measuring typing rhythm and style as a form of behavioral biometric, once access is granted to the keyboard. In principle, this approach would establish continuing authentication of the user, but this implies a consistent matching accuracy level for keystroke dynamics yet to be independently validated. Another approach to continuous presence monitoring would be to use a constant video assessment confirming the presence of one person at the keyboard and that the person’s face or eye is recognized by a facial or iris recognition biometric, respectively.

B.1.c. Authentication Systems

Authentication systems can also verify or recognize the identity of an individual for some useful purpose other than granting access to a physical or virtual asset. These include three main uses:

• Communications
• Authorizations
• Non-repudiation

Communications

Biometric systems can be used in communications as part of the data encryption process (a matter beyond the scope of this manual) and to authenticate users. As noted above, it is one thing to successfully activate the biometric device by an enrolled user, but quite another to ensure that the originally authenticated person is still operating the keyboard and not an unauthorized person sending or receiving sensitive data. Biometric identification alone, in this context, might not be sufficient for a truly secure system. At the same time, non-biometric subsystems, including encryption products such as public key infrastructure¹ (PKI), are not a complete substitute for biometrics in identity validation of the actual user.

¹ A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.

Authorizations

The number of specific uses of biometrics for an authorization function is extensive. Some examples currently using biometrics include processing and distribution of welfare benefits, issuing and examination of driver's licenses, access to medical records (under HIPAA), and validation of various government and private industry identification cards and credentials. It is important to note the difference between “authentication” and “authorization”. The role of biometrics is to support the latter by performing the former.

Non-Repudiation

In the areas of classified document production and control, financial transactions, and legal contracts, it is important to be able to affirm that a certain person did, in fact, sign for or generate a particular document or transaction, thus providing a strong basis for non-repudiation, barring the individual from denying they signed the contract, published the document, removed it from secure storage, or participated in the transaction.

Design Implications of Authentication Systems

There are many different applications where biometrics may be used for authentication systems, each with their own peculiar design requirements that amply illustrate the guiding principle of design following function: much depends upon the specific purpose or application. Consequently, the primary implication is that the designer needs to understand very well the purposes for which the technology will be applied and to select the technology best suited for that application, being sensitive to the context of the application and the impact of its use. From past experiences, for example, the participation rate in an essential welfare program was much lower than expected when a new biometric system was adopted. On analysis, it was determined that the use of a fingerprint system had deterred many eligible participants who feared the data would be sent to law enforcement officials. In this case, a decision was made to use a hand geometry device instead. Participation immediately and dramatically increased. A positive aspect of the reduced participation was that the biometric-based system reduced the number of double- and triple-dippers, thereby eliminating duplicate or triplicate applications from a single person.

B.1.d. Other Functional Issues

To ensure most aspects of system design are addressed, it is worthwhile to return to the basic questions regarding the overall design and purpose of the system mentioned earlier: who, what, when, where, and why. Who is going to be using the system for what purpose at what time/day and at what location? A brief description of the ultimate system to be installed, addressing and including the answers to those questions, is fundamental to developing a clear view of what remaining functional requirements one’s biometric system/component must perform.

Who? (Community Involved)

It is critical to identify who will be involved with the system, both as users and operators. How knowledgeable will these people be? This leads to the next question: how much training and supervision needs to be planned and implemented? The demographics of the user population can affect many areas, for example cultural issues and even how well a given modality might work.

How many?

How many people will be using the system? The answer to this question will affect which technologies should be used or considered. If only a few people are going to use the system, then almost any biometric—all other issues being equal—will do. On the other hand, if there will be a very large number of users, then there will be a number of subsequent issues (see “Throughput”).

Age?

Age of the user population may be an important consideration depending on the type of biometric equipment that will be used. Age can impact the incidence of Failure to Enroll as well as cause training issues. The ability of some biometrics to function well is sometimes a function of the age of the subject. For example, the skin on the hands of older people tends to become very smooth and fine, making it very difficult for some fingerprint sensors to acquire a well-defined image of the fingerprint ridge pattern, thus making it difficult to enroll the subject into the system. Arthritis can also cause problems for those using hand geometry readers. If this is a major concern, other biometric technologies that feature easier enrollment and use (such as facial or iris recognition systems) may be an appropriate alternative. Other technologies may require users, relatively speaking, to pay greater attention to detail and process (such as some fingerprint and hand geometry systems) that involve precision in both finger or hand placement and the entry of a PIN, a requirement that may overly tax persons with declining physical and mental acuity.

Race and Gender?

As with age, race and gender may affect a person’s ability to enroll in some biometric systems. Some technologies are sensitive to features or characteristics that are more prevalent in one racial group than another. One example occurs in iris recognition in which very dark irises or those occluded (covered) by the eyelid may be difficult to enroll and authenticate. While these issues can usually be resolved, they should be considered. Similarly, in some populations, there is some evidence that Asian females have fingerprints that are very fine in their definition and may be difficult to acquire in some low-resolution fingerprint sensors.

In all cases in defining Who, the issue is not whether the user group includes some persons who may challenge the system, but whether the group includes a majority of users who may challenge the system. It is important to understand that even if a majority of a user group can use a system, a significant minority with usage difficulties can bring the entire system down. An industrial plant may be assumed to provide shelter and work for a wide range of ages and races, as well as an even split on gender. On the other hand, a nursing home may comprise a number of users who will, unfortunately, challenge certain technologies, suggesting that, in such instances, some other biometric technology should be considered. If workplace protocol requires staff to always wear protective clothing, such as latex gloves, then fingerprint technology might not be an appropriate choice for routine authentication.

What?

What is the proposed technological solution of which the biometric device(s) are expected to be a part, and what is the problem the solution is designed to address? Additional “what” questions include:

Technology
In what sort of technical environment will the biometric devices be employed? Will the biometric be the technical highlight of the system—such as in a benefits distribution center—or will it be overshadowed by a significant application of other technologies for identification, security, and other purposes? The level of training is most likely to be a function of the technical aptitude and experience of the operators and users, coupled with the complexity of the biometric technology. Adequate training for biometric use must be provided regardless of the overall complexity of the system, i.e., do not short-change biometric training simply because it may be a relatively minor component of the total system.

Process
In general, what is the system doing? Is it counting votes, distributing benefits, providing public vehicular law enforcement, processing information, or performing some other definable function? Specifically, to what use will the biometric device be put in the context of the operating system? Will it open doors? Will it allow access to information technology and/or activate software applications? Will it permit access to or activation of a machine? Even more specifically, what will the process be for the following biometric-related functions:

Enrollment
How will users be enrolled? In one large group? Individually as users are registered into the larger process? Will the enrollment function be distributed to geographic locations close to the users? Will the users self-enroll or will the enrollment process be attended by a trusted agent? How much time can be dedicated to pre-enrollment instruction on the enrollment process and the subsequent everyday use of the technology? How much time can be dedicated per person for the actual enrollment process? What is the expected allowable Failure to Enroll rate for this technology and this population? What work-arounds are to be provided for those who cannot be enrolled for one reason or another? How does this work-around satisfy security requirements on a par with the biometrically based solution? Just the logistics of enrollment can be daunting. It is important to determine if enrollment will be supervised, self-enrollment, remote enrollment, etc.

User Training
What amount of user training will be provided? What is the purpose or intent of the training? How often is this training to be offered?

Anticipated Problems
In addition to enrollment failures, what other problems or anomalies might be encountered while using the biometric technology?

Termination of a User
What are the rules for how a user’s access privilege is to be removed from the system? How does this process ensure a permanent removal and prevent the terminated user from subsequently gaining access?

When?
What are the periods of operation and how often is the biometric to be employed? At what week(s) of the month or day(s) of the week shall enrolled persons be required to use the system? Is the use of the biometric component only required during periods of elevated threat levels? At what time of day do permissions begin and end? The answers to these questions relate to identifying biometric technologies that are appropriate to the internal or external environment they must tolerate, an approximation of the level of use required, and what sort of interaction with the control system is required.

Time/Day

The time of day of expected use will determine whether consideration must be made for the effects of ambient light or other environmental factors related to time. Many biometric systems are basically imaging devices that can and will be adversely affected by sunlight or bright overhead light shining on the image collection device. This is also related to the more general issue of environmental conditions in which the device may be installed outdoors. The day(s) of the week the device will be used also has an influence on the determination of appropriate technologies. A system in which the device is used only one or two days a week can be more fragile or less demanding than an application in which the device is expected to function every day, 24 hours a day.

Excluded Period(s)/Location(s)
Often, access control systems will be programmable to enable the exclusion of otherwise enrolled persons as a function of the time of day and/or the day of the week, month, or year. Such systems may exclude persons on holidays, evenings, and/or weekends. For example, certain employees may have access on Monday through Friday from 8:00 a.m. to 5:00 p.m., but should not be in the facility during the weekend. The system should be configured or configurable to pass not only identification codes but also time and date information to the processor, whether centralized or localized, where the final pass/reject decision will be made.

Where?
Environment: The system description should give the designer a meaningful sense of the climate and weather conditions for the more challenging venues where the system will be employed. It should also indicate whether the device(s) are to be mounted outdoors or indoors as each of these factors affects the choice of technology. There are, of course, other environmental factors besides weather, including the degree of ruggedization required (i.e., shock and vibration) and sources of interference (background noise, etc.).

Scope: Scope is essentially a very straightforward, but necessary, issue, the answer to which defines the size and impact of the installed system. Where, specifically, will the system be deployed and how extensively? In one city at one location or multiple cities and/or multiple locations? What is the total expected enrollment capacity? Is the system scalable across multiple locations and can it grow as additional users are added? The answers determine the capacities and communications requirements for the devices. Some products are good for small standalone applications, but falter in large, distributed systems. Other products are not effectively used unless they have thousands of enrolled templates and operate in complex communications environments.

Why?
The answer to this question was addressed partially in applications issues above, but is worthy of a revisit to ensure that all purposes intended for the system as a whole are included in their varied form(s).

• To prevent welfare fraud
• To prevent unauthorized entry to a facility(ies) or area(s)
• To ensure only authorized drivers are on the streets
• To ensure known or suspected terrorists do not pass a border control point without further screening
• To ensure only ticketed persons board the aircraft

… and so on. This is a key question looking for an essential answer. Until the designer knows this answer, it is not possible to determine whether a given design approach is correct or “off the mark.” With this in hand, it is possible to evaluate a given design and determine whether that design will satisfy its primary function in an optimum manner.

B.2. Operational Issues

There are, in this category, four main operational considerations:

a. Performance
b. Reliability
c. Facility
d. Training.

B.2.a. Performance

Performance includes several measures (metrics) of biometric systems. The end-user needs to understand these metrics, be able to determine what they need to be given the organization’s security policies, and articulate them to the designer.

B.2.a.1 Accuracy
The most commonly quoted performance rates in entry/access control applications (physical or virtual) are False Accept and False Reject. In these applications they equate to False Match Rate (FMR) and False Non-Match Rate (FNMR) and can be used interchangeably.

False Accept Rate (FAR)
A False Accept occurs in an entry/access control application when the biometric sample from an unauthorized person erroneously (or falsely) matches the template of an enrolled and authorized person, and the biometric system falsely accepts his premise that he is authorized. Obviously, this is the most critical error, and precisely the error that biometrics are intended to prevent. Acceptance of an imposter, either by deliberate attempt or accidental occurrence, is a critical failure of the biometric and should be a very rare incident, and almost never repeatable.

In modern biometric access control systems, it is rare (but possible) that the right combination of ambient light, humidity, temperature, feature or image position, etc., can combine to send an image to the processor that resembles an enrolled template closely enough to produce a False Accept. Normally, however, that event and combination of factors is virtually impossible to recreate closely enough to make it repeatable. For this reason, those who would attempt to by-pass a biometric system do not rely on False Accepts for access but on a more deliberate attack, such as “spoofing”.

It is difficult, if not impossible, to accurately measure the number of False Accepts in an operational setting (because, of course, the successful imposter is unlikely to report it), but it is possible to estimate the statistical probability of False Accepts during a pre-operations scenario test or technology test.

False Reject Rate (FRR)
A False Rejection Rate (FRR) is the measure of the likelihood that a biometric security system will not match the template of an authorized user and thus falsely reject an entry/access attempt. A system’s FRR typically is stated as the ratio of the number of false rejections divided by the number of identification attempts. False Rejects are an administrative and operational nuisance in physical or virtual access control applications, and do not directly cause or represent a security hazard. False Rejections contribute to weakened security, however, if the rate of False Rejects is so high that regular users start trying to find ways to circumvent the control, like leaving the door propped open. High FRRs also weaken security if the users’ objections influence the security manager to move an adjustable threshold to reduce the incidence of False Rejects, thus increasing the likelihood of a False Accept. The objective of the designer and the security manager is to select and use biometric devices that minimize False Accepts to an optimum level without increasing False Rejects to an unacceptable level.² False Accept and False Reject rates are more fully discussed in Volume 1 of the Biometric Technology Application Manual.

2 FAR and FRR are inversely related. That is, an adjustment in the sensitivity of the device that decreases the probability of a False Accept increases the probability of a False Reject. However, the relationship is not necessarily linear (that a 5% increase in one factor results in a 5% decrease in the other), but it is a performance factor that needs to be understood.

B.2.a.2 Spoof Resistance
While managers often worry about the FAR, they often do so more than they should. For example, presume that the statistical probability of an imposter being able to randomly match the biometric of a legitimate identity purely by coincidence is 1 in 100 (1% FAR). Looked at from the other perspective, an imposter would have a 99% chance of being thwarted - not very attractive odds. Thus a biometric system acts as an effective deterrent to all but the most sophisticated and determined. As biometrics become more and more sophisticated, the likelihood of hostile forces successfully exploiting a device’s implicit FAR is very low. Managers should focus on direct attacks on the system, such as the device’s vulnerability to spoofing.

There is a real and significant difference between a False Accept and an effective spoof. A true False Accept occurs when, during the matching process, the characteristic or feature that has just been presented and which is a faithful representation of that unauthorized person’s real biometric characteristics so closely resembles an enrolled person’s template that the system declares a match. It is an honest mistake properly anticipated by the device’s computed FAR. It is a statistic that tells the technology buyer what the chances are of the door being opened by a casual passerby (i.e., a zero effort attack). As noted above, such events can happen but are not likely to be routinely repeated, even seconds apart. A one-time accident/error does not constitute a useful tool for those with bad intentions.

Spoofing, on the other hand, is a systematic and concerted attempt to fashion some sort of disguise, artifact, or fake biometric (a mask, a fake finger, a rubber hand, etc.) in a willful attempt to circumvent the biometric safeguards. It relates to the FAR in the sense that both events result, if the spoof is successful, in the device being sufficiently convinced of the similarity between the presented object and the enrolled template that it declares a match and allows entry to an unauthorized person.

What the security manager really wants to know is to what extreme would a person have to go to purposefully fool or spoof the technology and thereby routinely gain unauthorized (and even repeatable) access. Theoretically, any system can be spoofed, provided enough time, labor, and money is contributed to the attack method. The security manager wants to know how much time, labor, and money is required to compromise the technology.

If there were a convenient way to characterize this “spoofability” into a simple number like a FAR or FRR, it would readily become a key factor in product selection. At this time, we have no such magic bullet, but work is underway to produce a useful estimator of “spoofability”. It should also be noted that the biometric industry fully recognizes the exposure to spoofing techniques, and sensor manufacturers are continually developing sophisticated countermeasures that would render many of the less sophisticated spoofing attacks ineffective.

B.2.a.3 Throughput rate

Throughput is the number of people who can be successfully processed and permitted to proceed beyond the biometric checkpoint in a given period of time (e.g., six people per minute). Throughput and False Rejects will often battle for the lead in user irritation in operating biometric systems and are a major source of system failure. A biometric screening device that works without errors of any type, but only allows 1 or 2 individuals to pass the checkpoint per hour (or even per minute) would not be accepted and installed in most applications. Consider also a user-sign-on application for a company with 10,000 employees who are logging on to their server system in the morning as they report to work. The system must be able to handle thousands of access requests that come in around the same time, otherwise there will be significant delays and False Rejects due to inability to process.

Ultimately, however, throughput, like False Reject Rates, is an administrative or management issue. A low throughput rate or high reject rate is not, in and of itself, a security breach. It is an institutional nuisance that, in the worst case, motivates people to try to find ways to circumvent the irritant, such as propping the controlled door open all day, a practice that would allow unauthorized persons into the protected space. The “correct” value for throughput is subjectively established as a rate at least equal to one more person per unit of time than the minimum rate that management finds acceptable. The best achievable throughput is one in which there is no discernable delay in the movement of people passing a biometric checkpoint regardless of the number of people attempting simultaneous entry.

A couple of factors will also impact throughput. These include population and flow pattern.

Population Size
A major factor affecting the assessment of throughput is the total number of people who must pass a biometric checkpoint in a specified period of time in a single file. If there are five doors into a facility and 1,500 people need to enter the facility, then each checkpoint device needs to process at least 300 people in the unit of time available for personnel entry. If that limit is 30 minutes, then the throughput needs to be at least 10 people per minute per portal. This example assumes that all 1,500 people will spontaneously distribute themselves so that exactly 300 arrive at each of the five separate doors at the same time – not a likely scenario. Therefore, when developing requirements that will guide the design of a biometric system, it’s important to observe and know the real-world flow pattern.

For example, if only one of the doors is directly facing the primary parking lot and the other four are administrative doors allowing access from other interior spaces, then a primary door with a 10 person per minute throughput will only get 1/3 of the workforce into the facility in the allotted time. A system designer must either find a biometric device that processes 50 people per minute, or provide perhaps five biometric devices servicing that one primary door.

Surge vs. Even Flow
There are two ways a given population can routinely approach a controlled facility: in a surge of demand (often early in the morning), or in a constant flow throughout the day and night. Naturally, the minimum acceptable throughput is the one calculated on the normal or average number of entries at times other than “rush hour,” but a higher standard is set by the magnitude of entry demand at peak usage times. Therefore, it is important to understand the load distribution over time.
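The sizing argument above, worked as an added example (not part of the manual): the same 1,500 people and 10-per-minute readers are run through one door under an even arrival profile and under a constructed surge profile. The function names and the surge profile are assumptions made for illustration.

```python
"""Added example: sizing readers at one door for even flow versus a surge."""
import math

# Constructed per-minute arrival profiles, 1,500 people over 30 minutes each.
EVEN = [50] * 30                                # steady 50 arrivals per minute
SURGE = [10] * 10 + [130] * 10 + [10] * 10      # most arrive in the middle 10 minutes


def readers_for_even_flow(people, minutes, per_reader_rate):
    """Average-based sizing: readers needed if arrivals are spread evenly."""
    return math.ceil(people / (minutes * per_reader_rate))


def simulate_queue(arrivals, readers, per_reader_rate):
    """Minute-by-minute queue at one door.

    Returns (peak_queue, minutes_to_clear): the longest line left standing at
    the end of any minute, and the minute in which the last person gets through.
    """
    capacity = readers * per_reader_rate
    queue = peak = minute = 0
    for arriving in arrivals:
        minute += 1
        queue += arriving
        queue -= min(queue, capacity)       # readers serve up to their capacity
        peak = max(peak, queue)
    while queue > 0:                        # arrivals have stopped; drain the line
        minute += 1
        queue -= min(queue, capacity)
    return peak, minute


def readers_for_profile(arrivals, per_reader_rate, deadline_minutes):
    """Smallest reader count that gets everyone through by the deadline."""
    readers = 1
    while simulate_queue(arrivals, readers, per_reader_rate)[1] > deadline_minutes:
        readers += 1
    return readers


if __name__ == "__main__":
    print("even-flow sizing:", readers_for_even_flow(1500, 30, 10), "readers")
    for name, profile in (("even", EVEN), ("surge", SURGE)):
        peak, done = simulate_queue(profile, 5, 10)
        print(f"{name}: 5 readers -> peak queue {peak}, cleared at minute {done}")
    print("surge needs", readers_for_profile(SURGE, 10, 30), "readers for a 30-minute window")
```

A long standing line is the condition under which users start propping doors open, so the peak queue is worth reviewing alongside the reader count.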

B.2.a.4 Other Related {Performance} Issues

Failure to Enroll (FTE)

Failure to Enroll is a problem common to all biometric technologies and it refers to the fact that, for every technology there are at least a few individuals who lack sufficient unique, stable, measurable features to be recognized by that technology. The problem is compounded by the fact that many technologies impose higher quality criteria for enrollment samples than for authentication samples to assure acceptable False Reject performance. For example, a person without a voice cannot be registered or enrolled in a voice recognition biometric system. Likewise, a person with no hands cannot be enrolled into a fingerprint-based biometric system. At a more subtle level, fingerprints may be difficult to enroll from the elderly or from persons in certain racial, occupational, or geographical populations whose fingers may be too dry, too fine, or too smooth, thus offering poor input data. Individuals whose fingerprints are subject to extraordinary occupational wear and tear (e.g., brick layers, chemical workers, etc.) are often hard to enroll. Persons who simply cannot be enrolled in a given technology, however, may be quite able to be enrolled in another. There will also be instances where a person cannot interact with the device properly (e.g., a blind person is unable to focus his/her eye properly in front of an iris recognition reader). Even in the event a marginal quality enrollment is achieved, such an individual will experience more Failure to Acquire errors and often be rejected from entry. In these cases, an appropriate work-around or alternative identification mechanism should be provided.

Failure to Acquire (FTA)
There is a subtle, but very important, difference between a False Reject and a Failure to Acquire. A false reject occurs when there are insufficient corresponding data points in a reasonably clear and accurate live sample of a biometric and the enrolled template of the same individual. This happens, most often, when an individual has biometric features that are, for a given biometric technology, only marginally sufficient to be well-measured and enrolled. For example, a person with very fine and smooth skin may be difficult to enroll or capture accurately by a fingerprint system.

A Failure to Acquire occurs when a person who has been successfully enrolled, with a clear and useful enrollment record, cannot be recognized due to some temporary data acquisition difficulty. This very common error happens when the finger, for example, is moved on the platen during imaging or there is contamination on the platen obscuring or blurring too much of the current (presented) fingerprint. Another example is when a well-enrolled voice pattern cannot be matched when that individual attempts identification in an environment with disruptive background noise.

Another significant difference between False Rejects and FTA is that, with a good re-enrollment, user re-training and re-orientation, and appropriate reader device servicing and cleaning, the FTA rate may drop significantly, almost completely eliminating rejection errors. These techniques, however, do little to reduce true False Rejects. In theory, if the sensitivity of a device is set to its “equal error point” or “Crossover Error Point” (CEP), the FRR should equal the FAR. So, if the system is set at a CEP equal to 0.01%, yet demonstrates a FRR of 5.00%, the fair assumption is that FTA rate = 4.99% and FRR = 0.01%. As re-enrollments are made, re-training is given, and devices are better serviced, the remaining difference between theoretical FRR and observed rejection rates should be the measure of the continuing FTA rate.
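The threshold trade-off in the FAR/FRR discussion and the crossover reasoning above, as an added example that is not part of the manual. The match scores are constructed, the function names are hypothetical, and the rejection split assumes the reader logs a failed capture separately from a low match score.

```python
"""Added example: FAR/FRR at an adjustable threshold, on constructed scores."""

# Constructed similarity scores (0-100, higher = closer match); not real data.
# GENUINE: enrolled users compared against their own template.
# IMPOSTOR: zero-effort attempts against someone else's template.
GENUINE = [92, 88, 85, 83, 81, 79, 78, 76, 74, 73,
           71, 70, 68, 66, 63, 61, 58, 55, 49, 41]
IMPOSTOR = [12, 15, 18, 21, 23, 26, 28, 30, 33, 35,
            37, 39, 42, 44, 47, 50, 53, 57, 62, 69]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold is declared a match."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds=range(0, 101)):
    """Tabulate (threshold, FAR, FRR) across the whole sensitivity range."""
    return [(t,) + error_rates(t) for t in thresholds]


def crossover(table):
    """Lowest threshold at which |FAR - FRR| is smallest (the crossover point)."""
    return min(table, key=lambda row: abs(row[1] - row[2]))


def threshold_change(old, new):
    """(change in FAR, change in FRR) when the threshold is moved from old to new."""
    far_old, frr_old = error_rates(old)
    far_new, frr_new = error_rates(new)
    return far_new - far_old, frr_new - frr_old


def split_rejections(attempts, threshold):
    """Separate rejections of authorized users by cause.

    Each entry is one attempt by an enrolled user: a match score, or None when
    the reader logged that no usable sample was captured (assumed log format).
    """
    total = len(attempts)
    fta = sum(a is None for a in attempts)
    false_rejects = sum(a is not None and a < threshold for a in attempts)
    return {
        "observed": (fta + false_rejects) / total,
        "failure_to_acquire": fta / total,
        "false_reject": false_rejects / total,
    }


def residual_fta(observed_rejection_rate, theoretical_frr):
    """The manual's estimate: rejections the FRR does not explain are FTA."""
    return observed_rejection_rate - theoretical_frr


if __name__ == "__main__":
    t, far, frr = crossover(sweep())
    print(f"crossover at threshold {t}: FAR={far:.2%} FRR={frr:.2%}")
    d_far, d_frr = threshold_change(60, 50)
    print(f"relaxing 60 -> 50: FAR {d_far:+.2%}, FRR {d_frr:+.2%}")
    print(split_rejections(GENUINE + [None] * 5, t))
    print(f"manual's figures: FTA = {residual_fta(0.05, 0.0001):.2%}")
```

On these scores, relaxing the threshold from 60 to 50 removes 10 points of FRR at a cost of 15 points of FAR, and most of the observed rejections at the crossover are capture failures that no threshold change would fix.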

B.2.b. Biometric System Reliability, Availability and Survivability

End users in operational environments sometimes contend that reliability is an issue of greater importance than performance. They argue legitimately that reliability more often determines the success or failure of a biometric installation than a few percentage points difference in FAR and FRR discussed in the foregoing section. With equal validity, they point out that FAR and FRR are measures of the population behavior in a particular application environment, and thresholds can be set by the device administrator. Further, performance factors are negatively affected by the improper use of the biometric subsystem through poor quality enrollment, inadequate user training, environmental interference (e.g., variation in lighting), and poor maintenance. Reliability, in contrast, is largely inherent in the equipment, system design, and technology (modality), and thus deserves as much if not more attention and care during the design process.

The overall term for this consideration is System Availability (SA). SA is a function of two main values: Mean Time Between Failure (MTBF) and Mean Time To Repair (MTTR). In more recent literature, discussions of System Availability have begun to include references to System Survivability, referring to the ability of a system to recover from an extraordinary event (such as a power outage) and continue functioning.

B.2.b.1 MTBF
The oldest, most familiar, and best-quantified measure of reliability is Mean Time Between Failures (MTBF). Through testing, failure rates of individual sensors, transmission means, servers, processors, human interfaces, and other components can be documented and validated. System MTBF is another matter, and many biometric vendors are seldom willing to make claims or commitments as to the system-MTBF and historically in the biometrics industry have not done so. In addition, it may be nearly impossible to quantify biometric system MTBF because of the mix of general-purpose equipment and components in a typical system over which the vendor has no control. Anecdotal research of existing systems may be the most practical way to derive data on which to make decisions in the design and selection process.

B.2.b.2 MTTR
MTTR refers to the mean time to repair or recover from an outage or failure. This value is even less frequently published, even if the manufacturer knows what it is. Biometric devices are normally a part of a larger system comprising several different, unrelated components each with their own MTBF and MTTR. Often, it is much easier to swap out a defective biometric reader or device than to shut that part of the system down. Consequently, the effective MTTR is measured in just a few minutes, a trivial length of time in most circumstances. Often, there is little an end user can do to repair the device, requiring a return to the factory for repairs. With the availability of express courier services, effective MTTR becomes, at worst, 24 hours, more or less, from the time the device is determined to be defective and a replacement unit ordered from the vendor.

B.2.b.3 System Availability
Provided that we know both MTBF and MTTR, we can prepare an estimate of SA from:

SA = MTBF / (MTBF + MTTR)

If MTBF = 1000 hours and MTTR = 10 minutes (.167 hours), then:

SA = 1000 / (1000 + .167) = 1000 / 1000.167 = 99.983%

In more complex systems, management may elect to perform periodic maintenance (M) on the system, requiring the system to be taken out of service. This value is expressed as a percent of the total operational time. If, for example, the system is to be shut down for one hour every six months, then the value of M is 0.0002%. This value is added to the foregoing equation, which becomes:

SAm = MTBF / ((1 + M) x (MTBF + MTTR))

In the foregoing case, availability becomes:

SAm = 1000 / ((1 + .0002) x (1000 + 0.167)) = 1000 / (1.0002 x 1000.167) = 1000 / 1000.3670334 = 99.963%

Sophisticated buyers of biometric systems will often specify a SA of 95.0 to 99.9%. As just demonstrated, these values may be difficult to attain and it is important to determine just what level of availability is being sought, simple or one including periodic maintenance.

B.2.b.4 Survivability³
Survivability has been defined as “the capability of a system to fulfill its mission in a timely manner, in the presence of attacks, failures, or accidents.” Survivability analysis is influenced by several important principles:

• Containment. Systems should be designed to minimize mission impact by containing the failure geographically or logically.

• Reconstitution. System designers should consider the time, effort, and skills required to restore an essential mission-critical infrastructure after a catastrophic event.

• Diversity. Systems that are based on multiple technologies, vendors, locations, or modes of operation could provide a degree of immunity to attacks, especially those targeted at only one aspect of the system.

• Continuity. It is the mission-critical functions of the business that must continue in a catastrophic event, not any specific aspect of the system’s infrastructure.

B.2.c. Facilities and Systems

3 Ellison, R.J., et al. “Survivable Network Systems, an Emerging Discipline.” Technical Report CMU/SEI-97-TR-013, 1997.

Consideration needs to be given to the physical and virtual environment in which the biometric components will be expected to function. This will either be done in the context of a new or an existing system.

New System
New systems offer opportunity to prepare a well-considered design using the most current and cost-effective components and procedures available. The downside to a new system is that there is no baseline of performance for comparison and new systems often fail to work the first time they are activated, resulting in considerable troubleshooting activity before realizing success. One way to avoid unnecessary problems is to minimize the level of innovation throughout the system and avoid reliance on new, unproven, or untested equipment and technologies without a sound and rational reason. However, if the need for new technology is compelling, implementation can be staged to test each component of the technology in installation increments, or in phased pilot tests to determine that each subsystem is functioning properly before moving on to another new component or space.

Legacy System
As often as not, the addition of a new biometric component to an access control system will be an integration into a well-established legacy system. This manual is not intended to be a comprehensive tutorial on systems integration, but it is essential to have a comprehensive understanding of the system into which the biometric technology will be introduced. Most often, compromises will be required and it will be the new, biometric addition that is expected to bend the most.

As an example, there was an assignment to integrate an advanced biometric technology into a standard access control system providing protection to a new federal building under construction. From the documentation prepared by the general contractor, every element was considered and the conclusion was reached that the biometric technology would work, especially since the head end control software was to be a state-of-the-art access control system. However, the installer/integrator found two surprises.

1. The customer expected a combination proximity card/biometric solution, and
2. even later, it was discovered that the same customer had exercised its bargaining power to acquire a control system that used a proprietary code approach.

In short order, there was a challenge to determine a way to configure the chosen biometric technology to work with a proximity card. Fortunately, the manufacturer had anticipated this possibility in applications and had included the necessary capability to read proximity cards. The software, however, could not read the proximity card and forward the appropriate information through the system. The manufacturer was so committed to customer service and satisfaction that its lead software engineer spent 40-50 hours over a weekend rewriting the code to accommodate the proximity card information and to perform the ‘AND’ function for access control.

Later, after the new, combined solution was demonstrated, the customer announced its credentials would no longer work since the code transmitted from its cards used a proprietary code format, instead of the format common to most access control systems. Fortunately, another software-adjustable feature allowed this latest surprise to be accommodated. The point here is that the system designer should not depend on the foresight and willingness of the manufacturer (whether hardware or software) to provide such prompt and face-saving solutions to even one problem, let alone several. Rather, sufficient information must be collected from the owner regarding the existing system (as well as any side procurements) so as to anticipate these problems and to engineer an appropriate solution prior to committing the design to specification and order.

B.2.d. Complexity of User Interface as it Impacts Training

One factor having a significant impact on the selection and performance of a particular biometric system is the quantity and quality of training the using agency is able to provide to both security system operators and system users in the proper method of enrollment and daily use of the biometric. As discussed above, rejection, whether it is a False Reject or a Failure to Acquire, along with the throughput rates, is one of the most disconcerting negative aspects of the application of a biometric technology, but is subject to significant improvement through effective operator and user training. Design of an effective biometric system should include a discussion of the training appropriate to the selected biometric technology and the proposed user population. Emphasis should be placed on the description of operator responsibilities to ensure that enthusiastic, well-trained operators conduct effective enrollments and user training to minimize poor quality enrollments and the likelihood of Failure to Acquire errors. See Section 14 of this manual for further information on training.

B.3. Legal Issues

Several legal aspects of the introduction of any security system must be anticipated and considered in the final design. These include privacy issues, especially those related to biometric systems, legislative issues and requirements, liability questions created by security systems, and compliance with the ADA regulations.

Privacy Rights

Probably the most contentious aspect of biometric technologies is the question of whether the biometric chosen for a particular application will somehow compromise an individual’s privacy rights. For most biometric solutions today, the answer to the privacy question in the United States is that neither personal privacy compromise nor personal injury is a likely consequence of using a given biometric technology. This is true not only because few biometric technologies readily compromise personal information or represent a health threat, but because manufacturers have gone the extra step to build into their systems safeguards that prevent any compromise of physical safety or privacy. It is essential, however, that security staff be trained in the technology, its operation, and the applicable law, so they can explain to agency personnel and visitors the nature of the biometric being used and why it should not compromise privacy and/or threaten personal health.

Some organizations may have a policy that requires a comprehensive privacy impact assessment (PIA) for any proposed new system. Such an assessment should describe how biometric data is collected, stored, shared, and protected as well as how errors are addressed.

Regardless of the current state of privacy laws of the United States or other countries, the general philosophy of NBSP and the biometric industry at large is to take the proactive view that a person’s biometric information is “personal” because it is personally identifiable information or unique to a person. Therefore, it is recommended that “biometric information” be treated “as if” it were entitled to privacy protection regardless of the applicable laws, which will vary from jurisdiction to jurisdiction. This approach circumvents the issue of whether or not an individual’s privacy has been violated. Similarly, even if the law of one jurisdiction does not treat a person’s biometric as private today, social standards are likely to dictate changes in privacy laws, including new legislation that could later mandate treating biometrics as private personal information entitled to privacy protection. In conclusion, it is recommended that biometric systems developed today be designed and engineered to safeguard biometric information privacy so that they are in compliance with developing privacy laws and regulations.
Accordingly, it is recommended that companies managing biometric identification systems adopt policies and procedures for the proper use and safeguarding of biometric identification. Such privacy policies should include such basic privacy principles as:

• notice to the individual about how their biometric information will be used,
• separation of the biometric information from other personally identifiable information to prevent linkage,
• restrictions on access to biometric information,
• transfer or sharing of the biometric information only with the individual’s consent,
• enforcement measures to ensure compliance with the foregoing, and
• possibly, an individual’s choice to opt out of the system.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a federal statute requiring that medical records be carefully protected and that only authorized persons, having a need to know, be given access to personal medical information. Biometrics have been especially useful in implementing and maintaining compliance with HIPAA in that they can allow only authorized persons at authorized times and dates to gain access to biometrically controlled healthcare information and data. The control system can also record the date and time of access, thereby providing non-repudiation evidence of the accessing person’s identity. Other regulatory requirements such as Sarbanes-Oxley, Gramm-Leach-Bliley Bank Modernization Act, Fair Credit and Reporting Act (FCRA), Federal Information Systems Security Act (FISMA), 21 CFR Part 11 Regulations for Pharmaceutical Electronic Record Keeping, etc. all have similar language to HIPAA that requires that system operators/owners take appropriate steps to insure against unauthorized access to sensitive data. Any of the organizations that fall under these regulatory controls should consider the benefits of biometric authentication to control user access.

Liability – Duty to Care

Senior company or agency managers, as well as security managers, have a legal “duty to care” for the personnel and assets under their control and supervision. Biometric access control is an effective way to implement a security system and demonstrates recognition of this duty. In a number of cases, this duty can be quantified in this equation:

$$I = P_{loss} \times \text{Asset Value}$$

[I = Insurance and $P_{loss}$ = Probability of Loss]

That is, a sufficient recognition of the duty to care is more or less equal to an appropriate investment in insurance or security systems equal to the probability of a loss of an asset times the value of that asset. The goal of the security manager or executive manager is to minimize both the likelihood of any threat and the value of the protected assets that might be lost. The compromise of essential, classified national security information or corporate intellectual property (e.g., the formula for Coca-Cola®), cannot normally be covered by conventional insurance, so the difference is often covered by one or more layers of manned and automated security solutions.

Implied Security

In some ways, the existence of a security system is a double-edged sword. On one side, a security system is evidence of management’s recognition of its duty to care. The other side of the issue is that employees may construe the existence of various security products—access controls, video surveillance, entry controls—as absolute guarantees that they are safe from criminal attack or other illegal behaviors, and ignore common precautions.

ADA Compliance

The Americans with Disabilities Act (ADA) requires that most public buildings, regardless of ownership, comply with an extensive list of rules governing building design and equipment used, especially for doors and access control. For example, although new biometric fingerprint readers are wall mounted more or less in the same location as proximity card readers, they are ergonomically difficult for wheelchair-bound individuals to reach and use properly. To be fair, those responsible for developing ADA standards are not especially well-trained or experienced in modern biometric technologies and are lagging along with the industry in promulgating meaningful standards outlining appropriate expectations for system designs.


Section 508 Compliance

Section 508, an amendment to the U.S. Workforce Rehabilitation Act of 1973, is a federal law mandating that all electronic and information technology developed, procured, maintained, or used by the federal government be accessible to people with disabilities. The scope of Section 508 is limited to the federal sector, and includes binding, enforceable standards, as well as compliance reporting requirements and a complaint procedure. Section 508 does not apply to the private sector, nor does it impose requirements on the recipients of federal funding. However, the U.S. Department of Education requires states funded by the Assistive Technology Act State Grant program (a grant program that supports consumer-driven state projects to improve access to assistive technology devices and services) to comply with Section 508.

According to Section 508 criteria (1194.26 Desktop and portable computers), when biometric forms of user identification or control are used, an alternative form of identification or activation, which does not require the user to possess particular biological [biometric] characteristics, shall also be provided. Accessibility policies like Section 508 vary from country to country, but most countries, including the European Union, have adopted standards based on the Web Content Accessibility Guidelines of the World Wide Web Consortium.

The SAFETY Act

Homeland Security Subtitle G of Title VIII of the Homeland Security Act of 2002 – The Support of Anti-Terrorism by Fostering Effective Technologies Act of 2002, Public Law 107-296

As part of the Homeland Security Act of 2002, Congress enacted the SAFETY Act to provide risk management and litigation management protections for sellers of qualified anti-terrorism technologies and others in the supply and distribution chain. The aim of the Act is to encourage the development and deployment of anti-terrorism technologies that will substantially enhance the protection of the nation.
Specifically, the SAFETY Act creates certain liability limitations for “claims arising out of, relating to, or resulting from an act of terrorism” where qualified anti-terrorism technologies have been deployed. The Act reflects the intent of Congress to ensure that the threat of liability does not deter potential sellers from developing and commercializing technologies that could significantly reduce the risk of, or mitigate the effect of, acts of terrorism. The SAFETY Act “Designation” and “Certification” protection classifications are designed to support effective technologies aimed at preventing, detecting, identifying, or deterring acts of terrorism, or limiting the harm that such acts might otherwise cause. All forms of technology, including products, software, services, and various forms of intellectual property, may qualify for SAFETY Act protection.


If a technology has received a “Designation” as a Qualified Anti-Terrorism Technology (QATT), the following legal protections are available in relation to claims arising out of, relating to, or resulting from an act of terrorism:

• The manufacturer can be sued only in federal court
• Liability will be limited to the amount of insurance coverage required by the Department of Homeland Security (DHS)
• No punitive damages will be allowed

If a technology has also received a “Certification” (described below), the following legal protections for such types of claims are also available.

• A broad government contractor’s defense will be available, as a rebuttable presumption
• Only a showing of fraud can defeat the government contractor’s defense

Designation. In determining whether to grant a Designation, DHS exercises discretion and judgment in interpreting, weighing, and determining the overall significance of certain criteria, which include but are not limited to:

• Prior U.S. Government use or demonstrated substantial utility and effectiveness
• Availability of the technology for immediate deployment in public and private settings
• Existence of extraordinarily large or un-quantifiable potential third-party liability risk exposure to the seller (or other provider of the technology)
• Substantial likelihood that the technology will not be deployed unless SAFETY Act protections are extended
• Magnitude of risk exposure to the public if the technology is not deployed
• Evaluation of all scientific studies that can be feasibly conducted to assess the capability of the technology to substantially reduce risks of harm
• Whether the technology would be effective in facilitating the defense against acts of terrorism

A Designation is valid for five to eight years and automatically terminates if the Qualified Anti-Terrorism Technology (QATT) is significantly changed.

Certification. Receipt of a Designation is a pre-requisite for Certification. Sellers may apply for a Certification either in conjunction with or subsequent to an application for Designation. In determining whether a QATT qualifies for a Certification, there are three additional criteria against which the QATT is evaluated:

• It must perform as intended
• It must conform to the seller’s specifications
• It must be safe for use as intended


The Department of Homeland Security, specifically the Under Secretary for Science and Technology, is responsible for review and approval of applications for Designation and Certification of QATTs. Companies wishing to be awarded SAFETY Act protections must apply to the DHS using the forms provided by DHS, furnish all of the requisite supporting data and information, and successfully demonstrate compliance with the Act’s specific criteria. DHS will perform a comprehensive evaluation to determine eligibility for SAFETY Act Designation or Certification. The evaluation process typically takes about 120 days to complete. As of the time of BTAM publication, over 100 technologies are covered under SAFETY Act protection. For questions or help with submission of an application under the SAFETY Act, contact the Office of SAFETY Act Implementation at 1-866-788-9318 or email: [email protected].

B.4. Environmental Issues

Biometric devices are not immune from weather conditions such as rain, snow, heat, cold, and light. They are also subject to wear and tear in interior environments. The following paragraphs examine a number of relevant environmental issues.

Indoor

Interior environment concerns are generally based on the wear and tear to which biometric devices are subjected. Generally, the amount of direct contact with the device will increase the “wear” factor. These concerns will also vary from installation to installation.

Office

The most benign interior environment is the common office setting. Generally speaking, this environment is reasonably (or, at least relatively) clean and quiet. For physical access applications, the major issue is the volume of traffic through controlled checkpoints; this is a key factor in determining throughput demand. Expected throughput rate depends on the number of portals and employees, as well as the distribution of arrival and departure times. With greater traffic volume there is an inevitable increase in breakage and failures. Almost any biometric device manufactured should work well in this environment, although it is important to note that some people who handle a lot of paper can sometimes have issues with some fingerprint readers. Overhead or back lighting can also sometimes be an issue.

Industrial

In manufacturing environments, there is a concern not only for devices that can provide the throughput rate desired—a function of the number of people on staff—but also for the consistent and reliable acquisition of the biometric characteristic by the sensor device. The hands and fingers are especially vulnerable to dirt, grease, injury, and loss, thus rendering fingerprint systems more difficult to employ effectively and efficiently than some other technologies. Also, manufacturing floors can often be noisy, and sometimes there is dust and other airborne particles in such environments.

Educational

School systems are beginning to adopt biometric access control for both the front door of the school[4] and the dining room or cafeteria[5]. The controls at the front door provide security for both students and staff by admitting only those persons known to and trusted by the school system. The cafeteria controls are designed to streamline the process by which the students identify themselves as entitled to eat lunch and to access accounts from which the meal is paid. Hand geometry technology has been in use for food service applications at the University of Georgia for more than 30 years. [See University of Georgia Case Study in this BTAM.]

The environment of a school is similar to a busy office building with many of the same issues. Due to the relatively large numbers of people using the system daily, the device of choice needs to be durable, quick, and reliable—the emphasis, perhaps, on the quick and durable at the expense of reliable. There are also occasional parental privacy concerns, most of which can be offset with a good parental orientation program on biometrics.

Fingerprint technology is also gaining popularity in elementary and secondary school lunch programs. A number of school districts have implemented fingerprint technology for school lunch programs. Because it is impractical to expect young students to remember PINs or to carry ID cards, these fingerprint systems have been implemented as ‘identification’ applications rather than one-to-one verification applications. Each child presents their finger to the sensor and the system searches the entire population of enrolled fingerprints to find a match candidate rather than indexing to a specific enrolled record through a prior claim of identity as would be provided by an ID card or PIN entry.
Recreational

Iris recognition has been in use by the military at the Pentagon to control entry not only to highly classified briefings and restricted spaces, but to the gym, as well. Use is reported in commercial gyms as well. By using a biometric, gym users do not need to carry personal identification cards on them when they are dressed in their exercise clothing. One advantage of iris technology is its extraordinary accuracy and its database search-match speed. This means that a large database can be searched to determine identity rather than requiring a prior claim of identity for a match against a single known record.
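The difference between one-to-one verification and the one-to-many identification search described in the Educational and Recreational paragraphs above, shown as an added example that is not part of the manual. The random bit-string templates, template length, threshold, noise rate, IDs, and per-comparison false match rate are all assumptions, and the scaling formula assumes independent comparisons.

```python
# Added example (not from the manual): 1:1 verification vs 1:N identification.
# Templates are random bit strings standing in for real biometric templates;
# the template size, threshold and noise rate below are assumptions.
import random

TEMPLATE_BITS = 2048   # assumed template length
THRESHOLD = 0.32       # assumed accept threshold (fraction of differing bits)


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of bit positions in which two templates differ."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def noisy_sample(template: int, flip_rate: float, rng: random.Random) -> int:
    """Simulate a fresh capture of the same person: each bit flips with flip_rate."""
    mask = 0
    for bit in range(TEMPLATE_BITS):
        if rng.random() < flip_rate:
            mask |= 1 << bit
    return template ^ mask


def build_demo_gallery(n: int, seed: int) -> dict:
    """Constructed enrollment database: n random templates keyed by a made-up ID."""
    rng = random.Random(seed)
    return {f"student-{i:04d}": rng.getrandbits(TEMPLATE_BITS) for i in range(n)}


def verify(gallery: dict, claimed_id: str, probe: int,
           threshold: float = THRESHOLD) -> bool:
    """1:1 verification: the claim of identity (card, PIN) selects ONE record."""
    enrolled = gallery.get(claimed_id)
    if enrolled is None:
        return False  # unknown claim is rejected without any comparison
    return hamming_fraction(enrolled, probe) <= threshold


def identify(gallery: dict, probe: int, threshold: float = THRESHOLD):
    """1:N identification: no claim, so every enrolled record is compared.

    Returns (best_id, distance) if the closest record is within the
    threshold, otherwise None.
    """
    best_id, best_distance = None, 1.0
    for user_id, enrolled in gallery.items():
        distance = hamming_fraction(enrolled, probe)
        if distance < best_distance:
            best_id, best_distance = user_id, distance
    if best_id is not None and best_distance <= threshold:
        return best_id, best_distance
    return None


def system_false_match_rate(fmr_single: float, n_enrolled: int) -> float:
    """Chance that an unenrolled person matches at least one of N records.

    Assumes each comparison is independent with false match rate fmr_single.
    """
    return 1.0 - (1.0 - fmr_single) ** n_enrolled


if __name__ == "__main__":
    gallery = build_demo_gallery(500, seed=7)
    probe = noisy_sample(gallery["student-0042"], 0.12, random.Random(99))
    print("verify, correct claim:", verify(gallery, "student-0042", probe))
    print("verify, wrong claim:  ", verify(gallery, "student-0007", probe))
    print("identify, no claim:   ", identify(gallery, probe))
    for n in (1, 500, 10_000, 1_000_000):
        rate = system_false_match_rate(1e-4, n)
        print(f"N={n:>9,}: false match chance for an outsider = {rate:.4f}")
```

With an assumed per-comparison false match rate of 1 in 10,000, an unenrolled person has roughly a 63% chance of matching some record in a 10,000-record gallery. An identification deployment therefore needs a far lower per-comparison error rate than a verification deployment of the same size.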

[4] Sullivan, Laurie. Iris Scanning for New Jersey Grade School. TechWeb. www.techweb.com January 23, 2006.
[5] Adams, Mason. Cafeteria ID System Fingers Students. The Roanoke Times. December 10, 2005.


Correctional

Biometrics have been used in correctional facilities for some time,[6,7] but not without resistance. Wardens and jailers tend to be technologically conservative. Few, if any, wardens have been promoted based on their innovative adoption of state-of-the-art technology, but many have been relieved of duty for jail escapes. Hand geometry was one of the first technologies to be used in jails and prisons. More recently, fingerprint and iris recognition systems have been successfully employed. Due to its effectiveness in performing 1:N searches for individual recognition, iris recognition is often used in jails to prevent inadvertent and premature release of inmates exploiting identity confusion and theft. In one instance[8], an arrestee with outstanding warrants was caught during booking attempting to use his identical but law-abiding twin brother’s name. [See Lancaster County Prison Case Study in this BTAM.]

The foregoing example notwithstanding, the principal applications of biometrics in a correctional facility are to prevent escapes, control the movement of inmates within their facilities from one area to another, and to access controlled documents or medications. Despite the utility of biometrics in prison, the environment includes several unusual hazards. In most environments protected by biometrics, the users are willing participants and cooperate with the technology as a condition of employment and as a means to safeguard themselves and their work. Consequently, they treat the equipment with a reasonable amount of respect and care. In jails, inmates are constantly challenging anything that complicates their desire to be anywhere but in jail. A major East Coast correctional facility using fingerprint technology investigated iris recognition technology when they discovered inmates were using their fingernails to scrape away at the bar code on their wrist bands that contained their biometric template.
If the technology could not read the bar code, then the staff had to use some other means to verify their identity prior to the inmate being allowed to pass certain check points. This resulted in excessive staff time and materials costs. Any lens type of surface, whether a fingerprint platen or an iris imaging lens, will be subject to repeated efforts to scratch and obscure the lens rendering the device useless until repaired.

Outdoor

Biometric technologies are often challenged when employed in outdoor environments, normally the exterior door to protected buildings.

[6] Cohn, Jeffrey P., Miles, Christopher A. Tracking Prisoners in Jail with Biometrics: An Experiment in a Navy Brig. National Institute of Justice Journal. NIJ Journal No. 253. January 2006.
[7] Biometrics in Corrections. National Law Enforcement and Corrections Technology Center. TechBeat. Fall 2000.
[8] Anderson, Teresa. The Eyes Have It. Security Management magazine.


Climate

There are few climate zones free from challenges to biometrics. At some time of the year, almost all regions are subject to extremes in temperature and humidity. The performance of electromechanical devices begins to deteriorate significantly in extreme cold or heat. When cold, moving parts tend to slow down and critical timings are often affected. In extreme heat, electrical circuits begin to fail. Likewise, although biometrics are usually not affected by the extremely low humidity in desert environments, blowing sand that often accompanies such conditions will prematurely age devices left exposed, as well as impair reader performance.

Likewise, biometric devices are no different than other electromechanical systems when exposed to the elements. Prolonged exposure to sunshine will result in the degradation and ultimate disintegration of plastic cases and keypads. Exposure to any sort of moisture, especially wind-blown seawater, accelerates the corrosion of metal components. Melting snow is another source of moisture contamination. As mentioned above, blowing sand will eventually degrade exposed devices. For biometric technology to function adequately in outdoor weather-exposed environments, it must be housed and protected from the elements in accordance with appropriate standards for such use.

Neighborhood Environment

Whenever biometric equipment is installed outdoors, the history of criminal activity in the surrounding neighborhood should be examined. Is it a location with a high crime rate, including vandalism and other petty property crimes, or is it a relatively benign area?

B.5. Social Issues

Biometric technologies have been and continue to be ‘hot topics’ of discussion throughout society with the emphasis on religious, financial, and legal implications.
Religious Concerns

Some fundamentalist groups continue to challenge technology in general and biometrics in particular with references to the “mark of the beast”, as found in the Book of Revelation in the Bible, and the assignment of record numbers in access control databases. Why these groups do not realize that any type of access control system (biometric-based or not) does the same kind of database assignment is not clear. Perhaps it is just the relative novelty of biometrics.

Another concern affecting the use of biometrics is the issue of the proscription of making “graven images.” In such cases, facial recognition systems or any other imaging system recording a recognizable image of the individual would be challenged. Whether imaging only portions of the individual, such as the fingerprints, eyes, ears, etc., constitutes graven images or not is a matter of local practice and culture and defies generalization. It is a question, however, the designer must address before proceeding with a particular biometric technology.


Financial

There is occasional resistance to the use of biometrics in financial applications, and it can be extremely strong, if not widespread. Identity theft in a financial context is different than in an access control context. In access control if someone steals my identity it’s not so personal. Sure, they can get access to my workplace, gym, or medical records, but 1) they then have to engage in some second tier, undefined skullduggery, 2) it may only affect my employer’s assets, or someone else and not me personally, and 3) the impact may be minimal such as a tightening of security procedures, or re-enrolling or getting another PIN. Stealing my identity in a financial context, however, could have an immediate and devastating impact on my entire financial well-being. There is often a basic misconception of how biometrics work as well, and thus unrealistic fears for identity theft.

A persistent concern is the inherent, intrinsic nature of one’s own biometric(s) and the inability of an individual to revoke, change, or re-issue his/her biometric feature (10 fingers give the fingerprint modality an edge here). In truth, the use of biometrics can be a substantial deterrent or countermeasure to identity theft. For example, even though the biometric data cannot be easily revoked like a PIN, the two situations are not completely equivalent. The threat posed by the compromise of a PIN or stolen ID card is significantly greater than the compromise of a biometric simply because it is so easy to exploit. All the criminal has to do is enter the PIN and/or swipe the card in the reader and he has all the privileges of the rightful owner. If the criminal obtains the biometric data, however, he still has the non-trivial problem of how to exploit it. In other words, the biometric sensor does not have the equivalent risk of the PIN pad or card reader.
The biometric sensor is built to capture a specific type of information directly from the human body or based on the unique behavior of the individual. The compromised biometric data is, by definition, not in a form that can be entered into the system through the normal operation of the biometric sensor. In order for the situation with the stolen biometric data to result in equivalent vulnerability for the protected system, the criminal would have to have a way to submit the compromised data into the biometric processing path. This is much more difficult than entering a stolen PIN or presenting a stolen ID card to a reader. Additionally the potential for someone to “hack” into a system and obtain a biometric template has been overblown – not impossible, but simply overemphasized as both a threat and potential consequence. There are a multitude of IT security tools and practices available such as hashing, encryption, and even third-party anonymous authentication, that a properly-designed biometric system should possess. More fundamental is the irreversible nature of the mathematical representation of the biometric inherent in the template that prevents creation of an image from a template. Thus, a properly designed, constructed, and protected biometric system poses no greater threat in the financial context than in any other, and indeed, a much reduced threat when compared to the more traditional and pervasive PIN, card, and password systems in use today.


Implications of Technology

Biometric systems do not travel without some ‘baggage’ that needs to be recognized and accommodated. These generally have historical, criminal, or privacy issues associated with them.

Historical Context

A difficult aspect of designing and installing any new technology, including biometrics, is the experience and expectation users bring with them to meet the new technology. Prior to the introduction and use of retina scanning technologies, the public had been sensitized to the existence and perceived use of lasers for industrial applications. They were also sensitized to the potentially harmful effects of lasers on eyes. With the arrival of retina scanning, which did not use lasers, there was considerable user pushback based on an unfounded concern that using retina scanning would somehow place the user’s eye in jeopardy. The fact that the technology used a very low power infrared LED (light emitting diode) technology to illuminate and scan the retina blood vessel pattern was not well understood by the public and concerns about the safety to the eye became a major factor in the failure of the technology to become a successful, mainstream biometric technology.

For years following the introduction of iris recognition, even these products met with considerable mistrust and apprehension out of concern for the potential risk to the organ of sight. A part of this was enormous confusion between the retina and iris (the colored area around the pupil), which still persists today. Slowly, the public has come to understand that iris recognition technology is based on a very benign video image of the iris illuminated, but not scanned, by unfocused infrared light. The lesson of all this, for the designer, is to be mindful of the historical path any product may have followed and to anticipate any concerns users may raise.
Criminal

Due to their long forensic association with crime and criminals, fingerprint-based systems often elevate user concerns that submitting their fingerprint image(s) into a system will somehow subject them to identification to or investigation by law enforcement officials. This is a real and serious issue. From a technical perspective, it is entirely feasible that a law enforcement official could acquire a company’s fingerprint database and examine the enrolled templates in a search for fugitives. The employee’s safeguards are not technical, but procedural. It is company policy, practice, and legal due process that stand between this exposure and a third-party search of the database. Persons designing applications that rely upon fingerprint technology should recognize this concern and develop meaningful policy safeguards and procedures to ensure that such searches can only take place in a lawful and strictly controlled manner (e.g., under subpoena). This user concern has contributed to the adoption of alternative non-fingerprint systems, such as iris or hand geometry-based technologies, since these technologies do not currently relate to traditional law enforcement investigative tools like fingerprints.

Other than face, none of the non-fingerprint technologies is used in large, central, criminally-oriented databases.

Perceptual Concerns

There are a variety of concerns that people raise in opposition to the use of biometrics. The extent to which these are true beliefs of the objecting persons or simply excuses for avoiding something new is undeterminable, and not necessarily germane when implementing a biometric system. The issue is to be prepared to address these concerns in a positive and sincere way to elicit cooperative, rather than forced, support of an impending biometric system. Some of these concerns and an appropriate response are itemized [9, 10] in the following table:

[9] Blackburn, Duane and Turner, Allan. Biometrics: Separating Myth From Reality. Reprinted from the December 2002 issue of Corrections Today, Vol. 64, No. 7.
[10] Misplaced Fears Impede Biometric Adoption. www.findbiometrics.com

Table 10-2

| Technology | Concern | Reality |
|---|---|---|
| Biometrics in general | Biometrics work in real-life just like they do in spy novels and movies. | Not usually, since the bad guy is often able to beat the biometric system in the movies; this task is far more difficult – if not impossible – in reality. |
| Biometrics in general | Biometric technologies will work for everyone. | Not every biometric technology will work for every person. Some people are missing hands and fingers, for example. Or their fingerprints are difficult to read. |
| Biometrics in general | Companies and organizations store biometric images. | Not true. Biometric templates are not “images”, but binary code that cannot be reverse-engineered. And, not all biometrics are image-based. |
| Biometrics in general | My movements can be tracked through my biometrics. | Not true. Biometrics track only the access of a person, who is knowingly enrolled, in a system or facility. |
| Fingerprint | Fingerprints can be used to access personal law enforcement information. | True, but only with an appropriate authorization and link to local or federal records. |
| Fingerprint | Fingerprints are used in law enforcement to find criminals. | True, but there are many non-law enforcement applications in use today. |
| Fingerprint | Fake fingers can fool a fingerprint authentication system. | Not generally true. Today’s technology uses algorithms that can detect 3-D structures so photocopies, transparencies, or latent images are not accepted. Mature technologies are adding various tests for liveness detection that are increasing the technologies’ protection against artifacts. |
| Iris Recognition | An examination of the iris will reveal health-related information. | Not true. Despite iridologists’ claims to the contrary, iris recognition does not reflect current health conditions or diseases. No current iris biometric device has any integrated diagnostic capability. |
| Iris Recognition | The laser beams that go into my eyes will cause damage. | No lasers are used for illumination in any iris biometric system. Illumination is provided by extremely low-level, unfocused near IR, proven safe in scientific studies. |
| Hand Geometry | I don’t want to touch a surface touched by others. | A hand geometry platen is no different than touching doorknobs, escalator handrails, countertops, or keyboards. We are all exposed to these risks hundreds of times daily. |
| Hand Geometry | Hands are not distinct enough to provide high security. | The PIN required to claim identity is another layer of security that makes hand geometry suitable for most medium security applications. |
| Facial Recognition | I don’t want my face to be made available for law enforcement or other legal purposes. | This concern is focused on general and unannounced capture of facial images. This is an issue that should be carefully addressed before a covert application is approved. |
| Signature Dynamics | I don’t want my signature to be on file because it might be stolen and misused by someone. | Signatures are not on file. The technology records dynamic movements and stores them in mathematical form. It does not store images of signatures that would be usable. |

B.6. Business Issues

It is sometimes difficult to make an effective business case for the use of biometrics in security applications on the basis of traditional business criteria such as cost trade-offs or Return on Investment (ROI). Biometric systems may cost more than conventional card-based systems, although some savings may be realized through avoiding card replacement and (in user authentication systems) resetting passwords and PINs. In biometric time and attendance applications, the cost difference can be rapidly made up through increased payroll accuracy. The use of biometrics in eligibility applications may, however, be a very different matter.

A case for the adoption of biometrics is better made on the basis of increasing security to protect people and assets, avoid property loss, and improve business operations. An intangible benefit is the degree to which management has fulfilled its responsibility to stakeholders by introducing security improvements. There is no guarantee that implementation of a biometrically based access control system can or will prevent all incidents, accidents, and losses. There is, however, a presumption that doing something positive is evidence that management is forward-thinking and has the good of the employees and stakeholders as a high priority.

Additionally, the economic aspects of biometrics are and will be constantly changing; consequently, it is not possible to state definitively and forever that a given biometric technology is or is not cost-effectively suited for a particular application. The best we can do is outline an approach for evaluating the cost-effectiveness and investment returns as the result of adopting a biometric solution for access control.

Not many years ago, the application of a biometric solution to an access control problem was not generally cost-effective due to the acquisition and installation cost of biometric equipment. Conventional access control equipment, as recently as 5-10 years ago, would normally cost about $2,000 per door in a large facility. To add biometric devices at these doors would often add $5,000 to $15,000 to each door, depending on the technology adopted. To justify such an expense, security managers would often have to demonstrate that the cost to the company or the nation, should security be compromised, was far greater than the cost of the security equipment and that this difference was not just marginally greater, but greater by orders of magnitude.

When people would elect not to install a reliable biometric door control at their personal homes, they would often say that it would be “technical overkill” to do so. In fact, the real reason was more likely to be an economic one. At a point in time where a common but quality door lock and key solution is $50-75/door, there is little justification for an automatic system costing $5,000 to $15,000 to implement.
With the passage of time, however, the cost of reliable biometric solutions has fallen to a point where an effective front door lock and integrated biometric control is now less than $500-800 at retail. Within a few years, it is quite likely this solution will be available at a price comparable to the old key and lock solution. At this point, solution selection ceases to be either a technical or an economic question and becomes a question of relative reliability and aesthetics.

Cost/Benefits

The decision to install and use biometric technologies is both a security and investment decision and one complicated by many facets. It is one thing to collect the cost data and do a comparative analysis with an existing solution for a snapshot in time. It is far more difficult to factor in and account for the rapid decline in biometric prices, an increase in product reliability, and the fundamentally vague nature of the value of assets, especially intellectual property assets or the value of living assets such as rare animals or distinguished human personalities.

For example, it is relatively easy to determine the appropriate duty to care if the protected asset is a valuable piece of jewelry: duty to care is satisfied if the cost of the protective actions (e.g., insurance, physical security, etc.) is some function of the value of the jewelry times the likelihood of a theft. The former is a matter of professional appraisal and the latter might be an estimate based on the historical crime rate in the vicinity of the jewelry.

It is quite something else, however, to determine the proper level of the duty to care if the asset is the life of the President of the United States, the president of a university, or the manager of a day care center. Of course, we would not expect the investment for personal safeguards for the day care center operator to be the same as for the President of the United States. First, the likelihood of a serious personal attack is normally far greater for the latter. Second, the level of national disruption in the event of a successful attack on the day care operator is likely to be far less than a similar attack on the President. Nevertheless, by how much are the two scenarios different? Intuitively, it is understood and accepted that there is a difference and that it is not insignificant, but to quantify that is subjective, and nearly impossible. The valuation issues notwithstanding, the purpose of this section is to examine the various aspects involved in performing a meaningful return on investment (ROI) analysis.

Analysis

One approach to cost and ROI analysis is to start with known values and actual current data points. Once a baseline has been established, several alternative solutions should be modeled to help analyze the more difficult assumptions. The analysis then considers these factors in several biometric applications.

Life-cycle Cost Analysis

There are several costs for doing nothing. The first is the original cost to acquire and install the existing security solution [A]. (Do not forget the cost of labor in the installation component.)

Next, there is a replacement cost of existing equipment as it ends its useful economic life [R]. Even good padlocks need to be replaced from time to time. This cost may be the same as the original equipment, it may be some appreciated amount recognizing inflation and product enhancements, or it may be a lesser cost recognizing competitive pressures in the market and/or the lower cost of production. The life-cycle period in years [P] will be somewhere between the manufacturer’s warranty period and the length of time the IRS will impose for a useful life-cycle. Typically, the warranty period will be short (this protects the manufacturer from having to pay for normal wear and tear) and the IRS depreciation period will normally be long and the device will likely be ready for replacement before that time. For the purposes of this analysis, it is suggested that the sanctioned depreciation period be used.

The third cost is the annual cost to maintain the device(s) throughout its life cycle [M]. This may be as simple as an annual dusting and lubrication, or it may involve a more frequent visit from a locksmith for disassembly, cleaning, and reassembly.

Finally, there is the cost or value of the asset [V] if lost or compromised, times the likelihood or probability of loss or compromise [L]. This value says that, if custody of an asset is retained for a sufficient time, it will be stolen or compromised.
Given the previous discussion, the life-cycle cost [LCC] to install and maintain a particular safeguard may be calculated from:

LCC = A + R + PM + VL

and the annualized value is LCC/P.
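The life-cycle cost formula above, worked through as an added example that is not part of the manual. It goes one step beyond the formula by solving for the asset value at which a costlier safeguard has the lower LCC. The per-door equipment prices are the manual's; the values of R, P, M and L, the shared period P, the reading of L as a probability over the whole period, and all names in the code are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Safeguard:
    """One security solution, described with the manual's symbols."""
    name: str
    A: float  # cost to acquire and install, labor included
    R: float  # replacement cost at the end of useful life
    P: float  # life-cycle period in years
    M: float  # annual maintenance cost
    L: float  # probability of loss or compromise over the period (assumed reading)

    def __post_init__(self):
        if self.P <= 0:
            raise ValueError("P must be a positive number of years")
        if not 0.0 <= self.L <= 1.0:
            raise ValueError("L must be a probability between 0 and 1")

    def fixed_cost(self) -> float:
        """A + R + PM: spent whether or not a loss ever occurs."""
        return self.A + self.R + self.P * self.M

    def lcc(self, V: float) -> float:
        """Life-cycle cost LCC = A + R + PM + VL for an asset worth V."""
        return self.fixed_cost() + V * self.L

    def annualized(self, V: float) -> float:
        """Annualized value LCC/P."""
        return self.lcc(V) / self.P


def break_even_asset_value(baseline: Safeguard, upgrade: Safeguard) -> Optional[float]:
    """Asset value V above which `upgrade` has the lower life-cycle cost.

    Returns 0.0 when the upgrade is never the more expensive choice, and
    None when it costs more without lowering L, so that no V justifies it.
    """
    extra_fixed = upgrade.fixed_cost() - baseline.fixed_cost()
    risk_reduction = baseline.L - upgrade.L
    if extra_fixed <= 0:
        if risk_reduction >= 0:
            return 0.0
        raise ValueError("upgrade is cheaper but riskier: compare lcc() at the actual V")
    if risk_reduction <= 0:
        return None
    return extra_fixed / risk_reduction


# Per-door equipment prices are the manual's; R, P, M and L are constructed.
CARD_DOOR = Safeguard("conventional access control", A=2000, R=2000, P=7, M=100, L=0.02)
BIO_DOOR_LOW = Safeguard("biometric door, +$5,000", A=7000, R=7000, P=7, M=300, L=0.005)
BIO_DOOR_HIGH = Safeguard("biometric door, +$15,000", A=17000, R=17000, P=7, M=300, L=0.005)


def report(V: float):
    """Rows of (name, LCC, annualized LCC) for an asset worth V, cheapest first."""
    doors = (CARD_DOOR, BIO_DOOR_LOW, BIO_DOOR_HIGH)
    return sorted(((d.name, d.lcc(V), d.annualized(V)) for d in doors), key=lambda r: r[1])


if __name__ == "__main__":
    for V in (100_000, 1_000_000, 5_000_000):
        print(f"asset value ${V:,}")
        for name, lcc, yearly in report(V):
            print(f"  {name:30s} LCC ${lcc:>10,.0f}  (${yearly:,.0f}/year)")
    for door in (BIO_DOOR_LOW, BIO_DOOR_HIGH):
        v = break_even_asset_value(CARD_DOOR, door)
        print(f"{door.name}: lower LCC than the card door above V = ${v:,.0f}")
```

With these constructed inputs the break-even asset values are in the hundreds of thousands to millions of dollars per door, far above the added equipment cost.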

(In this model, the legal ‘duty to care’ is more or less equal to VL and the remaining values represent steps taken to discharge that responsibility. So, it follows that VL will, in theory, at least, be less than or equal to A + R + PM, so LCC could be approximated by 2VL. But as the value of V becomes more and more subjective, the 2VL relationship becomes more speculative and loses its utility.)

Cost/Benefits Trade-Off Analysis

The financial argument for adopting a new (presumably biometric) security solution (LCCnew) is that in the long run, it will be less expensive than the current solution (LCCold), including the cost to remove the old system and to install the new system [N]. The security rationale is that, regardless of cost, due to the increased probability to detect and thwart an attack, the likelihood of the successful theft or destruction of the asset (VL) becomes smaller and smaller. Algebraically:

LCCnew <= LCCold + N

In the case where LCCnew >= LCCold + N, the decision to upgrade to the new system nonetheless would be rationalized by an expectation of a significant increase in M (the cost to maintain the old), and/or a likelihood that L (probability of loss) is, for some reason, expected to increase significantly in the near future.

Factors Affecting Analysis

A key factor that will affect this analysis is the falling cost of existing biometrics. Due to advances in manufacturing technology, increased demand for many biometric products, and increasing competitive pressures, the costs to acquire many biometric technologies are also falling. Along with the falling prices of equipment, there is also an increase in the reliability of these devices.

ROI Analysis [11]

The computation of the return on investment (ROI) of security products is complicated by the absence of a direct revenue stream resulting from the investment. For this reason, middle management often views these investments as operating costs to be minimized, an approach which leads to a false sense of economy. One perspective is that middle management is preoccupied with the income statement portion of the corporate books that concentrates on revenues and expenses, the cost to acquire security equipment being one of the many costs to be managed. The benefits of investments in security, however, do not appear on the income statement. Senior management and the shareholders, however, are more involved with the balance sheet portion of the corporate books and it is here that upward changes or growth in net worth reflects the benefits of investments in security. It is on this part of the financial report that the company will see its return for investing in security technology, in the growth of net assets because of reduced theft or pilferage.

The second problem with assessing the return aspect of investments in security, in ordinary industrial security applications, is to isolate that portion of increased net worth that can be attributed to security and not some other corporate action. Likewise, in a company with falling net assets due to non-security activities, it will be difficult to identify the loss diversion benefits without which the net worth losses would be even greater. In other applications, such as welfare fraud prevention, it may be possible to credit the application of new, biometrically based security with the reduction in the incidence of duplicate claims. Even in this case, though, there is an implicit assumption, not necessarily well-defended, that what is being measured is based only on what has been detected.

ROI can be forecast to some degree with assumptions identifying current loss levels and the degree of security enhancement afforded by the new technology. These projections should be validated post-facto, however, to ensure expectations are being met. The analysis required to do this validation is useful not only for the peace of mind of the designer, but to identify any anomalies in the new system. Significant negative deviations from expected results will signify either a serious misstatement of the assumptions or an incorrect installation of the new system.

[11] “The biometric technologies business case: a systematic approach,” Richard A. Riley Jr, Virginia Franke Kleist, Information Management & Computer Security, Apr 2005, Volume 13, Issue 2, pp. 89–105.

Integration of the Issues

The art and science of designing effective applications with biometric components requires the ability to skillfully integrate the six major issues that were explained previously in this Section:

1. Functional
2. Operational
3. Legal
4. Environmental
5. Social
6. Business

Ultimately, compromises may need to be made, but the goal is to specify a system that equitably recognizes the owner’s security expectations; users’ physical limitations, legal concerns and social expectations; the operational environment; and the system’s interoperability requirements. Once designed, the system should be reviewed, briefly, as many as seven times in a complex design. During each of the initial reviews, the organization and the designer/integrator should ‘walk through’ the design from the perspective of each of the six main design factors. The first review, for example, should consider each design decision in the context of “Does this recognize the functional requirements of the system?” The second review should just concern itself with the question “Does this recognize the operational requirements of the system?” and so on. The seventh review considers the system as an integrated whole. (See Design Process that follows.)

10.3. DEVELOPMENT OF THE STATEMENT OF WORK (SOW) AND SYSTEM SPECIFICATION

A. Technical Specifications

Once the operational/functional requirements are sound and complete, technical requirements should be defined for the SOW as a specification for vendors/integrators who may bid on the project. To the extent possible, these technical requirements should be specified in combination with technically oriented staff, the system designer and/or the system integrator (often the same entity). Technical requirements are nothing more than quantifiable expressions of the previously developed operational/functional requirements. Examples of technical requirements that correspond to the operational/functional requirements hypothesized previously are:

• The biometric system/device provided shall have a minimum throughput rate of 6 persons per minute (80% of 450 divided by 60 minutes – the throughput rate for the most demanding portal).
• The biometric system/device provided shall be an identification (1:N) system, and not require card, PIN, password, or token for entry.
• The biometric system, including servers, sensors, and remote units shall be sized to accommodate an expansion to a minimum of 585 persons and meet the previous throughput requirements without purchase of new equipment.

Additionally, the biometric system shall be BioAPI [12] and CBEFF [13] compliant and meet the following criteria for interoperability:

The biometric system shall not exceed a 0.01% FAR while maintaining a FRR of ≤ 5%. [an example, not a standard]
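The example requirements above, turned into numbers an acceptance test can check; this is an added example, not part of the manual. It assumes the 0.01% FAR is quoted per comparison and that the comparisons made during a 1:N search are statistically independent; the function names are illustrative.

```python
import math


def _check_rate(rate: float) -> None:
    if not 0.0 < rate < 1.0:
        raise ValueError("rate must be strictly between 0 and 1")


def required_throughput(peak_population: int, peak_share: float,
                        window_minutes: float) -> float:
    """Persons per minute the most demanding portal must sustain."""
    if window_minutes <= 0:
        raise ValueError("window must be positive")
    return peak_population * peak_share / window_minutes


def identification_far(per_comparison_far: float, enrolled: int) -> float:
    """Chance that an impostor falsely matches at least one of `enrolled`
    templates in a 1:N search: 1 - (1 - FAR)^N, assuming independence."""
    _check_rate(per_comparison_far)
    return -math.expm1(enrolled * math.log1p(-per_comparison_far))


def per_comparison_budget(system_far: float, enrolled: int) -> float:
    """Per-comparison FAR a device needs so that the whole 1:N search
    stays within `system_far` (inverse of identification_far)."""
    _check_rate(system_far)
    return -math.expm1(math.log1p(-system_far) / enrolled)


def zero_error_trials(max_rate: float, confidence: float = 0.95) -> int:
    """Fewest independent trials that, if every one passes without error,
    support the claim 'error rate <= max_rate' at the given confidence."""
    _check_rate(max_rate)
    _check_rate(confidence)
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-max_rate))


def review_example_requirements() -> dict:
    """Apply the checks to the figures in the example requirements."""
    far, frr, enrolled = 0.0001, 0.05, 585  # 0.01% FAR, 5% FRR, 585 persons
    return {
        # 80% of 450 persons arriving within 60 minutes
        "throughput_per_minute": required_throughput(450, 0.80, 60),
        # what a 0.01% per-comparison FAR becomes across 585 templates
        "far_of_full_search": identification_far(far, enrolled),
        # what the device must achieve if 0.01% is meant for the whole search
        "per_comparison_far_needed": per_comparison_budget(far, enrolled),
        # error-free test attempts needed to support each limit at 95%
        "impostor_trials_needed": zero_error_trials(far),
        "genuine_trials_needed": zero_error_trials(frr),
    }


if __name__ == "__main__":
    for key, value in review_example_requirements().items():
        print(f"{key:28s} {value:.6g}")
```

Under those assumptions, a device that meets 0.01% per comparison still gives an impostor about a 5.7% chance of a false match somewhere in a 585-template search, so the SOW should state whether the FAR limit applies per comparison or to the whole identification attempt.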

[12] See BioAPI Consortium for more information. www.bioapi.org
[13] Common Biometric Exchange File Format. See CBEFF (NISTIR 6529-A).

B. Vendor/Supplier Evaluation and Selection as it Impacts the SOW

By the time one has completed the foregoing tasks and the preparation of procurement documents is underway, one should have a reasonably good idea which technologies and systems will meet the described functional and technical requirements. Technology and product performance analyses should be a fundamental and parallel part of the processes described above. In some cases, enough information will have been analyzed to specify the biometric technology (modality) that will meet the stated functional and technical requirements. In other cases, more than one technology might be suitable, or procurement policy may dictate that procurements must be open to all technologies. In the latter case, the SOW and specification(s) should be written broadly enough to accommodate a variety of technologies and systems. In those cases a formal technology and product performance analysis can proceed when proposals have been received.

Unfortunately, the biometric industry has not evolved to the point where this is a simple and straightforward process. There are test data available from a variety of sources; however, they vary in credibility and reliability. Vendor claims are prone to be overly optimistic, not solely because of a profit motive, but also because the tests are generally conducted under optimum conditions, by the most knowledgeable people. Other testing, as mentioned in BTAM Volume 1, Section 6, Testing and Evaluation, is more rigorous, but is often conducted for a specific application which may be (but probably will not be) exactly the same as any other given implementation of a biometric program. (Please refer to Section 6 for more detailed information.) Should a technology and product performance analysis be conducted, the results should be provided to an independent system designer or integrator that has no formal affiliation with any particular technology or vendor to be assessed and evaluated.

C. Need for Periodic and Final System Design Parameters/Reviews

Throughout the foregoing processes the professional services of the referenced system designer or integrator should be sought, coupled with frequent formal reviews as the functional requirements are translated to technical requirements and system specifications. The primary purpose of these frequent reviews is to ensure the system design parameters accurately and adequately reflect the initial functional requirements.
When including, making, or refining cost estimates in the SOW, there is value to understanding all the cost components of a biometric system and making some reasonably accurate estimates of the costs in order to facilitate trade-off decisions and budgeting. Potential designers, consultants, vendors, and suppliers should be aware of both direct and indirect costs associated with a biometric system.

Direct costs:

• Biometric capture hardware and software
• Back-end processing power to maintain the database
• System design costs
• Infrastructure modification and upgrades
• Installation costs, including current system integration costs
• Costs associated with collecting user identification data (enrollment)
• System maintenance costs, including ongoing enrollment and training
• Licensing (site or per-seat) costs

Indirect or less obvious costs:

• Research, planning, system evaluation, and selection costs
• Implementation planning costs
• IT staff training costs
• User education and training costs
• Cost of lost productivity during implementation learning curve
• Security administration, including exception processing (“work-arounds” for persons unable to use the chosen biometric)
• Implementation of new exception handling procedures for false rejects
• Revocation costs incurred should the system have to be shut down due to inadequate planning

D. Specifying Assistance in the SOW for Training Program Development and Implementation

End-User training

The end-user population (employees, contractors, temporarily assigned personnel) must be trained sufficiently to enable them to use the biometric equipment effectively once the system is activated. Time between training and actual use of the system (or some portion thereof) should not exceed a week. This may be challenging when end-user populations are very large and may require multiple trainers and training sessions, or other innovative schemes such as operating the biometric system in parallel with a current existing system, staggering activation of the system, and/or setting up multiple scanners near entry points to enable end-users to practice authentication upon entry. Such training should include expectations for and limitations of the system/devices and provision of documentation regarding the system itself. Such documentation includes, but is not limited to:

• User’s manual
• Policies governing the use of the technology
• Policies governing the use of biometric templates

Manuals should be short, simple, and to the point. User acceptance, and with it the success of the system, improves the more confident and secure users are in their knowledge of how the biometric-based system works and why it was deployed. Adverse reactions and resistance to a new biometric system can often be traced to lack of knowledge and even embarrassment because of poor initial performance on the devices. Supervised walkthroughs and trial-runs will help increase the comfort levels of users and decrease the pressure placed on them. Such simulations will also help decrease the error rates in the future when the users will not have someone with them while using the system.

Proper training and education should always be part of the implementation plan for any new installation or modification of an existing biometric system. Users will prove cooperative and supportive of system use if they:

• Receive proper and comprehensive training in the use of the system.
• Are guided carefully and unhurriedly through the enrollment procedure.
• Are invited to ask questions about the system in general.
• Have received some reference documentation with help/inquiry line details included.
• Are trained within a comfortable, unchallenging environment.

Please see Section 14: Training for more comprehensive information regarding training.

Section 11 – System Engineering, Integration, and Implementation Having examined in some detail in Section 10 the various considerations and issues that drive the design process, we now turn our attention to the system engineering process that implements that design and the important steps that should be addressed. This section addresses System Engineering from two fundamental perspectives; the issues that arise in developing a detailed system architectural design, and the process that will result in a detailed system architecture design. The Engineering and Integration Issues portion identifies and discusses issues peculiar to biometric technologies, while the Engineering Process portion focuses on procedures common to biometric sub-systems, including integration. The implementation portion of this section addresses procurement and installation. While the biometric application discussed in this section is physical access control, it should be recognized that the processes and design issues described are applicable to other types of biometric installations as well, such as workstation access or network access. In addition, physical access is not limited to access to a building or room, but may include access to other physical areas or objects, such as a drug cabinet, bank safety deposit box, etc. 11.1 ENGINEERING AND INTEGRATION ISSUES AFFECTING THE SYSTEM ARCHITECTURE PROCESS A. General In general, the System Engineering and Integration of the biometric components of an access control system are shaped by three main factors. The first is the definition of security needs and program objectives developed in Section 10. The second is the design of the overall control system, not just the biometric sub-systems. As noted elsewhere in this Section, there is really no such thing as a ‘biometric system’, per se. Rather, there are a wide variety of primary systems that rely upon biometric devices for identity assurance. 
These range from physical security access control systems to welfare fraud prevention systems. It is the function of the primary application that will define the physical and logical boundaries within which the biometric must function. Consequently, many of the system’s architectural and functional design decisions have often been made by the time the biometric sub-system design engineer sits down to work. The third factor is whether the design is for a new system or improvements to a legacy or existing system. A completely new system offers the opportunity to make correct design decisions throughout the whole system for optimum performance. On the downside, a new system is subject to design error at all places within the system, not just the points where new biometric components are added to an existing, but otherwise functional, system. This complicates the commissioning process and prolongs the achievement of operational readiness. While a legacy system offers the advantage of a working system in which the existing components are likely to be working as designed,
the choice of new biometric components may be constrained by the existing technical configuration.

B. Specific Issues

System Design and Architecture

The overall system design will play a major role in the selection of biometric products to be employed. A small system not requiring central enrollment or management may require only a low-cost stand-alone biometric device. One such device is an electric door handle and latch arrangement with a low cost fingerprint device integrated into the handle. Capable of storing fewer than 500 templates, the door control costs about $500-800 and is subject to a fair degree of errors. On the other hand, a distributed security system controlling access to facilities on a regional or national level (and perhaps globally distributed) and requiring very low error performance will limit the product selection to a few technologies and expensive devices and communications systems. Other constraints that must be addressed at the beginning of the design process include processing distribution, expansion, database design, and the overall security system IT design components.

Distributed vs. Centralized Processing

Figures 10-A through 10-C illustrated the three main alternatives for decision venues: at the portal, at a central control point, or at some intermediate location. In the first, stand-alone scenario, authorized personnel are enrolled at the portal. In some technologies, there is a nominal database that records who has activated the device and at what time and date. This data is downloaded periodically by a wire or wireless link between the device and a portable data collection platform; however, in less expensive products, there may be no enduring record of transactions. In a central control process, enrollment information is collected and stored at a central location. Massive databases for the entire enterprise can be maintained at the central location.
Biometric templates collected at portals are transmitted to this location for processing, image comparison, and decision-making. This mode offers an improved degree of security and significant system oversight and overall awareness of activity in the facility. System efficiency, however, is dependent upon sustained network communications. In the event of a power or communications failure, no portal activity can continue, effectively locking employees out of their offices or labs and, in some special security applications requiring a biometric request to exit, locking these employees in their work space. Fire and safety codes normally require security systems to fail safe (but not secure) in the event of a power interruption which may pose an additional security peril to operations, even if power has not been lost at the local level.

These functional concerns led to the development of remote door control units (DCU). DCUs function much the same as a central control in that they have capacity for a large number of enrolled templates, but are not affected by loss of power at the central control. When a person is enrolled in the enterprise system, necessary template and administrative
information is transmitted to each door in the enterprise through which that person is authorized to pass. The main design consideration is the location of the DCU so that it is protected from outside attack and tampering. For ease of installation, unfortunately, many DCUs are placed directly in the plenum just above the protected door. This fact can and has been exploited by informed adversaries to by-pass the system’s safeguards.

Expansion Requirements

The choice of technology for a security system is influenced in part by the population of authorized persons it has to monitor and accommodate. While the current population value must be known at the start of the design process, it is even more important to know what the projection is for future population expansion over the next 5-6 years [14] of the enterprise’s life. The resulting system design must account for this expansion to avoid costly retrofitting 2-3 years (or even 3-4 months in the case of rapidly growing offices) in the future.

Secure and Privacy-compliant Database Design and Accessibility

The nature of the enterprise operations and functions may have a significant impact on system design. A health organization with a substantial employee base and hundreds of clients will be confronted with difficult HIPAA access control issues and requirements. A public school system employing biometrics at its doors will need to examine local, state, and federal laws affecting the collection and storage of biometric information.

System IT Security Design (Physical, Electronic, Encryption)

Just as the security system secures the enterprise, security planning must be applied to the security system itself, which, for the most part, is the security communications network. Indeed the language for IT security is often the same as for physical security applications: intruder detection, intrusion detection, deterrence, entry denial, and so on.
As in the physical world, biometrics can play a significant role in safeguarding IT systems, providing protection of both the physical space (entry control to rooms containing vital IT technology) and the information system itself. Biometrics can also be incorporated with and contribute to effective encryption techniques.

Reliability and Performance Expectations

Regardless of end-user expectations, no control system solution is absolutely perfect in achieving zero false accepts, false rejects, no failures to enroll, and no delays affecting throughput. All control systems have some degree of error. Further, the technologies are normally subject to adjustment so that false accepts or false rejects can be modified to force the system to adjust to the using agency’s operational preferences.

Design Presumptions

Underlying the decision to establish a new security system or to renovate a legacy security system with biometrics is an assumption that the biometric technology will afford a higher level of personal identification useful for a more efficient and reliable satisfaction of security objectives. It helps in the assessment and validation of this assumption if there is a current and actual or anticipated level of security compromise in the existing system that can be quantified. For example: “Today, we experienced a loss to pilferage from our storerooms greater than $10,000 per month as the result of the theft or misuse of keys issued to certain employees. By installing some form of biometric identification, we can reduce this loss to nearly zero.”

Budget Constraints

Naturally, all system designs are subject to budget constraints and these will often limit the choice of biometric system to be employed. A biometric device may satisfy performance expectations, but not within the project budget constraints. An affordable device may not be able to satisfy performance expectations. Ultimately, this impasse requires a management/owner design decision relaxing performance expectations, increasing the project budget, or both. In any event, this is a management issue, not a design question.

[14] This horizon is appropriate considering the pace of new technology development and the expected obsolescence of the current design. Considering the impact of Moore’s law (estimating the rate of microchip capacity enhancement), a 6-year application life ends with the current system 3-4 generations of chip technology behind.

Integration

Integration is the process by which two or more sub-systems are brought together for physical, electrical, and logical interfacing with other components. It is also a process in which the logical processes and activities of the various components are introduced to the larger system for proper functioning. In some cases, the manufacturer has anticipated these requirements, but, in other cases, the integration is the responsibility of the system integrator. There are at least three main systems with which a new biometric sub-system will have to work: security, power, and building management.

C. Integration with Prime Systems

Security or Authentication Systems

Sub-systems designed to work with access control or authentication systems need to be integrated seamlessly with the prime system in a manner consistent with the design philosophy of that system. In many cases, the biometric sub-system will be expected to provide the same services as the existing system, such as proximity card tools, while delivering improved performance in terms of accuracy and durability.

Power

The biometric sub-system needs to be compatible with the facility’s power system in terms of voltage type, current, frequency, and distribution plan. Experience has proven the value of a robust back-up power solution such as heavy duty uninterruptible power source (UPS) devices at critical nodes.

Building Management

In a number of applications, the biometric system will provide useful inputs not only to the security system, but also to the facility’s building management system, turning on lights, activating elevators, and performing other identity-specific tasks.

Multi-modal Design Considerations

Underlying the concept of multi-mode applications is the thought that, if one biometric is good, two (or more) biometrics would be better. There is a certain truth to this, but a multi-modal solution is not without its problems. Essentially, if the probability of a false accept in one system is $P_{FAR1} = 0.001\%$ and the probability of a false accept in a second system is $P_{FAR2} = 0.01\%$, then $P_{FAR1+2} = P_{FAR1} \times P_{FAR2} = 0.001 \times 0.01 = 0.00001\%$. The flip side of this relationship is that the improvement in false accept is paid for by an increase in false rejects. The calculation for this side of the issue is:

$$P(FR) = 1 - [1 - P_{FRR1}][1 - P_{FRR2}] = P_{FRR1} + P_{FRR2} - P_{FRR1} P_{FRR2}$$

in which case, for example, $P(FR) = 0.001 + 0.01 - (0.001 \times 0.01) = 0.011 - 0.00001 = 0.01099$ where both devices are set at their equal error rate.

Dr. John Daugman (The Computer Laboratory, Cambridge University) has examined this issue in a brief paper entitled “Combining Multiple Biometrics.” [15] In it, he says:

“…There is a common and intuitive assumption that the combination of different tests must improve performance, because "surely more information is better than less information." On the other hand, a different intuition suggests that if a strong test is combined with a weaker test, the resulting decision environment is in a sense averaged, and the combined performance will lie somewhere between that of the two tests conducted individually (and hence will be degraded from the performance that would be obtained by relying solely on the stronger test)

“There is truth in both intuitions. The key to resolving the apparent paradox is that when two tests are combined, one of the resulting error rates (False Accept or False Reject rate) becomes better than that of the stronger of the two tests, while the other error rate becomes worse even than that of the weaker of the tests. If the two biometric tests differ significantly in their power, and each operates at its own cross-over point, then combining them gives significantly worse performance than relying solely on the stronger biometric.” [Emphasis added.]

He concludes:

“…A strong biometric is better alone than in combination with a weaker one...when both are operating at their cross-over points. To reap benefits from decision combination, the equations above show that the operating point of the weaker biometric must be shifted to satisfy the following criteria: If the "OR" Rule is to be used, the False Accept rate of the weaker test must be made smaller than twice the cross-over error rate of the stronger test. If the "AND" Rule is to be used, the False Reject rate of the weaker test must be made smaller than twice the cross-over error rate of the stronger test.”

[15] Daugman, John. Combining Multiple Biometrics. The Computer Laboratory, Cambridge University.
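The combination rules in the calculation and quotation above, carried through numerically as an added example (not part of the manual or of Daugman's paper). It assumes independent tests, rates expressed as fractions, a weaker matcher modelled with constructed Gaussian score distributions, and total error (FAR + FRR) as the yardstick for "better than the stronger test alone".

```python
"""Decision-level fusion of two independent biometric tests (added example)."""
import math


def fuse_and(far1, frr1, far2, frr2):
    """'AND' rule: accept only when both tests accept."""
    return far1 * far2, 1 - (1 - frr1) * (1 - frr2)


def fuse_or(far1, frr1, far2, frr2):
    """'OR' rule: accept when either test accepts."""
    return 1 - (1 - far1) * (1 - far2), frr1 * frr2


def gaussian_rates(threshold, mu_imp=0.0, mu_gen=4.652, sigma=1.0):
    """(FAR, FRR) of a similarity matcher at one decision threshold.

    Assumption: impostor and genuine scores are Gaussian with equal spread.
    The defaults are constructed so the cross-over error rate is about 0.01.
    """
    scale = sigma * math.sqrt(2)
    far = 0.5 * math.erfc((threshold - mu_imp) / scale)  # impostor score >= threshold
    frr = 0.5 * math.erfc((mu_gen - threshold) / scale)  # genuine score < threshold
    return far, frr


def meets_quoted_criterion(rule, weak_far, weak_frr, strong_eer):
    """Criterion from the quotation: the relevant rate of the weaker test
    must be below twice the cross-over error rate of the stronger test."""
    relevant = weak_far if rule == "OR" else weak_frr
    return relevant < 2 * strong_eer


def sweep(rule, strong_eer, thresholds):
    """Hold the stronger test at its cross-over point and move the weaker
    test's threshold; return one row per operating point."""
    fuse = fuse_or if rule == "OR" else fuse_and
    rows = []
    for t in thresholds:
        weak_far, weak_frr = gaussian_rates(t)
        far, frr = fuse(strong_eer, strong_eer, weak_far, weak_frr)
        rows.append({"threshold": t, "weak_far": weak_far, "weak_frr": weak_frr,
                     "far": far, "frr": frr, "total": far + frr})
    return rows


def beneficial(rows, strong_eer):
    """Operating points where the combination beats the stronger test alone,
    judged by total error FAR + FRR (the comparison metric assumed here)."""
    return [r for r in rows if r["total"] < 2 * strong_eer]


STRONG_EER = 0.001                                    # stronger test, at cross-over
THRESHOLDS = [round(i * 0.05, 2) for i in range(94)]  # weaker test: 0.00 .. 4.65

if __name__ == "__main__":
    # Both tests at their cross-over points, as in the worked calculation.
    far, frr = fuse_and(0.001, 0.001, 0.01, 0.01)
    print(f"AND at cross-over: FAR={far:.6f} FRR={frr:.5f} "
          f"total={far + frr:.5f} (stronger alone: {2 * STRONG_EER:.3f})")
    for rule in ("AND", "OR"):
        rows = sweep(rule, STRONG_EER, THRESHOLDS)
        good = beneficial(rows, STRONG_EER)
        best = min(rows, key=lambda r: r["total"])
        ok = all(meets_quoted_criterion(rule, r["weak_far"], r["weak_frr"],
                                        STRONG_EER) for r in good)
        print(f"{rule}: helps for weaker-test thresholds "
              f"{good[0]['threshold']:.2f}..{good[-1]['threshold']:.2f}, "
              f"best total {best['total']:.5f} at {best['threshold']:.2f}, "
              f"criterion met at every helpful point: {ok}")
```

With both tests at cross-over the combined total error is several times that of the stronger test alone; the combination only helps once the weaker test's threshold is moved well away from its own cross-over point.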

The second issue is the relatively prosaic question of the increased cost of a system using two or more components instead of just one. One biometric system with outstanding performance values costs about $8,000-10,000 for an initial installation of 1-2 doors. Its operational performance is approximately FAR ≈ 0.000001 and FRR (+FTA) ≈ 0.05%. Another technology offers comparable performance features, but adds another $4,000-6,000 to the cost of the integrated system for only a questionable improvement in overall performance. In an operating environment where there are, for example, 250 people enrolled, it is not clear what real or practical value has been gained by improving FAR fractions of errors in the 1:1,000,000 range and nearly doubling the cost. From a fiduciary perspective, multi-mode combinations seem to make more sense in applications where two or more relatively inexpensive devices can be combined, or in those instances in which the quality of input templates may not be high.

To be sure, there are instances or operating environments in which a combined multi-mode biometric system makes good sense and enhances the overall operational security. Multiple biometric technologies are often required to accommodate persons with high FTE rates with specific technologies. Multi-mode biometrics should not be presumed to be the design of choice, but is a solution best arrived at by careful evaluation of the various factors that need to be addressed and satisfied. For further reference there has been extensive work done by experts, such as Anil Jain and Rick Lazarick, on fusion of multiple biometrics.

Biometric Fusion [16]

The use of multi-biometric fusion techniques offers a potential solution to some of the inherent issues associated with the implementation of biometric technology for access control.
One difficulty with single-modality biometric access control is that even a low failure to enroll or failure to acquire rate can correspond to large numbers of people in very large deployments. An alternate method of access security then needs to be implemented for these exception users. Multi-biometric fusion is one such alternate approach. It entails additional system components and/or complexities, so careful analysis of the costs and benefits is essential to effective implementation of such an approach.

The techniques surrounding the use of multiple biometrics have been the subject of significant academic research to develop the concepts and to quantify the benefits. Experts in this field communicate these ideas and results, sometimes developing new expressions and terms needed to convey the findings. In an attempt to promote clarity and understanding of the advances in multiple biometric systems, the following material provides a basis in the form of terminology, description of computational aspects, and a framework for describing the processing. Hypothetical examples are provided to illustrate the use of the terminology and concept in recognizable airport access control situations.

[16] Content on Biometric Fusion provided by Rick Lazarick of CSC.

Multi-biometric Terminology

The first challenge is to establish an agreeable set of terms and definitions to assist in the accurate and efficient discussion of the field of multi-biometrics. The initial motivation for addressing terminology is the inconsistent and therefore misleading use of the term “multi-modal” in the literature. Biometrics specialists came to realize that the term multi-modal should only be used to describe combinations of two different biometric modalities, such as face and fingerprint. A new definition established “multi-biometric” as the broadest term, encompassing any operation that utilized two different biometric captures or computations, and fused the information in some way to make a single identity decision. Within multi-biometric, a distinction was drawn about the differences between systems using multiple modalities, multiple algorithms, multiple sensors (for the same modality) and multiple instances of a biometric trait. Thus the agreed upon set of terms for multi-biometric and its components are:

• Multi-biometric - the use of multiple biometric modalities, instances within a modality, sensors and/or algorithms prior to making a specific verification/identification or enrollment decision.

• Multi-modal - the use of multiple different biometric modalities. (Example: face and hand geometry).

• Multi-algorithmic - the use of two or more distinct algorithms for processing the same biometric sample. (Example: facial geometric structure and skin texture)

• Multi-instance - the use of two or more instances within one modality for an individual. (Examples: Iris (left) + Iris (right), Fingerprint (left index) + Fingerprint (right index))

• Multi-sensorial - the use of two or more distinct sensors for sampling the same biometric instance. (Examples: for face: infrared spectrum, visible spectrum, 2-D image, and 3-D image; for fingerprint: optical, electrostatic, multi-spectral subsurface imaging, and acoustic or ultrasound sensors)

Additional terminology useful to explain and understand the concepts of multi-biometrics is included here as well.

• Modality - the human body part, body part characteristic, or behavioral characteristic that can be sensed and used for human identification/verification. Example: iris, fingerprint, or walking gait

• Simultaneous - the subject perceives that all biometric samples are captured during a single event

• Sequential - the subject perceives different biometric samples being captured as separate events

• Cascaded - pass/fail thresholds of individual biometric captures are used to determine if additional biometric data is required to be processed to reach an overall decision

• Layered - individual biometric scores are used to determine the pass/fail thresholds of other biometric data processing

• Hybrid - indicates the combination of more than one multi-biometric concept in a particular application.

Multi-biometric techniques can be applied at different “levels”, typically defined as decision, score, feature and sample level fusion. For usage with airport access control systems, the discussion is limited to the more popular and simpler levels of decision and score levels.

D. Normalization and Fusion

The following sections pertain primarily to score level fusion approaches. The concepts of score normalization and score level fusion are summarized at a high level.

Score normalization

Different biometric devices generate their matching statistic in different (and proprietary) ways. Some may produce a similarity score (high being a good match), others a dissimilarity score (such as a Hamming distance). There is also no uniformity in the range or scale of these scores, hence the need for normalization prior to combining the scores. Score normalization maps scores into a domain (for example 0.0 to 1.0) where they possess a common meaning in terms of biometric performance. Thus score normalization adapts the parameters of the matching score distributions to the outputs of the individual matchers, such that the normalized matching score distributions exist in a common domain. Score normalization is closely related to score level fusion since it affects how scores are combined and interpreted in terms of biometric performance. For these reasons, scores are generally normalized prior to fusion into a common domain. (Note that some fusion methods use probability density functions (PDFs) directly and do not require normalization methods.)

Score fusion methods

When individual biometric matchers output a set of possible matches along with the accuracy (quality) of each match (match score), integration can be done at the match score level. This is also known as fusion at the measurement level or confidence level. The match score output by a matcher contains the richest information about the input biometric sample in the absence of feature level or sensor level information.
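Score normalization into a common 0.0 to 1.0 domain, followed by a simple-sum combination at the match score level, as an added example that is not part of the manual. The two matchers, their score ranges, the sample attempts and the 0.5 decision threshold are all constructed for illustration; min-max scaling is one normalization method among several.

```python
"""Min-max score normalization followed by sum-rule fusion (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Matcher:
    """Score range of one matcher, as estimated from its training scores."""
    name: str
    lo: float
    hi: float
    higher_is_better: bool  # False for dissimilarity scores (e.g. Hamming distance)

    def normalize(self, raw):
        """Map a raw score to a similarity in [0.0, 1.0]."""
        if self.hi <= self.lo:
            raise ValueError(f"{self.name}: empty score range")
        x = (raw - self.lo) / (self.hi - self.lo)
        x = min(1.0, max(0.0, x))  # clamp scores that fall outside the range
        return x if self.higher_is_better else 1.0 - x


def fuse_sum(scores, weights=None):
    """Simple sum (or weighted sum) of normalized scores, rescaled to [0, 1]."""
    if not scores:
        raise ValueError("no scores to fuse")
    weights = [1.0] * len(scores) if weights is None else list(weights)
    if len(weights) != len(scores) or any(w < 0 for w in weights) or sum(weights) == 0:
        raise ValueError("weights must be non-negative, one per score")
    return sum(w * s for w, s in zip(weights, scores)) / sum(weights)


def verify(attempt, threshold=0.5, weights=None):
    """attempt: list of (Matcher, raw score). Returns (fused score, accepted)."""
    fused = fuse_sum([m.normalize(raw) for m, raw in attempt], weights)
    return fused, fused >= threshold


def raw_sum(attempt):
    """What fusion looks like if normalization is skipped (for contrast)."""
    return sum(raw for _, raw in attempt)


# Constructed matchers: a fingerprint matcher reporting similarity on 0..1000
# and an iris matcher reporting Hamming distance on 0.0..0.5 (lower is better).
FINGER = Matcher("fingerprint", 0.0, 1000.0, higher_is_better=True)
IRIS = Matcher("iris", 0.0, 0.5, higher_is_better=False)

# Constructed attempts: a genuine user with a worn finger but a clean iris
# capture, and an impostor with a lucky fingerprint score.
GENUINE = [(FINGER, 480.0), (IRIS, 0.05)]
IMPOSTOR = [(FINGER, 520.0), (IRIS, 0.47)]

if __name__ == "__main__":
    for label, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        fused, accepted = verify(attempt)
        print(f"{label:8s} raw sum={raw_sum(attempt):7.2f} "
              f"fused={fused:.2f} accepted={accepted}")
```

Adding the raw scores ranks the impostor above the genuine user, because the fingerprint scale swamps the iris score and the Hamming distance counts in the wrong direction; after normalization the ordering reverses.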
Furthermore, it is relatively easy to access and combine the scores generated by several different matchers. Consequently, integration of information at the match score level is the most common approach in multi-biometric systems. In the context of verification, there are two approaches for consolidating the scores obtained from different matchers: (a) the classification approach, and (b) the combination approach. The more common
combination approach takes on several forms, such as simple sum, maximum score, weighted matchers, and user weighting along with many other more complex approaches.

E. Hypothetical Examples

The following examples are provided to assist in understanding the concepts of multi-biometrics, described using the terminology introduced above. These are not intended to represent any specific known application, but are rather theoretical designs that may be recognizable as suitable for airport access control applications. Each example outlines the application, describes the technical approach, and then reflects on the strengths (advantages) and weaknesses (disadvantages) anticipated for such a system.

Example 1: Multi-modal, decision level fusion with sequential sampling

Application: Attended Physical Access Control. Typical of an airport access control for identity verification of cooperative, enrolled end users at intended points of entry, monitored by a security agent or guard.

Technical Description: Fingerprint and Iris Recognition modalities. All end users are processed for enrollment in both modalities, attempting to enroll one or two fingers and one or two irises per person. Airport enrollment policy permits either iris or any finger that can be successfully enrolled, both modalities if possible. Identity verification is performed using the individual pass/fail decisions of each modality in the “OR” logic form of decision level fusion. The order of biometric presentation is fingerprint first (because it is faster and easier to use). If the fingerprint verification passes, then no iris sample is required.

Advantages: This system design is well suited to accepting a very high percentage of users for enrollment based on the liberal enrollment policy and the multi-modal nature of the design. Using the “OR” logic promotes a potentially very low false rejection rate.
Employing the sequential sampling technique along with the “OR” logic, and choosing the fingerprint first as the faster sampling modality, provides for a very low transaction time (or high throughput) which is highly desirable in many airport high volume applications.

Disadvantages: The design calls for both fingerprint and iris sensors at all access points, which incurs additional acquisition, installation, enrollment, license and maintenance costs. The use of “OR” logic, while minimizing false rejection rate, does amplify the potential for false acceptance. (This can be mitigated by proper selection of the individual decision thresholds for each modality.) Depending on the level of anti-spoofing countermeasures provided by the vendor, “OR” logic is subject to attack with device “spoofing” techniques (such as “fake fingers” or iris-replicating contact lenses) since only one modality is needed to pass. In this scenario, obvious and elaborate spoofing techniques are impractical since the access point is attended by a security agent.

Example 2: Multi-instance, score level fusion with sequential sampling

Application: Low-cost Unattended Logical/Physical Access Control. This application is suitable for a moderate to large scale deployment with distributed access points that requires a relatively high degree of security for logical (e.g. computer network) and/or physical access. Because of the number and geographic distribution of the access points, this application is not attended by a security agent.

Technical Description: Multiple Fingerprints. To achieve the low-cost objective, the fingerprint sensor is a single-digit variety. All users must enroll multiple fingerprint instances (different fingers) with the minimum number set as an enrollment policy (minimum 2, prefer 4 or more). Identity verification requires the user to present multiple different enrolled fingers for sampling, along with identification of the specific finger for each sample to allow 1-to-1 comparisons. (The number of fingers is determined by the application’s verification policy.) Each sample produces a similarity score based on the 1-to-1 matching processing. These scores are fused using the “Sum Rule” and a verification decision is based on a single threshold for acceptable similarity. Note that for higher security applications, a query-response variation could be incorporated to prompt the user to present specific fingers at the time of attempted access, with randomness used across attempts to deter spoofing.

Advantages: This design stresses the low-cost, high security combination for a distributed access application. Employing score level fusion of multiple instances of a user’s fingerprints promotes potential for lower false rejection rates at a given acceptable level of false acceptance rate. The sensor and license costs could be very low.

Disadvantages: Due to the requirement for multiple sequential samples, this design may incur higher transaction times, so as to be not well suited to high volume access points.
Because the system employs only the fingerprint modality, there typically is a fraction of the user population who will not be able to enroll (due to fingerprint quality or wear factors). More generally, because the approach uses multiple samples of only one modality, if an enrollment problem occurs in one sample, then compared to the multi-modal approach there is a higher likelihood that a problem will also occur in additional samples.

Example 3: Multi-sensorial, multi-algorithmic hybrid fusion with simultaneous sampling

Application: Token-less Identification for Privileged Access. Suitable for VIP facility access or other high volume applications geared to user satisfaction. The users are not required to identify themselves to the access system after enrollment, and are also not highly restricted with regard to positioning relative to the sensors.

Technical Description: Face Recognition using distinct sensors. This design employs conventional video imagery for 2-D face image capture as well as stereoscopic (or other technique) face imagery for 3-D face modeling. Each user is enrolled with both sensors (not necessarily simultaneously) at several pose angles (and possibly variation in
lighting). At the time of verification, the video imagery from each sensor is processed through multiple matching algorithms (as dissimilar in approach as possible). This stream of processing generates ranked lists of candidates (one list for each sensor-algorithm pair), or best matching scores when compared with the enrollment database. The decision logic is based on the “Weighted Sum Rule” with personalized thresholds, combined with a “Voting Scheme”. Ideally, the user will be correctly identified, and their identity will appear near or at the top of each candidate list. It is also possible that the same identity will appear several times on the candidate list due to matches at different pose angles or lighting variations. This situation is conducive to very accurate voting scheme logic.

Advantages: The user convenience/acceptability aspects of this design are maximized, with no demand for a claim of identity (no tokens to remember or present), no physical contact (good hygiene perceptions), tolerance to pose and lighting variations, and no rigorous training requirements. Few if any users would be expected to fail enrollment. This design is conducive to high throughput, possibly even allowing the user to not even stop for biometric sampling. Potentially very high accuracy matching decisions based on the wealth of information provided to the fusion process (relative to uni-biometric face recognition).

Disadvantages: The enrollment time needed to enroll in both sensors and at the required range of conditions could be high. The processing logic is still developmental, is complex and will require careful attention and tuning. Also, the system may use rather costly sensors and significantly powerful processors, so hardware costs will be high.

11.2 ENGINEERING PROCESS

A. Pilot Design

It is in the context of these various considerations and issues that the pilot design can start. The objective of this phase is to provide an inventory of components to be procured, a preliminary graphic illustration of the relationship of the various components, and an assessment of the time required to integrate, install, and commission the system.

Based on Operational Requirements as Expressed in SOW

The initial design begins with the receipt and analysis of the customer’s statement of work (SOW). This document will outline the customer’s expectations for the delivered system. It is toward these objectives that the system will be designed. As in most projects of this type, however, unless the customer has retained the services of a professional engineering firm experienced in these systems, the customer is likely to be the least qualified to know what the optimum design solution should be. He/she may not know what to expect from modern technology and, consequently, the initial SOW may not be complete or accurate in its description of the solution to the customer’s real objectives. It is the function of the professional designer to communicate effectively with the customer to learn what these primary objectives are and to ensure the SOW is modified to reflect these points.

Conceptual System Design

The initial engineering architectural design is prepared in pilot form following a detailed analysis of the SOW and an analysis of the current operational environment. If a Conceptual Design was prepared as part of the detailed analysis recommended in Section 10, that conceptual design should not be accepted blindly as a mandate for further engineering without detailed analysis of the SOW and operational environment.

New System

New systems have the advantage of being unencumbered by existing components and architecture. They offer the easiest way to ensure the application of state-of-the-art technology and products. The disadvantage is the element of risk new technology might introduce into an otherwise sound design.

Legacy System

Legacy system modifications require attention to existing architectures and processes, some of which may conflict with a sound application of the new technologies. The initial design needs to attend to these considerations in detail:

♦ Develop an inventory of components to be procured. ♦ Prepare a preliminary graphic illustration of the relationship of the various

components (system architecture). ♦ Prepare an assessment of the time required to integrate, install, and

commission the system. ♦ Develop an Initial Operational Capability (IOC) Planning and

Implementation Schedule. With the completion of the Pilot Design, an implementation schedule can be developed and IOC date can be estimated. The details of the implementation schedule are beyond the scope of this manual.

♦ Perform the focused reviews listed in the paragraph “Integration of the

Factors” in Section 10. These reviews should establish the proposed engineering design’s ability to comply with the security needs, program objectives, and design issues of Section 10.

♦ Complete the Initial Detailed System Design

♦ Perform a seventh and final review considering the system as an integrated whole.

B. Final Engineering Design

The final design is achieved after a review process in which all responsible offices involved with the funding, installation, and use of the new or modified system have evaluated relevant sections of the design. After the first review, non-trivial changes to the design will require a second and, perhaps, a third round of design reviews before the system design is finalized.

11.3. IMPLEMENTATION

The most technically challenging part of a biometric project is the Engineering Design phase. This is not to suggest that the implementation of biometric devices is trivial, but careful attention to the design issues of Section 10 and the engineering/integration issues just discussed will go a long way toward simplifying the implementation. This Section assumes the reader has available the trained and qualified service technicians required to integrate and install the system in a professional manner. No effort is made to instruct on these techniques in any great detail in this manual. There are five components that remain:

• Procurement
• Installation
• Training
• System Support
• Final Deployment and Roll-out

11.3.1. Procurement

Often neglected in design planning, procurement is an essential activity requiring attention to detail to ensure the right components arrive at the appropriate location in a timely manner. Some items need to be delivered to the eventual job site, but not until security is in place to prevent pilferage. Other components need to be delivered to the contractor’s staging site for pre-integration into larger sub-systems.

11.3.2. Installation

Although the BTAM is not a technical manual designed to provide instructions for terminations, cable routing, or other aspects of installation work, it can illustrate the utility and significance of sound installation practices. The installation process is a key element in establishing and maintaining effective customer relations. Foremost among the essential aspects of professional installation work are adherence to schedule, budget, and workmanship. The customer expects the system to arrive and be operational according to the agreed-upon schedule. The customer expects there will be no surprises either in schedule or cost. In terms of workmanship, the typical customer expects that the system will work when it is powered up, the installation will appear neat and tidy, and that the trash and debris associated with the installation will be carried away.

What the customer does not normally expect, but what makes a great impression, are the installations where the technician doing the wiring and terminations takes a few extra moments to minimize slack or surplus wiring and to lay out the cables and wires in neat, angular turns or curves and arrangements. It suggests to the customer that the installing company—as well as the design company—has really paid attention to detail and that they have received a quality system. As a customer, the reader should expect this level of service. As an installer, the reader should be prepared to deliver this standard of service.

Pre-Commissioning

Prior to transferring ownership of the new system to the customer, all primary features and functions must be demonstrated in a satisfactory manner and the owner’s staff trained in its operation.

Acceptance Testing

Typically, the formal demonstration takes the form of an acceptance test. Presumably, the system design was based on a customer-prepared statement of work and performance objectives. The acceptance test should be organized to reflect the structure and content of the statement of work. Copies of the test protocol are distributed. Each step provides a place for the customer and lead or commissioning engineer to place their initials indicating that step was demonstrated satisfactorily, or annotated to indicate what problems or shortfalls were observed. Any problems should be documented in an issues list that describes each problem, categorizes its severity, and documents its final resolution and retesting. When all items have been properly demonstrated, both parties sign off on the test document and the owner assumes responsibility and control of the installed system. Also, this is an appropriate moment for the system warranty to begin, although, on some projects, title and warranty transfer upon delivery of goods at the job site. This point should be made clear in the basic work contract.

11.3.3. Training

Training is such a vital part of implementation of any biometric system that we have devoted an entire section (Section 14) to it. For our purposes in these earlier sections, it is important to note that provisions for training management, system operators, and especially end users should be an integral part of the system design, integration and implementation phase. It must be defined, scheduled and completed by the time of system acceptance so as to be ready for application as the acceptance testing is completed and the system comes on line. As the time and resources expended providing after-sale warranty services are inversely proportional to the quality of the design and installation, so is the quality of the training provided the new operators and end users. The more informed and better prepared they are to assume responsibility for effective implementation of the new system, the fewer phone calls and requests there will be for service. Please refer to Section 14 for more detail.

11.3.4. System Support

Whether provided by the installing sub-contractor, the systems integrator, or another contractor, on-going support will be required to provide periodic preventive maintenance, and emergency system restoration. In very large systems, the owner will often have sufficient staff and resources to provide in-house (proprietary) maintenance, but, often, it will be more cost-effective to retain the system integrator or installer to provide these services.

11.3.5. Final Deployment and Roll-out

A phase of the implementation process that is often ignored (and usually with disastrous results) is the deployment phase. Deployment and roll-out of the biometric-based system is a critically important component of the overall implementation plan. In fact, it should be part of the first rough outline of the implementation plan and should become more and more prominent as decisions on the other phases of implementation are made. The major conceptual features of the implementation plan should be included with the contract documents that go to potential bidders on the installation contract. The plan should be thoroughly fleshed out very soon after contract award to re-emphasize its importance to the vendor/installer/integrator. Components of the final deployment and roll-out plan should include:

• Provisions for continuing operations during the installation phase of the project.

• Provisions for comprehensive system testing and validation prior to turnover.

• Provisions for “Training the trainers”, including specifics such as the vendor or integrator-provided trainers monitoring the in-house trainers as they begin to train end users.

• Provisions for training end users and keeping them practiced and current pending initialization of the system.

• Provisions for exception processing or “work-arounds” during the transition period.

• If feasible, provisions for operating an existing system in parallel with the biometric system during the transition period.

• Schedules for all phases of the deployment and roll-out.

• Provisions for alerting the work force to changes in schedule and other information critical to deployment.

Section 12 – Operations and Management

12.1. OPERATING PLANS

This section moves the focus of the BTAM from the requirements, design, and engineering functions to initial and long-term operation of the biometric system or subsystem. One of the primary concerns of any management team implementing a new system or policy is that the new concept or system be fully functional, have employee support, resolve a problem that affects company performance, and minimize conflict with the remnants of the prior program (if any) that remain in place. Once again, there is no real substitute for a plan that assumes responsibility for operations at turnover and fully exploits the advantages offered by the new technology.

People, by nature, tend to be wary of something they do not understand or that is foreign to the day-to-day processes with which they are familiar. Planning, documented in the form of an Operating Plan, defines the process from initial introduction into the facility to the eventual steady-state process of day-to-day functionality. If an Operating Plan for the facility already exists in the form of a security plan or some other document, then the operating management entity needs to consider and address the impact of the biometric subsystem on that existing operating document. If such a plan is not in place, then a new one that covers the issues to be considered for biometric usage should be prepared. In such cases, it may be an opportunity to more fully address the overall integrated system as well as the biometric component.

When it comes to developing an Operations Plan for both routine and non-routine operations of a biometric identification system, there are no fixed definitions as to what must be included. The security manager for the organization or his/her equivalent, with a modicum of training, can define all of the operating issues that will need to be addressed.
As an alternative, an experienced practitioner can be engaged to develop the Operations Plan for the organization, with the significant input and participation of the manager who will live with the final product.

For the most part, a logical Operations Plan would consist, as a minimum, of the following elements. These should be addressed in as much detail as possible to ensure that all stakeholders in the system have a reference for what is expected of the biometric component, and how it is intended to support the overall goals of the organization.

• Mission, Organization, and Roles of Key Personnel
• System description and its functional role in overall operations
    • Enrollment requirements/schedule
        • Initial
        • Long-term
    • User orientation
    • Dis-enrollment procedures
• Description of the normal/routine operating environment
    • Equipment and performance
    • Personnel performance, response, and problem resolution
    • Support and supply requirements
• Description of operations and procedures (planned or emergency) in a non-normal or non-operating environment.
    • Catastrophic failure
    • Partial failure
    • Work-around procedures
    • Exception handling
• Testing the system
• Organizational/Corporate Support
• Interface with external organizations
    • Security/police
    • State and local government
• Training
• Maintenance and Service
    • Routine and Preventive
    • Emergency and response
• Resources and Budgeting

While this is not an attempt to cover all of the details that should be addressed in each of these suggested areas, the following comments are offered for focused consideration.

12.1.1. Mission, Organization, and Roles of Key Personnel

Since the biometric identification system will have an impact on all segments of an organization, expected impact and desired responses for all involved need to be defined, as well as possible, in a Statement of Mission, Organization, and Roles. This need not be complex. The mission or purpose of integrating the technology in the organization should be clearly defined, and expectations should be reasonably stated as to what results are anticipated. Any changes to the organization structure necessary to manage the new resource should be identified, and the roles and key assignments related to those changes should be explained as well. Personnel who will play an important role in start-up as well as long-term operations should be comfortable with their responsibilities and assignments, and additional training should be provided when necessary.

When developing the roles or functions for each identified person involved in the operating system, nothing should be assumed. It is extremely important to the success of the mission and the overall effectiveness of the operation that everyone perceives their function clearly. All plans need to be flexible, adjusting to results as they occur during the action phase of implementation.

12.1.2. System Description and Its Functional Role

Describe how the system will work and when and how it will be initiated in the organization. Describe the enrollment process (supported by manufacturers’/integrators’ information), schedule and how users will be oriented in its use. Explain the reasons for dis-enrollment.

12.1.3. Description of the Normal Operating Environment

Speak to how the system fits in the organization’s security or other application program, describing the process and the normal encounter that each user can expect. Describe the function of operating personnel and their interface with both the system and the users. Cover operation of the equipment to the extent that user and operator intervention or contact is involved. Discuss issues that could occur and how they will be resolved. Address supply or operating maintenance issues (like cleaning).

12.1.4. Description of Procedures in Other than Normal Operations

Describe planned downtime and the procedures for work-arounds when the system is not available. Cover unplanned system failure in both partial and large-scale incidents and the procedures that operating personnel and users are expected to follow. The procedure for how routine exceptions will be handled (e.g., false rejections, lost card, etc.) should also be described.

12.1.5. Testing

Discuss plans for testing the system on a scheduled and unscheduled basis to periodically evaluate performance (machine and personnel) and to maintain confidence in system operations. One of the major functions of a biometric identification system is to perform a required task on a sustained basis at levels well above those that can be attained with a manual or human-based system. However, even though the acquired system may have met performance requirements at the time of installation and turnover, there is no assurance that the system will continue to perform at those levels throughout its lifetime. As with most electronic or electro-mechanical systems designed to perform a security function, a biometric technology-based application should be the target of routine audits to ensure continued performance at the required levels.
The audit should be accomplished by a third party so as to preclude cover-up of system problems that have been ignored or operator performance that is less than required. This function is normally accomplished by the technical staff, if one exists in-house, or by an outside contractor who is both competent and professional in performing such functions. Certainly, this is one situation where the “lowest bidder” is not always the best or even an acceptable alternate solution because of the potential for increased risk to the company. Operating audits need to be accomplished on a regular, non-scheduled basis to ensure valid data collection and system assessment. Audits, in a sense, are the determination of system performance, including the human element, after the fact. Audits, per se, are not designed to determine hardware failures, but instead to review the resultant effect of a hardware failure on the ability of the system to provide the desired functionality and the cost of doing so. Like all audits, there is a sense of one group of individuals (the auditors) being cast in the role of the “black hats” while those being audited are perceived to be the “white hats” who are targeted to determine performance shortfalls. In reality, both groups, the auditors and those being audited, should be working toward the common goal of

identifying system abnormalities and identifying corrective actions to ensure required system performance. Since audits tend to have a major impact on company operations in that they are disruptive of the daily routine and are normally performed during operating hours so that those responsible for performing a function are available to respond to auditor’s requests for data, audits should not be performed more than once a year unless problems dictate otherwise. Similarly, system tests are intended to determine performance of the biometric system against operational requirements, but on a real-time basis. The system level testing should be designed to evaluate and determine performance of both the hardware and personnel, both the user and the operator. A system level technical test, if designed properly, would include not only an evaluation of the hardware performance but also the ability of the maintenance personnel to restore the system to required operational levels in the event of a failure. This being said, there are many levels of testing that can be developed in order to determine the status of the system. Testing can be designed to evaluate and document only the human component of the system, only the hardware element, or both. Test and evaluation of the human element should include such functions as:

• Competency of the operator(s) to perform enrollments

• Ability to develop reports using the data produced by the system as the result of daily operation

• Ability to react to system problems and failures.

Hardware testing should be accomplished to determine if reliability specifications are maintained and maintainability requirements are confirmed. The implementation of emergency plans by all designated personnel involved should be tested on a routine basis to determine the adequacy of response in the event of system degradation, be it a catastrophic failure or merely a component degradation wherein the system does not perform up to specification to the required level. System hardware elements can be designed to execute required equipment tests either manually or automatically, with the results documented in a report to management.

Ideally, all elements of the system – operator, user, hardware, and maintainer – should be subjected to combined testing on a routine basis with a report to management of the test results and recommendations for correction of deficiencies in system performance. To do otherwise is to create a situation of false security where security is assumed to be adequate but, in reality, the facility is highly vulnerable.

12.1.6. Organizational and Corporate Support

The backing and support of corporate management, including participation on the individual level, is absolutely required for successful operation of the system. Procedures or deviations that allow corporate managers to by-pass the system for their personal convenience will destroy the purpose and value of the installation.

Legal Department/Advisor

For the reasons described in Volume 1 as well as earlier in this volume, it is important to have legal assistance available in reviewing the Operating Plan. Employees concerned with their personal rights related to system use or concerned about personal identity issues should have recourse to advice and have the procedure covered in the Operating Plan. Also, a redress procedure should be defined to ensure prompt correction of any incorrect information or data that has been entered into the system.

Personnel or Human Resources

Participation by the Personnel or Human Resources department in the operational planning process is considered a very important requirement. They need to be aware of the impact of operational planning on resources, to prepare documentation that is required to inform employees of their rights and obligations in the use of the system, and to assist the employees in transitioning to the new operation. In large organizations, Personnel/Human Resources will most likely be expected to perform the following functions during the implementation:

• Develop informational brochures to inform existing and new employees about the technology.

• Establish and schedule an employee training program, in conjunction with the Security Department, to ensure employees receive adequate information about the system.

• Follow-on assessment of user acceptance needs to be met by the Personnel Department, with the support of the technical staff, either the in-house organization or the system integrator/vendor responsible for installation of the system.

Facilities Manager/Maintenance Organization

In most instances, the Facilities Manager or equivalent individual/organization will play a major role in the acquisition, installation, and maintenance of the new system. This will carry-over to long-term operations as well. Primary functions that can be addressed in the Operating Plan and are usually within the purview of this organization/corporate area are:

1. identifying necessary modifications to the physical structure; and

2. providing for the availability of power, lighting, ingress/egress features, troubleshooting services, routine preventative maintenance and corrective maintenance functions to ensure the system maintains specified performance throughout its life.

If the resources are not inherent in the company organization, the Facilities Manager will be required to provide the necessary support using contracted services for the duration of the system operation. See also Section 13 for more detail on this matter.

12.1.7. Interface with External Organizations

The Operations Plan should identify the critical relationships with outside agencies such as local police, fire, and other emergency response agencies and specify clearly when they are notified and to what purpose.

12.1.8. Training

One of the key functions that the implementing organization must perform in the introduction of the biometric technology into the organization is development and execution of a well-structured training program for users. The training sessions should include the following:

• A basic description of the technology involved, how it works (and does not work)

• Benefits being provided to the company and the individual employee through the implementation of the biometric system

• Expected impact on everyone’s daily routine

• Address the expected concerns and fears the employees may have about the technology such as: privacy issues, health issues (is there any possible damage to their body), etc.

• Ensure the collected data will be protected, will not be provided outside of the company, and will be limited to the intended application (security, time and attendance, payroll, etc.)

• Address the process for enrollment and identification

• Address any religious concerns (use of facial images, iris images, etc.)

• Process for data integrity—will it be destroyed should the employee terminate employment?

• Accommodation of individuals with disabilities and alternative solutions if required by the employee demographics.

The training program should be structured to address not only the technical aspects of the planned system, but also the personal concerns that employees may have. For a more in-depth discussion about training, see Section 14: Training.

12.1.9. Maintenance and Services

See Section 13 for information on Maintenance, Services, and Warranties.

12.1.10. Resources and Budgeting

The Plan should be specific in spelling out the annual costs for operating and maintaining the biometric system, as well as the overall system, addressing all of the categories described in this section.

Section 13 – Maintenance, Services, and Warranties

13.1. MAINTENANCE SERVICES

The biometric portion of a system, like any other electromechanical system, requires periodic maintenance to minimize failure (and/or disruption of service) for the want of cleaning, lubricating, or adjusting. This is especially true with, but not limited to, moving parts and components, such as door-strikes and sensor alignment mechanisms. Any surface routinely touched by persons using the biometrics, such as fingerprint platens, hand geometry platens, etc., requires periodic cleaning not only for continuing high performance, but for the sake of good hygiene as well. Such surfaces are normally no more a health threat to individuals than doorknobs, but a device that is routinely cleaned encourages continued use and lowers user resistance to such technologies. Vendors should be required to provide documented maintenance and calibration procedures, a recommended spare parts list, and other appropriate maintenance documentation.

13.2. PRODUCT WARRANTIES

Manufacturers are often required by law to offer product warranties. Additionally, certain warranties may be deemed to exist unless expressly disclaimed. The information contained in this chapter should not be construed or relied upon as legal advice. It is provided for general informational purposes only and applies only to products sold in the United States. Legal counsel should be consulted regarding product warranties to determine how the law specifically applies to various applications and to particular products.

General Requirements

The following is a list of some matters typically addressed by a written warranty.

• What the warranty covers or does not cover. The manufacturer should disclose what the warranty covers and, if necessary, what it does not cover. For example, if there are certain components or aspects of the device or system not covered, then the manufacturer has to describe in detail what those exceptions are. The warranty should also disclose to whom the warranty is extended and if it is limited to the original purchaser.

• Period of coverage. The manufacturer should disclose for what period of time the warranty is active. This part of the warranty should also indicate when the warranty commences (e.g., on purchase, upon installation, etc.) and under what circumstances, other than the defined period of coverage, the warranty may become void (e.g., sale of product to a third party, failure to maintain, etc.).

• What the manufacturer will do to correct problems covered by the warranty. The manufacturer should describe what it will do in the event of a problem with the product (e.g., repair, replace, refund, etc.). The warranty should also tell customers where to obtain warranty service and how to reach those persons or companies. Additionally, the warranty should provide information on the availability of any informal dispute resolution. The manufacturer should also explain what it will not do under the warranty program. This explanation may set forth expenses it will not cover, such as labor, and provide limitations on damages for defective products, such as an exclusion for consequential damages, etc. Some states do not allow such exclusions. This is the reason many exclusions are accompanied by the following statement: “Some states do not allow the exclusion of or limitations on relief such as incidental or consequential damages, so the above limitation or exclusion may not apply to you.” Each organization should determine its own limitations or exclusions as they apply in specific states.

• Limitations on Duration. The manufacturer may include a disclosure of any limitations on the duration of implied warranties. This is the reason many warranties are accompanied by the following statement: “Some states do not allow limitations on how long an implied warranty lasts, so the above limitation may not apply to you.”

• How state law may affect customer's rights under the warranty. The warranty should answer this question because implied warranty rights and certain other warranty rights vary from state to state. Thus, the following statement should be included: “This warranty gives you specific legal rights, and you may also have other rights which vary from state to state.”

13.3. IMPLIED WARRANTIES In the absence of a written disclaimer of warranties, the manufacturer may be bound to respect the terms of an “implied warranty.” Implied warranties are created by state law and all states have them. These implied warranties generally have several common features. Among them:

• A warranty of merchantability. This means the product will do what it was advertised and put forward to do. A potato peeler will peel potatoes, a pen will write, etc.

• A warranty of fitness for a particular purpose. If the kitchen appliance

salesperson knows that you are going to be using the peeler in a large commercial kitchen, then the peeler he/she recommends should be suitable for that environment

• Period of coverage. The period of coverage under an implied warranty may vary

considerably from state to state.


• As is. A number of states permit manufacturers to avoid the “implied warranty” provisions by marking products to be sold “as-is.” Several states do not permit “as-is” sales.

13.4. COMMON INDUSTRY PRACTICES

The NBSP surveyed 65 manufacturing and integrating companies within the biometric industry to determine common industry practices with regard to warranties. While the length of warranties offered ranged from three to 120 months, all but two offered a standard 12-month warranty on parts and labor. Eighty-three percent (83%) of respondents indicated they offer extended warranties for an additional fee. All but one of the companies require a Product Return Authorization (PRA) before they will accept a package submitted for repair service.


Section 14 – Training

14.1. ORGANIZATIONAL TRAINING PLAN

A training program should be established, implemented, and managed to assure that adequate training is provided for all internal and external personnel who require or request biometric training. The training plan can be a component of the Operating Plan described in Section 12, or a separate document if managed by another part of the organization.

14.2. NEEDS ASSESSMENT

A needs assessment is an essential element in determining an organization’s training requirements. It is important to understand that training needs should be periodically assessed as technology, processes, procedures, legal requirements, etc. change. Training needs should be reviewed annually, at a minimum, by both the security and personnel departments. Needs assessments can be conducted in various ways. Some suggestions are:

• Interviews/conversations with key groups and organizations (i.e., managers and key staff)
• Organizational surveys
• Analysis of metrics related to training, such as what the trainee must demonstrate, or the level of performance required to be trained
• Review of current training completed in comparison to current required job tasks
• Brainstorming sessions
• Analysis of events that illustrate a need for training
• Study of trends

14.3. EXTERNAL TRAINING SOURCES

Introductory Level Courses

Limited training in biometrics is available in several forms to those contemplating use of biometrics (see Appendix). For those exploring the possibility who have not yet committed to a biometric system, there are symposia, conferences, and short courses available to give a broad overview of biometrics, highlighting different technologies (or “modalities”), applications, and the pros and cons of each. These courses are often attended by functional managers, senior managers, and decision makers. The National Biometric Security Project offers a variable length (1-hour to 1-day) Introduction to Biometrics course. This course is open to anyone and can be tailored to fit organizational need.


Suggested Course Content – Introductory Level

• History of Biometrics: First uses – Industrial Age – Early Forensics – Modern Biometrics
• Foundations of Biometrics: Definitions – Properties of a Good Biometric – Templates – How Biometrics Work – Biometric Errors
• Biometric Modalities: Fingerprint – Hand Geometry – Iris Recognition – Facial Recognition – Emerging Technology – Other Technologies
• Biometric Applications: Access Control – Authorizations – Other Applications
• Technology Adoption: Needs Analysis – Constraints – Considerations – Life-cycle Cost Analysis – Biometrics Life-cycle – Compatibility
• Spoofing: Attacks – Countermeasures – Fingerprint – Iris – Hand – Face – Data Integrity
• Biometrics Standards: Definition – Purpose and Goal – Benefits – Standards Bodies – Development Groups – NBSP Role
• Other Issues/Concerns: Privacy – Legal – Societal Issues
• Future View: Trends

Intermediate Level Courses

For organizations that have decided to implement biometrics or that want more detail, longer and more in-depth courses are available that cover technology selection, pros and cons, and implementation and deployment. These courses are typically attended by middle managers, project officers, members of the IT staff, and, in some cases, IT or biometric technicians. Such courses are designed to run for three to five days. The National Biometric Security Project is currently developing a course to fill this need. A sample course curriculum follows.


Suggested Course Content – Intermediate Level

• History of Biometrics: First uses – Industrial Age – Early Forensics – Modern Biometrics
• Foundations of Biometrics: Definitions – Properties of a Good Biometric – Templates – How Biometrics Work – Biometric Errors
• Biometric Modalities: Fingerprint – Hand Geometry – Iris Recognition – Facial Recognition – Emerging Technology – Other Technologies
• Biometric Applications: Access Control – Authorizations – Other Applications
• Technology Adoption: Needs Analysis – Constraints – Considerations – Life-cycle Cost Analysis – Biometrics Life-cycle – Compatibility
• Spoofing: Attacks – Countermeasures – Fingerprint – Iris – Hand – Face – Data Integrity
• Biometrics Standards: Definition – Purpose and Goal – Benefits – Standards Bodies – Development Groups – NBSP Role
• Other Issues and Concerns: Privacy – Legal – Societal Issues
• Future View: Trends
• Application Strengths and Vulnerabilities: Fingerprints – Iris – Facial – Hand
• Installation Requirements: Technical Specs for Each Type of Application
• Time Required to Install: Installation Time and Equipment Speeds – Testing Time – System Down-time
• System Testing: How to Test – Basic Troubleshooting
• System Work-arounds: Installation Issues – Putting the System Together
• Lessons from the Field: Case Studies and Examples
• Testing and Evaluation of the System: Accuracy – Enrollment – User Acceptance – Perceived Invasiveness – Ease of Use – Deployability – Scalability – Speed – Technology Maturity – Technology Performance Comparison
• Deployment and Roll-out: Cost Comparison – Time to Implement – Staff Training Required – Training and Operational Tips
• System Maintenance: Vendor Contracts – Typical or Scheduled Maintenance – History of Existing Systems
• End-user Training: Training Programs and Best Practices
• Role of Program Managers: Operational Personnel – Biometric Technicians


Advanced Courses

For academics and those who want to know the details of algorithms, the matching process, the statistical basis for matching, and testing and evaluation, the NBSP is developing an extended-length course (5-10 days). Currently, there is one pre-eminent specialized short course of five days offered through the UCLA extension system. A growing number of universities are also offering one- or two-semester courses. A sample curriculum for a multi-day advanced-level biometrics course follows.

Suggested Course Content – Advanced Level

• Day One: Introduction to Biometrics
• Day Two: Science, Mathematical Basis, Theories, and Algorithms of Various Biometric Technologies – How and Why Various Biometric Technologies Work – Data Collection, Storage, and Usage Issues
• Day Three: Testing Results and Protocols – Large-Scale System Performance – Legal/Sociological Issues – Vulnerability Assessment
• Day Four: Introduction to Fingerprinting – Traditional Identification Processes – Legal Issues
• Day Five: Applying Biometrics in Homeland Defense – Biometrics Standards – Large-scale System Acquisition Issues

14.4. INTERNAL TRAINING

Gaining user acceptance with efficient and correct operation of the biometric security system is paramount to its success. Successful implementation, initialization, and operation of a biometric system require managers to understand user concerns and societal implications of biometrics. Such understanding provides the means to treat and deal with important privacy issues that can smooth a transition to a new process and gain user acceptance.

Initial Pre-activation Training

Training programs should focus on general orientation, operator/user training, and offer certified technician training for IT staff. The training program should also include reference materials in hard copy, hands-on activities, and possibly web-based versions of materials to maintain ongoing support and provide updates to current information regarding the biometric system.


Proper and continued training is of equal importance for all users, including program managers, IT specialists, and end users. Users of a biometric system must be taught proper procedure for the system to perform optimally. Users of a biometric system must also have access to documentation regarding the system itself. Such documentation includes, but is not limited to:

• User’s or student manuals, which should be clear and concise
• Procedures for using the technology in the form of walkthroughs and trial runs, which will help users gain confidence in their knowledge of and ability to use a system
• Policies protecting users and the organization
• Policies governing system use
• Policies governing the use of biometric templates
• Procedures for what to do in case of system error, failure, or building emergencies

When training program managers and IT specialists, keep the following in mind:

• These users need the same information as end users, targeted appropriately to their level of knowledge

• The field of biometric identification is changing rapidly, so advanced users of such systems need continued training on technological developments, security issues, and changes in social/legal issues

Manuals should be short, simple, and to the point. The acceptance rate of the users will be higher because they feel confident and secure in the knowledge of the biometric-based system. Walk-throughs and trial-runs will help increase the comfort levels of users and decrease the pressure placed on them. Such simulations will also help decrease the error rates in the future when the users will not have someone with them while using the system.

Proper training and education should always be part of the implementation plan for any new installation or modification of an existing biometric system. Personnel who receive proper and comprehensive training in the use of the system will prove cooperative and supportive of system use. They should be guided carefully and unhurriedly through the enrollment procedure and should be invited to ask questions about the system in general. As mentioned, they should receive some reference documentation with help/inquiry line details included as well. These things should be provided in a comfortable, non-challenging environment.

The three basic levels of training include:

1. End User — Knowledge-based training: “What is biometrics?” Instructional training: “How do I enroll and use the system in my daily activities? What happens if the system doesn’t allow my access?” First-level troubleshooting. Actions when that fails.


2. Administration — Instructional training: technical installation, system management, and maintenance issues

3. Organization — Knowledge-based training: “Why Biometrics is our best solution”, “Will my fingerprints be stored?”

This particular training program focuses on the end users.

End Users

The end-user population (employees, contractors, temporarily assigned personnel) must be trained sufficiently to enable them to use the biometric equipment effectively once the system is activated. Time between training and actual use of the system (or some portion thereof) should not exceed a week. This may be challenging when end-user populations are very large and may require multiple trainers and training sessions or other innovative schemes, such as operating the biometric system in parallel with a current existing system, staggering activation of the system, and/or setting up multiple readers near entry points to enable end-users to practice authentication upon entry. Initial user training should include the following:

• Introduction and general overview of biometrics (what they are, how they work)
• Overview of privacy issues, how biometric information will be controlled, end-user options, and completion of informed-consent forms where deemed appropriate.
• Detail on the technology (modality) of the specific system to be deployed.
• Demonstration of equipment use and the enrollment process.
• Actual enrollment of each end-user.
• Practice by each end-user on actual equipment.
• Overview of how the system will be implemented, including need for daily/weekly practice between training and system activation, dates and structure of staggered implementation, and/or dates and structure of overlap schemes.
• Sources of potential problems with the biometric system and things to avoid (use of hand cream before using fingerprint platen, use of reflective sunglasses, expressions in facial systems, etc.)
• Initial actions or troubleshooting by end-users when first encountering a problem (wiping the platen, taking glasses off, speaking in normal voice, etc.).
• Work-arounds and actions of end-users when troubleshooting fails.
• Actions if system experiences catastrophic failure.
• End-user practice opportunities between training and system activation.
• A repeat of earlier student practice with instructor observation of each end-user.

Continuing Training after Deployment

An initial training capability will have to be maintained for new employees, contractors, etc. Depending on the volume of new end-users, initial courses may have to be conducted daily, weekly, monthly, or on an ad hoc basis. Refresher training, usually the result of continuing problems encountered by specific end-users, can often be given simply by a trainer observing the person and offering corrective advice or suggestions.


Where this is not a long-lasting solution, end-users may be integrated into the periodic initial training for a second time. A how-to guide for instructors helps ensure uniformity and consistency with the format used to teach the course using various trainers. Because biometrics are technical in nature, the organization may adopt policies for use of the technology. Users tend to be more cooperative and supportive of a security system being adopted if they:

• Receive proper and comprehensive training in the use of the system.
• Are guided carefully and unhurriedly through the enrollment procedure.
• Are invited to ask questions about the system in general.
• Have received some reference documentation with help/inquiry line details included.
• Are trained within a comfortable, unchallenging environment.

14.5. PRACTICE USING THE BIOMETRIC TECHNOLOGY

Immediately following a comprehensive training program that introduces users and administrators to the biometric technology, ample time should be provided for practice. The more users engage with system functionality, the more comfortable they will begin to feel performing the techniques.

As part of the overall system deployment plan, calculate the number of persons to be trained, the length of time that will be required, and the length of time between classroom training and system implementation. Based on that, write into the vendor or system statement of work (SOW) the requirement to provide some number of sample sensors to install at entry control points to allow end users the opportunity for “no-penalty” practice on a daily basis. Ensure that such sample sensors provide pass/fail or go/no-go feedback to end users.

Stress in the classroom training the need to practice and become familiar with the approaching biometric equipment/system before the implementation date. Encourage end users to report problems immediately and take steps to re-enroll if re-training is not adequate to get them thoroughly familiar with the system.

14.6. RESOURCE MATERIALS FOR TRAINERS

The following content provides a detailed explanation of the more popular biometric methods, why each is useful for security, and how-to steps and techniques for users to apply to a given situation where the technology is in use. Train only the modality (or biometric technology) that has been selected for the particular installation and augment that material with material provided by the specific vendor of the equipment to be installed in the facility or facilities. This may require a provision spelled out in the SOW.


A variety of biometric technologies are available, including those used for facial recognition, fingerprint identification, hand geometry, iris recognition, and voice recognition. Some examples of these technologies are described in the chart that follows.


Table 14-1

| Name of System | Website | Weight (lbs) | Applications |
|---|---|---|---|
| HandPunch 4000 | http://www.compumatictime.com/biometric/index_hp4000.html | 6 | Time and Attendance |
| HandKey II | http://www.safe-mart.com/hk2.html | 6 | Physical Access Control |
| LG IrisAccess 3000 | http://www.quicksitemaker.com/members/fephila2/iris.html | 8 | Transportation Security, Laboratory Security, Infrastructure Security, Public Safety and Justice, Border Control, Data Center Security, Time and Attendance |
| OKI IrisPass-WG | http://www.oki.com/jp/FSC/iris/en/iriswg.html | 13.2 | Transportation Security, Laboratory Security, Infrastructure Security, Public Safety and Justice, Border Control, Data Center Security, Time and Attendance |
| MorphoAccess MA300 | http://www.bioservice.ch/english/physical.html# | 1.6 | Physical Access Control; Multi-layer Verification for Low-to-High Security |
| FINGER007/P | http://kor.idteck.com/product/product_list.php?cateANum=1&cateBNum=1&cateDepth=1&prdCateA=1 | 1.20 | Time and Attendance Access Controller |
| FACE007/P | http://kor.idteck.com/product/product_list.php?cateANum=1&cateBNum=1&cateDepth=1&prdCateA=1 | 1.25 | Physical Access Control |
| ActiveID | http://www.geometrix.com/products/biocamera.html | 1.5 | "Face in a Crowd" Surveillance; Enables 2D and 3D Measurements for Forensic Criminology Applications |
| Access Control System | www.magen.ca/.../photos/ | N/A | Physical Access |
| Mercedes voice control - Linguatronic | www.whnet.com/4x4/vrm.html | N/A | Controls different aspects of the car |


Case Studies

Case Study A – India: Ration Card Program

Problem

The government of Andhra Pradesh, India, needed a program to control and manage the distribution of nearly 80 million state-issued food ration cards. These ration cards provide citizens with necessities – ranging from electricity to petrol to food – and the program, historically, has been laden with fraud. The Government of Andhra Pradesh wanted a solution to eliminate fraudulent cards and theft of goods and services, and to reduce costs and ensure its citizens are receiving the entitlements they are qualified to receive. Andhra Pradesh is the fourth largest state in the area, and the fifth largest by population.

In addition to providing access to goods and services, the ration card is also a pseudo national ID card for the citizens of Andhra Pradesh. These cards help citizens get passports, admission into college, and other privileges. All families of the state receive ration cards. White cards represent those in or near poverty who need assistance; pink cards are given to those who can afford to buy what they need, whereby the card is used primarily for identification.

Source: Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State. Presentation by LG Iris at the Biometrics 2006 Conference, October 2006

The identification solution was also envisioned to be the foundation for an extensive e-government program. Long-term plans are for using the identification solution as a means of proving citizenship, as well as for other authentication/identification applications in the future. The government intends to provide electronic communication access in every village, including PCs and broadband connectivity, and believes automated ID authentication is a cornerstone to a successful and pervasive e-government platform.


The government of Andhra Pradesh also provides a hostel-education program to the needy children of the state. The identification solution selected for the ration card program would also be used to confirm the identities and populations of the nearly 4,000 child hostels across the state to reduce fraud and skimming perpetrated by unscrupulous hostel managers (one might claim, for example, that he has 150 children in the hostel when, in fact, he has only 50, keeping the extra supplies for himself or selling them on the black market).

Access to low-income houses and housing subsidy programs for 28,000 families who apply for housing assistance will also be integrated into the chosen identification solution. The biometric-based solution will be used to identify citizens to make sure those who are entitled to such support receive it, and that those who are trying to defraud the system do not. Historically, the government has learned of citizens who have fraudulently applied and reapplied for low-income housing support, or others who have applied to receive more than one house.

The government was in need of a solution for administrative control in the allocation of approximately 9,000 affordable homes in the Guntur District, Andhra Pradesh. Under the Rajiv Gruha Kalpa – affordable housing program for the urban poor – initiated by the Department of Housing in the State of Andhra Pradesh, an initial stock of affordable homes in Guntur District would be made available, with an enrollment process that incorporates iris recognition of applicant couples to prevent duplicate housing applications.

Prior to implementation of the iris code-based ration card program, most ration cards were issued to Andhra Pradesh households up to 20 years ago. Since that time, many more new families have been added to the ration card system, so the new program must be flexible and scalable to account for an ever-expanding population.

Process

The state of Andhra Pradesh sought a biometric-based identification solution to help eliminate fraud in its various benefits and citizen support programs. Several different biometric technologies were tested. It was determined that iris recognition was the ideal biometric technology for this application since other technologies did not provide the results they required. After testing both iris recognition and fingerprint technologies, the state of Andhra Pradesh issued an RFP in June 2005 for the use of iris recognition technology in the ration card program.

Some key challenges faced by the implementation team were a widely dispersed population – a combination of small villages, several large cities, and a broad spectrum of people – and varying degrees of education among the citizens; thus, the solution had to be very easy to use. Additionally, the government needed to integrate the biometric solution into its existing legacy system, while also enhancing the state’s ability to add additional capabilities and programs in the future.


The other technology that was considered – fingerprints – caused difficulties for many citizens due to the ubiquity of farmers, trades-people, and others who labor with their hands and rub off their fingerprints or render them difficult to read. After significant testing, the government selected iris recognition technology as the best solution for its current and future needs. They found enrollment to be easy and very fast, and the technology to be highly accurate in a one-to-many search mode.

In discussing the selection of the technology in a press release initiated by LG Electronics dated September 8, 2005, the Managing Director of Andhra Pradesh Technology Services commented, “We looked at several different technology options. While enrollment ease and recognition speed and accuracy all count, there are many other reasons iris recognition and the robustness of the platform made it impossible in the end to choose anything else. That the technology works equally well on adults of all ages as well as on children – who as household members are also being enrolled in the ration card program – it requires only a single enrollment in a lifetime (barring trauma). This makes iris recognition ideal for our long-term needs as the government plans to follow this program with a variety of new service offerings that will be based around the ability to use the new ration card as a valid government-issued identity credential.”

Solution

The iris recognition technology provider (LG Electronics – Iris Recognition Division) worked closely with an India-based integrator, Andhra Pradesh Technology Services (APTS), a technical services arm of the state government. The development of the RFP, design, integration, and deployment of the system were all managed in-country by APTS. It took approximately three weeks for the iris recognition-based solution to become fully integrated and functional, and incorporated into the citizens’ daily lives.

It is anticipated that, by the end of 2006, the entire 80 million population of Andhra Pradesh will be enrolled and actively using the iris recognition-based ration cards.

Iris recognition-based ration card enrollments are accomplished as follows: the family members participating in the ration card program go to one of the several hundred enrollment stations across the state, provide their demographic and biographical information to the enrollment officer, and look into the iris recognition imager to have their iris patterns recorded. This iris pattern is linked with the person’s biographical information and stored in a central database, as well as embedded into the ration card.

The initial cost of the solution was certainly a concern for the Andhra Pradesh government, but they viewed the overall long-term savings and efficiencies offered by the iris recognition-based solution as outweighing that cost. Long-term plans for an e-government platform and identification authentication were key issues in the decision about which technology and solution to deploy.


The government of Andhra Pradesh would not disclose the budget or cost for this system.

Results

To date, there has been no push-back from the Andhra Pradesh citizens regarding the use and implementation of the iris recognition-based solution. In fact, indications are that the citizens are willing to participate, since they cannot receive their benefits if they do not. As of October 2006, over 20 million ration cards were distributed in a 16-month timeframe [17] with bogus cards being eliminated in tandem.

Enrollment. The state turned over the running of over 600 enrollment sites to private entities who charge a fee (40 rupees per ration card) for enrollment into the ration card program. The Andhra Pradesh government provides limited support to these enrollment stations, as they are privately managed and run. The manager/owner of the enrollment station keeps the profits and shares a portion of the ration card fee with the government. As of October 2006, enrollments are 85% complete. [18]

Training. A centralized training program was developed prior to the deployment of the system. The owners of the enrollment stations were trained in how to enroll and use the iris recognition system and they, in turn, trained their personnel (train-the-trainer concept). The training process took a matter of weeks and both LG Electronics and the local integrator partner assisted in the program.

Cost Savings. Although there are no hard numbers available to calculate the cost savings the iris recognition-based ration card program has provided to the government of Andhra Pradesh, the state anticipates that 60%-70% of fraud will be eliminated merely by deploying the technology, since potential fraudsters will be discouraged from attempting fraud with the accurate identification technology now being used.
Initial calculations in some Andhra Pradesh districts indicate the government has already benefited from substantial savings by deploying the technology, in terms of reduced fraud and subsidies, which extends beyond the primary ration card application into district stores, youth hostels, and low-income housing. Helping the government save money by reducing or eliminating fraud provides a real service to the Indian citizens who are in need.

As of March 2006, this deployment in India is the largest known deployment of iris recognition technology in the world. Between initial implementation in July of 2005 and February 2006, approximately 8 million people had been enrolled in the iris recognition-based ration card program. As of October 2006, over 20 million ration cards were distributed in a 16-month timeframe [19] with bogus cards being eliminated in tandem, and 80 million individuals have been enrolled in the iris ration card program.

Within weeks of deployment in the Guntur District, the iris recognition-based affordable housing application program uncovered at least two known cases of ineligible applications.

In a press release initiated by LG Electronics dated September 8, 2005, a senior Andhra Pradesh government official commented “. . . is envisioned as the technology foundation for a variety of social services initiatives the government has planned and believes are important. There are, of course, financial benefits realized simply by ensuring that services and subsidies are delivered properly to those people entitled to receive them and who need them most. But there are numerous consumer benefits including enhanced convenience that are part of the ration card management program and these represent just the beginning of things we can do to make things better for the people of this state who deserve help and improved services from their government.”

What would they do differently next time? Lessons learned . . .

One of the most important things for those making biometric-based technology implementation decisions is to look at each technology on its own merit, and don’t let cost alone drive the decision. Look at the utility and functionality of the biometric technology, disengage from pricing and from legacy system issues, and determine the true usefulness of the technology on its own merit.

It is also important to involve the various technology vendors before the RFP process. Engage them in a consultative process and leverage their knowledge. Use vendors as partners in the RFP, review, selection, and deployment process, rather than just as providers of hardware or technology.

Sources and resources for this case study:

- Interview with Mohammad Murad, Director, Sales and Business Development, LG Electronics USA – Iris Technology Division – February 23, 2006
- “LG Electronics lands huge iris scan program in India.” Government Security News. September 2005.
- “Iridian Technologies facilitates affordable housing program in Andhra Pradesh, India; Iris Recognition system validates identification to ensure equal opportunity.” www.zdnetindia.com/news July 13, 2005
- “LGE Iris Tech Win in India Redefines Biometric Scalability.” LG Electronics press release dated September 8, 2005.
- “India eyes Iridian.” Optics Report. July 12, 2005
- “Indian housing plan uses local technology.” Passage to India Business Weekly. July 2005.
- Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State. Presentation by LG Iris at the Biometrics 2006 Conference, October 2006

[17], [18], [19] Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State. Presentation by LG Iris at the Biometrics 2006 Conference, October 2006


Case Study B – State of Illinois: Driver Licensing

Problem

Identity theft is a fast-growing crime that has become a major problem for both law enforcement and victims. A survey conducted by the U.S. Department of Justice (DOJ) found that the costs associated with identity theft are greater than $6 billion annually and that it has affected millions of individuals and families. Driver’s licenses and identification cards are by far the most common form of identification used in the U.S. Agencies that issue credentials like driver’s licenses and passports are a prime target of would-be identity thieves. Maintaining the integrity of these forms of identification is extremely important. Once an identity thief has obtained a license or identification falsely, it is relatively easy to assume another’s identity and gain access to their finances.

Each year, the Secretary of State for the State of Illinois is responsible for issuing driver’s licenses and identification cards to residents of Illinois. The Office has issued over 8.6 million driver’s licenses and 3.2 million identification cards at over 130 different motor vehicle facilities within the state of Illinois in the last year. The cards are issued in an over-the-counter manner where the cards are distributed to the individual at the time of the visit. Eight thousand to 12,000 images are captured on any given day.

Prior to 1998, the Illinois Secretary of State would rely on its employees to review documentation (typically a primary and secondary form of identification) and demographic information provided by an individual seeking a driver’s license or identification card to verify the identity of the individual. If the demographic information and documentation matched, as verified by an employee, the applicant would then have a film picture taken and a license and/or identification card would be issued on the spot.

One of the issues faced by the agency was that not all of the primary and secondary forms of identification included a photograph of the individual. This made it challenging at times for the employees to validate the applicant’s identity, which left opportunity for error. The other issue with the film system was that the Office did not retain copies of all the photographs taken. This was not possible with film photography.

Upholding the integrity of the identification system in Illinois is the responsibility of the Secretary of State. In 1997, the Illinois Secretary of State was in the process of transitioning the film-based photograph system used for taking driver’s license pictures to a digital-based photo system. This created an opportunity to improve their current system with added tools. There were two initial objectives in evaluating potential systems:

- The cards issued could not be easily altered or forged
- To ensure that the person holding the card is authorized to have it, is uniquely tied to it, and is who the card says he or she is

If the system could decrease the potential for card tampering and increase the accuracy in the identification system, there would be the potential to reduce the incidence of identity theft and fraud and increase public safety. All this needed to be done without compromising the privacy of the individual cardholder.

Process

The state of Illinois sent out a request for proposal for a digitally based photograph driver’s license/identification card (DL/ID) system for the Secretary of State’s driver’s license photos. The original proposal did not require a face recognition system, but included it as an option for inclusion as part of an image system that could accommodate the large number of photos in a database. Only one vendor submitted a proposal that included the option, and they were the overall successful bidder. The biometric system would be a component of the larger system. Soon after the contract for the larger system was executed, the Secretary of State’s Office decided to pursue this option.

Facial recognition seemed like a logical conclusion for this application. Facial recognition requires a digital photo of the individual, something that was already part of the DMV process. This allowed for passive, non-intrusive data gathering that had minimal effect on the customers and minimal effect on facility operations. The customers expected to get their picture taken when acquiring or renewing a driver’s license and there were no additional requirements of the DMV employees. Facial recognition technology could be applied to a piece of data that DMV was already using: the photo. In addition, no new legislation would be needed to implement the system. The facial recognition system was compatible with imported photos from other states so that it could potentially be used for law enforcement.

An important component of the biometric system was that it could handle a one-to-many (1:N) environment versus a one-to-one (1:1) environment. A one-to-one match is where an individual presents his/her biometric sample and it is compared to the one he/she presented at enrollment in the system, to ensure he/she is the same person.
A one-to-many matching environment is one in which the individual’s identity is verified by presenting his/her biometric sample and comparing it to many others in the database. In the case of the Illinois Secretary of State, the system would be required to determine if the person is known to the system (with or without a claimed identity) by comparing the presented biometric sample and resultant template with all other known references in the database for the purpose of finding any cases where the same person was enrolled more than once, and had established multiple identities using different demographic data. This type of system screens driver’s license applicants to make sure that the person is not in the system under a different identity. Because of the large number of photos that would be captured, it was critical that the system could be scalable to a very large database.

On a daily basis, the system works as follows. An individual comes into the Secretary of State office to obtain or renew a driver’s license or identification card. The individual provides his/her name and a primary and secondary form of identification to the employee. The information is input into the database. The individual then has a digital photograph taken to be used as input into the facial recognition technology, as well as for use on the actual driver’s license or identification card. Unless there are discrepancies in the primary and secondary data sources provided, suspicious documents presented, or in the other verification systems used (such as Social Security On-Line Verification), a driver’s license or identification card is printed for the individual on the spot.

Results using the facial recognition technology are not immediate. The digital image is sent to the central database each evening and is then compared against the more than 20 million images in the system, scanning for any duplicate entries. The facial recognition technology does this by placing a grid or graph over the individual’s face identifying specific nodal locations. The nodal points identify local feature information and this is compared to other samples using a weighted sum of node similarities. To put this in layman’s terms, the face is broken down into specific features and those features are compared to all the other digital photos in the central database.

Solution

The State of Illinois decided to implement the facial recognition technology into its overall system because it had significant advantages and would work effectively with the new digital photo system that was being installed.

There were several issues that needed to be addressed in implementing the new system. First and foremost was how the State would pay for the system and what infrastructure was needed to support the system. The State recognized it would need some assistance in funding the project; the cost was too high. The State was proactive in soliciting other agencies to help bear the burden of the cost. The State focused on agencies that would benefit from the technology and data that could be provided. The Illinois State Police chose to assist in funding. This created a new challenge in how to design a system that would be compatible with two agencies and determining what it would take to meet both organizations’ needs.
The system actually was quite compatible and did ultimately interface well within the organizations although, as with any new system, it had its growing pains.

Although the system seemed to fit quite well for this application, there were still many unknowns. Since the Secretary of State’s office was the first to use the technology in a high-volume, one-to-many environment, there was nowhere to go for guidance. The impact on operations was largely unknown. The technology was relatively new and there were questions on how well it would perform. Sending a large number of photos across a network also prompted security and privacy concerns.

It took the State of Illinois close to three years from the original RFP to design and implement the entire new and improved overall system. The biometric component was the last part of the overall system to be installed.

Results

The facial recognition technology has been an overwhelming success for the State of Illinois. When the system was implemented by the State, there were no other benchmark systems that could be used to gain insight. Facial recognition technology was being used, but typically on a much smaller scale. The technology has enabled the State of Illinois to accomplish its objective of improving the integrity of driver’s licenses and identification cards.

Although there were certainly some growing pains in the process, the implementation was relatively easy because it dovetailed into the current operating system; the challenge was more on the back-end than the front-end. The gathering of the data was very consistent with what typically occurred; however, the processing of the data was complex, and developing the procedures to follow when a fraud case was identified through this mechanism was something new to the office. The State now had to deal with new tasks like daily review of potential multiple identity cases, an increased number of fraud cases to investigate, and use of a new technology as part of the evidence used in the criminal justice system when cases were pursued. It was a major change in how the organization operated. One of the results of its use was establishment of an ID Crimes Unit to focus resources on this new technology and the growing rate of identity crimes it could help uncover.

“Both the use of face recognition and the use of stored images in the proofing process have resulted in early detection and prevention of fraud that would have otherwise gone unnoticed, maybe for years,” stated Beth Langen from the Illinois Office of the Secretary of State.

To date, the facial recognition technology has identified over 3,100 cases of fraud. This included over 2,700 individuals with two identities and over 300 cases of three or more identities. As a result, the DMV has cancelled over 9,700 licenses.

What would you do differently next time? Lessons learned . . .

The Illinois Secretary of State’s office began the process of implementing the facial recognition system in 1997.
The original Request for Proposal (RFP) was to upgrade the DMV film photography system to a digital based system. The original RFP included the option for face recognition and it was exercised. This system best fit their application. Other biometric technologies were not considered or evaluated. The Secretary of State chose the facial recognition system and was successful; however, there were many lessons learned. The first lesson learned was to ensure the integration of the system was in line with current business practices. When adopting the facial recognition biometric, the existing business processes needed to be re-evaluated to make sure that the processes would adequately support the biometric and determine if there were process changes required. One example of the importance in re-examining business process involved the timing of the issuance of identification cards or licenses. Cards are issued at the time the individual visits the office. However, the facial recognition process currently requires sending the photo image to a central database where it is processed overnight. If multiple identities are detected, the individual has already been issued a card and would need to be located. As part of a business processes review, the office will soon be evaluating many business processes, and that will include processes for face recognition and card issuance.


It is also important to consider the human factor – even though a biometric is being used for determining if there are multiple identities in the system, it is still the responsibility of an employee of the Secretary of State’s office to make the final decision if there is fraud. A trained staff with the appropriate skill set is critical. There are instances of false positive matches that are not fraud, but occur because an individual has more than one legitimate record in the system or may look a great deal like another person, in the case of identical twins, for example. Another important lesson learned was that the system selection, design, testing, and evaluation take a significant amount of time and effort. Having the resources that can devote the appropriate amount of time is important. It is also very difficult to test a system outside of the anticipated production environment and see the shortfalls. Only when a system is up and running in the actual environment can shortcomings or performance issues be accurately identified. Therefore, it is important to continue to evaluate the performance of the system on an on-going basis after it has been installed. Upgrades can be made and have the potential to significantly improve the overall performance. Managing expectations is extremely crucial. There is the belief that a biometric is foolproof; that it can detect any type of fraud. This is not the case and people are still ultimately responsible for the success of the system. When installing a biometric system, it is vital to consider how the public and customers will react. The reaction to facial biometrics in Illinois was positive. This was primarily due to the fact that it was a non-invasive method for the purpose of preventing identity theft and fraud and associated crimes, not a system of surveillance that is typically associated with privacy concerns. In this respect, it is protecting identities. 
The system is only accessible by Secretary of State employees and law enforcement personnel.

The environment that the system is operating in should also be considered. For a facial recognition system, proper lighting, camera locations, etc. can affect the overall quality of the image and thus affect the performance of the system. If the image taken is not of a reasonable quality, the accuracy of the system has the potential to be reduced.

Sources and resources for this study:

- Interview with Beth Langen, Illinois Office of the Secretary of State
- Biometric Summit Winter 2006 Proceedings
- Viisage press release “Illinois Secretary of State Partnering with Viisage to Prevent Identity Theft – Digital Driver’s License with Face Recognition” www.viisage.com
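
The difference between the one-to-one check and the nightly one-to-many duplicate search described in Case Study B, as an added sketch that is not part of the manual and not the Illinois system's code. The per-node cosine similarity, node weights, threshold, record IDs, names and templates are all constructed assumptions; only the "weighted sum of node similarities" idea comes from the text.

```python
"""1:1 verification vs. 1:N duplicate-identity search (illustrative sketch)."""
import math
from dataclasses import dataclass

# Assumptions, not from the manual: per-node cosine similarity, these node
# weights, and this review threshold. A real system tunes all three.
NODE_WEIGHTS = (0.35, 0.35, 0.20, 0.10)
REVIEW_THRESHOLD = 0.95


@dataclass(frozen=True)
class Record:
    record_id: str
    name: str
    dob: str
    template: tuple  # one feature vector per nodal point on the face grid


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def template_similarity(t1, t2, weights=NODE_WEIGHTS):
    """Weighted sum of node similarities between two face templates."""
    if not (len(t1) == len(t2) == len(weights)):
        raise ValueError("templates and weights must cover the same nodes")
    return sum(w * cosine(a, b) for w, a, b in zip(weights, t1, t2))


def verify(probe, claimed_id, gallery, threshold=REVIEW_THRESHOLD):
    """1:1 - compare the probe only with the claimed identity's reference."""
    ref = gallery.get(claimed_id)
    return ref is not None and template_similarity(probe, ref.template) >= threshold


def find_duplicates(new, gallery, threshold=REVIEW_THRESHOLD):
    """1:N - compare a new enrollment with every stored reference."""
    hits = []
    for rec in gallery.values():
        if rec.record_id == new.record_id:
            continue
        score = template_similarity(new.template, rec.template)
        if score < threshold:
            continue
        # Same face under the same name/DOB is a legitimate second record;
        # same face under different demographics goes to a human analyst.
        same_on_paper = (rec.name, rec.dob) == (new.name, new.dob)
        label = "same-demographics" if same_on_paper else "review"
        hits.append((rec.record_id, round(score, 3), label))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def nightly_run(batch, gallery):
    """Batch job: cards are already issued, so hits feed a review queue."""
    queue = {}
    for new in batch:
        queue[new.record_id] = find_duplicates(new, gallery)
        gallery[new.record_id] = new  # later enrollments are checked against it
    return queue


# Constructed sample data: 4 nodal points, 3 features each.
FACE_A = ((1, 0, 0), (0, 1, 0), (0, 0, 1), (1, 1, 0))
FACE_A_RECAPTURE = ((0.98, 0.05, 0.0), (0.03, 0.99, 0.02),
                    (0.0, 0.04, 0.97), (1.0, 0.9, 0.05))
FACE_B = ((0, 1, 0), (1, 0, 0), (0, 1, 1), (0, 0, 1))
FACE_B_RECAPTURE = ((0.02, 0.99, 0.0), (0.97, 0.0, 0.05),
                    (0.0, 1.0, 0.95), (0.03, 0.0, 1.0))

GALLERY = {
    "REC-0001": Record("REC-0001", "Alex Doe", "1970-01-01", FACE_A),
    "REC-0002": Record("REC-0002", "Sam Roe", "1982-05-05", FACE_B),
}
BATCH = [
    # Same face as REC-0001 enrolled under different demographic data.
    Record("REC-0003", "Jordan Poe", "1975-03-03", FACE_A_RECAPTURE),
    # Same face and same demographics as REC-0002: a second legitimate record.
    Record("REC-0004", "Sam Roe", "1982-05-05", FACE_B_RECAPTURE),
]

if __name__ == "__main__":
    for rid, hits in nightly_run(BATCH, dict(GALLERY)).items():
        print(rid, hits or "no match")
```

A one-to-one check of REC-0003 against its own claimed identity would pass without ever touching REC-0001, which is why the duplicate only surfaces in the one-to-many pass, and why the output is a review queue rather than a fraud decision.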


Case Study C – The City of Glendale, California: Desktop Computer Access

Problem

The City of Glendale is the third largest in Los Angeles County. In 2001, the city was under pressure from auditors to maintain high security standards for sensitive information. At the same time, the Federal Privacy Act was requiring higher access security. Passwords that were easy for users to remember were not secure enough. The city needed to use randomly generated eight-digit alpha-numeric passwords that were changed every 60 days. As a result, the city’s 2,000 employees were writing their passwords down on or near their workstations. Ninety-five percent (95%) of users failed to change their passwords within the time allotted, and became locked out. Forty-five percent (45%) of help desk calls were from locked out users, costing the city roughly $50,000 per year just in password administration costs.

Glendale’s municipal employees are located all across the city in 300-400 different offices working for diverse agencies including public works, power, finance, and administrative services. The city implemented a single password for multiple uses, which proved to be of little use when 1,900 users were locked out of their systems every 90 days, requiring at least two hours of work per day from the help desk staff. Because most of the calls came in clusters, employees experienced significant unproductive time as well.

Process

A member of the City Council saw a demonstration of biometric keyboard authentication at a city fair and requested an investigation. Multiple options were considered by the IT department, and the Digital Persona fingerprint reader was selected. The price, then roughly $150 per unit, was a factor, but because the vendor allowed small numbers of units to be purchased at a time, the city was able to test a few stations without a significant initial financial commitment. The units were popular.
Over time, additional departments enrolled and received fingerprint readers as funds became available.

Solution

The device was a UareU® 2000 Pro Workstation Package with sensor and software. The initial installation required having the software installed on each participating machine. The USB device is smaller than a mouse and contains a sensor. Most users primarily use their thumb, though multiple fingers and the entire thumb are initially registered into the database.

The system generates a computer password and synchronizes it with the user’s fingerprint. Users do not have to remember anything. Scott Harmon, the City’s Assistant Director of Information Services, says, “Just bring your finger”. There are exceptions though. For example, temporary workstations do not yet employ the fingerprint reader biometric.

The city has since upgraded to the 2004 version of the software, where it can be installed and upgraded centrally. Other new options and newer versions are server-based, allowing users to log into any networked computer and access their own files. Glendale would like to upgrade to this system in the future, though it would increase the costs.

Results

User Acceptance. To date, there has been no push-back from any employee. Generally, users are very pleased at the ease of use of the system compared to the past. There have been no civil liberties issues that have come to the attention of the IT staff.

User Rejection. Glendale has one employee whose fingerprints do not register. Other than this, there have been no documented cases of false acceptances. Rejections are rare. Subsequent to contact with swimming pool chemicals at his home, one employee experienced a temporary change in his fingerprints. Other employees have had cuts on their fingers or slammed fingers in a car door, causing temporary changes. As a precaution, the city registers multiple fingerprints and the entire thumb.

Enrollment. The systems are incorporated into daily activity immediately since there is no learning required of the end user. “All they have to do is put their finger on there and go,” says Harmon. Most employees are comfortable with the concept, which they have experienced at the local Department of Motor Vehicles. Registering a new fingerprint and setting up a new account is not difficult and has become easier over the last few years.

Maintenance and Training. To date, all maintenance for the systems has been handled by the in-house IT staff, which spends considerably less time on the fingerprint access system than they did with forgotten passwords. Newer reader models that have come along in the last few years are slimmer and easier to work with.
Harmon considers Digital Persona’s field technicians to be quite competent. His staff calls with questions, and most issues are resolved over the phone.

Cost Savings. Glendale has not tracked the cost savings of the fingerprint keyboard access systems in terms of increased employee productivity and fewer required help desk resources. In 2001, the cost per workstation was roughly $150. Today, that cost is reduced to approximately $100 per workstation. For a city the size of Glendale to roll out a new system today would cost approximately $200,000.


What would they do differently next time? Lessons learned . . .

The only drawback to the system, according to Harmon, is that it does not accommodate remote users. RSA’s portable, key-sized devices are better for people who work in the field, telecommute, or want to check in over the weekend. When employees want remote access, they must call the help desk for a remote reset, which must be re-synchronized when the employee returns to the office.

Anyone rolling out a new system today would have easier maintenance than Glendale had during its system launch. For example, Active Directory is a new feature that allows uploads to the domain controller that houses a central repository of all fingerprints and passwords. “It would be much easier to maintain. At the time a few years ago that wasn’t in place. That’s why we are in stand alone mode now,” comments Harmon.

In the future, Glendale also wants to enable employees to access their files from any workstation.

Sources and resources for this case study:

- Interview with Scott Harmon, Assistant Director, Information Services, and Steve Richmond, Security Analyst, City of Glendale, CA March 8, 2006.
- “Glendale, CA Goes with Biometrics”, Biometrics in Human Services, User Group Newsletter number 27, Volume 6, March 2, 2002. State of Connecticut, by David Mintie
- “Glendale Locks Down PCs with Digital Persona Biometrics”, by Lynn Haber, October 18, 2001, Ziff Davis http://techupdate.zdnet.com
- City of Glendale, Case Study Digital Persona. Digital Persona http://www.digitalpersona.com/docrequest/pdf1?pdf=18


Case Study D – Lancaster County Prison: Inmate Identification

Problem

Although the mistaken release of prisoners was not a common occurrence at the Lancaster County Prison, one high profile incident in 1993 resulted in an unprecedented innovation. An accused murderer walked out of the front door by impersonating another inmate. The prisoner was subsequently caught and convicted of the murder.

At the time, the prison employed a standard release protocol that consisted of human-based facial recognition (i.e., the guards looking at the prisoner’s face) and a series of specific questions relating to the inmate’s incarceration experience and pre-prison life. “There were checks and balances and everything had to go wrong for this to happen and everything went wrong,” says Luther Schwartz, Training Officer and Department Network Administrator for the prison.

Process

In the wake of the incident, Moorestown, New Jersey-based Iridian Technologies arranged a demonstration of its IriScan iris recognition device with Warden Vincent A. Guarini. Later that day, Guarini saw a program about the new technology on cable television’s Discovery Channel, which convinced him it was something that would be useful for the prison. “The price seemed reasonable so I thought we’d give it a shot,” commented Guarini.

The Lancaster County commissioners approved a grant application with the state Commission on Crime and Delinquency for $7,712 to fund the purchase of an IriScan® iris recognition reader, which was subsequently approved by the state commission. [20]

Solution

The first application was a DOS version, which was upgraded to Windows after roughly 24 months. Hardware currently consists of one server and two clients. The server is in an office near the systems administrator. Clients are located in the commitment and visitation areas where they are used by 30 or more staff members on a regular basis.

There are two processing phases in the prison system: enrollment and verification.
In the former, the eye is digitally photographed. Over 400 points are mapped into a 512-byte code. The iris map is stored in the database along with other information about the inmate, which is taken from identification documents. Lancaster County Prison uses fingerprints in conjunction with iris scanning for all inmates.

The iris recognition software is used primarily in the facility commitment area. By using the iris technology on its 1,180 prisoners, the prison feels it can definitely determine that the same person with the same name who was committed is released under the same name.

A secondary use is in the visitation area. As of March 2006, Lancaster County Prison processed hundreds of visitors per day, amounting to tens of thousands of visits each year. First-time visitors must produce multiple forms of positive identification, which are entered into the system along with the iris scan. Return visitors may be admitted with just an iris scan. Upon discharge, inmates are not allowed to return as visitors for six months. Within a few seconds, the system can tell if the visitor has been incarcerated at the Lancaster County facility.

[20] http://www.naco.org/cnews/1996/96-06-24/17eye.htm Lancaster County Prison uses new ID to keep eye on prisoners

Results

Errors. While the technology itself is very exact, human errors can be made in data processing. Incorrect categorization of inmates has resulted in false identification. Administrator Schwartz safeguards against this problem by occasionally looking through the database for possible input errors, which he feels a trained individual can easily recognize.

Cooperation. Lancaster County Prison has not experienced any compliance issues. Because most people are used to having their pictures taken, the process is natural and comfortable. It is also considered very safe and sanitary, since no direct contact is necessary between the subject and the guard or the equipment. The scan takes just a few seconds. When inmates and visitors express reluctance to participate, reminders that visitation and release are contingent upon compliance have made the program effective.

Support. Third-party vendors provide hardware and support. Support requirements have been minimal and routine. Most incidents are handled over the telephone. Repairs have been handled by shipping extra parts. Installation is straightforward.

Training. All of the prison employees in both commitment and visitation use the iris recognition-based system. In excess of 30 officers use it on a regular basis.
Training has been conducted by colleague observation, which is estimated by Officer Schwartz to take roughly 15 minutes.

What would they do differently next time? Lessons learned . . .

Overall Satisfaction. Officer Schwartz states that Lancaster County is pleased with the system’s ease of use and precision. Lancaster County Prison would go the same route if they had to revisit their decision today. Regarding the cost, he replied “How do you put a price on the safety of the community?”

Software Licensing Costs. Criticisms center on software licensing fees. “Because the technology is so limited, the fewer suppliers there are, the higher the price.” Mainstream software, such as that used in fingerprint recognition, can be less expensive.


Database Integration. Because iris scans are a fairly new technology, there is not a large iris database in existence to leverage or integrate with other law enforcement authorities. Fingerprints, which have been introduced at Lancaster County Prison for other applications, can be checked against FBI and National Crime Information Center, whose databases include years and years of input. “The AFIS system goes out and gathers information and brings back a criminal history on the individual… with the iris, you don’t have that kind of resource available,” says Schwartz. Lancaster County Prison’s iris database is maintained at the prison and is not shared with other entities.

Sources and resources for this case study:

- Interview with Luther Schwartz, Training Officer and Department Network Administrator, March 30, 2006
- Interview with Frank Fitzsimmons, President and Chief Executive Officer, Iridian Technologies, April 6, 2006
- http://www.naco.org/cnews/1996/96-06-24/17eye.htm Lancaster County Prison uses new ID to keep eye on prisoners
- “Body Language: Using biometric Technology” March 1, 2002, American City & County, http:/www.printthis.clickability.com/pt/cpt
- “IriScan’s Leader Looks Secure”, Business Week Online, July 5, 2005, Olga Kharif
- New York Times Technology Review, April 5, 2006, http://tech2.nytimes.com/mem/technology/techreview.html?res=9B04E1DA163CF931A3575BC0A9679C8B63

Case Study E – University of Georgia: Student ID/Access Control

Problem

The first hand geometry system that was installed in the University of Georgia dining hall in 1972 to verify meal plan participants has since grown to a fully integrated solution that secures three different types of facilities on the school’s extensive campus. In addition to the continued use of hand geometry in the dining hall, the system was expanded to include student housing – to verify a student lives in the building – and to the student recreational center – to verify membership in the sports facility.

With a student population of 32,000, the University needed an access control system that was fast, easy to use, and foolproof. To provide a safe, secure campus, the school wanted to identify students entering residential halls and athletic facilities and to limit dining hall access to those students who had paid for a meal plan. A fourth application for hand geometry that is currently being considered by the University is to identify students prior to exams, to be sure the right student is taking the test.

Process

The University of Georgia has been a pioneer in adopting biometrics, implementing one of the first wide-scale applications of hand geometry in the U.S. When it was time to upgrade the school’s old (1972) hand readers in 1990, the administration evaluated various biometric technologies, such as facial, hand, fingerprint, iris, and signature devices. With a large, diverse, and active student population, the University needed a solution that did not require cards (students lose, forget, or loan them) or a typed passcode (students forget or loan them). Biometrics offered a token-less solution, and hand geometry technology met the school’s requirements for ease of use, functionality, and cost. A signature-based biometric was evaluated, as well as other technologies, but was found to be too time consuming for students accessing the dining hall and housing facilities.

Initially, the University relied on outside consultants and integrators to assist with evaluation, selection, and integration. As the system grew over the years, the University brought this function in-house and is now self-managing the hand geometry system through two full-time employees.

Solution

Initially, the 1972 systems were two-dimensional hand geometry readers placed at dining hall entrances to verify that students who paid for meal plans were the same students that actually entered at mealtime. Students who require a work-around (e.g., students without a right hand) can type in a passcode for access.

The 1972-1990 system required a card to be inserted with no other option. The 1990-1994 system required a card to be swiped. All of the data was held on the card until first use, then stored in reader memory. The current system allows for either a card swipe or the number from the card to be entered into the HandKey reader. In order to do a one-to-one match, the University requires that the unique number be entered. This versatility is one reason the system has a high level of acceptance among students.

In the dining hall, the system averages 1,700 attempts per day per reader (with two installed readers), translating to over 3 million valid accesses per year during the school year. Based on the system’s success in the food service area, the university installed a similar system to control access to the Ramsey Center, a recreational sports facility. The Ramsey Center includes six readers, averaging 2,500 authentication attempts per day (translating into 870,000 accesses per year). The University controls its false rejection rate to about 1.5-2%.

Next, the school added the biometric security solution in the housing facilities, replacing magnetic stripe-only readers with hand geometry readers. Across the dorms, there are 450 access attempts per reader per day, translating to over 2 million accesses per school year. (In September 2005 alone, there were 300,675 valid accesses.) The hand readers for the housing system are unmanned, but there are security cameras at each entry point for additional safety. Today, the 70-reader system controls access for 32,000 users to select facilities all over the campus, from dining halls to recreational centers, dormitories to testing rooms.

According to Donald Smith, coordinator of the University of Georgia (UGA) Card Services department, “The number of cards typically lost in a year is a good reason for not utilizing a card-based system, so biometrics just made more sense.”

Enrollment into the hand geometry system happens when a student initially gets his/her campus ID. The University enrolls the right hand of every student and the process typically takes about 1-1.5 minutes. During the enrollment process, the students are also trained in how to use the system for access to the various locations where it is used. Currently, the University is storing about 90,000 hand images on its central server. Identification time through the various turnstiles averages 1-2 seconds.

Results

Since 1972, use of the hand geometry technology for student identification and access has saved hundreds of thousands of dollars in terms of personnel time and materials for replacing lost student access cards. This initiative was important to reduce the number of IDs the students had to manage.

In total, the University of Georgia has spent over $250,000 on its biometrics program spread out over a 5-year period – approximately $2,000 for each of the indoor models and approximately $3,000 for every outdoor model. Costs are greater for the outdoor readers because they require steel enclosures to protect them from weather.

From initial deployment, it took approximately four years for the system to become fully integrated into students’ daily use across campus. The vast majority of students are enthusiastic about the hand geometry systems. “They think it’s cool,” commented Donald Smith. “It is future technology. We don’t get many complaints from students.” Occasionally the University receives objections based on religious beliefs. There are workarounds for these students, as well as for handicapped persons or those missing a finger or hand. There are about 84 students requiring workarounds (out of a 32,000 population).

What would they do differently next time? Lessons learned . . .

The initial deployment of hand geometry back in 1972 still relied on cards, which housed the students’ biometric data and passcode for the one-to-one verification. Transitioning the biometric data to a centralized server not only reduced the number of cards processed each year, but also reduced the total number of servers required to operate the campus-wide system, saving the University a significant amount of money. Additionally, authentications are done in real time and are much more efficient.

It is important for those considering a biometric-based identification system to study how other organizations similar to yours are using such technology. There is no single biometric technology that is right for every application. Make sure the solution that is chosen is the best one for your application. Look at all the various options.

Lastly, remember to get the users involved, as best you can. Introduce them to the concept, allow them to be part of the decision-making, and explain the reasons for transitioning to a biometric-based solution. Most importantly, explain how the system will benefit them in the long run. Users will tend to be more cooperative if they understand how the system works and why it is needed.

Sources and resources for this case study:
- Interview with Donald Smith, University of Georgia – March 16, 2006
- “University of Georgia Secures Campus with RSI HandReaders” press release from IR Recognition Systems
- Floyd, J. Michael. “Biometrics-The Future Competitive Edge” FE&S. January 2003
- “University of Georgia Migrates Recognition Systems HandReaders Campus-wide” press release from IR Recognition Systems. July 30, 1999
- Kiernan, Vincent. “Show Your Hand, Not Your ID” The Chronicle of Higher Education-Information Technology. December 2, 2005

Case Study F – St. Vincent Hospital: Desktop Computer Access

Problem

St. Vincent Health is an Indiana-based healthcare provider with a network of 16 hospitals and a number of health services locations. St. Vincent is a member of Ascension Health, which includes more than 70 healthcare facilities. Although St. Vincent is one of the largest healthcare providers in the Indianapolis region, attracting and retaining physicians is extremely competitive and the hospital must continually seek ways to enhance its attractiveness to area physicians and surgeons by ensuring its facilities are state-of-the-art and easy to work in.

In 2000, looking to gain a competitive advantage in the Indianapolis region, the management of St. Vincent Health embarked on a program to improve physician satisfaction with the hospital, improving their overall experiences with referring their patients to and working in St. Vincent hospital over other healthcare options in the area.

One part of the overall “physician satisfaction program” included the need for improved and more efficient access to the hospital’s electronic patient information, health records, and other computer-based systems used by the hospital’s physicians and nursing staff. The goal was to increase ease-of-access to information while also improving data protection. The hospital’s computer network serves 8,000+ users and operates 24 hours per day, seven days per week, so a solution that is fast, secure, easy to use, and extremely reliable was required.

Part of the problem was that, as the hospital’s information and computer system grew, in conjunction with a growing number of physicians, surgeons, nurses, and other medical staff working at the facility, St. Vincent experienced problems with multiple physician passwords. Up to 500 active St. Vincent doctors were accessing four to 10 different applications every day, all with different passwords.

“Physician access to our systems had always been a problem and it was becoming more of a problem as we added advanced systems and additional required passwords,” commented Bruce Peck, Information Security Officer at St. Vincent. “Patient records are completely electronic and physicians were having difficulty accessing charts and signing off on medical records, causing more administrative work than was necessary.” Time-crunched physicians were having to request password resets, which delayed patient record access and frustrated the doctor, the hospital IT department, and the nursing staff.

Process

St. Vincent needed an efficient and highly secure system for healthcare workers to access patients’ electronic medical records, while complying with the government’s Health Insurance Portability and Accountability Act (HIPAA) privacy rules that became effective in 2003.

After extensive research and review of various biometric technologies, St. Vincent’s IT team determined that a single sign-on (SSO) solution in combination with biometric authentication would enable them to eliminate the most critical log-in challenge – forgotten passwords. They conducted a competitive pilot program to fully test a variety of available solutions. The hospital determined it needed to replace the one single sign-on password with a fingerprint authentication solution.

Solution

In the decision-making process, system support for multiple biometrics was a key decision factor. The system had to be “biometric agnostic.” Although St. Vincent is currently using fingerprint technology, iris recognition is being considered for system access where users may be gloved and masked.

Problems are anticipated in implementing a biometric solution in clean rooms, such as surgical areas, where protective clothing is required. Surgical personnel cannot use fingerprint scanners while wearing latex gloves. The design of certain intensive care areas required the hospital to install special wall-mounted PCs, which posed an additional challenge.

The sterile environment of a hospital also presented a unique challenge in that nursing stations, for example, are wiped down with cleaning products that are not normally compatible with computer keyboards and fingerprint scanners. As a result, a special silicon seal was developed for the fingerprint reader to prevent liquid from seeping inside the casing, and the hardware OEM ensured its chip coatings would stand up to cleaning solvents used in a hospital setting.

A very small number of users have difficulty with a fingerprint reader. For these individuals, a password work-around is in place. Currently, St. Vincent uses 1,500 workstations with one fingerprint reader at each.

Results

The fingerprint-based single sign-on solution implemented by St. Vincent allows many clinical users to quickly share workstations without the time consuming requirements of logging in to the network operating systems (Novell and Windows NT). “With the biometric-based SSO, we have the assurance that a person logging into the system is really that person, for increased accountability that didn’t previously exist,” commented Bruce Peck.

With the government’s HIPAA privacy rules, it is an added bonus that biometric authentication solutions provide St. Vincent’s healthcare staff and doctors with a more efficient and more highly secure system for accessing patient electronic medical records, ultimately combining St. Vincent’s “physician satisfaction” objectives with HIPAA compliance.

When the fingerprint-based SSO system was first initiated, the hospital was fortunate to have strong support from the nursing director. Once the rollout was underway and other clinical areas saw the benefits of biometric authentication, the hospital’s IT department had difficulty keeping up with the inquiries.

Enrollment into the fingerprint-based system was simplified and streamlined to accommodate the hectic and time-crunched schedules of the doctors. Enrollment had to be flexible and adapted to the people, as nurses cannot be absent from the floor and physicians come and go depending on patient rounds and surgery schedules. Rather than hosting set times for enrollment during a conventional 9 to 5 workday, the enrollment program was multi-phased and capitalized on the places within the hospital that staff and physicians tended to frequent, such as the cafeteria and lounges. One-on-one enrollments were held at a variety of times to catch healthcare workers on swing and night shifts. The personal interaction between an IT staff member and the physician or healthcare worker helped advance the project because they could immediately address questions on privacy and safety, as well as train the doctors and nurses in system use.

To manage the entire enrollment process, St. Vincent hired two full-time staff people for eight months. After five years of deployment, the fingerprint-based SSO system identifies over 3,000 individuals with 1,500 fingerprint readers.

What would they do differently next time? Lessons learned . . .

The cost and time required for enrollment was not thought through at the beginning. The multi-phase approach and addition of two full-time staff who concentrated only on enrolling healthcare workers and doctors into the biometric system was necessary, but unanticipated. The “catch as catch can” enrollments made it difficult to predict how long it would take from initial deployment to full enrollment and participation.
The cost for future upgrades of hardware and software should also be considered in any biometric deployment, as technology is continually advancing. Technology flexibility was a critical requirement for St. Vincent so that various fingerprint reading devices from different vendors can be used, if needed. The hospital wanted to avoid getting locked in to using only one vendor.

St. Vincent realized after a few months of deployment that they should have forced people to use the fingerprint-based SSO system at the onset, rather than allow users to continue with the password-based system. Stragglers and late adopters were slow to enroll (due to their demanding and non-conventional schedules), so the hospital eventually had to lock down the systems to force users to enroll in the biometric-based solution.

The healthcare environment at St. Vincent causes dry skin because users constantly wash their hands. It was important to experiment with fingerprint readers from various vendors to identify which could best accommodate a dry skin environment. Those looking to implement a biometric-based system, particularly one that requires touch, should closely examine the users’ environment to identify such factors and take them into account at the onset.

Sources and resources for this case study:
- Interview with Bruce Peck, Information Security Officer for St. Vincent Health
- “Biometrics and SSO: Helping in Healthcare” PowerPoint presentation from St. Vincent Health
- “Hospital Adopts Biometric Security Solution for Workstations”. www.findbiometrics.com
- Peck, Bruce. “Rx for Password Headaches” Health Management Technology magazine. January 2003
- “St. Vincent’s Hospital and Healthcare Center” client profile from Saflink Corporation
- “St. Vincent Solves Security Challenges with CA’s eTrust Single Sign-on” client profile from Computer Associates
- Verton, Dan. “Hospital Taps Biometrics for Single Sign-on” ComputerWorld. October 2001.

Case Study G – Beaumont Hospital: Medical Records Security

Problem

William Beaumont was a surgeon in the U.S. Army and was renowned as “The Father of Gastric Physiology” based on his research performed on the human digestive system. In 1956, the William Beaumont Hospital was opened in Royal Oak, Michigan in honor of Dr. Beaumont. Today, Beaumont Hospital is a corporation that consists of two locations, Royal Oak and Troy, Michigan. Both hospitals are community hospitals with full in-patient and out-patient services. The Royal Oak facility currently has 1,061 beds, 8,500 employees, and 1,760 physicians. The Beaumont Hospital in Troy was opened in 1977 and is considerably smaller than the Royal Oak facility with 254 beds, 2,800 employees, and 900 physicians on staff. The Troy emergency room saw over 60,000 patients in 2005.

In 1994, Chris Hengstebeck was in charge of the hospital security system for the Troy facility. The security for any hospital includes the protection of in-patients, out-patients, employees, and visitors. This is extremely challenging because of the sheer number of individuals (employees, inpatients, outpatients, emergency room patients, and visitors) that enter the facility every day, 365 days a year. The other challenge in hospital security is the transient nature of the individuals who visit due to the continuous patient turnover.

There are different levels of security for different hospital areas. The areas in Beaumont that required higher levels of security were the narcotic storage areas and the OB/Maternal Child Health area. The objective was to improve the accountability in the distribution of controlled substances and better control access to the OB/Maternal Child Health wing of the hospital.

At the time, card access was the method used by employees to access restricted areas in the hospital. This provided a level of security, but it did have its problems. Theft of narcotics in hospitals is a significant problem. With distribution of controlled substances, the current hospital system was able to identify individuals entering the room where the narcotics were stored; however, there was no method to determine the actual narcotic that was taken from the cabinet. Also, magnetic identification cards can be shared, stolen, or lost. That meant that although there was a record of the card used to access the area, there was no guarantee the appropriate person actually used the card to gain access.

In addition to attempting to improve access to certain areas, there were also issues with employees carrying their identification card on a consistent basis. Doctors were the primary source of the problem because many would forget or misplace their identification cards.

The goal of Mr. Hengstebeck was to improve the overall security in the hospital. Cost was an important consideration. The magnetic system’s average cost per card reader was $225. The hospital employees were very comfortable with this system, and changing it had the potential for resistance and could require a significant level of effort.

Biometrics was initially considered purely out of Mr. Hengstebeck’s curiosity. Biometrics was not widely used and there was concern about whether the technology was advanced enough to use in this type of application. It was even difficult to determine if there were any hospitals utilizing a biometric technology. Hand geometry was the biometric system most widely used at the time. A typical hand geometry scanning unit was $1800. This was significantly higher than the magnetic system the hospital currently employed.

Process

The hospital sent out a request for proposal for a hand geometry-based biometric system to determine if it was a feasible, cost-effective solution for the hospital. Hand geometry seemed like the natural solution since it would utilize the same equipment that their existing magnetic card reader system utilized. The requirements for a hand geometry system (wiring, door hardware, etc.) were consistent with their existing system, and the units could be placed exactly where the card reader units were and they were similar in size.

The hand geometry system would need to be user friendly and able to accommodate typical scenarios experienced in hospitals. An initial concern would be if the system would be usable if someone was wearing surgical gloves. In addition, hand washing is a common practice in hospitals. Hands can become extremely dry and many hospital employees use lotion to combat the dry skin. Would the system be affected if someone had lotion on his/her hands? Although it was important to limit access to restricted areas, there needed to be an override mechanism in case of emergency.

The price per unit of $1800 was a deterrent to installing a biometric system throughout the hospital. The hospital contemplated installing three hand geometry units in the narcotics storage area. This is where the hospital believed it would yield the greatest benefits and would be more willing to incur the cost. The units, if installed, would be a trial case to validate the effectiveness of such a system in a hospital setting.

Solution

Beaumont Hospital decided to implement a hand geometry system, from Recognition Systems, in the narcotics storage area. Three units were installed initially by Electronic Security Systems. The hand geometry system would measure the length, width, thickness, and surface areas of an individual’s fingers and hands. The data is then sent to a central security database where it is monitored. An employee would identify himself/herself to the system by entering an identification number (ID) and then placing his/her hand on the reader; the system then verifies that the employee is who he/she claims to be. Initially, there was a concern regarding the usability of the system with surgical gloves. This did not become an issue due to the fact that surgical gloves are typically removed after each procedure and are not required in the narcotics area.

The added benefits of the hand geometry system were that the hospital would be able to identify who entered the controlled access areas. For the narcotics storage area there would be complete accountability. The hospital would know who entered the room and the specific narcotic that was taken. This was a substantial improvement over their current system. On a daily basis, hundreds of employees access the narcotics storage room, and the drugs stored in this area were highly desirable and could be sold for a significant amount of money on the black market if they fell into the wrong hands, with potentially deadly consequences.

Results

The hand geometry unit was an overwhelming success at Beaumont Hospital in Troy. Currently, there are over 60 readers in the hospital. The readers are located in nursing areas of the hospital that include medical surgical and critical care. The readers were phased in over a 12-year period and were typically installed in areas that were undergoing redesign or renovations. All the readers are supplied by the same manufacturer. This allows for ease of compatibility.

Enrolling employees in the system is relatively straightforward and consists of assigning an ID number to the employee and scanning the employee’s hand in the hand reader. The ID number is used for both the card access areas as well as the biometric access. In order for an employee to gain access using the biometric system, the assigned ID number needs to be input into the reader. The employee then places his/her hand on the scanner three times. The system either verifies the individual’s identity or rejects the individual. The error rate in the system is extremely low and is typically the result of either inputting an incorrect identification number, poor hand placement, or not following the instructions on the prompter.

Another issue that may affect system use is the frequency with which an individual utilizes the system. If someone has not used the system in a considerable amount of time, the sensitivity level may not recognize the user. Significant changes in hand size may cause the system to yield a false identification match. This could be from swelling from some type of hand injury. Bandages may also affect the ability of the equipment to identify the individual. These occurrences are rare and require the individual to re-enroll to re-establish his/her identity. There is only one individual to date who is not compatible with the system.

The actual readers are very similar in appearance to the magnetic card readers. The maintenance of the actual hand readers is minimal. Occasional re-calibration and/or cleaning are the extent of the maintenance. Feedback from the employees notes that the hand readers are very user friendly.

For the narcotics storage area, there is a hand reader to gain access to the area as well as a hand reader to access the storage cabinet. In addition, there is a software system called Pyxis that is used to identify the specific medication and amount that is being dispensed. The Pyxis system is standard in most hospitals for use in dispensing of narcotics. Each employee has to enter their unique user name and password in addition to a thumbprint biometric in order to access the system. The type of narcotic as well as the dosing information is input into the Pyxis software system. Even with all of these security measures, there is the potential for employees to input false information into the Pyxis system or to not dispense the narcotic to the patient; however, with frequent audits these types of breaches are kept to a minimum and are extremely traceable. The system has also been used to assist in theft investigations and time fraud investigations.

What would you do differently next time? Lessons learned . . .

This system works extremely well for the Troy facility, but the Royal Oak facility has not yet installed any biometric technology. The initial investment in a biometric system in such a large facility would be millions of dollars and the Royal Oak hospital at this time cannot justify the expense.

It is important to investigate all types of biometrics before deciding on one type. There is the potential that there are other biometric technologies that are much more affordable when considering the overall system cost. Facial recognition is supposed to be less expensive and could have worked well in the hospital; however, at this point the high switching cost, going from hand to a different biometric technology, would be prohibitive.

It is also important to verify that the organization obtains the greatest value from its use of the biometric. There are many applications for biometrics in a hospital setting. Currently, hospitals are utilizing biometrics to manage access to patient health records (HIPAA compliance), identify patients, control access to controlled/restricted areas, and assist in employee time management.

A biometric system, although it has a high upfront cost, has the potential to save money for many organizations in the long run. When implementing a system, it is important to think through the ways that it can save the organization money. One example at Beaumont is the reduced cost of theft investigations due to the improved access control and identification accuracy.

Recent Developments

There has been an industry shift from the use of hand gels for hand cleaning to foam hand washes due to the longevity and fire retardant properties. There is preliminary evidence that the use of these foam hand gels inhibits the performance of the hand scanners. Most employees wash their hands before and after entering the nursing areas. Residue from the foam hand wash may still be on the employee’s hand and is then left on the hand scanner, leaving their impression on the device. The employees most affected are ones with smaller hands. This is still under investigation and no conclusions have been reached.

Sources and resources for this study:
- Interview with Chris Hengstebeck, Director of Security, Parking and Safety at William Beaumont Hospital, Troy, Michigan
- Biometric Summit Winter 2006 Proceedings


Case Study H – Pinellas County Sheriff’s Office: Arrestee Identification

Problem

Like other law enforcement agencies around the country, the Pinellas County Sheriff’s Office (PCSO) found it was burdened with a cumbersome manual booking, release, and criminal investigation (identification) process. During the arrest process, it is common for law enforcement officials to be confronted with people who lack proper identification, such as a driver’s license, or who may present an alias ID to avoid identification. Sometimes, the individual is incapable of telling officers his/her name. The manual process that was used by the PCSO caused delays in information collection and analysis, sometimes letting suspects get away with providing false identification, hampering law enforcement, or sidetracking investigations. With annual bookings exceeding 60,000 and a 60%-70% recidivism rate, the Pinellas County Sheriff’s Office needed a more automated and reliable way to identify suspects, convicted persons, and others coming into and out of the jail system. Additionally, the technological solution that was to be selected had to be user friendly and straightforward enough for the 3,300 PCSO personnel who would be interacting with it on a daily basis.

Process

In 2000, Sheriff Everett Rice looked into various technology alternatives for the PCSO and was awarded a federal grant from the Office of Community Oriented Policing Services (COPS) at the U.S. Department of Justice to implement biometric technology. The goal of the funding was to demonstrate the use of facial recognition technology for Florida law enforcement. A major portion of project scoping included the integration of nearly 12 years of photos and images of people who had been through the PCSO system, as well as data and images from many other Florida law enforcement agencies who would cross-share image and data information.

This was a huge application for facial recognition technology, with many moving parts in a complex system. For project and system design, there was more to consider beyond a basic plug and play application. For example: How would the solution be integrated across other operations and departments? How should users interact with the system? To help address these and other issues, PCSO encouraged end-user involvement in the decision process by engaging a cross-section of personnel from various departments – patrol, intake, operations, release, etc. – garnered input from the very people who would be using the system on a daily basis, and provided guidance to the technology vendor who could tailor system design to PCSO’s specifications. For a system this complex that would eventually extend across the state, the vendor needed to fully understand and appreciate the processes and business flow of the organization.


With the project scope defined, PCSO selected Viisage facial recognition technology since it planned to build a large state-wide database with potentially millions of images that would be shared among multiple law enforcement agencies. Viisage’s prior success with driver license applications also provided credibility for both the company and this particular facial recognition algorithm. The timeframe from initial system design to implementation was about 6-8 months, with a review session held after about 4 months to recommend any additional changes before the final system was delivered, installed, and deployed. Total cost for the complete system was approximately $10 million, which included design, deployment, training, and other elements.

Solution

Since this is a law enforcement application, fingerprint technology was considered and reviewed. Because it can be difficult or impossible to get readable fingerprint images from uncooperative suspects, the facial recognition technology was selected. Although the department has kept a digital fingerprint file since 1995, it has also maintained images of arrestees for over 12 years. Ultimately, the facial recognition system does not replace the use of fingerprints, but it is an important complement to fingerprints, which are still used and required by the court system. In 2000, when the PCSO’s 7-year-old proprietary mug shot system was due for replacement, officials decided to try facial recognition to identify prisoners at booking. The full facial recognition system that was designed and deployed for PCSO is a multi-faceted solution, comprising intake and booking at the jail, mobile identification in patrol cars, watch list identification at the airport, visitor identification at the jail and courthouse, and cross-jurisdictional sharing of facial images and data amongst the Florida-based law enforcement community.

Facial recognition has allowed the sheriff’s office to quickly access important identity information and retrieve records, allowing officers to correctly identify even the most uncooperative suspects and to conduct more efficient investigations.

Mobile System. The technology allows deputies in patrol cars to capture a person’s facial image with a digital camera, place the camera into a docking station in the patrol car, and, via wireless communication to the image databases of the PCSO and other jurisdictions, conduct a facial recognition search to determine if the individual has been previously arrested. By using the facial recognition technology, patrol officers can know immediately if the individual in question has a PCSO criminal record, including previous offenses. Officers who encounter suspects on the street who have no or unverifiable identity information can, within 20-30 seconds, have a gallery of photos presented in the patrol car and use these to make a positive identification. As directed by the Department of Justice grant, the PCSO has partnered with other state and local agencies in Florida to maximize the effectiveness of the system. Agencies participating in the facial recognition program include: Florida Department of Corrections, Florida Department of Law Enforcement (FDLE), seven Florida Regional Terrorism Task Forces, Hillsborough County Sheriff’s Office, Orange County Sheriff’s Office, and Miami-Dade, Broward, Leon, and Duval counties.

Intake and Booking. When a suspect enters the PCSO facility, his/her photograph is taken and compared against the database of images to determine if he/she has been through the system before. With more than 60% of those arrested being repeat offenders, the PCSO identifies hundreds of people each year using only their faces. With information about the arrestee’s criminal history, the officer can handle each case with appropriate care and caution. When a match is made, the suspect’s basic demographic data is automatically entered, regardless of any alias name he/she may have given, and the new record is linked to previous bookings, creating a more efficient and thorough process.

Release. Before an inmate is released from the Pinellas County jail, facial recognition is used again to confirm the individual’s identity. This additional check compares a photograph taken at the time of release with the formal booking image, providing a side-by-side comparison of the two photos for the officer to review, along with a green, yellow, or red rating based on the facial recognition results, helping to ensure release of the right inmate. Since the facial recognition system was installed in 2002, PCSO has not had a single incorrect release.

Airport System/Watch List. In a partnership among the PCSO, St. Petersburg-Clearwater International Airport, and American Trans Air (ATA) Airlines, facial recognition technology was implemented to improve passenger security. Facial images of ticketed passengers are checked against a 5,000-record database of Federal, State, and local violent and wanted criminals as part of regular security procedures. The facial comparisons are done in real-time and compare a passenger’s face to a select universe of wanted persons’ images.

This system, which was provided by the PCSO with funding from the U.S. Department of Justice, is located at two departure security checkpoints in the airport. Since the PCSO was implementing the same facial recognition technology for its own use in suspect identification and inmate booking, law enforcement felt it necessary to deploy the same technology at the airport for a watch list application.

Results

The PCSO’s application is believed to be the largest facial recognition-enabled law enforcement tool in the U.S., with nearly 4.5 million records in the database. “Since implementing Viisage’s fused face recognition technology, we have noted marked increases in the accuracy and speed of identifying and verifying arrestees,” commented Lt. Jim Main of Pinellas County Sheriff’s Office.


Commenting on the value derived from the mobile system alone, Lt. Main said, “The deployment of the Mobile Identification System has added an entirely new dimension to law enforcement practices of our field deputies. Many of our daily encounters involved individuals who lack acceptable identification or provide false information. This system has provided our deputies with a tool that complements their training and judgment and reduces costly delays that can occur when attempting to ascertain an individual’s true identity. Furthermore, this solution helps improve deputy safety and public safety by providing instant information on the suspect in question and ultimately taking criminals off the streets.”

Training

Intake and Booking. Prior to installation of the final system, a “test and training” environment was created, in which the old legacy system was kept online to assure continuity and provide two levels of verification during the transition period. Approximately 800 people participated in the initial training program, each receiving a minimum of 4 hours of training on the new facial recognition-based booking system. Every station was emulated and scenarios were run – from intake and receiving to booking to release. All personnel learned what facial recognition was and what it was not, and popular myths were dispelled. Education and training were a key component to combating any negative perceptions about the use of biometric technology in general or facial recognition technology in particular. The PCSO followed a framework for training that revolved around both classroom learning and in-use training. After installation, typically 8-20 people were included in a training session, complete with handouts and bound copies of the system user manual. Scenarios were used to build system proficiency and comfort in using it. Time was allotted after formal training for personnel to practice, review, and apply what they had learned.

Users ran through the various components to familiarize themselves with the system. They were taught how to pick out key elements of a person’s face, and learned how and why the facial image gallery could be completely different than what they might initially expect. For example, race and gender are not considered by the algorithms. Next, the operational components of the facial recognition system were taken into account. Personnel were placed into different groups and taken through the various operational components – in 4-hour shifts for about one month. Supervisors were included in this training program to “train the trainers” and took the lead in training the PCSO staff and answering questions. Once all personnel were trained in using the facial recognition system, a live switch over from the legacy system to the new biometric-based system was completed. It was noted that this transition from the old procedures to the new process was the smoothest one ever for the PCSO.


Continuing support and training for PCSO personnel in use of the facial recognition system include training materials and handouts, users’ manuals, email contact and technical support, online support, and a “cheat sheet” that resides at each station.

Airport System/Watch List. The investigative component of the facial recognition system is in use at the St. Petersburg/Clearwater Airport, jail visitation center, and courthouse. During personnel training, PCSO had to address up front why and how to use the system since this application is different from the jail application. In this usage scenario, screeners are only concerned with persons who are actively “wanted” with outstanding warrants. The investigative screening training required 4-hour blocks of time for in-lab or classroom training, which included an overview on facial recognition – what it is and what it is not – to dispel popular myths about biometrics. Users were allowed to bring in various photos and images they wanted to test on the system. The I-Browser (investigative browser) Challenge became a critical component in the training program. This involved a test of 10 different images of people known to be “in the system” in which the user had to identify them based on the gallery of images returned.

Mobile. Fifty out of 550 marked patrol cars are equipped with the mobile facial recognition capability. When first deployed, several groups, each containing 6-8 officers, were trained about facial recognition technology and system usage. The I-Browser Challenge was used, as well as scenario-based training that comprised a beta car with the facial recognition system installed for practice. New users receive about 4 hours of one-on-one training with sessions held monthly.

User acceptance. The in-depth training program for all aspects of the facial recognition system along with inclusion in the initial design process were critical to overall user acceptance and buy-in.

There is a broad spectrum of personnel associated with the PCSO – some more technically savvy than others, and some more open to new processes and ways of doing things. The system was tailored to meet the needs of those who had been with the organization the longest so they would be comfortable with it. Multiple methods of working with the system were designed in to meet the varying comfort levels, styles, and preferences of the users. Personnel can navigate and interact with the system based on their own styles.

What would they do differently next time? Lessons learned . . .

Due to careful and thoughtful planning of the system at the outset, there were really no surprises or hidden costs associated with the deployment of the facial recognition system. The system was well-designed from the beginning thanks to close collaboration among the vendor, system end users, and PCSO decision makers. Looking back on the training program and continual turnover of personnel, more “train the trainers” would have been prepared initially. As personnel advanced into new positions or left the PCSO, many of the initial “train the trainers” moved on, so there became a critical need for additional people able to take this role. PCSO would have increased the ratio of trainers in training vs. end users in training during the initial training cycle. Additionally, a closer look would have been taken at the actual people being trained. Ultimately, everyone was trained on system usage, but not everyone perhaps should have been. From a cost perspective (both time and money), PCSO could have saved some overtime costs by excluding those individuals who would not interact with the facial recognition system. Other personnel could perhaps have been trained less intensively.

Ultimately, the facial recognition system deployed by PCSO has changed law enforcement in Florida for the better. Advice for another law enforcement agency looking to deploy a biometrics-based system is: be sure to look at the various technologies that are available and do your homework on the vendors. One reason the PCSO implementation was so smooth was because the vendor was willing to listen carefully and create real solutions. Be sure to work directly with the vendor and integrator to define exactly what the need is and how the biometric-based system will be used, and fully understand the scope of the project and the timing, based on precise needs and goals.

Sources and resources for this case study:

- Interview with Scott McCallum, PCSO – May 25, 2006.
- Facial Recognition: The Pinellas County Sheriff’s Office Experience. Presentation provided by Scott McCallum.
- “Facial Recognition in Action.” Government Security. August 1, 2004.
- “Who’s Who: Piece by puzzle piece, FL county checks suspects’ identities.” Government Computer News. August 2, 2004.
- “Pinellas County Invests in Face-Recognition Technology.” Tampa Bay Business Journal. October 8, 2002.
- “St. Petersburg-Clearwater International Airport Deploys Viisage Technology Facial Recognition Security.” Viisage press release. January 22, 2002.
- “An Arresting Case for Biometrics.” Biometric Technology Today. May 2005.
- “Viisage Awarded $2.4 Million Facial Recognition Contract from Pinellas County.” Viisage press release. October 8, 2002.
- “Pinellas County Sheriff’s Office Deploys New Mobile Identification Solution.” Government Technology. June 18, 2004.


Case Study I – United Arab Emirates: Iris Expellees Tracking and Border Control System

Problem

Combined, the seven emirates that make up the United Arab Emirates amount geographically to the size of the U.S. state of Maine, but what the UAE lacks in territory, it makes up for in wealth and unprecedented population growth. Because the UAE depends heavily on an outside workforce, a steady influx of expatriates has boosted the population in recent years to more than four million, out of which only 20% are UAE citizens. Foreign workers pour in from the region, as well as from every other continent. Having to deal with a daily onslaught of immigrants and visitors, the UAE adopted advanced technology to strengthen its border control and identify potential terrorists. The UAE is one of the first countries to use an iris recognition system at most points of entry.

Process

The biometric technology selected for the border-crossing and expellee identification solution was required to:

• Identify a single person from a large population of people
• Rely on a biometric feature that does not change over time
• Use biometric features that can be acquired quickly
• Be easy to use
• Respond in real-time for mass transit applications (i.e., airports)
• Be safe and non-invasive
• Scale into the millions and maintain top performance
• Be affordable

Solution

The project began in 2000, when iris recognition systems were installed at three major jails across the country. The project was expanded to ports and airports in 2002. For example, at the Dubai airport, one of the busiest in the world, all arriving passengers have to wait in line to have their eyes scanned. In the UAE application, the information obtained from the iris scan is sent via a distributed communications network to the Central IrisCode® Repository located at the Abu Dhabi Police General Headquarters. After an offender has his irises enrolled, the iris templates are placed in the database. Subsequently, the offender simply looks at the iris recognition reader that checks the iris in just over one second. With the strong support of H.R.H. Sheikh Saif Bin Zayed, Minister of Interior, the UAE acquired the technology and license for the iris recognition system from Iridian Technologies, which custom-developed a system that suited the country’s requirements.

The UAE iris recognition system is a synthesis of three core components: iris cameras with autofocus and autozoom, developed by LG Iris; iris recognition algorithms; and a networked distributed server and communications architecture called “IrisFarm”, developed by IrisGuard. It allows simultaneous enrollments into the central database without interrupting parallel searching queries from multiple distributed stations, and offers almost unlimited scalability to national populations of registered persons and travelers without reduction in execution speed.

Iris enrollment stations consisting of 49 cameras are located in 22 deportation centers around the country. A total of 81 cameras are installed in “Iris Finder Workstations” at 35 points across the UAE, including Abu Dhabi International Airport, Al Ain International Airport, the two terminals of Dubai International Airport, Sharjah International Airport, Fujairah Airport, Ras Al Khaimah International Airport, residency departments and sea ports nationwide, and a number of police stations, prisons, and deportation centers.

This figure shows the distributed and fully networked “IrisFarm” architecture (IFA®) used for the UAE border crossing and expellee tracking system.


Results

As of December 2006, iris recognition systems installed at checkpoints nationwide had detected around 107,000 deportees attempting to re-enter the country over the last four years. “These illegals attempted to return to the country after they changed their names, passports, and obtained job or visit visas,” commented Colonel Ahmad Nasser Al Raisi, Director of the Central Operations at Abu Dhabi Police. In the first quarter of 2006, 11,360 deportees were detected, including 3,277 in Abu Dhabi, 3,977 in Dubai, 3,882 in Sharjah, 168 in Fujairah, 29 in Umm Al Quwain, and eight in Ras Al Khaimah. This averages out to about 126 people caught per day, which is more than last year’s daily average of 90-95 people.

The system supports approximately 1,000 new enrollments each day. The central database contains approximately 1,050,000 enrollments, and can be searched at the rate of 650,000 templates per second. In this application, it is claimed that about 2 trillion random comparisons between images of irises from people from various nationalities have been made over the past three years.

Colonel Al Raisi comments the system “is absolutely accurate in detecting forgery and impersonation attempts.” “It also helps prevent expelled foreigners from returning and prevents wanted criminals from leaving the country, regardless of the identification documents they use. The system also tracks movements of prison inmates.”

Although the iris recognition system was designed to prevent illegal immigrants and former expellees from entering a country using fraudulent travel documents, by comparing the iris biometric of all arriving passengers against a “negative watch list” of detainees, all aspects of the IrisFarm architecture, cameras, and the core iris recognition algorithms are equally suited for “positive” applications in which the main goal is to enhance the convenience, speed, and efficiency of border-crossing formalities for legitimate travelers.

The General Headquarters of Abu Dhabi Police has begun deploying new iris cameras developed by IrisGuard, which offer higher resolution and smaller size than the cameras originally acquired. Eventually, all existing cameras will be replaced with the newer generation ones.

A future initiative involves installing “e-gates” at all airports, which would speed up entry and exit procedures. This system is already in place at the Dubai airport. For about US$40, passengers can have their passports scanned, fingerprints and photo taken, and have all this information stored on a card no bigger than a U.S. driver’s license. The card is valid for two years. As of November 2005, approximately 200,000 e-cards had been issued, which has also spawned commercial tie-ins. For example, travelers can combine the e-card with an Emirates Airlines Skywards frequent-flyer card. Global banking group ABN AMRO lets users get an e-card for about US$36 when they obtain a credit card from the bank. Cardholders do not have to wait in the long passport control lines and can have cards scanned by turnstile machines similar to those at any U.S. subway station.


Additionally, the UAE is working on an identification card project that will serve the “same purpose as the U.S. social security number.” The smart card will hold all of a person’s information, including date of birth, fingerprints, driver’s license, health card, employment authorization, picture, and passport information. Readers currently exist for these cards, using fingerprint recognition. Eventually, this system will be expanded to iris recognition.

Some statistics from the UAE application include:

• The UAE’s database holds over 1,050,000 iris codes
• There are:
  - 3.3 million searches per year
  - 2 trillion comparisons
  - 9,000 average searches per day
  - about 125 people caught per day
• Speed of search: 2 seconds
• 30 million people traveled to the UAE in 2005

What would they do differently next time? Lessons learned . . .

UAE officials had to adopt new security methods to detect if an iris has been dilated with eye drops before scanning. Expatriates who were banned from the UAE started using eye drops in an effort to fool the government’s iris recognition system when they try to re-enter the country. A new algorithm and computerized step-by-step procedure has been adopted to help officials determine if an iris is in normal condition or an eye-dilating drop has been used. People are typically the weakest link in any security system.

Those considering adoption of a biometric-based identification system must remember to consider system scalability, performance, vendor reliability and track record, and interoperability of the biometric system with legacy systems and procedures. It is imperative that the end-user organization, vendors and suppliers, integrators, and all involved with the design and deployment of a biometric-based system fully understand the problem(s) to be solved, analyze it thoroughly from different points of view, assess the situation and need(s), do a pilot test of the new technology, make changes, then implement to full deployment.

Sources and resources for this case study:

- Presentation by Lt. Mohammed Almualla, Head of Security, Abu Dhabi Police General Headquarters to U.S. Biometric Consortium 2005 regarding UAE Iris Expellee Tracking System. September 2005.
- Kanellos, Michael. “Passports passé in United Arab Emirates.” CNET News.com. November 17, 2005.
- Daugman, John; Malhas, Imad. Iris Recognition Border-crossing System in the UAE. International Airport Review, Issue 2, 2004.
- Hilotin, Jay B. Deportees caught with eyes wide open. Gulfnews.com. April 2, 2006.
- Tiron, Roxana. “Biometrics Systems Help Strengthen Border Security in Persian Gulf Nation.” National Defense magazine. June 2005.
- “Iris scanner blocks 62,000 illegals.” Gulfnews.com. May 3, 2006.
- Malhas, Imad. Personal communication, December 2006.


Appendices

Appendix A – Biometric Selection/Application Checklist

Checklist columns: Item, Target Date, Start Date, End Date, Other

• Develop concept plan
• Risk/vulnerability assessment
• Current operational concept
• Vulnerable resources
• Threat sources
• Threat scenarios
• Consequence analysis
• Proposed concept or action
• Rough Order of Magnitude costs
• Business case, ROI assessment
• Develop Implementation plan
• Operational/Functional requirements
• Develop Statement Of Work (SOW)
• Develop technical requirements
• Evaluate potential providers
• Provide for system design reviews
• Identify direct costs
• H/W & S/W
• Processing power
• System design
• Modifications & upgrades
• Installation cost
• Licensing cost
• Identify indirect or less obvious costs
• Research, planning, selection costs
• Implementation planning costs
• IT staff training costs
• End user education & training costs
• Collecting data costs
• Lost productivity costs
• Security administration costs
• System maintenance costs
• Define & develop training program
• Develop deployment & roll-out plan
• Continue operations during installation
• Train the trainers
• Training end users
• Exception processing during transition
• Parallel access control systems
• Schedule
• Alerting workforce


Appendix B – Miscellaneous Resources

Advanced Biometric Research Center (ABRC)
Website: http://bmsildb.snu.ac.kr/sub.htm
Description: The ABRC works in collaboration with the Seoul National University, Seoul, Biomedical Signal and Information Laboratory (BMSIL). The primary focus of the research with BMSIL is on applications of biological signals and information for the diagnosis of diseases and monitoring of an individual’s health status.

AIM Global
Website: www.aimglobal.org
Description: AIM is a global trade association comprising providers of components, networks, systems, and services that manage the collection and integration of data with information management systems. Serving more than 900 members in 43 countries, AIM is dedicated to accelerating the growth and use of Automatic Identification and Data Collection (AIDC) technologies and services around the world.

American Society for Industrial Security (ASIS)
Website: http://www.asisonline.org
Description: ASIS International is the largest international organization for professionals responsible for security, including managers and directors of security.

Australian Biotechnology Association (Aus Biotech, Ltd.)
Website: http://www.ausbiotech.org
Description: The Australian Biotechnology Association is a hybrid organization with a mixture of a traditional scientific society and an industry trade association. One of its major aims is to link technical people in companies with public sector researchers.

AVIOS Inc.
Website: www.avios.com
Description: AVIOS, which stands for Applied Voice Input/Output Society, is a 23-year-old, not-for-profit professional membership organization founded as the American Voice Input/Output Society, with the name later changed to reflect growing international participation. Their goals are to provide resources to the speech community that will help create quality applications of advanced speech technology, including applications of speech recognition, speech synthesis and speaker authentication.

BioAPI Consortium
Website: http://www.bioapi.org/
Description: The BioAPI Consortium was formed to develop a widely available and widely accepted API that will serve for various biometric technologies. The intent is to work with industry biometric solution developers, software developers, and system integrators to leverage existing standards to facilitate easy adoption and implementation, develop an OS-independent standard, and make the API biometric-independent. Version 1.1 of the BioAPI specification has been published as ANSI/INCITS 358-2002. BioAPI Version 2.0 has been published as ISO/IEC 19784-1: 2006.


The Biometric Consortium
Website: http://www.biometrics.org/
Description: Biometric Consortium serves as a focal point for research, development, testing, evaluation, and application of biometric-based personal identification/verification technology.

Biometric Digest
Website: http://www.biodigest.com/
Description: Offers a variety of biometric and related e-newsletters.

The Biometrics Catalog
Website: http://www.biometricscatalog.org/ or www.biometrics.gov
Description: The Biometrics Catalog is a U.S. Government-sponsored database of information about biometric technologies, including research and evaluation reports, government documents, legislative text, news articles, conference presentations, and vendors/consultants.

Biometrics EnAbled Mobile Commerce (BEAM) Consortium
Description: BEAM Consortium is focused on developing biometrics based technological solutions to the security problem faced by the users of future mobile commerce. The purpose is to bring together interested parties in both industry and academia, to jointly develop solutions that are capable of providing a personalized, easy to use and secured transaction method.

Biometric Foundation
Website: www.biometricfoundation.org
Description: The Biometric Foundation, founded in August 2000, is dedicated to a systematic program of research and education to reduce impediments to wide adoption and use of all biometric technologies. The Foundation will address technical, societal, and legal aspects of biometric technologies and their applications. Accordingly, the Foundation's agenda will include studies of public attitudes toward uses of biometrics; demonstration and evaluation of alternative biometric technologies; inquiry into biometric standards issues; development of formal educational curricula that encourage students to enter the field of biometrics as a professional career choice; and conferences and seminars about the most effective uses of biometrics in key applications.
Biometrics Institute Ltd
Website: www.biometricsinstitute.org
Description: The Biometrics Institute is an independent not-for-profit membership organization based in Australia and founded in July 2001. Its primary members are government and business users of biometric services and products, with other membership categories for vendors. Initial members are from Australia; however, members are welcome from the wider Asia Pacific region.

Biometrics in Human Services User Group – Connecticut Department of Social Services
Website: http://www.dss.state.ct.us/digital.htm
Description: The focus of BHSUG is providing a platform for sharing ideas and innovations, distributing findings, identifying best practices, recommending and creating useful standards for both human services users and technology developers for this market.

The Biometric Interoperability, Performance and Assurance Working Group
Website: http://www.nist.gov/bcwg
Description: This organization supports the advancement of technically efficient and compatible biometric technology solutions on a national and international basis. It consists of over 90 organizations representing biometric vendors, system developers, information assurance organizations, commercial end users, universities, government agencies, national labs and industry organizations.

Biometric Security Consortium (BSC)
Website: http://www.bsc-japan.com/en/
Description: The BSC promotes the formation of a coalition between the industry-government-academia, whose main objective is to propose effective business models, enhance the growth of biometrics technologies for the next generation industrial infrastructure and improve global competition.

Biometric Testing Services (BIOTEST)
Description: A European project aimed at developing standard metrics for measuring/comparing performance of biometric devices and establishing testing services.

Biometric Watch Newsletter
Website: http://www.biometricwatch.com
Description: A 10-issue per year, subscription-based biometric industry newsletter that is e-mailed to subscribers.

BioPrivacy Initiative
Website: http://ww.bioprivacy.org
Description: Recognizing that biometric technologies are seeing increased usage in the public and private sectors, International Biometric Group’s BioPrivacy Initiative defines best practices as well as deployment and technology guidelines for maintenance of personal and informational privacy in biometric deployments.
BioSec Biometric Security
Website: http://www.biosec.org
Description: BioSec is an Integrated Project (IP) where Biometrics and security play together to leverage the trust and confidence in a wide spectrum of everyday applications. Partners from nine countries constitute a critical mass in the Biometric area including large companies, biometric HW/SW producers, prestigious universities and subject matter experts.

Canadian Advanced Technology Alliance (CATA) Biometrics Group
Website: www1.cata.ca/biometrics/
Description: The Canadian Advanced Technology Alliance formed the CATA Biometrics Group (CBG) to ensure that Canadian companies – those within the sector and those using the technology – are equipped to thrive from an expanding market for biometric technologies. A partnership of Manufacturers, Developers and Customers. It is a focused advocacy initiative backed by Canada's largest technology association. CATA Biometrics Group works to create public acceptance of biometric technologies and to speed the adoption of biometric solutions.

Center for Identification Technology Research
Website: http://www.citer.wvu.edu/about/mission.php
Description: CITeR is dedicated to serving the needs of their members by advancing the performance of biometric systems through cross-cutting research for new enabling technologies, interdisciplinary training of scientists and engineers through its biometrics research, and the facilitation of the transfer of new biometrics technology to the private and government sectors through its membership.

Communications-Electronics Security Group (CESG)
Website: http://www.cesg.gov.uk/
Description: CESG is the Information Assurance (IA) arm of the UK Government Communications Headquarters (GCHQ) and is based in Cheltenham, Gloucestershire, UK. The organization is the UK Government’s National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing to help their customers achieve their business aims.

COST 275
Website: http://www.fub.it/cost275/pages/_home_main/index.htm
Description: COST means Cooperation in the Scientific and Technological research, focusing in part on biometrics-based recognition of people over the Internet.
DoD Biometric Management Office
Website: www.biometrics.dod.mil
Description: In December of 2000, DoD established the Biometrics Management Office and the Biometrics Fusion Center and directs the Secretary of the Army, as DoD Executive Agent, to "ensure that biometric technologies are integrated effectively into information assurance systems, physical access control systems, best business practices, and other DoD applications."

European Biometrics Forum (EBF)
Website: www.eubiometricforum.com
Description: The Forum is composed of some of Europe’s leading privacy, technology and usability experts who are focused on establishing a realistic vision for the future of the biometric industry in Europe in the context of a fast developing international market. The objectives of this organization are to formally establish a roadmap for the EU Commission which will investigate and advise on the likely commercial application of biometrics over the forthcoming 10 years and to carry out clearly focused research into key biometric areas.

Financial Services Technology Consortium (FSTC) (biometric fraud prevention)
Website: http://www.fstc.org
Description: Formed in 1993, FSTC is a consortium of leading North American-based financial institutions, technology vendors, independent research organizations, and government agencies. It brings forward, tests, proves, and validates the next generation of critical financial services technologies.

ID Newswire
Website: http://www.cardtechnology.com/idnewswire.html
Description: A bi-weekly, four-page, electronic newsletter focused on developments and trends in personal identification and biometric technologies.

International Association for Biometrics (iAfB)
Website: http://www.iafb.org.uk
Description: The iAfB, formerly the Association for Biometrics, provides a forum for the European and wider International Biometrics Community to promote the development and implementation of Biometric technologies, standards and applications through education and awareness programs and the gathering and dissemination of best practices.

International Association for Identification (IAI)
Website: http://www.theiai.org
Description: The oldest and largest forensic organization in the world, providing a forum where forensic specialists can interact.

International Biometric Industry Association (IBIA)
Website: www.ibia.org
Description: The International Biometric Industry Association (IBIA) is a trade association founded in 1998 in Washington, D.C. to advance, advocate, defend and support the collective international interests of the biometric industry. IBIA is governed by and for biometric developers, manufacturers and integrators, and is impartially dedicated to serve all biometric technologies in all applications.
International Center for Disability Resources on the Internet (ICDRI)
Website: http://www.icdri.org/biometrics/biometrics.htm
Description: Site includes papers and guidance for adapting biometric-based systems to accommodate special needs users.

International Biometric Society (IBS)
Website: www.tibs.org
Description: The IBS is an international society promoting the development and application of statistical and mathematical theory and methods in biosciences, including agriculture, biomedical science and public health. Biologists, mathematicians, statisticians, and others interested in its objectives are invited to become members.


International Civil Aviation Organization
Website: http://www.icao.int/
Description: Six strategic objectives of the Organization have been developed. They are: Safety, Security, Environmental Protection, Efficiency and Regularity, Legal Framework and Effectiveness. The strategic objectives are action oriented and present a range of activities which include development, implementation and technical support.

Korea Biometric Association (KBA)
Website: http://www.biometrics.or.kr/eng/default.htm
Description: With the increase of information-oriented e-business, the necessity for strong user authentication was brought out as an important issue. The Association is required to activate domestic biometric industry, present vision of biometrics field through exchange between biometrics related industry-university research institute and promote various cooperative activities.

National Biometric Security Project (NBSP)
Website: http://nationalbiometric.org
Description: The NBSP is designed to perform an independent public service in support of anti-terrorist and homeland security objectives. That service provides unbiased support regarding application of biometric technology, from development of standards to focused testing, research, training, and education for all levels of government and the private sector that have responsibility for security of the civilian national infrastructure.

National Biometric Test Center
Website: http://www.biometrics.org/html/testcenter.html
Description: Although no longer active, the National Biometric Test Center was established at San Jose University in the spring of 1997 by the Biometric Consortium to establish a set of standards against which the performance of biometric technologies could be evaluated and ranked.

Office of Law Enforcement Technology Commercialization
Website: http://www.oletc.org
Description: The Office of Law Enforcement Technology Commercialization (OLETC) is a program of the National Institute of Justice (NIJ). OLETC assists in the commercialization of innovative technology for use in law enforcement and corrections. Their many successes are a direct result of OLETC’s ongoing commitment to assisting in providing law enforcement, corrections and public safety professionals a safer and more effective environment in which to conduct their daily operations.

Security Industry Association
Website: http://www.securitygateway.com
Description: Formed in 1969, the Security Industry Association (SIA) provides its members with a full-service, international trade association promoting growth, expansion, and professionalism within the security industry by providing education, research, technical standards, representation, and defense of their members. SIA has over 300 member companies representing manufacturers, distributors, service providers, integrators and others. SIA members are involved in several market segments such as CCTV, access control, biometrics, computer security, fire/burglar alarms, and home automation, just to name a few. Members work together to address issues facing the industry and develop programs to enhance the environment in which they sell products and services.

Swedish National Biometric Association (SNBA)
Website: http://biometricassociation.org
Description: SNBA has as its goal to strengthen the national knowledge about biometrics in Sweden and be a focal point for knowledge transfer about biometric news, research and commercial applications.

UK Biometrics Working Group
Website: www.cesg.gov.uk/technology/biometrics
Description: The UK Biometrics Working Group (BWG) co-ordinates the Office of the e-Envoy (OeE) Biometrics Programme, the goal of which is to enable the use of biometric authentication technology to support the OeE e-government aims and to facilitate the adoption of biometrics in support of wider government business.

Page 145: Biometric Technology Application Manual Volume 2: Applying ... BTAM Vol 2 - Winter 2008.pdf · Published by the National Biometric Security Project (NBSP), the Biometric Technology

4/7/2008 145

Appendix C – Biometric Publications

Books

Access Control and Personal Identification Systems
Author: Dan Bowers
Publisher: Butterworth-Heinemann, 1998

Advances in Fingerprint Technology
Author: Henry C. Lee, et al
Publisher: CRC Press, 1994
A renowned group of leading forensic, identification, and criminology experts present, in this valuable work, exciting progress in fingerprint technology. Advances in Fingerprint Technology covers major developments in latent fingerprint processing, including physical, chemical, instrumental, and combination techniques. In addition to an explanation of numerous methods and procedures of fingerprint technology, a renowned group of leading forensic, identification, and criminology experts provides a concise history of fingerprinting and briefly discusses Live-Scan and Image Transmission networks. The book also includes an essential chapter on effective presentation of fingerprint evidence in court.

Audio- and Video-based Biometric Person Authentication
First International Conference, AVBPA ’97, Crans-Montana, Switzerland
March 12-14, 1997 (Lecture notes in Computer Science, Vol. 1206)
Author: Gerard Chollet, et al
Publisher: Springer Verlag
This book constitutes the refereed proceedings of the First International Conference on Audio- and Video-based Biometric Person Authentication, AVBPA'97, held in Crans-Montana, Switzerland, in March 1997. The 49 revised papers presented were carefully reviewed and selected by the program committee for inclusion in the book; also included are four invited contributions. The papers are organized in sections on facial features localization, lip and facial motion, visual non-face biometrics, face-based authentication, text-dependent speaker authentication, text-independent authentication, audio-video features and fusion, and systems and applications.


Audio- and Video-based Biometric Person Authentication
Third International Conference, AVBPA ’01, Halmstad, Sweden
June 6-8, 2001
Author: Josef Bigun, et al
Publisher: Springer Verlag
This book constitutes the refereed proceedings of the First International Conference on Audio- and Video-based Biometric Person Authentication, AVBPA'01, held in Halmstad, Sweden, in June 2001.

Authentication: From Passwords to Public Keys
Author: Richard E. Smith
Publisher: Addison-Wesley, 2001
Gives readers a clear understanding of what an organization needs to reliably identify its users and how the different techniques for verifying identity are executed.

The Auto ID Book
Author: Glenn Lee
Publisher: Informatics, Ltd.
This comprehensive, but straight-forward book wipes away the myth that bar codes are complicated and difficult to implement. It begins by explaining how bar codes can help improve productivity, accuracy, and timeliness of information in different environments. To illustrate how bar codes have now become a universal practice, the book covers a wide range of applications such as inventory, work in progress, point of sale, accounts receivable, time and attendance, marketing and many others. You will find how these and other applications relate to your work environment, and how they can easily be implemented to increase productivity.


Automated Biometrics: Technologies and Systems (The Kluwer International Series on Asian Studies in Computer and Information Science)
Author: David D. Zhang
Publisher: Kluwer Academic Publishers, 2000
Introduces the relative biometric technologies and explores how to design the corresponding systems with in-depth discussion. Engineering applications of biometrics to personal authentication and Chinese medicine are covered. The issues addressed in this book are highly relevant to many fundamental concerns of both researchers and practitioners of automated biometrics in computer and system security.

Automatic Fingerprint Recognition Systems
Author: Nalini Ratha, et al.
Published 2003
For intermediate to expert biometrics professionals and developers. It contains an excellent collection of technical chapters written by authors who are experts on the chapter's topic. Contrary to perhaps common belief, even after several decades of research, automatic fingerprint recognition is not a solved problem. New fingerprint sensing technologies, algorithmic advances, and abundant computing power continue to drive advances in this area and to open up new realms of possibility.

Bantam User Guide: Biometric and Token Technology Application Modeling Language
Author: Julian Ashbourn
Publisher: Springer Verlag, 2002

Basic Latent Print Development
Author: James P. Mock
Publisher: Lightning Powder Company, 1993
This book can be used as a training text for new employees or can be read by beginners. Many instructors use it as a primer for basic latent print development college classes. Sections cover: How latent prints are deposited, Investigating the Crime Scene, Which powders to use, How to lift and preserve the latent prints. There are simple to follow sketches on how to powder a surface and how to tear and lift with tape.


Biometrics
Author: Nanavati
Publisher: John Wiley & Sons

Biometrics
Author: John D. Woodward, Jr., et al
Publisher: McGraw-Hill Osborne, 2002
Discover how to make biometrics -- the technology involving scanning and analyzing unique body characteristics and matching them against information stored in a database -- a part of your overall security plan with this hands-on guide. Includes deployment scenarios, cost analysis, privacy issues, and much more.

Biometrics: Advanced Identity Verification: The Complete Guide
Author: Julian D.M. Ashbourn
Publisher: Springer Verlag, 2000
An in-depth grounding in biometrics, specifically those applied to individual identity verification. Serves as a reference for the academic researcher or student of biometrics, and even has something to offer the non-technical reader. The CD-ROM contains interesting utilities for Microsoft Windows environments.

Biometrics and Network Security
Author: Paul Reid
Publisher: Prentice Hall PTR, 2003
Covers a variety of biometric options, ranging from fingerprint identification to voice verification to hand, face, and eye scanning. Approaching the subject from a practitioner's point of view, Reid describes guidelines, applications, and procedures for implementing biometric solutions for your network security systems.

Biometric Authentication: International ECCV 2002 Workshop
Author: Massimo Tistarelli, et al
Publisher: Springer Verlag, 2002


Biometric Authentication: A Machine Learning Approach
Author: S.Y. Kung
Publisher: Prentice Hall, 2004
As they improve, biometric authentication systems are becoming increasingly indispensable for protecting life and property. This book introduces powerful machine learning techniques that significantly improve biometric performance in a broad spectrum of application domains. Three leading researchers bridge the gap between research, design, and deployment, introducing key algorithms as well as practical implementation techniques. They demonstrate how to construct robust information processing systems for biometric authentication in both face and voice recognition systems, and to support data fusion in multimodal systems.

Biometrics: Identity Verification in a Networked World
Author: Samir Nanavati, et al
Publisher: John Wiley & Sons, 2002
An in-depth look at biometrics, focused on critical issues such as accuracy, privacy, technology capabilities, and cost-effective deployment. Written by leading industry authorities.

Biometrics for Network Security
Author: Paul Reid
Publisher: Prentice Hall, 2003
Network security has become the latter-day equivalent of oxymoronic terms like "jumbo shrimp" and "exact estimate." Newspaper headlines are routinely peppered with incidents of hackers thwarting the security put forth by the government and the private sector. As with any new technology, the next evolution of network security has long languished in the realm of science fiction and spy novels. It is now ready to step into the reality of practical application. The book covers a variety of biometric options, ranging from fingerprint identification to voice verification to hand, face, and eye scanning. Approaching the subject from a practitioner's point of view, the author describes guidelines, applications, and procedures for implementing biometric solutions for network security systems.


Biometric Inverse Problems
Author: Svetlana Yanushkevich
Publisher: Taylor & Francis Group, 2005

Biometrics in Agricultural Science
Author: Shu Geng, et al
Publisher: Kendall/Hunt Publishing Company, 1997

Biometrics: Personal Identification in Networked Society
Author: Anil Jain, et al
Publisher: Kluwer Academic Publishers, 1999
General principles and ideas of designing biometric-based systems and their underlying tradeoffs. Identification of important issues in the evaluation of biometrics-based systems. Integration of biometric cues, and the integration of biometrics with other existing technologies. Assessment of the capabilities and limitations of different biometrics. The comprehensive examination of biometric methods in commercial use and in research development. Exploration of some of the numerous privacy and security implications of biometrics. Also included are chapters on face and eye identification, speaker recognition, networking, and other timely technology-related issues.


Biometric Solutions for Authentication in an E-World
Author: David Zhang, et al
Publisher: Kluwer Academic Publishers, 2002
Biometric Solutions for Authentication in an E-World provides a collection of sixteen chapters containing tutorial articles and new material in a unified manner. This includes the basic concepts, theories, and characteristic features of integrating/formulating different facets of biometric solutions for authentication, with recent developments and significant applications in an E-world. This book provides the reader with a basic concept of biometrics, an in-depth discussion exploring biometric technologies in various applications in an E-world. It also includes a detailed description of typical biometric-based security systems and up-to-date coverage of how these issues are developed. Experts from all over the world demonstrate the various ways this integration can be made to efficiently design methodologies, algorithms, architectures, and implementations for biometric-based applications in an E-world. Biometric Solutions for Authentication in an E-World meets the needs of a professional audience composed of researchers and practitioners in industry and graduate-level students in computer science and engineering. Researchers and practitioners in research and development laboratories working in fields of security systems design, biometrics, immigration, law enforcement, control, pattern recognition, and the Internet will benefit from this book.

Biometric Systems: Technology, Design, and Performance
Author: James Wayman, et al
Publisher: Springer Verlag, 2004
Focuses on the technologies of fingerprint, iris, face, and speaker recognition, how they have evolved, how they work, and how well they work. Examines the challenges of designing and deploying biometrics in people-centered systems, and concludes with discussions on the legal and privacy issues of biometric deployments from both European and US perspectives.

Computational Algorithms for Fingerprint Recognition
Author: Bir Bhanu, et al
Publisher: Kluwer Academic Publishers, 2003

Cutaneous Biometrics
Author: Doris A. Schwindt, et al
Publisher: Plenum PR, 2001


Department of Homeland Security
Author: Michael Kerrigan, et al
Publisher: Mason Crest Publishers, 2003

Dynamic Vision: From Images to Face Recognition
Author: Shaogang Gong, et al
Publisher: Imperial College Press, 2000
This book describes the latest models and algorithms that are capable of performing face recognition in a dynamic setting. The key question is how to design computer vision and machine learning algorithms that can operate robustly and quickly under poorly controlled and changing conditions. Consideration of face recognition as a problem in dynamic vision is perhaps both novel and important. The algorithms described have numerous potential applications in areas such as visual surveillance, verification, access control, video-conferencing, multimedia and visually mediated interaction.

Enhanced Methods in Computer Security, Biometric, and Artificial Intelligence Systems
Author: Jerzy Pejas
Publisher: Springer, 2004
This book contains over 30 contributions from leading European researchers showing the present state and future directions of computer science research. In addition to other topics, the book covers three important areas of security engineering in information systems: software security, public key infrastructure, and the design of new cryptographic protocols and algorithms.

Fingerprint Detection with Lasers
Author: E. Ronald Menzel
Publisher: Marcel Dekker, 1999
Discusses laser fingerprint detection, which is, in its essence, the general application of photoluminescence methodology to physical evidence examination, representing a new paradigm in criminalistics.


Fingerprint Science: How to Roll, Classify, File, and Use Fingerprints
Author: Clarence Gerald Collins
Publisher: Cooperhouse Publishing, 1994
This work covers almost all areas of fingerprinting and identification.

Guide to Biometrics
Author: Ruud Bolle, et al
Publisher: Springer Verlag, 2004
This is a complete technical guide aimed at presenting the core ideas that underlie the area of biometrics. It explains the definition and measurement of performance and examines the factors involved in choosing between different biometrics. It also delves into practical applications and covers a number of topics critical for successful system integration. These include recognition accuracy, total cost of ownership, acquisition and processing speed, intrinsic and system security, privacy and legal requirements, and user acceptance.

Handbook of Fingerprint Recognition
Author: David Maltoni, et al.
Publisher: Springer Professional Computing, 2003
Reference on automatic fingerprint recognition providing in-depth coverage of the most recent advances and practices; including sensing, feature extraction and matching, synthetic fingerprint image generation, indexing, and multi-modal systems. For biometric security professionals, researchers, developers, and systems administrators.

Handbook of Information Security Management
Author/Publisher: International Information Security Systems Certification Consortium, 1993

Homeland Security Law Handbook
Publisher: Government Law Institutes, 2003

Homeland Security Statutes 2003
Publisher: Government Institutes Research Group

Homeland Security Office
Author: Edward Lipton
Publisher: Nova Science Publishers, 2002

Homeland Security v. Constitutional Rights
Author: Ted Gottfried
Publisher: 21st Century Books
In this time of increased terrorism, how can we balance civil liberties with the risk to American lives and property? Is criticism of the president unpatriotic? Can torture ever be morally justified? Beginning with a detailed account of the 9/11 attack and its aftermath, Gottfried addresses these questions as he discusses the recent history of American war and defense, including the controversial Patriot Act.

How to Prove Yourself. Practical Solutions to Identification and Signature Problems
Advances in Cryptology—Crypto ’86, Volume 263
Author: A. Fiat, et al
Publisher: Springer Verlag, 1987

Human Identification: The Use of DNA Markers
Author: Bruce S. Weir
Publisher: Kluwer Academic Publishers
The ongoing debate on the use of DNA profiles to identify perpetrators in criminal investigations or fathers in paternity disputes has too often been conducted with no regard to sound statistical, genetic or legal reasoning. The contributors to Human Identification: The Use of DNA Markers all have considerable experience in forensic science, statistical genetics or jurimetrics, and many of them have had to explain the scientific issues involved in using DNA profiles to judges and juries. Although the authors hold differing views on some of the issues, they have all produced accounts which pay due attention to the sometimes troubling issues of independence of components of the profiles and of population substructures. The book presents the considerable evolution of ideas that has occurred since the 1992 Report of the National Research Council of the U.S.

Implementing Biometric Security
Author: John Chirillo, et al
Publisher: John Wiley & Sons, 2003
Guide provides explanations and hands-on examples needed to understand, implement, and apply security authentication methods that rely on fingerprints, retinal scans, speech patterns, and facial thermography. Provides the basics and real-world uses for setting up and maintaining a biometric security system in a LAN, WAN, or wireless infrastructure.

Implementing Homeland Security for Enterprise IT
Author: Michael Erbschloe
Publisher: Digital Press, 2003
This book shows what IT in organizations needs to accomplish to implement The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets and The National Strategy to Secure Cyberspace, which were developed by the Department of Homeland Security after the terrorist attacks of September 2001.

Intelligent Biometric Techniques in Fingerprint and Face Recognition
Author: L.C. Jain, et al
Publisher: CRC Press, 1999
A wide range of experts have contributed to this collection of articles discussing established and emerging applications and techniques for face and fingerprint recognition systems. The book includes literature reviews, discussions of neural network approaches, methods of recognizing human faces, and intelligent fingerprint processing for minutia and pore feature extraction and matching. This book would be most useful to researchers and engineers interested in developing fingerprint and face recognition systems for a variety of applications.

Multimodal Biometrics: Human Recognition Systems
Author: Arun A. Ross
Publisher: Springer, 2005
Consistent advances in biometrics help to address problems that plague traditional human recognition methods and offer significant promise for applications in security as well as general convenience. This book provides an accessible, focused examination of the science and technology behind multimodal human recognition systems, as well as their ramifications for security systems and other areas of application. It also describes the various scenarios possible when consolidating evidence from multiple biometric systems and examines multimodal system design and methods for computing user-specific parameters.

The Myth of Homeland Security
Author: Marcus Ranum
Publisher: John Wiley & Sons, 2003
Text reveals the truth about 'feel-good' security policies and spending programs that mask real threats and do nothing tangible to improve public safety.

Nondestructive Detection and Measurement for Homeland Security
Author: Steven R. Doctor
Publisher: SPIE – The International Society for Optical Engineering, 2003

Practical Biometrics: From Aspiration to Implementation
Author: Julian Ashbourn
Publisher: Springer Verlag, 2003
Containing a wealth of real world advice and written from an operational rather than purely academic perspective, "Practical Biometrics" examines the many issues raised by the application of biometric technologies to practical situations. This book concentrates on the practical implementation of biometric verification techniques, with specific regard to wide scale public applications. It acts as a practical guide to implementation, identifying the associated issues around:
* Scalability
* Interoperability
* Ethnicity
* Failure to enroll
* User psychology
* Features and Benefits.
Highlights non device-specific issues such as human factors, environment, privacy and data protection. Focuses on the practical aspects of managing large-scale systems. Provides an invaluable resource to program managers, application developers and consultants working in this area.

Preparing the U.S. Army for Homeland Security: Concepts, Issues, and Options
Author: Eric Larson, et al
Publisher: Rand
Homeland security encompasses five distinct missions: domestic preparedness and civil support in case of attacks on civilians, continuity of government, continuity of military operations, border and coastal defense, and national missile defense. This report extensively details four of those mission areas (national missile defense having been covered in great detail elsewhere). The authors define homeland security and its mission areas, provide a methodology for assessing homeland security response options, and review relevant trend data for each mission area. They also assess the adequacy of the doctrine, organizations, training, leadership, materiel, and soldier systems and provide illustrative scenarios to help clarify Army planning priorities. The report concludes with options and recommendations for developing more cost-effective programs and recommends a planning framework that can facilitate planning to meet homeland security needs.

Secrets and Lies: Digital Security in a Networked World
Author: Bruce Schneier
Publisher: John Wiley & Sons, 2000
Internationally recognized computer security expert Bruce Schneier offers a practical, straightforward guide to achieving security throughout computer networks. Schneier uses his extensive field experience with his own clients to dispel the myths that often mislead IT managers as they try to build secure systems. This practical guide provides readers with a better understanding of why protecting information is harder in the digital world, what they need to know to protect digital information, how to assess business and corporate security needs, and much more.

The Practical Intrusion Detection Handbook
Author: Paul E. Proctor
Publisher: Prentice-Hall, 2001

Security, ID Systems, and Locks: The Book on Electronic Access Control
Author: Joel Konicek
Publisher: Butterworth-Heinemann, 1997
Written by the President of a leading manufacturer of access control systems. However, it is not biased towards his own company at all. It is an excellent introduction to Electronic Access Control and the only worthwhile book on the subject. If your business needs, or might need, an electronic access control system, this book will tell you everything you need to know to buy and manage one.

U.S. Department of Homeland Security Handbook
Author: USA International Business Publications, 2003

Voice and Speech Processing
Author: Thomas Parsons
Publisher: McGraw-Hill, 1987

Voice Recognition
Author: Richard Klevans
Publisher: Artech House, 1995
This revised scholarly work on voice recognition technology outlines cutting-edge research in this exciting area of computer science. The book begins with a readable historical introduction to speech synthesis, speech recognition, and speaker classification. (According to the authors, Alexander Graham Bell was actually working on the problem of speech synthesis when he invented the telephone.)

When To Use Biometrics
Author: Hagai Bar-El, 2003
Biometrics systems have become common over the years. Their ease of use for the end user and their perceived security make them seem to be the best solution to any problem involving user authentication. Although biometric systems can provide fast and secure user authentication with minimal user intervention, they have several inherent limitations making them inappropriate for most environments where authentication is used. The focus of this paper is not the possible use-cases of biometry, but rather it is those limitations that are neither biometry type-specific nor implementation-specific and that make biometric measures limited in their scope of possible users.

Who Are You? The Encyclopedia of Personal Identification
Author: Scott French
Publisher: Biblio Distribution

Market and Technology Reports

The 2003-2004 Directory of Homeland Security
Author: Northern Virginia Technology Council
Publisher: Tech Wire Media Group
Comprehensive organizational chart for the new Department of Homeland Security; detailed descriptions of offices and initiatives associated with the new Department of Homeland Security; list of homeland security responsibilities for federal departments and agencies; FY2004 budget information for federal departments and agencies; listings for national organizations working on homeland security; and helpful resources on selling products to the federal government.

Army Biometric Applications: Identifying and Addressing Sociocultural Concerns
Author: John D. Woodward
Publisher: RAND, 2002
With concern about its information assurance systems and physical access control increasing, the Army has undertaken an assessment of how it can use biometrics to improve security, efficiency, and convenience. This report examines the sociocultural concerns that arise among soldiers, civilian employees, and the general public when the military mandates widespread use of biometrics. The authors see no significant legal obstacles to Army use of biometrics but recommend that the Army go beyond the provisions of the Privacy Act of 1974 to allay concerns related to this emerging technology. This report should be of interest to those responsible for access control as well as anyone concerned about privacy and technology issues.

The Army and Homeland Security: A Strategic Perspective
Author: Antulio Joseph Echevarria
Publisher: Strategic Studies Institute, U.S. Army War Co., 2001

Biometrics and Smart Cards
Author/Publisher: International Biometric Group, 2003
Smart cards and biometrics are strongly synergistic technologies whose acceptance in the U.S. market is being driven by the desire in many applications for token-based as opposed to centralized biometric functionality. Increased opportunities are present for large-scale biometrics and smart card usage in public sector ID applications. However, various competing and proprietary technologies in both the biometric and smart card markets pose problems for institutions interested in large-scale deployment, as there is risk of technology obsolescence or over-reliance on a single vendor. This report identifies challenges that deployers and vendors face in adopting and developing this technology. Exclusive analysis in this report leverages years of hands-on experience testing and deploying biometrics and smart card technologies, years of interaction with leading vendors, and extensive evaluation of the technology for large-scale applications.

The Biometrics Industry Report: Forecasts and Analysis to 2006, 2nd Edition
Author: Mark Lockie
Publisher: Elsevier Advanced Technology
The second edition of The Biometrics Industry Report - Forecasts and Analysis to 2006 examines the current use and future growth of biometrics. It analyses the trends in markets, technologies and industry structure and profiles the major players. The report provides key market statistics and forecasts essential for companies to plot their future growth strategies.

Biometrics: A Look at Facial Recognition
Author: John D. Woodward, et al
Publisher: RAND, 2003
During the 2002 Virginia General Assembly, Delegate H. Morgan Griffith sponsored legislation setting legal parameters for public sector use of facial recognition technology in Virginia. The Virginia State Crime Commission, a standing legislative commission of the Virginia General Assembly, is statutorily mandated to make recommendations on all areas of public safety in the Commonwealth of Virginia. RAND analyst John D. Woodward, Jr. presented this briefing to the Virginia State Crime Commission Facial Recognition Sub-committee in September 2002. It does not make specific policy recommendations, rather defines biometrics and discusses examples of the technology, explaining how biometrics may be used for authentication and surveillance purposes. Facial recognition is examined in depth, to include technical, operational, and testing considerations. It concludes with a discussion of the legal status quo with respect to public sector use of facial recognition.

Biometric Market Report: 2003-2007
Author/Publisher: International Biometric Group
The industry’s most comprehensive, extensive, and authoritative analysis of biometric technologies, applications, and global markets. The report provides post-9/11 market data and real-world guidance to biometric technology deployers, developers, investors, and researchers.

Biometrics and Privacy: Assessing Deployment and Technology Risks
Author/Publisher: International Biometric Group, 2003
For organizations not yet prepared to execute a full privacy impact assessment of a biometric deployment or technology, this report provides a framework for understanding privacy issues in biometric technologies. With a review of framing legislation, discussion of information and personal privacy issues, and detailed evaluation of the application-specific and technology-specific risks posed by biometric technology, this report is essential due diligence for any biometric deployer in the commercial, civil, or employment sector.

Biometric Systems: Worldwide Deployments, Market Drivers, and Major Players
December 2002
Author: John Chang
Publisher: Allied Business Intelligence
"Numerous industries will accelerate their biometric deployments as the advantages of deploying biometrics outweigh the capital expenditures in the technology. Furthermore, biometric vendors will establish operational support systems necessary to offer an efficient and scalable network by the third quarter of 2003", said John W. Chang, ABI Senior Analyst and author of the report. "All the major airports within North America, Europe, and Asia will have multiple biometric technologies implemented within the airports, including facial recognition for criminal surveillance, iris recognition for frequent traveler check-in, hand geometry for time and attendance verification of airport employees, and fingerprint scanning for secured physical access."

Biometric Technology Standards for Iris Technology
Author/Publisher: International Biometric Group, 2003

Biometric Technology Standards for Fingerprint Technology
Author/Publisher: International Biometric Group, 2003

Biometric Technology Standards for Border Entry and MRTDs
Author/Publisher: International Biometric Group, 2003

Biometric Technology Standards for Performance Testing
Author/Publisher: International Biometric Group, 2003

Biometric Technology Standards for Facial Recognition Technology
Author/Publisher: International Biometric Group, 2003

Face Recognition: Cognitive and Computational Processes
Author: Sam S. Rakover, et al
Publisher: University of Haifa/Oakland University, Michigan, 2001
Provides an original approach to criminological applications. The book discusses original ideas on conceptualizing face perception and recognition in tasks of facial cognition, developing the schema theory and the catch model, and introducing a discovery of the proposed law of face recognition by similarity.

Homeland Security: State of the Industry Assessment 2002
Author: Acclaro Growth Partners
Publisher: MarketResearch.com, 2002
The objective of this report is to analyze the market opportunity for homeland defense-related products and services. It is intended to help interested investors make timely investment decisions, assist current market participants in devising expansion plans, and advise potential participants in evaluating market opportunities. The assessment is based on the perspective of a variety of industry executives, including manufacturers, distributors, end-users, and a wealth of third party and secondary research sources. This report includes fact and opinion-based information and is presented with charts, discussion, and analysis that describes and assesses the raw data. The information in this study pertains to the US market for homeland defense-related products and services.

Homeland Security: Best Practices for Local Government
Author: Roger L. Kemp
Publisher: Intl City/County Mgt. Association, 2003

Homeland Security: Biometrics
October 2003
Author/Publisher: Foster Bryan Ltd.
A comprehensive analysis of how biometrics, including iris recognition, fingerprint analysis, and eight other technologies may be used in homeland security applications.

Industry Insight: President Gives Homeland Security the Green Light but Vendors Should Proceed with Caution
Author/Publisher: IDC
This IDC Flash analyzes the newly approved Department of Homeland Security's impact on IT spending.

Market Opportunities in Homeland Security
Author: Richard K. Miller & Associates
Publisher: MarketResearch.com, 2003
This is a comprehensive analysis of public- and private-sector business opportunities in the rapidly expanding $100 billion homeland security marketplace. Topics include critical infrastructure, first responders, public health preparedness, corporate programs, risk and vulnerability assessments, physical security and detection technology. Market opportunities are assessed for each market sector, including aviation, banking, border protection, chemical processing, energy, food, ports, postal, surface transportation, and water utilities. Included in the handbook are profiles of 170 companies involved in the homeland security market place which will introduce you to potential new partners for business ventures and provide you with a competitor analysis. The reference sections of the handbook provide a complete guidebook to federal agencies, programs of all 50 states, periodicals, trade associations, academic programs and other market research sources.

Multimodal Biometrics
Author/Publisher: International Biometric Group, 2003
International Biometric Group is at the forefront of multimodal biometrics (or multiple biometrics) research. As part of IBG's involvement in the Information Technology Standards (INCITS) Technical Committee M1, Biometrics, IBG is actively involved in multimodal biometrics research. Multimodal biometric systems are those that utilize more than one physiological or behavioral characteristic for enrollment, verification, or identification. This report defines the basic variables and categories of variables involved in multimodal biometric systems, addresses the current body of knowledge regarding these systems, and surveys the market for current and emerging multimodal biometric solutions.

National Strategy for Homeland Security
Author: George W. Bush
Publisher: Diane Publishing Co., 2003

Review and Evaluation of Biometric Techniques for Identification and Authentication: Final Report
May 1999
Author: Dr. Despina Polemi
Includes an appraisal of the areas where various biometrics are most applicable.

Use of Biometric Technologies in MRTD Issuance and Border Entry/Exit Systems
Author/Publisher: International Biometric Group, 2003
This report provides essential material gathered from a number of IBG deliverables, and is the culmination of IBG’s work to date on the complex topic of biometrics in border control, immigration, and MRTD (machine readable travel document)/visa issuance. It is designed to help agencies mitigate risks and gain an up-to-the-minute understanding of performance, technology, policy, privacy, and standards issues involved in the use of biometrics in MRTD and border entry applications.

Secure Human Identification Protocols
Author: Nicholas J. Hopper, et al
Publisher: Computer Science Dept., Carnegie Mellon University
An important challenge is providing secure authentication and identification for unassisted humans. There are a range of protocols for secure identification that require various forms of trusted hardware or software, aimed at protecting privacy and financial assets. But how do we verify our identity, securely, when we don’t have or don’t trust our smart card, palmtop, or laptop?

Science and Technology for Army Homeland Security: Report 1
Author: Committee on Army Service and Technology for Homeland Defense
Publisher: National Academy Press, 2003

State of Biometric Technology Standards
Author/Publisher: International Biometric Group, 2003
Designed for vendors, integrators, and deployers, the "State of Biometric Technology Standards" report provides critical information on standards relevant to biometric products, applications, and deployments. Standards addressed include BioAPI, BAPI, CDSA/HRS, CBEFF, X9.84, M1 activities and SC37 activities (including interoperable template formats, interoperable data formats, biometric performance testing, biometric security evaluations), ANSI/NIST ITL 2000, ANSI B10.8, ICAO (SC17), biometrics and card technologies, and biometrics and cryptographic systems (x.509). This report is absolutely essential for organizations looking to use biometrics in government or financial services applications.

State of Fingerprint Technology
Author/Publisher: International Biometric Group, 2003
This report provides a detailed assessment of fingerprint recognition from an industry and technology perspective. The report leverages years of hands-on experience testing and deploying fingerprint technology, years of interaction with leading fingerprint recognition vendors, and extensive evaluation of the technology for large-scale applications.

State of Facial Recognition Technology
Author/Publisher: International Biometric Group, 2003
This report provides a detailed assessment of facial recognition from an industry and technology perspective. The report leverages years of hands-on experience testing and deploying facial recognition technology, years of interaction with leading facial recognition vendors, and extensive evaluation of the technology for large-scale applications. The report profiles key facial recognition vendors, including Identix, Viisage and Cognitec, and provides facial recognition market projections through 2007. It also examines significant facial recognition deployments and the impact of facial recognition’s incorporation in machine readable travel document applications. The report offers an in-depth analysis of facial recognition performance tests such as FRVT 2002, discusses the use of facial recognition in multimodal biometric applications, and details relevant facial recognition standards. The report also examines the emergence of 3D facial recognition technology and details the landscape of the 3D facial recognition marketplace, profiling vendors such as 3Dbiometrics, A4Vision, Geometrix, Neurodynamics and Genex Technologies.

State of Iris Recognition Technology
Author/Publisher: International Biometric Group, 2003
This report provides a detailed assessment of iris recognition from an industry and technology perspective. The report leverages years of hands-on experience testing and deploying iris technology, years of interaction with leading iris recognition vendors, and extensive evaluation of the technology for large-scale applications.

Appendix D – Education/Training Resources

Introductory Level Biometrics Courses

For those exploring the possibility who have not yet committed to a biometric system, there are symposia, conferences, and short courses available to give a broad overview of biometrics, highlighting different technologies (“modalities”), applications, and the pros and cons of each.

• Biometric Technology: Web-based training course available for anyone sponsored by the American Society for Industrial Security (ASIS) at http://www.stamhost.com/asis/

• Biometrics Technology: Web-based training course available for anyone sponsored by Security Products Online at http://www.stamweb.com/spo/Biometrics.html

Medium Level Biometric Courses

For those organizations which have decided to implement biometrics, or who want more detail, there are longer courses available to provide more detail relative to technology selection, pros & cons, and implementation details. These courses can be attended by middle managers, project officers, members of the IT staff and in some cases IT or biometric technicians.

• The Biometric Knowledge Center (BKnC) at West Virginia University

• Biometric Systems Laboratory (University of Bologna, Italy)

• Center for Identification Technology Research (CITeR)

• Clarkson University Biomedical Signal Analysis Laboratory [21]

• Michigan State University Biometrics Research Homepage

• Purdue University Biometrics Standards, Performance and Assurance Laboratory

• San Jose State University's Biometric Identification Research Effort

• St. Lawrence University SABER

• Student Society for Advancement of Biometrics (SSAB) at West Virginia University

• National Biometric Test Center Collected Works 1997-2000, San Jose State University, Edited by: James L. Wayman, Director, Version 1.3, August 2000

• The Biometrics Institute [22]

[21] Center for Identification Technology Research (CITeR). www.citer.wvu.edu/links.php
[22] http://www.itl.nist.gov/div893/biometrics/

• The Center for Automatic Identification, Ohio University

• The Speech Recognition Group, Rutgers University [23]

• University at Buffalo Center for Unified Biometrics and Sensors (CUBS)

• West Virginia University/FBI Forensic Identification Degree Program

Advanced Biometric Courses and Biometric Certificate Programs [24]

For academics and those who want to know details of algorithms, the matching process, the statistical basis for matching, and testing and evaluation, or individuals interested in earning a certificate in biometrics.

Consultants and Systems Integrators [25]

Consultants and systems integrators can provide needed guidance when evaluating the need for and implementation of biometric systems. Following is a list of selected providers, according to The Biometric Consortium.

• Acuity Market Intelligence
• Biometric Technology, Inc.
• East Shore Technologies
• EyeIT.com, Inc.
• FingerPrint USA
• Fulcrum Strategic Partners, Inc.
• Higgins & Associates, International
• ID Technology Partners
• IDynta Systems, Inc.
• Info Data, Inc.
• Integrated Biometrics
• International Biometric Group (IBG)
• J. Markowitz, Consultants
• Justice Technology Information Network (JUSTNET)
• National Information Assurance Partnership (NIAP)
• Metrics Group
• MITRE
• Mitretek Systems - Biometric Identification
• NIST's Computer Security Resource Center (CSRC)
• Romsey Associates, Ltd.
• SyntheSys Secure Technologies, Inc.
• The Extranet for Security Professional (ESP)

[23] http://www.itl.nist.gov/div893/biometrics/
[24] Biometric Consortium, http://www.biometrics.org/html/links_to.html
[25] from The Biometric Consortium

• Trans Biometric Technologies
• Transecure, Inc.

Bibliography and References

In researching and compiling the BTAM, the authors relied heavily on secondary research from already-published, public sources. The following sources and resources represent works from which information and knowledge was used and referenced, and for which the authors are acknowledged and thanked for sharing this knowledge.

Adams, Mason. Cafeteria ID System Fingers Students. The Roanoke Times. December 10, 2005.

“An Arresting Case for Biometrics.” Biometric Technology Today. May 2005

Anderson, Teresa. The Eyes Have It. Security Management magazine.

Biometric Information Directory. Grey House Publishing. www.greyhouse.com

• Biometric Summit Winter 2006 Proceedings

• “Biometrics and SSO: Helping in Healthcare” Powerpoint presentation from St. Vincent Health

Biometrics in Corrections. National Law Enforcement and Corrections Technology Center. TechBeat. Fall 2000. Blackburn, Duane and Turner, Allan. Biometrics: Separating Myth From Reality. Reprinted from the December 2002 issue of Corrections Today, Vol. 64, No. 7 “Body Language: Using biometric Technology” March 1, 2002, American City & County. City of Glendale, Case Study Digital Persona. Digital Persona http://www.digitalpersona.com Cohn, Jeffrey P., Miles, Christopher A. Tracking Prisoners in Jail with Biometrics: An Experiment in a Navy Brig. National Institute of Justice Journal. NIJ Journal No. 253. January 2006. Daugman, John. Combining Multiple Biometrics. The Computer Laboratory, Cambridge University. Facial Recognition: The Pinellas County Sheriff’s Office Experience. Presentation provided by Scott McCallum “Facial Recognition in Action.” Government Security. August 1, 2004.

Page 173: Biometric Technology Application Manual Volume 2: Applying ... BTAM Vol 2 - Winter 2008.pdf · Published by the National Biometric Security Project (NBSP), the Biometric Technology

4/7/2008 173

Floyd, J. Michael. “Biometrics-The Future Competitive Edge” FE&S. January 2003 “University of Georgia Migrates Recognition Systems HandReaders Campus-wide” press release from IR Recognition Systems. July 30, 1999 Haber, Lynn. “Glendale Locks Down PCs with Digital Persona Biometrics”, October 18, 2001, Ziff Davis http://techupdate.zdnet.com “Hospital Adopts Biometric Security Solution for Workstations”. www.findbiometrics.com Immigration and Naturalization Service Passenger Accelerated Service System Pilot Program. Audit Report 95-8, (3/95). Prepared by the Office of the Inspector General, Audit Division. “India eyes Iridian.” Optics Report. July 12, 2005 “Indian housing plan uses local technology.” Passage to India Business Weekly. July 2005. “Iridian Technologies facilitates affordable housing program in Andhra Pradesh, India; Iris Recognition system validates identification to ensure equal opportunity.” www.zdnetindia.com/news July 13, 2005 Kiernan, Vincent. “Show Your Hand, Not Your ID” The Chronicle of Higher Education-Information Technology. December 2, 2005 Kharif, Olga. “IriScan’s Leader Looks Secure” Business Week Online. July 5, 2005 “Lancaster County Prison uses new ID to keep eye on prisoners.” http://www.naco.org/cnews/1996/96-06-24/17eye.htm “LG Electronics lands huge iris scan program in India.” Government Security News. September 2005. “LGE Iris Tech Win in India Redefines Biometric Scalability.” LG Electronics press release dated September 8, 2005. Mintie, David. “Glendale, CA Goes with Biometrics”, Biometrics in Human Services User Group Newsletter number 27, Volume 6, March 2, 2002. State of Connecticut Misplaced Fears Impede Biometric Adoption. www.findbiometrics.com New York Times Technology Review. April 5, 2006 “Partnering with Viisage to Prevent Identity Theft”

Page 174: Biometric Technology Application Manual Volume 2: Applying ... BTAM Vol 2 - Winter 2008.pdf · Published by the National Biometric Security Project (NBSP), the Biometric Technology

4/7/2008 174

Peck, Bruce. “Rx for Password Headaches” Health Management Technology magazine. January 2003 “Pinellas County Invests in Face-Recognition Technology.” Tampa Bay Business Journal. October 8, 2002 “Pinellas County Sheriff’s Office Deploys New Mobile Identification Solution.” Government Technology. June 18, 2004. Riley, Jr., Richard A.; Kleist, Virginia Franke. “The biometric technologies business case: a systematic approach” Information Management & Computer Security, Apr 2005 Volume: 13 Issue: 2 Page: 89 – 105. Sullivan, Laurie. Iris Scanning for New Jersey Grade School. TechWeb. www.techweb.com January 23, 2006. “St. Petersburg-Clearwater International Airport Deploys Viisage Technology Facial Recognition Security”. Viisage press release. January 22, 2002. “St. Vincent’s Hospital and Healthcare Center” client profile from Saflink Corporation “St. Vincent Solves Security Challenges with CA’s eTrust Single Sign-on” client profile from Computer Associates “The National Biometrics Challenge” National Science and Technology Council (NSTC) Subcommittee on Biometrics. August 2006 “University of Georgia Secures Campus with RSI HandReaders” press release from IR Recognition Systems Verton, Dan. “Hospital Taps Biometrics for Single Sign-on” ComputerWorld. October 2001. “Viisage Awarded $2.4 Million Facial Recognition Contract from Pinellas County.” Viisage press release. October 8, 2002. “Who’s Who: Piece by puzzle piece, FL county checks suspects’ identities.” Government Computer News. August 2, 2004.

Page 175: Biometric Technology Application Manual Volume 2: Applying ... BTAM Vol 2 - Winter 2008.pdf · Published by the National Biometric Security Project (NBSP), the Biometric Technology

4/7/2008 175

Acknowledgements

A special thank you to the following individuals and organizations that contributed their time and expertise to the development of this volume.

• James Cambier
• Valerie Evanoff
• Eizen, Fineburg, and McCarthy, LP
• Gates and Company
• Walter Hamilton
• Scott Harmon
• Chris Hengensten
• C.B. Boots Kuhla
• Beth Langen
• Scott McCallum
• Mohammad Murad
• Bruce Peck
• Russ Ryan
• John Siedlarz
• Donald Smith
• Samir Tamer
• Cathy Tilton
• Dr. James L. Wayman
• Jerry Williams
• Bill Wilson

