Documente Academic
Documente Profesional
Documente Cultură
4/7/2008 1
Biometric Technology Application Manual (BTAM)
Case Studies
Case Study A – India: Ration Card Program ....................................................... 97
Case Study B – State of Illinois: Driver Licensing............................................ 103
Case Study E – University of Georgia: Student ID/Access Control.................. 115
Case Study F – St. Vincent Hospital: Desktop Computer Access..................... 118
4/7/2008 2
About the National Biometric Security Project
The National Biometric Security Project (NBSP) is a tax exempt, nonprofit 501(c)(3)
organization incorporated and headquartered in Washington, DC. Its mission is to
enhance the practice and effectiveness of identity assurance in government and the
private sector, through the application of biometrics, for the purpose of deterring and
detecting terrorist and criminal attacks on the national infrastructure. NBSP was formed
in the immediate aftermath of 9/11 and has been consistently supported by the Congress
to enhance government-wide use of biometrics and improve the capability of the
industrial base.
To reflect its expanded biometric application services, NBSP recently re-established its
Test, Research and Data Center under the new name Biometric Services International,
LLC (BSI). Located in Morgantown, West Virginia, BSI is a wholly owned, non-profit
subsidiary of NBSP and is the only laboratory, exclusively focused on biometrics, to
achieve the coveted ISO/IEC 17025:2005 accreditation for testing. BSI’s biometric
application services have been expanded to address biometric deployment considerations
such as requirements definition, articulation of program goals and objectives,
vulnerability assessments, application impact studies, life-cycle cost analyses and privacy
impact assessments just to name a few. NBSP BSI adds dimension to its biometric
application services with robust Testing, Training and Research capabilities.
BSI adds dimension to its biometric application services with robust Testing, Training
and Research capabilities. Performance Testing assures that biometric products under
consideration for an application will meet manufacturers’ claims and meet or exceed
published biometric performance metrics. Conformance Testing evaluates a biometric
product’s conformance to applicable, published ISO/IEC standards. Products that pass
the performance and the applicable conformance tests become part of BSI’s “Qualified
Products List”, which provides potential users with an independent source of evaluation.
Custom Testing includes, for example, vulnerability assessments, comparative testing,
algorithm testing, sensor testing, product development tests, and interoperability testing.
4/7/2008 3
Abstract
Published by the National Biometric Security Project (NBSP), the Biometric Technology
Application Manual (BTAM) is a comprehensive reference manual on biometric
technology applications. This reference book, in two volumes, has been compiled for
biometric technology users and for those who are evaluating biometrics as an enabling
technology within an integrated system or program for security and identification
assurance. The BTAM is intended to be a rational and practical tool for those who
specify, buy, integrate, operate, and manage biometric technology-based systems.
The experienced biometric practitioner will see much that is familiar in the BTAM. The
publication is not intended to provide all new (never before published) scientific
information. Rather, it is a compilation of published and experience-based information
designed to inform the rapidly growing community of new users, integrators, and
designers, and assist them in their search for practical application solutions. Hopefully, it
will prove to be the standard desktop reference on the subject of biometrics for all levels
of interest and experience.
Generally, this manual has been compiled and is intended for individuals and
organizations that have responsibility for protection of the civil infrastructure and related
applications. These include, but are not limited to:
In researching and compiling the BTAM, the authors relied heavily on secondary
research from published, public sources. For a list of the reference materials, authors,
publications, and other sources used and referenced in this compilation, please see
appropriate footnotes as well as the Bibliography.
4/7/2008 4
Purpose and Objectives
Although the overriding purpose and objectives of the two-volume set are similar,
Volume 1 was developed to be more of a primer on biometrics as it presents and defines
biometrics on a fundamental level, including:
• Biometric System Design. This Section presents guidance and insight as to how
system requirements should be defined and the appropriate performance
specifications documented. Issues such as technical requirements, operational
capabilities, performance expectations, architectural aspects, and other related
concepts are presented in this Section.
4/7/2008 5
• Biometrics Standards and Best Practices provides an overview on biometrics
standards development. The development and adoption of standards is important
for the biometrics industry to become mainstream and more fully integrated into
our critical infrastructure. This Section provides the reader with information as
to the current state of standards development, enabling insight into the various
types of biometric technologies and their vendors – where they are in terms of
complying with industry-approved standards – and explaining why biometrics
standards are critical to integrating full-solution systems.
• Trends and Implications. The final Section of Volume 1 presents some key
trends and implications for biometrics in general, and sets the stage for follow-on
information and additional detail in Volume 2.
Disclaimer
The National Biometric Security Project (NBSP) and the Biometric Technology
Application Manual (BTAM) do not and cannot provide any legal advice nor is the
BTAM a substitute for professional engineering design support. The information in this
publication is for general information purposes only. None of the information contained
in this manual, Volume 1 or Volume 2, is intended to be or should be relied upon as
specific or definitive to the design of a particular program, or system, or process, or legal
policy. The reader should obtain the advice of a suitably qualified engineer, attorney, or
4/7/2008 6
experienced practitioner before taking any action in the application and use of any of the
information contained in this publication.
NBSP intends to regularly update the BTAM with new and revised material from all
relevant sources. NBSP is also very interested in the comments and feedback of its
readers. Readers are encouraged to share their thoughts and impressions on the BTAM –
either Volume 1 or Volume 2 – as well as any suggestions for content corrections, typos,
or errors of omission. Please send feedback to:
Every effort has been made to contact copyright holders for content and images used in
this manual. The publisher apologizes in advance for any unintentional omissions and
will insert appropriate acknowledgements in subsequent editions of this publication when
so advised.
4/7/2008 7
FORWARD
This Volume 2 of the BTAM continues the mission to provide a complete set of reference
tools that are readily available to the biometric community regardless of the reader’s
specialty or level of activity in the technology. Here, we examine “best practices” and
even “not so best” practices, recognizing therein that the deployment and operation of
biometrics systems is still a work in progress.
Finally, the reader is strongly encouraged to help make the BTAM a living and current
tool by recommending changes and improvements in any area. All such
recommendations will be carefully reviewed by NBSP Editors, and by an independent
review Board constituted as required to address controversial proposals for change.
4/7/2008 8
Section 9 – Biometrics Applications
A biometric device can be applied in virtually any scenario in which one might otherwise
use keys, identification cards, security cards, personal identification numbers (PINs), or
passwords to gain access to a physical facility, a virtual domain (information system), or
a process, or to determine eligibility for a privilege. The real value of biometrics is the
potential for use in applications where keys, ID cards, and passwords would be of no
value whatsoever: the “negative identification” applications. The application of
biometric technologies is increasing over a wide array of industries as organizations and
individuals look for higher levels of security and identity assurance. Advances in
biometric devices have made the technology more affordable and less intimidating for
applications where high security, which was a compelling reason initially, is not the
primary objective. More routine applications, such as access to school dining halls, are
now joining the traditional high security applications such as access to military resources
and nuclear power plants. In addition, with the advent of credible identification systems
(the one-to-many process of comparing a submitted biometric sample against all of the
biometric templates on file to determine whether it matches any of the templates), the
breadth of applications which can be achieved has expanded greatly. Today we are not
limited to applications where a claimant must provide a claim of identity such as a user
name, PIN, or password to facilitate the recognition process. Thus a new class of
applications such as refugee processing/control, watch lists, benefits eligibility
determination, duplicate checks, repudiation prevention, forensic identification, and
others not yet conceived or applied are available.
Nonetheless, it is easier and perhaps more meaningful to persons new to the science to
have some sort of organized structure with which to get an overview of the field – and so
a classification system has been developed that covers most of what is being fielded
today. It is important to point out that this classification is categorized by functional
application, and is not organized on the basis of whom or what entity initiates them. It
seems that categorizing applications as Federal, State, Local and Municipal government;
Commercial, Private, or Transportation Sectors; Financial Sector; Manufacturing Sector;
Healthcare Sector; Schools and Education; etc. was not particularly useful for persons
interested in exploring how biometrics can help them. It is certainly true that all of these
4/7/2008 9
entities and sectors provide the settings in which biometrics may and must be applied.
But it serves no useful purpose beyond identifying the policy, funding, and contractual
hoops and wickets that implementers must pass through on their journey to implementing
a biometric system. The important issue is how one functionally applies biometrics to
solve a problem, or improve an existing operation that requires positive human
identification.
4/7/2008 10
A Functional Classification of applications
(with generic examples)
Table 9-1
4/7/2008 11
Following are selected examples of biometric technologies in use today. This section is
not meant to be all-inclusive, but rather to present various biometric technologies in
different usage applications. These examples are further supplemented by more detailed
examples in the Case Studies section of this volume.
San Francisco International Airport, the nation’s fifth busiest, uses hand geometry readers
to verify TSA employees identities to ensure only authorized individuals access sensitive
and secured areas. These hand readers are in addition to those previously employed at
SFO. Since 1991, San Francisco International Airport has employed biometric hand
geometry readers to secure its air operations area (AOA), allowing access to authorized
individuals only.
Additionally, in January 2006, a live test of e-passports, that contain contactless chips
with biographic and biometric information and the readers that are capable of reading
these e-passports began at Terminal G at SFO. This test was a collaborative effort
between the United States, Australia, New Zealand, and Singapore that ran through April
2006. The test was successful. A total of 1,398 e-passports were interrogated and the
systems’ performance pointed to significant progress in readability since the government
first started testing e-passports in 2004. The U.S. Department of Homeland Security used
the results of that test to determine which inlays (chips) to use in the e-passports issued to
U.S. citizens.
4/7/2008 12
A nuclear power plant in Japan has adopted a facial recognition system known as Face
VACS (Cognitec Systems) to replace an older, manual system of access control. The
advanced functionality allows employees to access high security areas in nuclear power
plants faster, at lower cost, and with greater accuracy. At the access point, the face of
every person is captured by a video camera, the facial features are extracted and
translated into a mathematical representation on a template. That template is then
compared in a 1:1 verification application with the enrolled template registered to the
person the entrant claims to be. No change.
The U.S. Office of Legislative Council, which is the legislative drafting service of the
U.S. House of Representatives, has deployed the SAF2000 enterprise biometric
authentication software (by SAFLINK Corporation) on its computers. SAF2000 supports
authentication through iris recognition, finger image identification, speaker verification,
and facial recognition. It offers an event log for recording enrollment, changes to user
profiles, workstation updates, and account deletions. The system supports multiple
databases and director service protocols for secure storage of user profiles, and offers
encrypted biometric algorithms designed to use the maximum number of available bits
from the operating system. The biometric-based system was deployed to help protect the
4/7/2008 13
files and working documents the Office of Legislative Council is working on for the U.S.
House of Representatives. No change.
9.1.3. Identification
The Port of Palm Beach, the 4th busiest container port in Florida and the 8th busiest in
the continental U.S., has implemented a biometrically based visitor management
program. The system logs entry and exit of 200-300 truck drivers as they bring goods in
and out of the port, and others visiting the port each day with fingerprints and
photographs using Cross Match Technologies' VisTrak(TM) and MV 100(TM) digital
fingerprinting systems. The port uses a hand-held fingerprint and photograph capture
system, with built in PDA, to log and transmit the data to a central database wirelessly. It
also captures biometric and biographic information from visitors and checks it against a
banned visitor list. The system enables the port to have an accurate audit trail of visitors,
including fingerprints, photos, time and date of arrival and departure, demographic
information, company, purpose and more, and provides visitors with temporary badges.
The State of Florida has a rule allowing visitors to enter the port a maximum of five times
within a 90-day period. The fingerprinting system automatically keeps track of frequency
and flags any violators. No change.
Sarasota County Florida demonstrates the capabilities of a 1:N iris recognition system
that can identify individuals in a large population without prior claim of identity. While
this specific example features a corrections-law enforcement application, it demonstrates
biometric use outside typical standard access control or information security applications.
Typical of many county jails, the maximum security Sarasota County Detention Center in
Sarasota, Florida, is the processing agent for more than 19,000 arrestees each year. The
facility processes criminals for every police station in the county and provides a
temporary holding place for people arrested for everything from open alcohol containers
to homicide. Once they reach the jail, inmates are segregated according to the severity of
the charges and are transported to the appropriate facilities. The facility itself is capable
of housing 750 inmates.
Under the old system, arrestees were escorted to the booking area where they gave their
name and other personal information and were fingerprinted and photographed. Though
the ID system was computerized, the fingerprints were taken manually, and physically
filed away. When inmates were released on work detail or on parole, prison personnel
relied on the inmate's ID badge and his or her personal knowledge, such as a Social
4/7/2008 14
Security number or birthday, for identification. Comparing fingerprints was inefficient
because positively matching inked fingerprints required calling in a forensic specialist.
With the new biometric system, arrestees are enrolled using iris recognition technology at
a central enrollment station. The active database of persons currently incarcerated at the
detention center is automatically searched in real time (1–2 seconds), and as processing
continues, the archived database of former inmates or arrestees is searched off-line. The
technology has the capacity and capability to search a 50-year history in seconds
(although iris records have only been available for the past several years). Once an
enrollment is in place, the system confirms the identity of all inmates who leave the
facility, whether for court appearances, work crews, or at the time of their release.
As a result, in the first year of operation alone, the detention center detected seven escape
attempts, most cases being inmates trading IDs to assume the identity of an inmate
legally scheduled for release. In one case, Sarasota discovered an arrestee attempting to
pretend to be his identical twin brother on commitment. He had been an inmate at the
detention center sometime earlier in the year and was enrolled in the iris recognition
system. After he was released, he went on a crime spree but was subsequently arrested
on a minor charge. Realizing that there were warrants for his arrest on some very serious
crimes, he attempted to pass himself off as his law-abiding brother. The system’s
automatic archival search identified him out of several thousand former inmates under his
true identity and he was prosecuted accordingly.
Such a recognition system also helps resolve disputes when released inmates are arrested
for a violation of their parole. When individuals are brought in on warrants, they often
claim there has been a case of mistaken identity. Names and Social Security numbers are
sometimes jumbled on warrants, which further confuses the issue. The iris recognition
system tracks the true identity of the individual, in one case establishing that police had
indeed detained the wrong person.
After the Afgan war, the United Nations High Commissioner for Refugees (UNHCR)
used a biometric recognition system capable of high speed search of large databases (up
to 1.5 million) to recognize returning refugees in Peshawar, Pakistan. The staff of the
Takhta Baig Voluntary Repatriation Centre (VRC) performed a check on Afghan
refugees who wished to return to their homeland. These refugees were entitled to a one-
time assistance package, provided they had not been processed through the program
before. The anonymous enrollment process in the iris recognition biometric system
ensured that returnees were making their first visit to the VRC and that they are therefore
legitimately entitled to the aid, by performing a near-instantaneous exhaustive search of
the enrolled database. No PINs were required in the recognition system and the process
was essentially a one-time procedure. Additionally, the system maintained the privacy of
the Afghan refugees, as the only data recorded was the digitized template record.
4/7/2008 15
9.1.5. Commercial Transactions
A retail solutions manufacturer is using hand geometry to track the time and attendance
for 400 hourly employees at its facility in Austin, Texas. The readers eliminate the need
for an employee to carry a badge, thus eliminating the problem of lost or forgotten
badges. Biometric time clocks also eliminate “buddy punching,” the practice of
employees clocking in and out for each other. They provide more accurate information
about who is working at any given moment and help companies eliminate mistakes or
intentional fraud. Additionally, not requiring hourly employees to manually fill in their
time card each pay period results in cumulative cost savings. Before installing the
biometric solution, hourly employees completed paper timesheets, signing in and out
each day. At the end of the pay period, employees had to complete paperwork and give it
to their team leaders for verification prior to entering it into the payroll system. This
process took about 15 minutes per worker—time that could be better spent on the
manufacturing process.
Manufacturing costs are directly affected by the productivity of employees. With its 400
workers spread across four buildings at the Austin facility, the company needed a more
efficient method of collecting time and attendance records and readying the information
for payroll.
The biometric handreader system easily implemented the rules for labor collection and
supported rules that allow the company to allocate time for 15 minutes in the morning
and afternoon for breaks that could be charged directly to overhead, not to a product.
This enables tracking of labor efficiency accurately and developing efficiency reports for
accounting. The system can compare the amount of labor used to manufacture a product
against the forecasted costs, providing management with up-to-the-minute data on their
manufacturing process. This information helps the company plan its hiring, track
overtime usage, and determine the output per person in each area.
The final benefit of the handreader-based system is that it works over the company’s
existing Ethernet network, which eliminated the expense of having to install new wire.
No change.
The following tables provide partial listings of selected usage examples in various
application groups.
4/7/2008 16
Driver License Programs
Table 9-2
4/7/2008 17
State Benefit Programs
Table 9-3
4/7/2008 18
Law Enforcement
Table 9-4
4/7/2008 19
Schools
Table 9-5
4/7/2008 20
Government Operations
Table 9-6
4/7/2008 21
Casinos
Table 9-7
4/7/2008 22
Section 10 – System Requirements and Selection
If the need for positive identification is, or will be, a part of an organization’s normal
operations, then the basic requirement to define, design, and build a biometric component
or subsystem for integration into that operation may be established. Section 10 focuses
on development of a detailed requirements statement as a prelude to design of the
subsystem, as well as the primary issues that should be considered in that design process.
Section 11 and those that follow address the implementation process and long-term
management of the biometric component.
The BTAM is intended to provide guidelines for the design and build process, but will
obviously not, in itself, provide adequate training or resources to prepare an untrained
person to be a qualified practitioner/ designer, electrical engineer or systems integrator.
Sections 10 and 11 are intended to help a qualified engineer, security systems designer, or
technology practitioner include biometrics in program design and implementation.
Operational/Program Requirements
When evaluating the use of biometric technology to meet operational needs for positive
identification, it is first necessary to determine which functions are most appropriate for a
particular operational need. It is important to look closely at what operating goals the
technology is designed to achieve or what problem(s) the technology is supposed to
solve, and then determine who will be using it, what interface the system will have with
other components, what the interoperability requirements are, and what the anticipated
scope and lifespan of the system are. Examples of basic operational/program
requirements, as described in previous sections, are:
Risk/Vulnerability Assessment
4/7/2008 23
of fraudulent attempts; denial of service issues; process vulnerabilities in the current
operation and so on.
It is also necessary to consider what or who threatens these assets and eligibility
programs. Is the operation subject to terrorist threat, competitors seeking knowledge of
intellectual property, recipes, simple theft from outsiders, employee theft, fraudulent
claims from authorized persons or non-authorized, etc.?
The answers to these questions, condensed in a clear Risk Assessment Summary, will
help determine whether biometrics are only part of a solution, or are of critical
importance to that solution. Coupled with scope issues (e.g., how many biometric
readers will be necessary, how many persons will be enrolled in a biometric system),
these answers will also provide insight into the performance characteristics of a biometric
system and how much it may cost to integrate biometrics into an overall security or
eligibility program. The Risk Summary will also be helpful in doing periodic re-
evaluations of risks and threats to be sure that system performance is consistent with
changing situations and conditions, as well as calculating a cost/benefit ratio.
A. Design Goals
B. Design Considerations
4/7/2008 24
1. Functional
2. Operational
3. Legal
4. Environmental
5. Social
6. Business and Economic
At this stage of analysis, none of these is more important than any other. In each specific
case, however, it will often develop that one or another of these becomes the driving
force affecting the ultimate system design. The following discusses the key aspects of
these six issues.
This aspect of system design asks a basic question regarding the overall purpose or
purposes of the system, a question often best answered by the journalistic questions:
who, what, when, where, and why. Who is going to be using the system for what purpose
at what time/day and at what location? What are the application considerations?
At the simplest level, as noted above, one does not design a biometric security system,
but a security system with biometric components principally designed to improve access
control by enhancing the assurance of identity of and convenience for the persons
requesting entry. In access control applications, the biometric device augments or
replaces more traditional door control devices such as a cipher keypad or proximity card
reader. Electrically, the function of the biometric device is identical to other control
devices: Upon presentation of an approved credential, the device activates or causes the
activation of a relay that releases the door strike.
Referring to the following figure, in some system architectures, the biometric device
itself energizes the door strike (see Figure 10-1) while, in other designs, the biometric
device sends a captured biometric template to a central processor. If the template
matches that of an enrolled person, the central processor activates or energizes the strike
relay. A third variation is one in which an identity verification takes place at a remote
door control mechanism. An option for integrating biometrics into existing access
control systems is for the biometric device to communicate with an access control panel,
using the same communications protocol as non-biometric devices, such as card readers
or keypads.
4/7/2008 25
Secure Access
Fig. 10-B
Security Control
Figure 10-1
4/7/2008 26
Which of these basic design approaches is most appropriate depends upon the overall
system design and architecture, reliability and performance expectations, and budget and
legacy system constraints.
Examples of System Requirement statements that are typical of physical access control
functional issues include:
* I need to move 450 employees into my facility through three portals between the
hours of 0730 and 0830 each weekday morning. 80% of those employees use
Portal A, 15% use Portal B, and 5% use Portal C.
• Given the size of my workforce, and the ongoing cost and operational disruption
of maintaining our current card-based security system, I want to eliminate cards.
* Given the potential for a 30% expansion of the facility and employee population, I
want to be able to upgrade any biometric solution as circumstances dictate in the
future. This could include designation of additional secure areas within my
facilities with higher security requirements demanding different types of
biometric systems.
• Will the biometric device of choice operate in a stand-alone mode in which all
users are enrolled at the device. In this instance:
o Does the device control the door via a relay or does it send a signal to a
separate door control mechanism?
o Does the device record each entry for subsequent downloading?
o Does the device have a mechanism for backing up the enrollment database?
o Does the data flow into the primary security system or directly to a
proprietary door control?
4/7/2008 27
o If biometric matching is performed at a central server, what happens when
the network crashes?
• What are the power requirements and where are the power sources?
• What alarm reporting and response provisions does the system offer?
The use of biometrics to control access to logical systems is not new, but not nearly as
mature as for physical access control. Most implementations are at the workstation level
in which the biometric control is integrated into the physical case and electronics of the
workstation, whether a “desktop” system or a “laptop.” Other systems use a plug-in
biometric device, typically a fingerprint peripheral connected to a USB port or by
embedding the fingerprint sensor directly in a laptop housing. Some time ago, a
manufacturer marketed a plug-in, table-top device using iris recognition as the biometric
of choice. Either integrated or USB plug-ins should be sufficient for most applications,
but it is suspected that the plug-in devices would not be able to satisfy the higher levels of
government secure computing protocols. Testing of the built-in or integrated devices by
a Common Criteria Testing Laboratory (CCTL) would be required to verify the
acceptability of these devices for high security computing.
In virtually all cases, the biometric device authenticates the person touching (or looking
at) it, and enables operation of the workstation. The computing system and anyone at a
remote terminal communicating with the “secured” workstation assumes (and this is a
very profound assumption to be aware of) that the keystrokes generated or the files
accessed following authentication are the actions of the authenticated person. Some
computing systems include a keystroke recognition sub-routine that portends to verify the
user as he/she types by measuring typing rhythm and style as a form of behavioral
biometric, once access is granted to the keyboard. In principle, this approach would
establish continuing authentication of the user, but this implies a consistent matching
accuracy level for keystroke dynamics yet to be independently validated. Another
approach to continuous presence monitoring would be to use a constant video assessment
confirming the presence of one person at the keyboard and that the person’s face or eye is
recognized by a facial or iris recognition biometric, respectively.
4/7/2008 28
Authentication systems can also verify or recognize the identity of an individual for some
useful purpose other than granting access to a physical or virtual asset. These include
three main uses:
• Communications
• Authorizations
• Non-repudiation
Communications
Biometric systems can be used in communications as part of the data encryption process
(a matter beyond the scope of this manual) and to authenticate users. As noted above, it
is one thing to successfully activate the biometric device by an enrolled user, but quite
another to ensure that the originally authenticated person is still operating the keyboard
and not an unauthorized person sending or receiving sensitive data. Biometric
identification alone, in this context, might not be sufficient for a truly secure system. At
the same time, non-biometric subsystems, including encryption products such as public
key infrastructure1 (PKI) are not a complete substitute for biometrics in identity
validation of the actual user.
Authorizations
The number of specific uses of biometrics for an authorization function is extensive.
Some examples currently using biometrics include processing and distribution of welfare
benefits, issuing and examination of drivers licenses, access to medical records (under
HIPAA), and validation of various government and private industry identification cards
and credentials. It is important to note the difference between “authentication” and
“authorization”. The role of biometrics is to support the latter by performing the former.
Non-Repudiation
In the areas of classified document production and control, financial transactions, and
legal contracts, it is important to be able to affirm that a certain person did, in fact sign
for or generate a particular document or transaction, thus providing a strong basis for
non-repudiation, barring the individual from denying they signed the contract, published
the document, removed it from secure storage, or participated in the transaction.
1
A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet
to securely and privately exchange data and money through the use of a public and a private cryptographic
key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a
digital certificate that can identify an individual or an organization and directory services that can store and,
when necessary, revoke the certificates
4/7/2008 29
application and the impact of its use. From past experiences, for example, the
participation rate in an essential welfare program was much lower than expected when a
new biometric system was adopted. On analysis, it was determined that the use of a
fingerprint system had deterred many eligible participants who feared the data would be
sent to law enforcement officials. In this case, a decision was made to use a hand
geometry device instead. Participation immediately and dramatically increased. On the
positive argument supporting reduced participation, the biometric-based system reduced
the number of double- and triple-dippers, thereby eliminating duplicate or triplicate
applications from a single person.
To ensure most aspects of system design are addressed, it is worthwhile to return to the
basic questions regarding the overall design and purpose of the system mentioned earlier:
who, what, when, where, and why. Who is going to be using the system for what purpose
at what time/day and at what location?
A brief description of the ultimate system to be installed, addressing and including the
answers to those questions is fundamental to developing a clear view of what remaining
functional requirements one’s biometric system/component must perform.
How many?
How many people will be using the system? The answer to this question will affect
which technologies should be used or considered. If only a few people are going to use
the system, then almost any biometric—all other issues being equal—will do. On the
other hand, if there will be a very large number of users, then there will be a number of
subsequent issues (see “Throughput”).
Age?
Age of the user population may be an important consideration depending on the type of
biometric equipment that will be used. Age can impact the incidence of Failure to Enroll
as well as cause training issues. The ability of some biometrics to function well is
sometimes a function of the age of the subject. For example, the skin on the hands of
older people tends to become very smooth and fine, making it very difficult for some
fingerprint sensors to acquire a well-defined image of the fingerprint ridge pattern, thus
making it difficult to enroll the subject into the system. Arthritis can also cause problems
for those using hand geometry readers. If this is a major concern, other biometric
technologies that feature easier enrollment and use (such as facial or iris recognition
systems) may be an appropriate alternative. Other technologies may require users,
4/7/2008 30
relatively speaking, to pay greater attention to detail and process (such as some
fingerprint and hand geometry systems) that involve precision in both finger or hand
placement and the entry of a PIN, a requirement that may overly tax persons with
declining physical and mental acuity.
In all cases in defining Who, the issue is not whether the user group includes some
persons who may challenge the system, but whether the group includes a majority of
users who may challenge the system. It is important to understand that even if a majority
of a user group can use a system, a significant minority with usage difficulties can bring
the entire system down. An industrial plant may be assumed to provide shelter and work
for a wide range of ages and races, as well as an even split on gender. On the other hand,
a nursing home may compromise a number of users who will, unfortunately, challenge
certain technologies, suggesting that, in such instances, some other biometric technology
should be considered. If workplace protocol requires staff to always wear protective
clothing, such as latex gloves, then fingerprint technology might not be an appropriate
choice for routine authentication.
What?
What is the proposed technological solution of which the biometric device(s) are
expected to be a part, and what is the problem the solution is designed to address?
Additional “what” questions include:
Technology
In what sort of technical environment will the biometric devices be employed? Will the
biometric be the technical highlight of the system—such as in a benefits distribution
center—or will it be overshadowed by a significant application of other technologies for
identification, security, and other purposes?
The level of training is most likely to be a function of the technical aptitude and
experience of the operators and users, coupled with the complexity of the biometric
technology. Adequate training for biometric use must be provided regardless of the
overall complexity of the system, i.e. do not short-change biometric training simply
because it may be a relatively minor component of the total system.
4/7/2008 31
Process
In general, what is the system doing? Is it counting votes, distributing benefits, providing
public vehicular law enforcement, processing information, or performing some other
definable function?
Specifically, to what use will the biometric device be put in the context of the operating
system? Will it open doors? Will it allow access to information technology and/or
activate software applications? Will it permit access to or activation of a machine?
Even more specifically, what will the process be for the following biometric-related
functions:
Enrollment
How will users be enrolled? In one large group? Individually as users are registered into
the larger process? Will the enrollment function be distributed to geographic locations
close to the users? Will the user’s self-enroll or will the enrollment process be attended
by a trusted agent? How much time can be dedicated to pre-enrollment instruction on the
enrollment process and the subsequent everyday use of the technology? How much time
can be dedicated per person for the actual enrollment process? What is the expected
allowable Failure to Enroll rate for this technology and this population? What work-
arounds are to be provided for those who cannot be enrolled for one reason or another?
How does this work-around satisfy security requirements on a par with the biometrically
based solution? Just the logistics of enrollment can be daunting. It is important to
determine of enrollment will be supervised, self-enrollment, remote enrollment, etc.
User Training
What amount of user training will be provided? What is the purpose or intent of the
training? How often is this training to be offered?
Anticipated Problems
In addition to enrollment failures, what other problems or anomalies might be
encountered while using the biometric technology?
Termination of a User
What are the rules for how a user’s access privilege is to be removed from the system?
How does this process ensure a permanent removal and prevent the terminated user from
subsequently gaining access?
When?
What are the periods of operation and how often is the biometric to be employed? At
what week(s) of the month or day(s) of the week shall enrolled persons be required to use
the system? Is the use of the biometric component only required during periods of
elevated threat levels? At what time of day do permissions begin and end? The answers
to these questions relate to identifying biometric technologies that are appropriate to the
internal or external environment they must tolerate, an approximation of the level of use
required, and what sort of interaction with the control system is required.
4/7/2008 32
Time/Day
The time of day of expected use will determine whether consideration must be made for
the effects of ambient light or other environmental factors related to time. Many
biometric systems are basically imaging devices that can and will be adversely affected
by sunlight or bright overhead light shining on the image collection device. This is also
related to the more general issue of environmental conditions in which the device may be
installed outdoors. The day(s) of the week the device will be used also has an influence
on the determination of appropriate technologies. A system in which the device is used
only one or two days a week can be more fragile or less demanding than an application in
which the device is expected to function every day, 24 hours a day.
Excluded Period(s)/Location(s)
Often, access control systems will be programmable to enable the exclusion of otherwise
enrolled persons as a function of the time of day and/or the day of the week, month, or
year. Such system may exclude persons on holidays, evenings, and/or weekends. For
example, certain employees may have access on Monday through Friday from 8:00 a.m.
to 5:00 p.m., but should not be in the facility during the weekend.
The system should be configured or configurable to not only pass identification codes to
the processor – whether centralized or localized – where the final pass/reject decision will
be made, but also time and date information.
Where?
Environment: The system description should give the designer a meaningful sense of the
climate and weather conditions for the more challenging venues where the system will be
employed. It should also indicate whether the device(s) are to be mounted outdoors or
indoors as each of these factors affects the choice of technology. There are, of course,
other environmental factors besides weather , including the degree of ruggedization
required (i.e., shock and vibration) and sources of interference (background noise, etc.).
Scope: Scope is essentially a very straightforward, but necessary, issue, the answer to
which defines the size and impact of the installed system. Where, specifically, will the
system be deployed and how extensively? In one city at one location or multiple cities
and/or multiple locations? What is the total expected enrollment capacity? Is the system
scalable across multiple locations and can it grow as additional users are added? The
answers determine the capacities and communications requirements for the devices.
Some products are good for small standalone applications, but falter in large, distributed
systems. Other products are not effectively used unless they have thousands of enrolled
templates and operate in complex communications environments.
Why?
The answer to this question was addressed partially in applications issues above, but is
worthy of a revisit to ensure that all purposes intended for the system as a whole are
included in their varied form(s).
4/7/2008 33
• To prevent welfare fraud
• To prevent unauthorized entry to a facility(ies) or area(s)
• To ensure only authorized drivers are on the streets
• To ensure known or suspected terrorists do not pass a border control point without
further screening
• To ensure only ticketed persons board the aircraft
… and so on.
This is a key question looking for an essential answer. Until the designer knows this
answer, it is not possible to determine whether a given design approach is correct or “off
the mark.” With this in hand, it is possible to evaluate a given design and determine
whether that design will satisfy its primary function in an optimum manner.
a. Performance
b. Reliability
c. Facility
d. Training.
B.2.a. Performance
Performance includes several measures (metrics) of biometric systems. The end-user
needs to understand these metrics, be able to determine what they need to be given the
organizations security policies, and articulate them to the designer.
B.2.a.1 Accuracy.
In modern biometric access control systems, it is rare (but possible) that the right
combination of ambient light, humidity, temperature, feature or image position, etc., can
4/7/2008 34
combine to send an image to the processor that resembles an enrolled template closely
enough to produce a False Accept. Normally, however, that event and combination of
factors is virtually impossible to recreate closely enough to make it repeatable. For this
reason, those who would attempt to by-pass a biometric system do not rely on False
Accepts for access but a more deliberate attack, such as “spoofing”. It is difficult, if not
impossible, to accurately measure the number of False Accepts in an operational setting
(because, of course, the successful imposter is unlikely to report it), but it is possible to
estimate the statistical probability of False Accepts during a pre-operations scenario test
or technology test.
False Rejects are an administrative and operational nuisance in physical or virtual access
control applications, and do not directly cause or represent a security hazard. False
Rejections contribute to weakened security, however, if the rate of False Rejects is so
high that regular users start trying to find ways to circumvent the control—like leaving
the door propped open. High FRRs also weaken security if the users’ objections
influence the security manager to move an adjustable threshold to reduce the incidence of
False Rejects, thus increasing the likelihood of a False Accept.
The objective of the designer and the security manager is to select and use biometric
devices that minimize False Accepts to an optimum level without increasing False
Rejects to an unacceptable level.2
False Accept and False Reject rates are more fully discussed in Volume 1 of the
Biometric Technology Application Manual.
While managers often worry about the FAR, they often do so more than they should. For
example, presume that the statistical probability of an imposter being able to randomly
match the biometric of a legitimate identity purely by coincidence is 1 in 100 (1% FAR).
Looked at from the other perspective, an imposter would have a 99% chance of being
thwarted - not very attractive odds. Thus a biometric system acts as an effective deterrent
to all but the most sophisticated and determined. As biometrics become more and more
sophisticated, the likelihood of hostile forces successfully exploiting a device’s implicit
2
FAR and FRR are inversely related. That is, an adjustment in the sensitivity of the device that decreases
the probability of a False Accept increases the probability of a False Reject. However, the relationship is
not necessarily linear (that a 5% increase in one factor results in a 5% decrease in the other), but it is a
performance factor that needs to be understood.
4/7/2008 35
FAR is very low. Managers should focus on direct attacks on the system, such as the
device’s vulnerability to spoofing.
There is a real and significant difference between a False Accept and an effective spoof.
A true False Accept occurs when, during the matching process, the characteristic or
feature that has just been presented and which is a faithful representation of that
unauthorized person’s real biometric characteristics so closely resembles an enrolled
person’s template that the system declares a match. It is an honest mistake properly
anticipated by the device’s computed FAR. It is a statistic that tells the technology buyer
what the chances are of the door being opened by a casual passerby (i.e., a zero effort
attack). As noted above, such events can happen but are not likely to be routinely
repeated, even seconds apart. A one-time accident/error does not constitute a useful tool
for those with bad intentions.
Spoofing, on the other hand, is a systematic and concerted attempt to fashion some sort of
disguise, artifact, or fake biometric (a mask, a fake finger, a rubber hand, etc.) in a willful
attempt to circumvent the biometric safeguards. It relates to the FAR in the sense that
both events result, if the spoof is successful, in the device being sufficiently convinced of
the similarity between the presented object and the enrolled template that it declares a
match and allows entry to an unauthorized person. What the security manager really
wants to know is to what extreme would a person have to go to purposefully fool or spoof
the technology and thereby routinely gain unauthorized (and even repeatable) access.
Theoretically, any system can be spoofed, provided enough time, labor, and money is
contributed to the attack method. The security manager wants to know how much time,
labor, and money is required to compromise the technology. If there were a convenient
way to characterize this “spoofability” into a simple number like a FAR or FRR, it would
readily become a key factor in product selection. At this time, we have no such magic
bullet, but work is underway to produce a useful estimator of “spoofability”. It should
also be noted that the biometric industry fully recognizes the exposure to spoofing
techniques and senor manufacturers are continually developing sophisticated counter
measures that would render many of the less sophisticated spoofing attacks ineffective.
Throughput is the number of people who can be successfully processed and permitted to
proceed beyond the biometric checkpoint in a given period of time (e.g., six people per
minute). Throughput and False Rejects will often battle for the lead in user irritation in
operating biometric systems and are a major source of system failure. A biometric
screening device that works without errors of any type, but only allows 1 or 2 individuals
to pass the checkpoint per hour (or even per minute) would not be accepted and installed
in most applications. Consider also a user-sign-on application for a company with 10,000
employees who are logging on to their server system in the morning as they report to
work. The system must be able to handle thousands of access requests that come in
around the same time, otherwise there will be significant delays and False Rejects due to
inability to process.
4/7/2008 36
Ultimately, however, throughput, like False Reject Rates, is an administrative or
management issue. A low throughput rate or high reject rate is not, in and of itself, a
security breech. It is an institutional nuisance that, in the worst case, motivates people to
try to find ways to circumvent the irritant, such as propping the controlled door open all
day, a practice that would allow unauthorized persons into the protected space. The
“correct” value for throughput is subjectively established as a rate at least equal to one
more person per unit of time than the minimum rate that management finds acceptable.
The best achievable throughput is one in which there is no discernable delay in the
movement of people passing a biometric checkpoint regardless of the number of people
attempting simultaneous entry. A couple of factors will also impact throughput. These
include population and flow pattern.
Population Size
A major factor affecting the assessment of throughput is the total number of people who
must pass a biometric checkpoint in a specified period of time in a single file. If there are
five doors into a facility and 1,500 people need to enter the facility, then each checkpoint
device needs to process at least 300 people in the unit of time available for personnel
entry. If that limit is 30 minutes, then the throughput needs to be at least 10 people per
minute per portal. This example assumes that all 1,500 people will spontaneously
distribute themselves so that exactly 300 arrive at each of the five separate doors at the
same time – not a likely scenario. Therefore, when developing requirements that will
guide the design of a biometric system, it’s important to observe and know the real-world
flow pattern. For example, if only one of the doors is directly facing the primary parking
lot and the other four are administrative doors allowing access from other interior spaces,
then a primary door with a 10 person per minute throughput will only get 1/3 of the
workforce into the facility in the allotted time. A system designer must either find a
biometric device that processes 50 people per minute, or provide perhaps five biometric
devices servicing that one primary door.
4/7/2008 37
voice recognition biometric system. Likewise, a person with no hands cannot be enrolled
into a fingerprint-based biometric system. At a more subtle level, fingerprints may be
difficult to enroll from the elderly or from persons in certain racial, occupational, or
geographical populations whose fingers may be too dry, too fine, or too smooth, thus
offering poor input data. Individuals whose fingerprints are subject to extraordinary
occupational wear and tear (e.g., brick layers, chemical workers, etc.) are often hard to
enroll. Persons who simply cannot be enrolled in a given technology, however, may be
quite able to be enrolled in another. There will also be instances where a person cannot
interact with the device properly (e.g., a blind person is unable to focus his/her eye
properly in front of an iris recognition reader). Even in the event a marginal quality
enrollment is achieved, such an individual will experience more Failure to Acquire errors
and often be rejected from entry. In these cases, an appropriate work-around or
alternative identification mechanism should be provided.
Another significant difference between False Rejects and FTA is that, with a
good re-enrollment, user re-training and re-orientation, and appropriate
reader device servicing and cleaning, the FTA rate may drop significantly,
almost completely eliminating rejection errors. Little, however, can be
achieved by using these techniques to sometimes reduce true False Rejects.
In theory, if the sensitivity of a device is set to its “equal error point” or
“Crossover Error Point,” (CEP) the FRR should equal the FAR. So, if the
system is set at a CEP equal to 0.01%, yet demonstrates a FRR of 5.00%, the
fair assumption is that FTA rate = 4.99% and FRR = 0.01%. As re-
enrollments are made, re-training is given, and devices are better serviced,
the remaining difference between theoretical FRR and observed rejection
rates should be the measure of the continuing FTA rate.
4/7/2008 38
End users in operational environments sometimes contend that reliability is an issue of
greater importance than performance. They argue legitimately that reliability more often
determines the success or failure of a biometric installation than a few percentage points
difference in FAR and FRR discussed in the foregoing section. With equal validity, they
point out that FAR and FRR are measures of the population behavior in a particular
application environment, and thresholds can be set by the device administrator. Further,
performance factors are negatively affected by the improper use of the biometric
subsystem through poor quality enrollment, inadequate user training, environmental
interference (e.g., variation in lighting), and poor maintenance. Reliability, in contrast, is
largely inherent in the equipment, system design, and technology (modality), and thus
deserves as much if not more attention and care during the design process. The overall
term for this consideration is System Availability (SA). SA is a function of two main
values: Mean Time Between Failure (MTBF) and Mean Time To Repair (MTTR). In
more recent literature, discussions of System Availability have begun to include
references to System Survivability, referring to the ability of a system to recover from an
extraordinary event (such as a power outage) and continue functioning.
B.2.b.1 MTBF
The oldest, most familiar, and best-quantified measure of reliability is Mean Time
Between Failures (MTBF). Through testing, failure rates of individual sensors,
transmission means, servers, processors, human interfaces, and other components can be
documented and validated. System MTBF is another matter, and many biometric
vendors are seldom willing to make claims or commitments as to the system-MTBF and
historically in the biometrics industry have not done so. In addition, it may be nearly
impossible to quantify biometric system MTBF because of the mix of general –purpose
equipment and components in a typical system over which the vendor has no control.
Anecdotal research of existing systems may be the most practical way to derive data on
which to make decisions in the design and selection process.
B.2.b.2 MTTR
MTTR refers to the mean time to repair or recover from an outage or failure. This value
is even less frequently published, even if the manufacturer knows what it is. Biometric
devices are normally always a part of a larger system comprising several different,
unrelated components each with their own MTBF and MTTR. Often, it is much easier to
swap out a defective biometric reader or device than to shut that part of the system down.
Consequently, the effective MTTR is measured in just a few minutes, a trivial length of
time in most circumstances. Often, there is little an end user can do to repair the device,
requiring a return to the factory for repairs. With the availability of express courier
services, effective MTTR becomes, at worst, 24 hours, more or less, from the time the
device is determined to be defective and a replacement unit ordered from the vendor.
4/7/2008 39
SA = MTBF / (MTBF + MTTR)
In more complex systems, management may elect to perform periodic maintenance (M)
on the system, requiring the system to be taken out of service. This value is expressed as
a percent of the total operational time. If, for example, the system is to be shut down for
one hour every six months, then the value of M is 0.0002%. This value is added to the
foregoing equation that becomes:
B2.b.4 Survivability3
Survivability has been defined as “the capability of a system to fulfill its mission in a
timely manner, in the presence of attacks, failures, or accidents.” Survivability analysis
is influenced by several important principles:
3
Ellison, R.J., et al. “Survivable Network Systems, an Emerging Discipline.” Technical Report CMU/SEI-
97-TR-013, 1997.
4/7/2008 40
Consideration needs to be given to the physical and virtual environment into which the
biometric components will be expected to function. This will either be done in the
context of a new or an existing system.
New System
New systems offer opportunity to prepare a well-considered design using the most
current and cost-effective components and procedures available. The downside to a new
system is that there is no baseline of performance for comparison and new systems often
fail to work the first time they are activated, resulting in considerable troubleshooting
activity before realizing success. One way to avoid unnecessary problems is to minimize
the level of innovation throughout the system and avoid reliance on new, unproven, or
untested equipment and technologies without a sound and rational reason. However, if
the need for new technology is compelling, implementation can be staged to test each
component of the technology in installation increments, or in phased pilot tests to
determine that each subsystem is functioning properly before moving on to another new
component or space.
Legacy System
As often as not, the addition of a new biometric component to an access control system
will be an integration into a well-established legacy system. This manual is not intended
to be a comprehensive tutorial on systems integration, but it is essential to have a
comprehensive understanding of the system into which the biometric technology will be
introduced. Most often, compromises will be required and it will be the new, biometric
addition that is expected to bend the most.
2. even later it was discovered, that the same customer had exercised its bargaining
power to acquire a control system that used a proprietary code approach.
In short order, there was a challenge to determine a way to configure the chosen
biometric technology to work with a proximity card. Fortunately, the manufacturer had
anticipated this possibility in applications and had included the necessary capability to
read proximity cards. The software, however, could not read the proximity card and
forward the appropriate information through the system. The manufacturer was so
committed to customer service and satisfaction that its lead software engineer spent 40-50
hours over a weekend rewriting the code to accommodate the proximity card information
and to perform the ‘AND’ function for access control.
4/7/2008 41
Later, after the new, combined solution was demonstrated, the customer announced its
credentials would no longer work since the code transmitted from its cards used a
proprietary code format, instead of the format common to most access control systems.
Fortunately, another software-adjustable feature allowed this latest surprise to be
accommodated.
The point here is that the system designer should not depend on the foresight and
willingness of the manufacturer (whether hardware or software) to provide such prompt
and face-saving solutions to even one problem, let alone several. Rather, sufficient
information must be collected from the owner regarding the existing system (as well as
any side procurements) so as to anticipate these problems and to engineer an appropriate
solution prior to committing the design to specification and order.
One factor having a significant input on the selection and performance of a particular
biometric system is the quantity and quality of training the using agency is able to
provide to both security system operators and system users in the proper method of
enrollment and daily use of the biometric. As discussed above, rejection, whether it is a
False Reject or a Failure to Acquire, along with the throughput rates, is one of the most
disconcerting negative aspects of the application of a biometric technology, but is subject
to significant improvement through effective operator and user training. Design of an
effective biometric system should include a discussion of the training appropriate to the
selected biometric technology and the proposed user population. Emphasis should be
placed on the description of operator responsibilities to ensure that enthusiastic, well-
trained operators conduct effective enrollments and user training to minimize poor
quality enrollments and the likelihood of Failure to Acquire errors.
Several legal aspects of the introduction of any security system must be anticipated and
considered in the final design. These include privacy issues, especially those related to
biometric systems, legislative issues and requirements, liability questions created by
security systems, and compliance with the ADA regulations.
Privacy Rights
Probably the most contentious aspect of biometric technologies is the question of whether
the biometric chosen for a particular application will somehow compromise an
individual’s privacy rights.
For most biometric solutions today, the answer to the privacy question in the United
States is that neither personal privacy compromise nor personal injury is a likely
consequence of using a given biometric technology. This is true not only because few
biometric technologies readily compromise personal information or represent a health
4/7/2008 42
threat, but because manufacturers have gone the extra step to build into their systems,
safeguards that prevent any compromise of physical safety or privacy. It is essential,
however, that security staff be trained in the technology, its operation, and the applicable
law, so they can explain to agency personnel and visitors the nature of the biometric
being used and why it should not compromise privacy and/or threaten personal health.
Some organizations may have a policy that requires a comprehensive privacy impact
assessment (PIA) for any proposed new system. Such an assessment should describe
how biometric data is collected, stored, shared, and protected as well as how errors are
addressed.
Regardless of the current state of privacy laws of the United States or other countries, the
general philosophy of NBSP and the biometric industry at large is to take the proactive
view that a person’s biometric information is “personal” because it is personally
identifiable information or unique to a person. Therefore, it is recommended that
“biometric information” be treated “as if” it were entitled to privacy protection regardless
of the applicable laws, which will vary from jurisdiction to jurisdiction. This approach
circumvents the issue of whether or not an individual’s privacy has been violated.
Similarly, even if the law of one jurisdiction does not treat a person’s biometric as private
today, social standards are likely to dictate changes in privacy laws, including new
legislation that could later mandate treating biometrics as private personal information
entitled to privacy protection. In conclusion, it is recommended that biometric systems
developed today be designed and engineered to safeguard biometric information privacy
so that they are in compliance with developing privacy laws and regulations.
• notice to the individual about how their biometric information will be used,
• separation of the biometric information from other personally identifiable
information to prevent linkage,
• restrictions on access to biometric information,
• transfer or sharing of the biometric information only with the individual’s
consent,
• enforcement measures to ensure compliance with the foregoing, and
• possibly, an individual’s choice to opt out of the system.
4/7/2008 43
Fair Credit and Reporting Act (FCRA), Federal Information Systems Security Act
(FISMA), 21 CFR Part 11 Regulations for Pharmaceutical Electronic Record Keeping,
etc. all have similar language to HIPAA that requires that system operators/owners take
appropriate steps to insure against unauthorized access to sensitive data. Any of the
organizations that fall under these regulatory controls should consider the benefits of
biometric authentication to control user access.
That is, a sufficient recognition of the duty to care is more or less equal to an appropriate
investment in insurance or security systems equal to the probability of a loss of an asset
times the value of that asset. The goal of the security manager or executive manager is to
minimize both the likelihood of any threat and the value of the protected assets that might
be lost. The compromise of essential, classified national security information or
corporate intellectual property (e.g., the formula for Coca-Cola®), cannot normally be
covered by conventional insurance, so the difference is often covered by one or more
layers of manned and automated security solutions.
Implied Security
In some ways, the existence of a security system is a double-edged sword. On one side, a
security system is evidence of management’s recognition of its duty to care. The other
side of the issue is that employees may construe the existence of various security
products—access controls, video surveillance, entry controls—as absolute guarantees that
they are safe from criminal attack or other illegal behaviors, and ignore common
precautions.
ADA Compliance
The Americans with Disabilities Act (ADA) requires that most public buildings,
regardless of ownership, comply with an extensive list of rules governing building design
and equipment used, especially for doors and access control. For example, although new
biometric fingerprint readers are wall mounted more or less in the same location as
proximity card readers, they are ergonomically difficult for wheelchair-bound individuals
to reach and use properly. To be fair, those responsible for developing ADA standards
are not especially well-trained or experienced in modern biometric technologies and are
lagging along with the industry in promulgating meaningful standards outlining
appropriate expectations for system designs.
4/7/2008 44
Section 508 Compliance
Section 508, an amendment to the U.S. Workforce Rehabilitation Act of 1973, is a
federal law mandating that all electronic and information technology developed,
procured, maintained, or used by the federal government be accessible to people with
disabilities. The scope of Section 508 is limited to the federal sector, and includes
binding, enforceable standards, as well as compliance reporting requirements and a
complaint procedure. Section 508 does not apply to the private sector, nor does it
impose requirements on the recipients of federal funding. However, the U.S. Department
of Education requires states funded by the Assistive Technology Act State Grant program
(a grant program that supports consumer-driven state projects to improve access to
assistive technology devices and services) to comply with Section 508.
According to Section 508 criteria (1194.26 Desktop and portable computers), when
biometric forms of user identification or control are used, an alternative form of
identification or activation, which does not require the user to possess particular
biological [biometric] characteristics, shall also be provided.
Accessibility policies like Section 508 vary from country to country, but most countries,
including the European Union, have adopted standards based on the Web Content
Accessibility Guidelines of the World Wide Web Consortium.
As part of the Homeland Security Act of 2002, Congress enacted the SAFETY Act to
provide risk management and litigation management protections for sellers of qualified
anti-terrorism technologies and others in the supply and distribution chain. The aim of
the Act is to encourage the development and deployment of anti-terrorism technologies
that will substantially enhance the protection of the nation.
Specifically, the SAFETY Act creates certain liability limitations for “claims arising out
of, relating to, or resulting from an act of terrorism” where qualified anti-terrorism
technologies have been deployed. The Act reflects the intent of Congress to ensure that
the threat of liability does not deter potential sellers from developing and
commercializing technologies that could significantly reduce the risk of, or mitigate the
effect of, acts of terrorism.
4/7/2008 45
If a technology has received a “Designation” as a Qualified Anti-Terrorism Technology
(QATT), the following legal protections are available in relation to claims arising out of,
relating to, or resulting from an act of terrorism:
If a technology has also received a “Certification” (described below), the following legal
protections for such types of claims are also available.
A Designation is valid for five to eight years and automatically terminates if the Qualified
Anti-Terrorism Technology (QATT) is significantly changed.
4/7/2008 46
The Department of Homeland Security, specifically the Under Secretary for Science and
Technology, is responsible for review and approval of applications for Designation and
Certification of QATTs. Companies wishing to be awarded SAFETY Act protections
must apply to the DHS using the forms provided by DHS, furnish all of the requisite
supporting data and information, and successfully demonstrate compliance with the Act’s
specific criteria. DHS will perform a comprehensive evaluation to determine eligibility
for SAFETY Act Designation or Certification. The evaluation process typically takes
about 120 days to complete.
As of the time of BTAM publication, over 100 technologies are covered under SAFETY
Act protection.
For questions or help with submission of an application under the SAFETY Act, contact
the Office of SAFETY Act Implementation at 1-866-788-9318 or email:
helpdesk@safetyact.com.
Biometric devices are not immune from weather conditions such as rain, snow, heat,
cold, and light. They are also subject to wear and tear in interior environments. The
following paragraphs examine a number of relevant environmental issues.
Indoor
Interior environment concerns are generally based on the wear and tear to which
biometric devices are subjected. Generally, the amount of direct contact with the device
will increase the “wear” factor. These concerns will also vary from installation to
installation.
Office
The most benign interior environment is the common office setting. Generally speaking,
this environment is reasonably (or, at least relatively) clean and quiet. For physical
access applications, the major issue is the volume of traffic through controlled
checkpoints; this is a key factor in determining throughput demand. Expected throughput
rate depends on the number of portals and employees, as well as the distribution of arrival
and departure times. With greater traffic volume there is an inevitable increase in
breakage and failures. Almost any biometric device manufactured should work well in
this environment, although it is important to note that some people who handle a lot of
paper can sometimes have issues with some fingerprint readers. Overhead or back
lighting can also sometimes be an issue.
Industrial
In manufacturing environments, there is a concern not only for devices that can provide
the throughput rate desired—a function of the number of people on staff—but on the
consistent and reliable acquisition of the biometric characteristic by the sensor device.
The hands and fingers are especially vulnerable to dirt, grease, injury, and loss; thus
rendering fingerprint systems more difficult to employ effectively and efficiently than
4/7/2008 47
some other technologies. Also, manufacturing floors can often be noisy, and sometimes
there is dust and other airborne particles in such environments.
Educational
School systems are beginning to adopt biometric access control for both the front door of
the school4 and the dining room or cafeteria5. The controls at the front door provide
security for both students and staff by admitting only those persons known to and trusted
by the school system. The cafeteria controls are designed to streamline the process by
which the students identify themselves as entitled to eat lunch and to access accounts
from which the meal is paid.
Hand geometry technology has been in use for food service applications at the University
of Georgia for more than 30 years. [See University of Georgia Case Study in this
BTAM.] The environment of a school is similar to a busy office building with many of
the same issues. Due to the relatively large numbers of people using the system daily, the
device of choice needs to be durable, quick, and reliable—the emphasis, perhaps, on the
quick and durable at the expense of reliable. There are also occasional parental privacy
concerns, most of which can be offset with a good parental orientation program on
biometrics. Fingerprint technology is also gaining popularity in elementary and
secondary school lunch programs. A number of school districts have implemented
fingerprint technology for school lunch programs. Because it is impractical to expect
young students to remember PINs or to carry ID cards, these fingerprint systems have
been implemented as ‘identification’ applications rather than one-to-one verification
applications. Each child presents their finger to the sensor and the system searches the
entire population of enrolled fingerprints to find a match candidate rather than indexing
to a specific enrolled record through a prior claim of identity as would be provided by an
ID card or PIN entry.
Recreational
Iris recognition has been in use by the military at the Pentagon to control entry not only
to highly classified briefings and restricted spaces, but to the gym, as well. Use is
reported in commercial gyms as well. By using a biometric, gym users do not need to
carry personal identification cards on them when they are dressed in their exercise
clothing. One advantage of iris technology is its extraordinary accuracy and its database
search-match speed. This means that a large database can be searched to determine
identity rather than requiring a prior claim of identity for a match against a single known
record.
4
Sullivan, Laurie. Iris Scanning for New Jersey Grade School. TechWeb. www.techweb.com January 23,
2006.
5
Adams, Mason. Cafeteria ID System Fingers Students. The Roanoke Times. December 10, 2005.
4/7/2008 48
Correctional
Biometrics have been used in correctional facilities for some time.6,7 but not without
resistance. Wardens and jailers tend to be technologically conservative. Few, if any
wardens have been promoted based on their innovative adoption of state-of-the-art
technology, but many have been relieved of duty for jail escapes. Hand geometry was
one of the first technologies to be used in jails and prisons. More recently, fingerprint
and iris recognition systems have been successfully employed. Due to its effectiveness
in performing 1:N searches for individual recognition, iris recognition is often used in
jails to prevent inadvertent and premature release of inmates exploiting identity confusion
and theft.
In one instance8, an arrestee with outstanding warrants was caught during booking
attempting to use his identical but law-abiding twin brother’s name. [See Lancaster
County Prison Case Study in this BTAM.]
Despite the utility of biometrics in prison, the environment includes several unusual
hazards. In most environments protected by biometrics, the users are willing participants
and cooperate with the technology as a condition of employment and as a means to
safeguard themselves and their work. Consequently, they treat the equipment with a
reasonable amount of respect and care. In jails, inmates are constantly challenging
anything that complicates their desire to be anywhere but in jail. A major East Coast
correctional facility using fingerprint technology investigated iris recognition technology
when they discovered inmates were using their fingernails to scrape away at the bar code
on their wrist bands that contained their biometric template. If the technology could not
read the bar code, then the staff had to use some other means to verify their identity prior
to the inmate being allowed to pass certain check points. This resulted in excessive staff
time and materials costs. Any lens type of surface, whether a fingerprint platen or an iris
imaging lens, will be subject to repeated efforts to scratch and obscure the lens rendering
the device useless until repaired.
Outdoor
Biometric technologies are often challenged when employed in outdoor environments,
normally the exterior door to protected buildings.
6
Cohn, Jeffrey P., Miles, Christopher A. Tracking Prisoners in Jail with Biometrics: An Experiment in a
Navy Brig. National Institute of Justice Journal. NIJ Journal No. 253. January 2006.
7
Biometrics in Corrections. National Law Enforcement and Corrections Technology Center. TechBeat.
Fall 2000.
8
Anderson, Teresa. The Eyes Have It. Security Management magazine.
4/7/2008 49
Climate
There are few climate zones free from challenges to biometrics. At some time of the
year, almost all regions are subject to extremes in temperature and humidity. The
performance of electromechanical devices begins to deteriorate significantly in extreme
cold or heat. When cold, moving parts tend to slow down and critical timings are often
affected. In extreme heat, electrical circuits begin to fail. Likewise, although biometrics
are usually not affected by the extremely low humidity in desert environments, blowing
sand that often accompanies such conditions will prematurely age devices left exposed,
as well as impair reader performance.
Likewise, biometric devices are no different than other electromechanical systems when
exposed to the elements. Prolonged exposure to sunshine will result in the degradation
and ultimate disintegration of plastic cases and keypads. Exposure to any sort of
moisture, especially wind-blown seawater, accelerates the corrosion of metal
components. Melting snow, is another source of moisture contamination. As mentioned
above, blowing sand will eventually degrade exposed devices. For biometric technology
to function adequately in outdoor weather-exposed environments, it must be housed and
protected from the elements in accordance with appropriate standards for such use.
Neighborhood Environment
Whenever biometric equipment is installed outdoors, the history of criminal in
surrounding neighborhood should be examined. Is it a location with a high crime rate,
including vandalism and other petty property crimes, or is it a relatively benign area?
Religious Concerns
Some fundamentalist groups continue to challenge technology in general and biometrics
in particular with references to the “mark of the beast”, as found in the Book of
Revelations in the Bible, and the assignment of record numbers in access control
databases. Why these groups do not realize that any type of access control system
(biometric-based or not) does the same kind of database assignment is not clear. Perhaps
it is just the relative novelty of biometrics.
Another concern affecting the use of biometrics is the issue of the proscription of making
“graven images.” In such cases, facial recognition systems or any other imaging system
recording a recognizable image of the individual would be challenged. Whether imaging
only portions of the individual, such as the fingerprints, eyes, ears, etc., constitutes
graven images or not is a matter of local practice and culture and defies generalization. It
is a question, however, the designer must address before proceeding with a particular
biometric technology.
4/7/2008 50
Financial
There is occasional resistance to the use of biometrics in financial applications, and it can
be extremely strong, if not widespread. Identity theft in a financial context is different
than in an access control context. In access control if someone steals my identity it’s not
so personal. Sure, they can get access to my workplace, gym, or medical records, but 1)
they then have to engage in some second tier, undefined skullduggery, 2) it may only
affect my employer’s assets, or someone else and not me personally, and 3) the impact
may be minimal such as a tightening of security procedures, or re-enrolling or getting
another PIN. Stealing my identity in a financial context, however, could have an
immediate and devastating impact on my entire financial well-being.
There is often a basic misconception of how biometrics work as well, and thus unrealistic
fears for identity theft. A persistent concern is the inherent, intrinsic nature of one’s own
biometric(s) and the inability of an individual to revoke, change, or re-issue his/her
biometric feature (10 fingers give the fingerprint modality an edge here).
Additionally the potential for someone to “hack” into a system and obtain a biometric
template has been overblown – not impossible, but simply overemphasized as both a
threat and potential consequence. There are a multitude of IT security tools and practices
available such as hashing, encryption, and even third-party anonymous authentication,
that a properly-designed biometric system should possess. More fundamental is the
irreversible nature of the mathematical representation of the biometric inherent in the
template that prevents creation of an image from a template.
Thus, a properly designed, constructed, and protected biometric system poses no greater
threat in the financial context than in any other, and indeed, a much reduced threat when
compared to the more traditional and pervasive PIN, card, and password systems in use
today.
4/7/2008 51
Implications of Technology
Biometric systems do not travel without some ‘baggage’ that needs to be recognized and
accommodated. These generally have historical, criminal, or privacy issues associated
with them.
Historical Context
A difficult aspect of designing and installing any new technology, including biometrics,
is the experience and expectation users bring with them to meet the new technology.
Prior to the introduction and use of retina scanning technologies, the public had been
sensitized to the existence and perceived use of lasers for industrial applications. They
were also sensitized to the potentially harmful effects of lasers on eyes. With the arrival
of retina scanning, which did not use lasers, there was considerable user pushback based
on an unfounded concern that using retina scanning would somehow place the user’s eye
in jeopardy. The fact that the technology used a very low power infrared LED (light
emitting diode) technology to illuminate and scan the retina blood vessel pattern was not
well understood by the public and concerns about the safety to the eye became a major
factor in the failure of the technology to become a successful, mainstream biometric
technology.
For years following the introduction of iris recognition, even these products met with
considerable mistrust and apprehension out of concern for the potential risk to the organ
of sight. A part of this was enormous confusion between the retina and iris (the colored
area around the pupil), which still persists today. Slowly, the public has come to
understand that iris recognition technology is based on a very benign video image of the
iris illuminated, but not scanned, by unfocused infrared light.
The lesson of all this, for the designer, is to be mindful of the historical path any product
may have followed and to anticipate any concerns users may raise.
Criminal
Due to its long forensic association with crime and criminals, fingerprint-based systems
often elevate user concerns that submitting their fingerprint(s) images into a system will
somehow subject them to identification to or investigation by law enforcement officials.
This is a real and serious issue. From a technical perspective, it is entirely feasible that a
law enforcement official could acquire a company’s fingerprint database and examine the
enrolled templates in a search for fugitives. The employee’s safeguards are not technical,
but procedural. It is company policy, practice, and legal due process that stand between
this exposure and a third-party search of the database. Persons designing applications
that rely upon fingerprint technology should recognize this concern and develop
meaningful policy safeguards and procedures to ensure that such searches can only take
place in a lawful and strictly controlled manner (e.g., under subpoena).
This user concern has contributed to the adoption of alternative non-fingerprint systems,
such as iris, or hand geometry-based technologies, since these technologies do not
currently relate to traditional law enforcement investigative tools like fingerprints.
4/7/2008 52
Other than face, none of the non-fingerprint technologies is used in large, central,
criminally-oriented databases.
Perceptual Concerns
There are a variety of concerns that people raise in opposition to the use of biometrics.
The extent to which these are true beliefs of the objecting persons or simply excuses for
avoiding something new is undeterminable, and not necessarily germane when
implementing a biometric system. The issue is to be prepared to address these concerns
in a positive and sincere way to elicit a cooperative, rather than forced support of an
impending biometric system. Some of these concerns and an appropriate response are
itemized9,10 in the following table:
9
Blackburn, Duane and Turner, Allan. Biometrics: Separating Myth From Reality. Reprinted from the
December 2002 issue of Corrections Today, Vol. 64, No. 7
10
Misplaced Fears Impede Biometric Adoption. www.findbiometrics.com
4/7/2008 53
Table 10-2
Biometrics in Biometrics work in real-life just Not usually, since the bad guy is often
general like they do in spy novels and able to beat the biometric system in the
movies movies; this task is far more difficult – if not
impossible – in reality.
Biometric technologies will work Not every biometric technology will work
for everyone for every person. Some people are
missing hands and fingers, for example.
Or their fingerprints are difficult to read.
Fingerprints are used in law True, but there are many non-law
enforcement to find criminals. enforcement applications in use today.
Fake fingers can fool a fingerprint Not generally true. Today’s technology
authentication system. uses algorithms that can detect 3-D
structures so photocopies, transparencies,
or latent images are not accepted. Mature
technologies are adding various tests for
liveness detection that are increasing the
technologies’ protection against artifacts.
Iris An examination of the iris will Not true. Despite Iridologists claims to
Recognition reveal health-related information. the contrary, iris recognition does not
reflect current health conditions or
diseases. No current iris biometric device
has any integrated diagnostic capability.
The laser beams that go into my
eyes will cause damage. No lasers are used for illumination in any
iris biometric system. Illumination is
provided by extremely low-level,
unfocused near IR, proven safe in
scientific studies.
4/7/2008 54
Technology Concern Reality
Facial I don’t want my face to be made This concern is focused on general and
Recognition available for law enforcement or unannounced capture of facial images.
other legal purposes. This is an issue that should be carefully
addressed before a covert application is
approved.
It is sometimes difficult to make an effective business case for the use of biometrics in
security applications on the basis of traditional business criteria such as cost trade-offs or
Return on Investment (ROI). Biometric systems may cost more than conventional card-
based systems, although some savings may be realized through avoiding card
replacement and (in user authentication systems) resetting passwords and PINs. In
biometric time and attendance applications, the cost difference can be rapidly made up
through increased payroll accuracy. The use of biometrics in eligibility applications may,
however, be a very different matter.
A case for the adoption of biometrics is better made on the basis of increasing security to
protect people and assets, avoid property loss, and improve business operations. An
intangible benefit is the degree to which management has fulfilled its responsibility to
stakeholders by introducing security improvements. There is no guarantee that
implementation of a biometrically based access control system can or will prevent all
4/7/2008 55
incidents, accidents, and losses. There is, however, a presumption that doing something
positive is evidence that management is forward-thinking and has the good of the
employees and stakeholders as a high priority.
Additionally, the economic aspects of biometrics are and will be constantly changing;
consequently, it is not possible to state definitively and forever that a given biometric
technology is or is not cost-effectively suited for a particular application. The best we
can do is outline an approach for evaluating the cost-effectiveness and investment returns
as the result of adopting a biometric solution for access control.
Not many years ago, the application of a biometric solution to an access control problem
was not generally cost-effective due to the acquisition and installation cost of biometric
equipment. Conventional access control equipment, as recent as 5-10 years ago, would
normally cost about $2,000 per door in a large facility. To add biometric devices at these
doors would often add $5,000 to $15,000 to each door, depending on the technology
adopted. To justify such an expense, security managers would often have to demonstrate
that the cost to the company or the nation, should security be compromised, was far
greater than the cost of the security equipment and that this difference was not just
marginally greater, but greater by orders of magnitude.
When people would elect not to install a reliable biometric door control at their personal
homes, they would often say that it would be “technical overkill” to do so. In fact, the
real reason was more likely to be an economic one. At a point in time where a common
but quality door lock and key solution is $50-75/door, there is little justification for an
automatic system costing $5,000 to $15,000 to implement. With the passage of time,
however, the cost of reliable biometric solutions has fallen to a point where an effective
front door lock and integrated biometric control is now less than $500-800 at retail.
Within a few years, it is quite likely this solution will be available at a price comparable
to the old key and lock solution. At this point, solution selection criteria cease to be
either technical or economic, but a question of relative reliability and aesthetics.
Cost/Benefits
The decision to install and use biometric technologies is both a security and investment
decision and one complicated with many facets. It is one thing to collect the cost data
and do a comparative analysis with an existing solution for a snapshot in time. It is far
more difficult to factor in and account for the rapid decline in biometric prices, an
increase in product reliability, and the fundamentally vague nature of the value of assets,
especially intellectual property assets or the value of living assets such as rare animals or
distinguished human personalities.
For example, it is relatively easy to determine the appropriate duty to care if the protected
asset is a valuable piece of jewelry: duty to care is satisfied if the cost of the protective
actions (e.g., insurance, physical security, etc.) is some function of the value of the
jewelry times the likelihood of a theft. The former is a matter of professional appraisal
and the latter might be an estimate based on the historical crime rate in the vicinity of the
jewelry.
4/7/2008 56
It is quite something else, however, to determine the proper level of the duty to care if the
asset is the life of the President of the United States, the president of a university, or the
manager of a day care center. Of course, we would not expect the investment for
personal safeguards for the day care center operator to be the same as for the President of
the United States. First, the likelihood of a serious personal attack is normally far greater
for the latter. Second, the level of national disruption in the event of a successful attack
on the day care operator is likely to be far less than a similar attack on the President.
Nevertheless, by how much are the two scenarios different? Intuitively, it is understood
and accepted that there is a difference and that it is not insignificant, but to quantify that
is subjective, and nearly impossible.
The valuation issues notwithstanding, the purpose of this section is to examine the
various aspects involved in performing a meaningful return on investment (ROI) analysis.
Analysis
One approach to cost and ROI analysis is to start with known values and actual current
data points. Once a baseline has been established, several alternative solutions should be
modeled to help analyze the more difficult assumptions. The analysis then considers
these factors in several biometric applications.
The life-cycle period in years [P] will be somewhere between the manufacturer’s
warranty period and the length of time the IRS will impose for a useful life-cycle.
Typically, the warranty period will be short (this protects the manufacturer from having
to pay for normal wear and tear) and the IRS depreciation period will normally be long
and the device will likely be ready for replacement before that time. For the purposes of
this analysis, it is suggested that the sanctioned depreciation period be used.
The third cost is the annual cost to maintain the device(s) throughout its life cycle [M].
This may be as simple as an annual dusting and lubrication, or it may involve a more
frequent visit from a locksmith for disassembly, cleaning, and reassembly. Finally, there
is the cost or value of the asset [V] if lost or compromised, times the likelihood or
probability of loss or compromise [L]. This value says that, if custody of an asset is
retained for a sufficient time, it will be stolen or compromised. Given the previous
discussion, the life-cycle cost [LCC] to install and maintain a particular safeguard may be
calculated from:
4/7/2008 57
LCC = A + R + PM + VL and the annualized value is = LCC/P.
(In this model, the legal ‘duty to care’ is more or less equal to VL and the remaining
values represent steps taken to discharge that responsibility. So, it follows that VL will,
in theory, at least, be less than or equal to A + R + PM, so LCC could be approximated
by 2VL. But as the value of V becomes more and more subjective, the 2VL relationship
becomes more speculative and loses its utility.)
In the case where LCCnew => LCCold + N, the decision to upgrade to the new system
nonetheless would be rationalized by an expectation of a significant increase in M (the
cost to maintain the old), and/or a likelihood that L (probability of loss) is, for some
reason, expected to increase significantly in the near future.
ROI Analysis11
The computation of the return on investment (ROI) of security products is complicated
by the absence of a direct revenue stream resulting from the investment. For this reason,
middle management often views these investments as operating costs to be minimized, an
approach which leads to a false sense of economy. One perspective is that middle
management is preoccupied with the income statement portion of the corporate books
that concentrates on revenues and expenses, the cost to acquire security equipment being
one of the many costs to be managed. The benefits of investments in security, however,
do not appear on the income statement.
Senior management and the shareholders, however, are more involved with the balance
sheet portion of the corporate books and it is here that upward changes or growth in net
worth reflects the benefits of investments in security. It is on this part of the financial
11
“The biometric technologies business case: a systematic approach,” Richard A. Riley Jr, Virginia Franke
Kleist, Information Management & Computer Security, Apr 2005 Volume: 13 Issue: 2 Page: 89 – 105.
4/7/2008 58
report the company will see its return for investing on security technology in the growth
of net assets because of reduced theft or pilferage.
The second problem with assessing the return aspect of investments in security, in
ordinary industrial security applications, is to isolate that portion of increased net worth
that can be attributed to security and not some other corporate action. Likewise, in a
company with falling net assets due to non-security activities, it will be difficult to
identify the loss diversion benefits without which the net worth losses would be even
greater.
In other applications, such as welfare fraud prevention, it may be possible to credit the
application of new, biometrically based security with the reduction in the incidence of
duplicate claims. Even in this case, though, there is an implicit assumption, not
necessarily well-defended, that what is being measured is based only on what has been
detected.
ROI can be forecast to some degree with assumptions identifying current loss levels and
the degree of security enhancement afforded by the new technology. These projections
should be validated post-facto, however, to ensure expectations are being met. The
analysis required to do this validation is useful not only for the peace of mind of the
designer, but to identify any anomalies in the new system. Significant negative
deviations from expected results will signify either a serious misstatement of the
assumptions or an incorrect installation of the new system.
The art and science of designing effective applications with biometric components
requires the ability to skillfully integrate the six major issues that were explained
previously in this Section:
1. Functional
2. Operational
3. Legal
4. Environmental
5. Social
6. Business
Ultimately, compromises may need to be made, but the goal is to specify a system that
equitably recognizes owner’s security expectations; users’ physical limitations, legal
concerns and social expectations; the operational environment; and the system’s
interoperability requirements.
Once designed, the system should be reviewed, briefly, as many as seven times in a
complex design. During each of the initial reviews, the organization and the
designer/integrator should ‘walk through’ the design from the perspective of each of the
six main design factors. The first review, for example, should consider each design
4/7/2008 59
decision in the context of “Does this recognize the functional requirements of the
system?” The second review should just concern itself with the question “Does this
recognize the operational requirements of the system?” Etc., etc. The seventh review
considers the system as an integrated whole. (See Design Process that follows.)
A. Technical Specifications
• The biometric system, including servers, sensors, and remote units shall be sized
to accommodate an expansion to a minimum of 585 persons and meet the
previous throughput requirements without purchase of new equipment.
Additionally, the biometric system shall be BioAPI12 and CBEFF13 compliant and
meet the following criteria for interoperability:
By the time one has completed the foregoing tasks and the preparation of procurement
documents is underway, one should have a reasonably good idea which technologies and
systems will meet the described functional and technical requirements. Technology and
product performance analyses should be a fundamental and parallel part of the processes
described above. In some cases, enough information will have been analyzed to specify
the biometric technology (modality) that will meet the stated functional and technical
requirements. In other cases, more than one technology might be suitable, or
12
See BioAPI Consortium for more information. www.bioapi.org
13
Common Biometric Exchange File Format. See CBEFF (NISTIR 6529-A).
4/7/2008 60
procurement policy may dictate that procurements must be open to all technologies. In
the latter case, the SOW and specification(s) should be written broadly enough to
accommodate a variety of technologies and systems. In those cases a formal technology
and product performance analysis can proceed when proposals have been received.
Unfortunately, the biometric industry has not evolved to the point where this is a simple
and straightforward process. There are test data available from a variety of sources,
however it varies in credibility and reliability. Vendor claims are prone to be overly
optimistic, not solely because of a profit motive, but also because the tests are generally
conducted in the most optimum conditions, by the most knowledgeable people. Other
testing as mentioned in BTAM Volume 1, Section 6, Testing and Evaluation is more
rigorous, but is often conducted for a specific application which may be (but probably
will not be) exactly the same as any other given implementation of a biometric program.
(Please refer to Section 6 for more detailed information.)
Should a technology and product performance analysis be conducted, the results should
be provided to an independent system designer or integrator that has no formal affiliation
with any particular technology or vendor to be assessed and evaluated.
Throughout the foregoing processes the professional services of the referenced system
designer or integrator should be sought, coupled with frequent formal reviews as the
functional requirements are translated to technical requirements and system
specifications. The primary purpose of these frequent reviews is to ensure the system
design parameters accurately and adequately reflect the initial functional requirements.
When including, making, or refining cost estimates in the SOW, there is value to
understanding all the cost components of a biometric system and making some
reasonably accurate estimates of the costs in order to facilitate trade-off decisions and
budgeting. Potential designers, consultants, vendors, and suppliers should be aware of
both direct and indirect costs associated with a biometric system.
Direct costs:
4/7/2008 61
• Research, planning, system evaluation, and selection costs
• Implementation planning costs
• IT staff training costs
• User education and training costs
• Cost of lost productivity during implementation learning curve.
• Security administration, including exception processing (“work-arounds” for
persons unable to use the chosen biometric.)
• Implementation of new exception handling procedures for false rejects
• Revocation costs incurred should the system have to be shut down due to
inadequate planning.
End-User training
Such training should include expectations for and limitations of the system/devices and
provision of documentation regarding the system itself. Such documentation includes,
but is not limited to:
• User’s manual
• Policies governing the use of the technology
• Policies governing the use of biometric templates
Manuals should be short, simple, and to the point. Positive user acceptance will yield
greater success the more confident and secure they are in their knowledge of how the
biometric-based system works and why it was deployed.
Adverse reactions and resistance to a new biometric system can often be traced to lack of
knowledge and even embarrassment because of poor initial performance on the devices.
Supervised walkthroughs and trial-runs will help increase the comfort levels of users and
decrease the pressure placed on them. Such simulations will also help decrease the error
rates in the future when the users will not have someone with them while using the
system.
4/7/2008 62
Proper training and education should always be part of the implementation plan for any
new installation or modification of an existing biometric system. Users will prove
cooperative and supportive of system use if they:
Please see Section 14: Training for more comprehensive information regarding training.
4/7/2008 63
Section 11 – System Engineering, Integration, and Implementation
Having examined in some detail in Section 10 the various considerations and issues that
drive the design process, we now turn our attention to the system engineering process that
implements that design and the important steps that should be addressed.
This section addresses System Engineering from two fundamental perspectives; the
issues that arise in developing a detailed system architectural design, and the process that
will result in a detailed system architecture design. The Engineering and Integration
Issues portion identifies and discusses issues peculiar to biometric technologies, while the
Engineering Process portion focuses on procedures common to biometric sub-systems,
including integration.
The implementation portion of this section addresses procurement and installation. While
the biometric application discussed in this section is physical access control, it should be
recognized that the processes and design issues described are applicable to other types of
biometric installations as well, such as workstation access or network access. In addition,
physical access is not limited to access to a building or room, but may include access to
other physical areas or objects, such as a drug cabinet, bank safety deposit box, etc.
A. General
In general, the System Engineering and Integration of the biometric components of an
access control system are shaped by three main factors. The first is the definition of
security needs and program objectives developed in Section 10.
The second is the design of the overall control system, not just the biometric sub-systems.
As noted elsewhere in this Section, there is really no such thing as a ‘biometric system’,
per se. Rather, there are a wide variety of primary systems that rely upon biometric
devices for identity assurance. These range from physical security access control
systems to welfare fraud prevention systems. It is the function of the primary application
that will define the physical and logical boundaries within which the biometric must
function. Consequently, many of the system’s architectural and functional design
decisions have often been made by the time the biometric sub-system design engineer sits
down to work.
The third factor is whether the design is for a new a system or improvements to a legacy
or existing system. A completely new system offers the opportunity to make correct
design decisions throughout the whole system for optimum performance. On the
downside, a new system is subject to design error at all places within the system, not just
the points where new biometric components are added to an existing, but otherwise
functional, system. This complicates the commissioning process and prolongs the
achievement of operational readiness. While a legacy system offers the advantage of a
working system in which the existing components are likely to be working as designed,
4/7/2008 64
the choice of new biometric components may be constrained by the existing technical
configuration.
B. Specific Issues
These functional concerns led to the development of remote door control units (DCU).
DCUs function much the same as a central control in that they have capacity for a large
number of enrolled templates, but are not affected by loss of power at the central control.
When a person is enrolled in the enterprise system, necessary template and administrative
4/7/2008 65
information is transmitted to each door in the enterprise through which that person is
authorized to pass. The main design consideration is the location of the DCU so that it is
protected from outside attack and tampering. For ease of installation, unfortunately,
many DCUs are placed directly in the plenum just above the protected door. This fact
can and has been exploited by informed adversaries to by-pass the system’s safeguards.
Expansion Requirements
The choice of technology for a security system is influenced in part by the population of
authorized persons it has to monitor and accommodate. While the current population
value must be known at the start of the design process, it is even more important to know
what the projection is for future population expansion over the next 5-6 years14 of the
enterprise’s life. The resulting system design must account for this expansion to avoid
costly retrofitting 2-3 years (or even 3-4 months in the case of rapidly growing offices) in
the future.
Design Presumptions
Underlying the decision to establish a new security system or to renovate a legacy
security system with biometrics is an assumption that the biometric technology will
14
This horizon is appropriate considering the pace of new technology development and the expected
obsolescence of the current design. Considering the impact of Moore’s law (estimating the rate of
microchip capacity enhancement), a 6-year application life ends with the current system 3-4 generations of
chip technology behind.
4/7/2008 66
afford a higher level of personal identification useful for a more efficient and reliable
satisfaction of security objectives. It helps in the assessment and validation of this
assumption if there is a current and actual or anticipated level of security compromise in
the existing system that can be quantified. For example: “Today, we experienced a loss
to pilferage from our storerooms greater than $10,000 per month as the result of the theft
or misuse of keys issued to certain employees. By installing some form of biometric
identification, we can reduce this loss to nearly zero.”
Budget constraints
Naturally, all system designs are subject to budget constraints and these will often limit
the choice of biometric system to be employed. A biometric device may satisfy
performance expectations, but not within the project budget constraints. An affordable
device may not be able to satisfy performance expectations. Ultimately, this impasse
requires a management/owner design decision relaxing performance expectations,
increasing the project budget, or both. In any event, this is a management issue, not a
design question.
Integration
Integration is the process by which two or more sub-systems are brought together for
physical, electrical, and logical interfacing with other components. It is also a process in
which the logical processes and activities of the various components are introduced to the
larger system for proper functioning. In some cases, the manufacturer has anticipated
these requirements, but, in other cases, the integration is the responsibility of the system
integrator. There are at least three main systems with which a new biometric sub-system
will have to work: security, power, and building management.
Power
The biometric sub-system needs to be compatible with the facility’s power system in
terms of voltage type, current, frequency, and distribution plan. Experience has proven
the value of a robust back-up power solution such as heavy duty uninterruptible power
source (UPS) devices at critical nodes.
Building Management
In a number of applications, the biometric system will provide useful inputs to the
security system, but also to the facility’s building management system, turning on lights,
activating elevators, and performing other identity-specific tasks.
4/7/2008 67
Multi-modal Design Considerations
Underlying the concept of multi-mode applications is the thought that, if one biometric is
good, two (or more) biometrics would be better. There is a certain truth to this, but a
multi-modal solution is not without its problems. Essentially, if the probability of a false
accept in one system is PFAR1 = 0.001% and the probability of a false accept in a second
system is PFAR2 = 0.01%, then the PFAR1+2 = PFAR1 x PFAR2 = 0.001 x 0.01 = 0.00001%.
The offside of this relationship is that the improvement in false accept is paid for by an
increase in false rejects. The calculation for this side of the issue is:
P(FR) = 1-[1-PFRR1][1-PFRR2]
= PFRR1 + PFRR2 - PFRR1 PFRR2
Dr. John Daugman (The Computer Laboratory, Cambridge University) has examined this
issue in a brief paper entitled “Combining Multiple Biometrics.”15 In it, he says:
“…There is a common and intuitive assumption that the combination of different tests
must improve performance, because "surely more information is better than less
information." On the other hand, a different intuition suggests that if a strong test is
combined with a weaker test, the resulting decision environment is in a sense
averaged, and the combined performance will lie somewhere between that of the two
tests conducted individually (and hence will be degraded from the performance that
would be obtained by relying solely on the stronger test)
”There is truth in both intuitions. The key to resolving the apparent paradox is that
when two tests are combined, one of the resulting error rates (False Accept or False
Reject rate) becomes better than that of the stronger of the two tests, while the other
error rate becomes worse even than that of the weaker of the tests. If the two
biometric tests differ significantly in their power, and each operates at its own cross-
over point, then combining them gives significantly worse performance than relying
solely on the stronger biometric.” [Emphasis added.]
He concludes:
“…A strong biometric is better alone than in combination with a weaker one...when
both are operating at their cross-over points. To reap benefits from decision
combination, the equations above show that the operating point of the weaker
biometric must be shifted to satisfy the following criteria: If the "OR" Rule is to be
used, the False Accept rate of the weaker test must be made smaller than twice the
15
Daugman, John. Combining Multiple Biometrics. The Computer Laboratory, Cambridge University.
4/7/2008 68
cross-over error rate of the stronger test. If the "AND" Rule is to be used, the False
Reject rate of the weaker test must be made smaller than twice the cross-over error
rate of the stronger test.”
The second issue is the relatively prosaic question of the increased cost of a system using
two or more components instead of just one. One biometric system with outstanding
performance values costs about $8,000-10,000 for an initial installation of 1-2 doors. Its
operational performance is approximately FAR ≈ 0.000001 and FRR (+FTA) ≈ 0.05.%.
Another technology offers comparable performance features, but adds another $4,000-
6,000 to the cost of the integrated system for only a questionable improvement in overall
performance. In an operating environment where there are, for example, 250 people
enrolled, it is not clear what real or practical value has been gained by improving FAR
fractions of errors in the 1:1,000,000 range and nearly doubling the cost. From a
fiduciary perspective, multi-mode combinations seem to make more sense in applications
where two or more relatively inexpensive devices can be combined, or in those instances
in which the quality of input templates may not be high.
Biometric Fusion16
The use of multi-biometric fusion techniques offers a potential solution to some of the
inherent issues associated with the implementation of biometric technology for access
control. One difficulty with single-modality biometric access control is that even a low
failure to enroll or failure to acquire rate can correspond to large numbers of people in
very large deployments. An alternate method of access security then needs to be
implemented for these exception users. Multi-biometric fusion is one such alternate
approach. It entails additional system components and/or complexities, so careful
analysis of the costs and benefits is essential to effective implementation of such an
approach.
The techniques surrounding the use of multiple biometrics have been the subject of
significant academic research to develop the concepts and to quantify the benefits.
Experts in this field communicate these ideas and results, sometimes developing new
expressions and terms needed to convey the findings.
4/7/2008 69
examples are provided to illustrate the use of the terminology and concept in
recognizably airport access control situations.
Multi-biometric Terminology
The first challenge is to establish an agreeable set of terms and definitions to assist in the
accurate and efficient discussion of the field of multi-biometrics. The initial motivation
for addressing terminology is the inconsistent and therefore misleading use of the term
“multi-modal” in the literature. Biometrics specialists came to realize that the term multi-
modal should only be used to describe combinations of two different biometric
modalities, such as face and fingerprint. A new definition established “multi-biometric”
as the broadest term, encompassing any operation that utilized two different biometric
captures or computations, and fused the information in some way to make a single
identity decision.
Within multi-biometric, a distinction was drawn about the differences between systems
using multiple modalities, multiple algorithms, multiple sensors (for the same modality)
and multiple instances of a biometric trait. Thus the agreed upon set of terms for multi-
biometric and its components are:
4/7/2008 70
• Cascaded - pass/fail thresholds of individual biometric captures are used to
determine if additional biometric data is required to be processed to reach an
overall decision
• Layered - individual biometric scores are used to determine the pass/fail
thresholds of other biometric data processing
• Hybrid - indicates the combination of more than one multi-biometric concept in a
particular application.
The following sections pertain primarily to score level fusion approaches. The concepts
of score normalization and score level fusion are summarized at a high level.
Score normalization
Different biometric devices generate their matching statistic in different (and proprietary)
ways. Some may produce a similarity score (high being a good match) or a dissimilarity
score (such as a hamming distance). There is also no uniformity in the range or scale of
these scores, hence the need for normalization prior to combining the scores.
Score normalization maps scores into a domain (for example 0.0 to 1.0) where they
possess a common meaning in terms of biometric performance. Thus score normalization
adapts the parameters of the matching score distributions to the outputs of the individual
matchers, such that the normalized matching score distributions exist in a common
domain. Score normalization is closely related to score level fusion since it affects how
scores are combined and interpreted in terms of biometric performance. Due to these
reasons, scores are generally normalized prior to fusion into a common domain. (Note
that some fusion methods use probability density functions (PDFs) directly and do not
require normalization methods.)
4/7/2008 71
combination approach takes on several forms, such as simple sum, maximum score,
weighted matchers, and user weighting along with many other more complex approaches.
E. Hypothetical Examples
The following examples are provided to assist in understanding the concepts of multi-
biometrics, described using the terminology introduced above. These are not intended to
represent any specific known application, but are rather theoretical designs that may be
recognizable as suitable for airport access control applications. Each example outlines
the application, describes the technical approach, and then reflects on the strengths
(advantages) and weaknesses (disadvantages) anticipated for such a system.
Application: Attended Physical Access Control. Typical of an airport access control for
identity verification of cooperative, enrolled end users at intended points of entry,
monitored by a security agent or guard.
Technical Description: Fingerprint and Iris Recognition modalities. All end users are
processed for enrollment in both modalities, attempting to enroll one or two fingers and
one or two irises per person. Airport enrollment policy permits either iris or any finger
that can be successfully enrolled, both modalities if possible. Identity verification is
performed using the individual pass/fail decisions of each modality in the “OR” logic
form of decision level fusion. The order of biometric presentation is fingerprint first
(because it is faster and easier to use). If the fingerprint verification passes, then no iris
sample is required.
Advantages: This system design is well suited to accepting a very high percentage of
users for enrollment based on the liberal enrollment policy and the multi-modal nature of
the design. Using the “OR” logic promotes a potentially very low false rejection rate.
Employing the sequential sampling technique along with the “OR” logic, and choosing
the fingerprint first as the faster sampling modality, provides for a very low transaction
time (or high throughput) which is highly desirable in many airport high volume
applications.
Disadvantages: The design calls for both fingerprint and iris sensors at all access points,
which incurs additional acquisition, installation, enrollment, license and maintenance
costs. The use of “OR” logic, while minimizing false rejection rate does amplify the
potential for false acceptance. (This can be mitigated by proper selection of the
individual decision thresholds for each modality.) Depending on the level of anti-
spoofing countermeasures provided by the vendor, “OR” logic is subject to attack with
device “spoofing” techniques (such as “fake fingers” or iris-replicating contact lenses)
since only one modality is needed to pass. In this scenario, obvious and elaborate
spoofing techniques are impractical since the access point is attended by a security agent.
4/7/2008 72
Application: Low-cost Unattended Logical/Physical Access Control. This application is
suitable for a moderate to large scale deployment with distributed access points that
requires a relatively high degree of security for logical (e.g. computer network) and/or
physical access. Because of the number and geographic distribution of the access points,
this application is not attended by a security agent.
Advantages: This design stresses the low-cost, high security combination for a
distributed access application. Employing score level fusion of multiple instances of a
user’s fingerprints promotes potential for lower false rejection rates at a given acceptable
level of false acceptance rate. The sensor and license costs could be very low.
Disadvantages: Due to the requirement for multiple sequential samples, this design may
incur higher transaction times, so as to be not well suited to high volume access points.
Because the system employs only the fingerprint modality, there typically is a fraction of
the user population who will not be able to enroll (due to fingerprint quality or wear
factors). More generally, because the approach uses multiple samples of only one
modality, if an enrollment problem occurs in one sample, then compared to the multi-
modal approach there is a higher likelihood that a problem will also occur in additional
samples.
Application: Token-less Identification for Privileged Access. Suitable for VIP facility
access or other high volume applications geared to user satisfaction. The users are not
required to identify themselves to the access system after enrollment, and are also not
highly restricted with regard to positioning relative to the sensors.
Technical Description: Face Recognition using distinct sensors. This design employs
conventional video imagery for 2-D face image capture as well as stereoscopic (or other
technique) face imagery for 3-D face modeling. Each user is enrolled with both sensors
(not necessarily simultaneously) at several pose angles (and possibly variation in
4/7/2008 73
lighting). At the time of verification, the video imagery from each sensor is processed
through multiple matching algorithms (as dissimilar in approach as possible). This
stream of processing generates ranked lists of candidates (one list for each sensor-
algorithm pair), or best matching scores when compared with the enrollment database.
The decision logic is based on the “Weighted Sum Rule” with personalized thresholds,
combined with a “Voting Scheme”. Ideally, the user will be correctly identified, and
their identity will appear near or at the top of each candidate list. It is also possible that
the same identity will appear several times on the candidate list due to matches at
different pose angles or lighting variations. This situation is conducive to very accurate
voting scheme logic.
Disadvantages: The enrollment time needed to enroll in both sensors and at the required
range of conditions could be high. The processing logic is still developmental, is
complex and will require careful attention and tuning. Also, the system may use rather
costly sensors and significantly powerful processors, so hardware costs will be high.
A. Pilot Design
It is in the context of these various considerations and issues that the pilot design can
start. The objective of this phase is to provide an inventory of components to be
procured, a preliminary graphic illustration of the relationship of the various components,
and an assessment of the time required to integrate, install, and commission the system.
4/7/2008 74
Conceptual System Design
The initial engineering architectural design is prepared in pilot form following a detailed
analysis of the SOW and an analysis of the current operational environment. If a
Conceptual Design was prepared as part of the detailed analysis recommended in Section
10, that conceptual design should not be accepted blindly as a mandate for further
engineering without detailed analysis of the SOW and operational environment.
New System
New systems have the advantage of being unencumbered by existing components and
architecture. They offer the easiest way to ensure the application of state-of-the-art
technology and products. The disadvantage is the element of risk new technology might
introduce into an otherwise sound design.
Legacy System
Legacy system modifications require attention to existing architectures and processes,
some of which may conflict with a sound application of the new technologies. The initial
design needs to attend to these considerations in detail:
4/7/2008 75
B. Final Engineering Design
The final design is achieved after a review process in which all responsible offices
involved with the funding, installation, and use of the new or modified system have
evaluated relevant sections of the design. After the first review, non-trivial changes to
the design will require a second and, perhaps, a third round of design reviews before the
system design is finalized.
11.3. IMPLEMENTATION
The most technically challenging part of a biometric project is the Engineering Design
phase. This is not to suggest that the implementation of biometric devices is trivial, but
careful attention to the design issues of Section 10 and the engineering/integration issues
just discussed will go a long way toward simplifying the implementation. This Section
assumes the reader has available the trained and qualified service technicians required to
integrate and install the system in a professional manner. No effort is made to instruct on
these techniques in any great detail in this manual.
Procurement
Installation
Training
System Support
Final Deployment and Roll-out
11.3.1. Procurement
Often neglected in design planning, procurement is an essential activity requiring
attention to detail to ensure the right components arrive at the appropriate location in a
timely manner. Some items need to be delivered to the eventual job site, but not until
security is in place to prevent pilferage. Other components need to be delivered to the
contractor’s staging site for pre-integration into larger sub-systems.
11.3.2. Installation
Although the BTAM is not a technical manual designed to provide instructions for
terminations, cable routing, or other aspects of installation work, it can illustrate the
utility and significance of sound installation practices. The installation process is a key
element in establishing and maintaining effective customer relations. Foremost among
the essential aspects of professional installation work are adherence to schedule, budget,
and workmanship. The customer expects the system to arrive and be operational
according to the agreed-upon schedule. The customer expects there will be no surprises
either in schedule or cost. In terms of workmanship, the typical customer expects that the
system will work when it is powered up, the installation will appear neat and tidy, and
that the trash and debris associated with the installation will be carried away.
4/7/2008 76
What the customer does not normally expect, but what makes a great impression, are the
installations where the technician doing the wiring and terminations takes a few extra
moments to minimize slack or surplus wiring and to lay out the cables and wires in neat,
angular turns or curves and arrangements. It suggests to the customer that the installing
company—as well as the design company—has really paid attention to detail and that
they have received a quality system. As a customer, the reader should expect this level
of service. As an installer, the reader should be prepared to deliver this standard of
service.
Pre-Commissioning
Prior to transferring ownership of the new system to the customer, all primary features
and functions must be demonstrated in a satisfactory manner and the owner’s staff
trained in its operation.
Acceptance Testing
Typically, the formal demonstration takes the form of an acceptance test. Presumably,
the system design was based on a customer-prepared statement of work and performance
objectives. The acceptance test should be organized to reflect the structure and content of
the statement of work. Copies of the test protocol are distributed. Each step provides a
place for the customer and lead or commissioning engineer to place their initials
indicating that step was demonstrated satisfactorily, or annotated to indicate what
problems or shortfalls were observed. Any problems should be documented in an issues
list that describes each problem, categorizes its severity, and documents its final
resolution and retesting.
When all items have been properly demonstrated, both parties sign off on the test
document and the owner assumes responsibility and control of the installed system.
Also, this is an appropriate moment for the system warranty to begin, although, on some
projects, title and warranty transfer upon delivery of goods at the job site. This point
should be made clear in the basic work contract.
11.3.3. Training
Training is such a vital part of implementation of any biometric system that we have
devoted an entire section (Section 14) to it. For our purposes in these earlier sections, it
is important to note that provisions for training management, system operators, and
especially end users should be an integral part of the system design, integration and
implementation phase. It must be defined, scheduled and completed by the time of
system acceptance so as to be ready for application as the acceptance testing is completed
and the system comes on line. As the time and resources expended providing after-sale
warranty services are inversely proportional to the quality of the design and installation,
so is the quality of the training provided the new operators and end users. The more
informed and better prepared they are to assume responsibility for effective
implementation of the new system, the fewer phone calls and requests there will be for
service. Please refer to Section 14 for more detail.
4/7/2008 77
Whether provided by the installing sub-contractor, the systems integrator, or another
contractor, on-going support will be required to provide periodic preventive maintenance,
and emergency system restoration. In very large systems, the owner will often have
sufficient staff and resources to provide in-house (proprietary) maintenance, but, often, it
will be more cost-effective to retain the system integrator or installer to provide these
services.
• Provisions for continuing operations during the installation phase of the project.
• Provisions for comprehensive system testing and validation prior to turnover.
• Provisions for “Training the trainers”, including specifics such as the vendor or
integrator-provided trainers monitoring the in-house trainers as they begin to train
end users.
• Provisions for training end users and keeping them practiced and current pending
initialization of the system.
• Provisions for exception processing or “work-arounds” during the transition
period.
• If feasible, provisions for operating an existing system in parallel with the
biometric system during the transition period.
• Schedules for all phases of the deployment and roll-out.
• Provisions for alerting the work force to changes in schedule and other
information critical to deployment.
4/7/2008 78
Section 12 – Operations and Management
This section moves the focus of the BTAM from the requirements, design, and
engineering functions to initial and long-term operation of the biometric system or
subsystem. One of the primary concerns of any management team implementing a new
system or policy, is that the new concept or system be fully functional, have employee
support, resolve a problem that affects company performance, and minimize conflict
with the remnants of the prior program (if any) that remain in place. Once again, there is
no real substitute for a plan that assumes responsibility for operations at turnover and
fully exploits the advantages offered by the new technology.
People, by nature, tend to be wary of something they do not understand or that is foreign
to the day-to-day processes with which they are familiar. Planning, documented in the
form of an Operating Plan, defines the process from initial introduction into the facility
to the eventual steady-state process of day-to-day functionality. If an Operating Plan for
the facility already exists in the form of a security plan or some other document, than the
operating management entity needs to consider and address the impact of the biometric
subsystem on that existing operating document. If such a plan is not in place, then a new
one that covers the issues to be considered for biometric usage should be prepared. In
such cases, it may be an opportunity to more fully address the overall integrated system
as well as the biometric component.
When it comes to developing an Operations Plan for both routine and non-routine
operations of a biometric identification system, there are no fixed definitions as to what
must be included. The security manager for the organization or his/her equivalent, with a
modicum of training, can define all of the operating issues that will need to be addressed.
As an alternative, an experienced practitioner can be engaged to develop the Operations
Plan for the organization, with the significant input and participation of the manager who
will live with the final product. For the most part, a logical Operations Plan would
consist, as a minimum, of the following elements. These should be addressed in as much
detail as possible to ensure that all stakeholders in the system have a reference for what is
expected of the biometric component, and how it is intended to support the overall goals
of the organization.
4/7/2008 79
Support and supply requirements
Description of operations and procedures (planned or emergency) in a
non-normal or non-operating environment.
Catastrophic failure
Partial failure
Work-around procedures
Exception handling
Testing the system
Organizational/Corporate Support
Interface with external organizations
Security/police
State and local government
Training
Maintenance and Service
Routine and Preventive
Emergency and response
Resources and Budgeting
While this is not an attempt to cover all of the details that should be addressed in each of
these suggested areas, the following comments are offered for focused consideration.
When developing the roles or functions for each identified person involved in the
operating system , nothing should be assumed. It is extremely important to the success of
the mission and the overall effectiveness of the operation that everyone perceives their
function clearly. All plans need to be flexible, adjusting to results as they occur during
the action phase of implementation.
4/7/2008 80
12.1.3. Description of the Normal Operating Environment
Speak to how the system fits in the organization’s security or other application program,
describing the process and the normal encounter that each user can expect. Describe the
function of operating personnel and their interface with both the system and the users.
Cover operation of the equipment to the extent that user and operator intervention or
contact is involved. Discuss issues that could occur and how they will be resolved.
Address supply or operating maintenance issues (like cleaning).
12.1.5. Testing
Discuss plans for testing the system on a scheduled and unscheduled basis to periodically
evaluate performance (machine and personnel) and to maintain confidence in system
operations.
Like all audits, there is a sense of one group of individuals (the auditors) being cast in the
role of the “black hats” while those being audited are perceived to be the “white hats”
who are targeted to determine performance shortfalls. In reality, both groups, the
auditors and those being audited, should be working toward the common goal of
4/7/2008 81
identifying system abnormalities and identifying corrective actions to ensure required
system performance. Since audits tend to have a major impact on company operations in
that they are disruptive of the daily routine and are normally performed during operating
hours so that those responsible for performing a function are available to respond to
auditor’s requests for data, audits should not be performed more than once a year unless
problems dictate otherwise.
Similarly, system tests are intended to determine performance of the biometric system
against operational requirements, but on a real-time basis. The system level testing
should be designed to evaluate and determine performance of both the hardware and
personnel, both the user and the operator. A system level technical test, if designed
properly, would include not only an evaluation of the hardware performance but also the
ability of the maintenance personnel to restore the system to required operational levels
in the event of a failure.
This being said, there are many levels of testing that can be developed in order to
determine the status of the system. Testing can be designed to evaluate and document
only the human component of the system, only the hardware element, or both. Test and
evaluation of the human element should include such functions as:
System hardware elements can be designed to execute required equipment tests either
manually or automatically, with the results documented in a report to management.
Ideally, all elements of the system – operator, user, hardware, and maintainer – should be
subjected to combined testing on a routine basis with a report to management of the test
results and recommendations for correction of deficiencies in system performance. To do
otherwise is to create a situation of false security where security is assumed to be
adequate but, in reality, the facility is highly vulnerable.
4/7/2008 82
Legal Department/Advisor
For the reasons described in Volume 1 as well as earlier in this volume, it is important to
have legal assistance available in reviewing the Operating Plan. Employees concerned
with their personal rights related to system use or concerned about personal identity
issues should have recourse to advice and have the procedure covered in the Operating
Plan. Also, a redress procedure should be defined to ensure prompt correction of any
incorrect information or data that has been entered into the system.
Develop informational brochures to inform existing and new employees about the
technology.
Primary functions that can be addressed in the Operating Plan and are usually within the
purview of this organization/corporate area are:
4/7/2008 83
If the resources are not inherent in the company organization, the Facilities Manager will
be required to provide the necessary support using contracted services for the duration of
the system operation.
12.1.8. Training
One of the key functions that the implementing organization must perform in the
introduction of the biometric technology into the organization is development and
execution of a well-structured training program for users. The training sessions should
include the following:
• A basic description of the technology involved, how it works (and does not work)
• Benefits being provided to the company and the individual employee through the
implementation of the biometric system
• Expected impact on everyone’s daily routine
• Address the expected concerns and fears the employees may have about the
technology such as: privacy issues, health issues (is there any possible damage to
their body), etc.
• Ensure the collected data will be protected, will not be provided outside of the
company, and will be limited to the intended application (security, time and
attendance, payroll, etc.)
• Address the process for enrollment and identification
• Address any religious concerns (use of facial images, iris images, etc.)
• Process for data integrity—will it be destroyed should the employee terminate
employment?
• Accommodation of individuals with disabilities and alternative solutions if
required by the employee demographics.
The training program should be structured to address not only the technical aspects of the
planned system, but also the personal concerns that employees may have.
For a more in-depth discussion about training, see Section 14: Training
4/7/2008 84
Section 13 – Maintenance, Services, and Warranties
The biometric portion of a system, like any other electromechanical system, requires
periodic maintenance to minimize failure (and/or disruption of service) for the want of
cleaning, lubricating, or adjusting. This is especially true with, but not limited to, moving
parts and components, such as door-strikes and sensor alignment mechanisms. Any
surface routinely touched by persons using the biometrics, such as fingerprint platens,
hand geometry platens, etc., require periodic cleaning not only for continuing high
performance, but for the sake of good hygiene as well. Such surfaces are normally no
more a health threat to individuals than doorknobs, but a device that is routinely cleaned
encourages continued use and lowers user resistance to such technologies.
General Requirements
The following is a list of some matters typically addressed by a written warranty.
• What the warranty covers or does not cover. The manufacturer should
disclose what the warranty covers and, if necessary, what it does not cover. For
example, if there are certain components or aspects of the device or system not
covered, then the manufacturer has to describe in detail what those exceptions are.
The warranty should also disclose to whom the warranty is extended and if it is
limited to the original purchaser.
• Period of coverage. The manufacturer should disclose for what period of time
the warranty is active. This part of the warranty should also indicate when the
warranty commences (e.g., on purchase, upon installation, etc.) and under what
circumstances, other than the defined period of coverage, the warranty may
become void (e.g., sale of product to a third party, failure to maintain, etc.).
4/7/2008 85
the product (e.g., repair, replace, refund, etc.). The warranty should also tell
customers where to obtain warranty service and how to reach those persons or
companies. Additionally, the warranty should provide information on the
availability of any informal dispute resolution. The manufacturer should also
explain what it will not do under the warranty program. This explanation may set
forth expenses it will not cover, such as labor, and provide limitations on damages
for defective products, such as an exclusion for consequential damages, etc.
Some states do not allow such exclusions. This is the reason many exclusions are
accompanied by the following statement: “Some states do not allow the exclusion
of or limitations on relief such as incidental or consequential damages, so the
above limitation or exclusion may not apply to you.” Each organization should
determine its own limitations or exclusions as they apply in specific states.
• How state law may affect customer's rights under the warranty. The warranty
should answer this question because implied warranty rights and certain other
warranty rights vary from state to state. Thus, the following statement should be
included: “This warranty gives you specific legal rights, and you may also have
other rights which vary from state to state.”
• Period of coverage. The period of coverage under an implied warranty may vary
considerably from state to state.
4/7/2008 86
• As is. A number of states permit manufacturers to avoid the “implied warranty”
provisions by marking them as to be sold “as-is.” Several states do not permit
“as-is” sales.
The NBSP surveyed 65 manufacturing and integrating companies within the biometric
industry to determine common industry practices with regard to warranties. While the
length of warrantees offered ranged from three to 120 months, all but two offered a
standard 12-month warranty on parts and labor. Eighty-three percent (83%) of
respondents indicated they offer extended warranties for an additional fee. All but one of
the companies requires a Product Return Authorization (PRA) before they would accept a
package submitted for repair service.
4/7/2008 87
Section 14 – Training
The National Biometric Security Project offers a variable length (1-hour to 1-day)
Introduction to Biometrics course. This course is open to anyone and can be tailored to
fit organizational need.
4/7/2008 88
Suggested Course Content – Introductory Level
History of Biometrics First uses – Industrial Age – Early Forensics – Modern Biometrics
4/7/2008 89
Suggested Course Content – Intermediate Level
History of Biometrics First uses – Industrial Age – Early Forensics – Modern Biometrics
Time Required to Install Installation Time and Equipment Speeds – Testing Time –
System Down-time
Deployment and Roll-out Cost Comparison – Time to Implement – Staff Training Required
– Training and Operational Tips
4/7/2008 90
Advanced Courses
For academics and those who want to know details of algorithms, the matching process,
statistical basis for matching, and testing and evaluation, the NBSP is developing an
extended length course (5-10 day). Currently, there is one pre-eminent specialized short
course of five days offered through the UCLA extension system. A growing number of
universities are also offering one or two semester courses. A sample curriculum for a
multi-day advanced level biometrics course follows.
Gaining user acceptance with efficient and correct operation of the biometric security
system is paramount to its success. Successful implementation, initialization, and
operation of a biometric system require managers to understand user concerns and
societal implications of biometrics. Such understanding provides the means to treat and
deal with important privacy issues that can smooth a transition to a new process and gain
user acceptance.
4/7/2008 91
Proper and continued training is of equal importance for all users, including program
managers, IT specialists, and end users. Users of a biometric system must be taught
proper procedure for the system to perform optimally. Users of a biometric system must
also have access to documentation regarding the system itself. Such documentation
includes, but is not limited to:
When training program managers and IT specialists, keep the following in mind:
• These users need the same information as end users, targeted appropriately to
their level of knowledge
• The field of biometric identification is changing rapidly, so advanced users of
such systems need continued training on technological developments, security
issues, and changes in social/legal issues
Manuals should be short, simple, and to the point. The acceptance rate of the users will
be higher because they feel confident and secure in the knowledge of the biometric-based
system. Walk-throughs and trial-runs will help increase the comfort levels of users and
decrease the pressure placed on them. Such simulations will also help decrease the error
rates in the future when the users will not have someone with them while using the
system.
Proper training and education should always be part of the implementation plan for any
new installation or modification of an existing biometric system. Personnel who receive
proper and comprehensive training in the use of the system will prove cooperative and
supportive of system use. They should be guided carefully and unhurriedly through the
enrollment procedure and should be invited to ask questions about the system in general.
As mentioned, they should receive some reference documentation with help/inquiry line
details included as well. These things should be provided in a comfortable, non-
challenging environment.
4/7/2008 92
2. Administration — Instructional training: technical installation, system
management, and maintenance issues
3. Organization — Knowledge-based training: “Why Biometrics is our best
solution”, "Will my fingerprints be stored?"
End Users
The end-user population (employees, contractors, temporarily assigned personnel) must
be trained sufficiently to enable them to use the biometric equipment effectively once the
system is activated. Time between training and actual use of the system (or some portion
thereof) should not exceed a week. This may be challenging when end-user populations
are very large and may require multiple trainers and training sessions or other innovative
schemes, such as operating the biometric system in parallel with a current existing
system, staggering activation of the system, and/or setting up multiple readers near entry
points to enable end-users to practice authentication upon entry.
• Introduction and general overview of biometrics (what they are, how they work)
• Overview of privacy issues, how biometric information will be controlled, end-
user options, and completion of informed-consent forms where deemed
appropriate.
• Detail on the technology (modality) of the specific system to be deployed.
• Demonstration of equipment use and the enrollment process.
• Actual enrollment of each end-user.
• Practice by each end-user on actual equipment.
• Overview of how the system will be implemented, including need for
daily/weekly practice between training and system activation, dates and structure
of staggered implementation, and/or dates and structure of overlap schemes.
• Sources of potential problems with the biometric system and things to avoid (use
of hand cream before using fingerprint platen, use of reflective sunglasses,
expressions in facial systems, etc.)
• Initial actions or troubleshooting by end-users when first encountering a problem
(wiping the platen, taking glasses off, speaking in normal voice, etc.).
• Work-arounds and actions of end-users when troubleshooting fails.
• Actions if system experiences catastrophic failure.
• End-user practice opportunities between training and system activation.
• A repeat of earlier student practice with instructor observation of each end-user.
4/7/2008 93
Where this is not a long-lasting solution, end-users may be integrated into the periodic
initial training for a second time.
A how-to guide for instructors helps ensure uniformity and consistency with the format
used to teach the course using various trainers. Because biometrics are technical in
nature, the organization may adopt policies for use of the technology.
Users tend to be more cooperative and supportive of a security system being adopted if
they:
As part of the overall system deployment plan, calculate the number of persons to be
trained, the length of time that will be required, and the length of time between classroom
training and system implementation. Based on that, write into the vendor or system
statement of work (SOW) the requirement to provide some number of sample sensors to
install at entry control points to allow end users the opportunity for “no-penalty” practice
on a daily basis. Ensure that such sample sensors provide pass/fail or go/no-go feedback
to end users. Stress in the classroom training the need to practice and become familiar
with the approaching biometric equipment/system before the implementation date.
Encourage end users to report problems immediately and take steps to re-enroll if re-
training is not adequate to get them thoroughly familiar with the system.
The following content provides a detailed explanation of the more popular biometric
methods, why each is useful for security, and how-to steps and techniques for users to
apply to a given situation where the technology is in use.
Train only the modality (or biometric technology) that has been selected for the particular
installation and augment that material with material provided by the specific vendor of
the equipment to be installed in the facility or facilities. This may require a provision
spelled out in the SOW.
4/7/2008 94
There are a variety of biometric technologies that are available. Some include those used
for facial recognition, fingerprint identification, hand geometry, iris recognition, and
voice recognition. Some examples of these technologies are described in the chart that
follows.
4/7/2008 95
Table 14-1
Picture Name of Website Weight Applications
System (lbs)
Time and
HandPunch
http://www.compumatictime.com/biometric/index_hp4000.html 6 Attendance
4000
Physical Access
HandKey II http://www.safe-mart.com/hk2.html 6 Control
Transportation
Security, Laboratory
Security,
Infrastructure
Security, Public
LG IrisAccess
http://www.quicksitemaker.com/members/fephila2/iris.html 8 Safety and Justice,
3000
Border Control, Data
Center Security,
Time and
Attendance
Transportation
Security, Laboratory
Security,
Infrastructure
Security, Public
OKI IrisPass-
http://www.oki.com/jp/FSC/iris/en/iriswg.html 13.2 Safety and Justice,
WG
Border Control, Data
Center Security,
Time and
Attendance
Physical Access
MorphoAccess Control; Multi-layer
MA300 http://www.bioservice.ch/english/physical.html# 1.6 Verification for Low-
to-High Security
Time and
FINGER007/P http://kor.idteck.com/product/product_list.php Attendance Access
1.20
?cateANum=1&cateBNum=1&cateDepth=1&prdCateA=1 Controller
Physical Access
FACE007/P Control
http://kor.idteck.com/product/product_list.php 1.25
?cateANum=1&cateBNum=1&cateDepth=1&prdCateA=1
"Face in a Crowd"
Surveillance;
Enables 2D and 3D
ActiveID
http://www.geometrix.com/products/biocamera.html 1.5 Measurements for
Forensic Criminology
Applications
Access Control
System www.magen.ca/.../photos/ N/A Physical Access
Controls different
Mercedes
aspects
voice control - www.whnet.com/4x4/vrm.html N/A
Of the car
Linguatronic
4/7/2008 96
Case Studies
Problem
The government of Andhra Pradesh, India, needed a program to control and manage the
distribution of nearly 80 million state-issued food ration cards. These ration cards
provide citizens with necessities – ranging from electricity to petrol to food – and the
program, historically, has been laden with fraud. The Government of Andhra Pradesh
wanted a solution to eliminate fraudulent cards and theft of goods and services, and to
reduce costs and ensure its citizens are receiving the entitlements they are qualified to
receive. Andhra Pradesh is the fourth largest state in the area, and the fifth largest by
population.
In addition to providing access to goods and services, the ration card is also a pseudo
national ID card for the citizens of Andhra Pradesh. These cards help citizens get
passports, admission into college, and other privileges. All families of the state receive
ration cards. White cards represent those in or near poverty who need assistance; pink
cards are given to those who can afford to buy what they need, whereby the card is used
primarily for identification.
Source: Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State.
Presentation by LG Iris at the Biometrics 2006 Conference, October 2006
The identification solution was also envisioned to be the foundation for an extensive e-
government program. Long-term plans are for using the identification solution as a
means of proving citizenship, as well as for other authentication/identification
applications in the future. The government intends to provide electronic communication
access in every village, including PCs and broadband connectivity, and believes
automated ID authentication is a cornerstone to a successful and pervasive e-government
platform.
4/7/2008 97
The government of Andhra Pradesh also provides a hostel-education program to the
needy children of the state. The identification solution selected for the ration card
program would also be used to confirm the identities and populations of the nearly 4,000
child hostels across the state to reduce fraud and skimming perpetrated by unscrupulous
hostel managers (one might claim, for example, that he has 150 children in the hostel
when, in fact, he has only 50, keeping the extra supplies for himself or selling them on
the black market).
Access to low-income houses and housing subsidy programs for 28,000 families who
apply for housing assistance will also be integrated into the chosen identification
solution. The biometric-based solution will be used to identify citizens to make sure
those who are entitled to such support receive it, and that those who are trying to defraud
the system do not. Historically, the government has learned citizens who have
fraudulently applied and reapplied for low-income housing support, or others who have
applied to receive more than one house.
The government was in need of a solution for administrative control in the allocation of
approximately 9,000 affordable homes in the Guntur District, Andhra Pradesh. Under the
Rajiv Gruha Kapla – affordable housing program for the urban poor – initiated by the
Department of Housing in the State of Andhra Pradesh, an initial stock of affordable
homes in Guntur District would be made available, with an enrollment process that
incorporates iris recognition of applicant couples to prevent duplicate housing
applications.
Prior to implementation of the iris code-based ration card program, most ration cards
were issued to Andhra Pradesh households up to 20 years ago. Since that time, many
more new families have been added to the ration card system, so the new program must
be flexible and scaleable to account for an ever-expanding population.
Process
After testing both iris recognition and fingerprint technologies, the state of Andhra
Pradesh issued an RFP in June 2005 for the use of iris recognition technology in the
ration card program. Some key challenges faced by the implementation team were; a
widely dispersed population – a combination of small villages, several large cities, and a
broad spectrum of people – and varying degrees of education of the citizens, thus the
solution had to be very easy to use. Additionally, the government needed to integrate the
biometric solution into its existing legacy system, while also enhancing the state’s ability
to add additional capabilities and programs in the future.
4/7/2008 98
The other technology that was considered – fingerprints – caused difficulties for many
citizens due to the ubiquity of farmers, trades-people, and others who labor with their
hands and rub off their fingerprints or render them difficult to read.
After significant testing, the government selected iris recognition technology as the best
solution for its current and future needs. They found enrollment to be easy and very fast,
and the technology to be highly accurate in a one-to-many search mode.
Solution
The iris recognition technology provider (LG Electronics – Iris Recognition Division)
worked closely with an India-based integrator (Andhra Pradesh Technology Services), a
technical services arm of the state government. The development of the RFP, design,
integration, and deployment of the system were all managed in-country by APTS.
It took approximately three weeks for the iris recognition-based solution to become fully
integrated and functional, and incorporated into the citizens’ daily lives. It is anticipated
that, by the end of 2006, the entire 80 million population of Andhra Pradesh will be
enrolled and actively using the iris recognition-based ration cards.
A basic description of how the iris recognition-based ration card enrollments are
accomplished . . . the family members participating in the ration card program go to one
of the several hundred enrollment stations across the state, provide their demographic and
biographical information to the enrollment officer, and look into the iris recognition
imager to have their iris patterns recorded. This iris pattern is linked with the person’s
biographical information and stored in a central database, as well as embedded into the
ration card.
The initial cost of the solution was certainly a concern for the Andhra Pradesh
government, but they viewed the overall long-term savings and efficiencies offered by
the iris recognition-based solution to be higher. Long-term plans for an e-government
platform and identification authentication were key issues in the decision about which
technology and solution to deploy.
4/7/2008 99
The government of Andhra Pradesh would not disclose the budget or cost for this system.
Results
To date, there has been no push-back from the Andhra Pradesh citizens regarding the use
and implementation of the iris recognition-based solution. In fact, indications are that the
citizens are willing to participate, since they cannot receive their benefits if they do not.
As of October 2006, over 20 million ration cards were distributed in a 16-month
timeframe17 with bogus cards being eliminated in tandem.
Enrollment. The state turned over the running of over 600 enrollment sites to private
entities who charge a fee (40 rupees per ration card) for enrollment into the ration card
program. The Andhra Pradesh government provides limited support to these enrollment
stations, as they are privately managed and run. The manager/owner of the enrollment
station keeps the profits and shares a portion of the ration card fee with the government.
As of October 2006, enrollments are 85% complete.18
Training. A centralized training program was developed prior to the deployment of the
system. The owners of the enrollment stations were trained in how to enroll and use the
iris recognition system and they, in turn, trained their personnel (train-the-trainer
concept). The training process took a matter of weeks and both LG Electronics and the
local integrator partner assisted in the program.
Cost Savings. Although there are no hard numbers available to calculate the cost savings
the iris recognition-based ration card program has provided to the government of Andhra
Pradesh, the state anticipates that 60%-70% of fraud will be eliminated merely by
deploying the technology, since potential fraudsters will be discourage to attempt fraud
with the accurate identification technology now being used.
Initial calculations in some Andhra Pradesh districts indicate the government has already
benefited from substantial savings by deploying the technology, in terms of reduced fraud
and subsidies, which extends beyond the primary ration card application into district
stores, youth hostels, and low-income housing. Helping the government save money by
reducing or eliminating fraud provides a real service to the Indian citizens who are in
need.
As of March 2006, this deployment in India is the largest known deployment of iris
recognition technology in the world. Between initial implementation in July of 2005
and February 2006, approximately 8 million people had been enrolled in the iris
recognition-based ration card program. As of October 2006, over 20 million ration
17
Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State.
Presentation by LG Iris at the Biometrics 2006 Conference, October 2006
18
Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State.
Presentation by LG Iris at the Biometrics 2006 Conference, October 2006
4/7/2008 100
cards were distributed in a 16-month timeframe19 with bogus cards being eliminated in
tandem, and 80 million individuals have been enrolled in the iris ration card program.
Within weeks of deployment in the Guntur District, the iris recognition-based affordable
housing application program uncovered at least two known cases of ineligible
applications.
One of the most important things for those making biometric-based technology
implementation decisions is to look at each technology on its own merit, and don’t let
cost alone drive the decision. Look at the utility and functionality of the biometric
technology, disengage from pricing and from legacy system issues, and determine the
true usefulness of the technology on its own merit.
It is also important to involve the various technology vendors before the RFP process.
Engage them in a consultative process and leverage their knowledge. Use vendors as
partners in the RFP, review, selection, and deployment process, rather than just as
providers of hardware or technology.
19
Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra Pradesh State.
Presentation by LG Iris at the Biometrics 2006 Conference, October 2006
4/7/2008 101
- Eyes on India: Iris Recognition and Entitlements Management in India’s Andhra
Pradesh State. Presentation by LG Iris at the Biometrics 2006 Conference, October
2006
4/7/2008 102
Case Study B – State of Illinois: Driver Licensing
Problem
Identity theft is a fast-growing crime that has become a major problem for both law
enforcement and victims. A survey conducted by the U.S. Department of Justice (DOJ),
found the costs associated with identity theft are greater than $6 billion annually and has
affected millions of individuals and families. Driver’s licenses and identification cards
are by far the most common form of identification used in the U.S. A prime target of
would-be identity thieves are agencies that issue credentials like driver’s licenses and
passports. Maintaining the integrity of these forms of identification is extremely
important. Once an identity thief has obtained a license or identification falsely, it is
relatively easy to assume another’s identity and gain access to their finances.
Each year, the Secretary of State for the State of Illinois is responsible for issuing driver’s
licenses and identification cards to residents of Illinois. The Office has issued over 8.6
million driver’s licenses and 3.2 million identification cards at over 130 different motor
vehicle facilities within the state of Illinois in the last year. The cards are issued in an
over-the-counter manner where the cards are distributed to the individual at the time of
the visit. Eight thousand to 12,000 images are captured on any given day.
Prior to 1998, the Illinois Secretary of State would rely on its employees to review
documentation (typically a primary and secondary form of identification) and
demographic information provided by an individual seeking a driver’s license or
identification card to verify the identity of the individual. If the demographic information
and documentation matched, as verified by an employee, the applicant would then have a
film picture taken and a license and/or identification card would be issued on the spot.
One of the issues faced by the agency was that not all of the primary and secondary forms
of identification included a photograph of the individual. This made it challenging at
times for the employees to validate the applicant’s identity, which left opportunity for
error. The other issue with the film system was that the Office did not retain copies of all
the photographs taken. This was not possible with film photography.
Upholding the integrity of the identification system in Illinois is the responsibility of the
Secretary of State. In 1997, the Illinois Secretary of State was in the process of
transitioning the film-based photograph system used for taking driver’s license pictures to
a digital-based photo system. This created an opportunity to improve their current system
with added tools. There were two initial objectives in evaluating potential systems:
If the system could decrease the potential for card tampering and increase the accuracy in
the identification system, there would be the potential to reduce the incidence of identity
4/7/2008 103
theft and fraud and increase public safety. All this needed to be done without
compromising the privacy of the individual cardholder.
Process
The state of Illinois sent out a request for proposal for a digitally based photograph
driver’s license/identification card (DL/ID) system for the Secretary of State’s driver’s
license photos. The original proposal did not require a face recognition system, but
included it as an option for inclusion as part of an image system that could accommodate
the large number of photos in a database. Only one vendor submitted a proposal that
included the option, and they were the overall successful bidder. The biometric system
would be a component of the larger system. Soon after the contract for the larger system
was executed, the Secretary of State’s Office decided to pursue this option.
Facial recognition seemed like a logical conclusion for this application. Facial
recognition requires a digital photo of the individual, something that was already part of
the DMV process. This allowed for passive, non-intrusive data gathering that had
minimal effect on the customers and minimal effect on facility operations. The customers
expected to get their picture taken when acquiring or renewing a driver’s license and
there were no additional requirements of the DMV employees. Facial recognition
technology could be applied to a piece of data that DMV was already using: The photo.
In addition, no new legislation would be needed to implement the system. The facial
recognition system was compatible with imported photos from other states so that it
could potentially be used for law enforcement.
An important component of the biometric system was that it could handle a one-to-many
(1:N) environment versus a one-to-one (1:1) environment. A one-to-one match is where
an individual presents his/her biometric sample and it is compared to the one he/she
presented at enrollment in the system, to ensure he/she is the same person. A one-to-
many matching environment is one when the individual’s identify is verified by
presenting his/her biometric sample and comparing it to many others in the database. In
the case of the Illinois Secretary of State, the system would be required to determine if
the person is known to the system (with or without a claimed identity) by comparing the
presented biometric sample and resultant template with all other known references in the
database for the purpose of finding any cases where the same person was enrolled more
than once, and had established multiple identities using different demographic data. This
type of system screens driver’s license applicants to make sure that the person is not in
the system under a different. Because of the large number of photos that would be
captured, it was critical that the system could be scalable to a very large database.
How the system actually works on a daily basis is an individual comes into the Secretary
of State office to obtain or renew a driver’s license or identification card. The individual
provides his/her name and a primary and secondary form of identification to the
employee. The information is input into the database. The individual then has a digital
photograph taken to be used as input into the facial recognition technology, as well as for
use on the actual driver’s license or identification card. Unless there are discrepancies in
4/7/2008 104
the primary and secondary data sources provided, suspicious documents presented, or in
the other verification systems used (such as Social Security On-Line Verification), the
individual is printed a driver’s license or identification card on the spot.
Results using the facial recognition technology are not immediate. The digital image is
sent to the central database each evening and is then compared against the more than 20
million images in the system, scanning for any duplicate entries. The facial recognition
technology does this by placing a grid or graph over the individual’s face identifying
specific nodal locations. The nodal points identify local feature information and this is
compared to other samples using a weighted sum of node similarities. To put this in
layman’s terms, the face is broken down into specific features and those features are
compared to all the other digital photos in the central database.
Solution
The State of Illinois decided to implement the facial recognition technology into its
overall system because it had significant advantages and would work effectively with the
new digital photo system that was being installed.
There were several issues that needed to be addressed in implementing the new system.
First and foremost was how the State would pay for the system and what infrastructure
was needed to support the system. The State recognized it would need some assistance in
funding the project; the cost was too high. The State was proactive in soliciting other
agencies to help bear the burden of the cost. The State focused on agencies that would
benefit from the technology and data that could be provided. The Illinois State Police
chose to assist in funding. This created a new challenge in how to design a system that
would be compatible with two agencies and determining what it would take to meet both
organizations’ needs. The system actually was quite compatible and did ultimately
interface well within the organizations although, as with any new system, it had its
growing pains.
Although the system seemed to fit quite well for this application, there were still many
unknowns. Since the Secretary of State’s office was the first to use the technology in a
high volume, one-to-many environment, there was nowhere to go for guidance. The
impact on operations was largely unknown. The technology was relatively new and there
were questions on how well it would perform. Sending a large number of photos across a
network also prompted security and privacy concerns.
It took the State of Illinois close to three years from the original RFP to design and
implement the entire new and improved overall system. The biometric component was
the last part of the overall system to be installed.
Results
The facial recognition technology has been an overwhelming success for the State of
Illinois. When the system was implemented by the State, there were no other benchmark
4/7/2008 105
systems that could be used to gain insight. Facial recognition technology was being used,
but typically on a much smaller scale. The technology has enabled the State of Illinois to
accomplish its objective of improving the integrity of driver’s licenses and identification
cards.
Although there were certainly some growing pains in the process, the implementation
was relatively easy because it dovetailed into the current operating system the challenge
was more on the back-end than the front-end. The gathering of the data was very
consistent with what typically occurred, however, the processing of the data was complex
and developing the procedures if a fraud case was identified through this mechanism was
something new to the office. The State now had to deal with new tasks like daily review
of potential multiple identity cases, increased number of fraud cases to investigate, and
use of a new technology as part of the evidence used in the criminal justice system when
cases were pursued. It was a major change in how the organization operated. One of the
results of its use was establishment of an ID Crimes Unit to focus resources on this new
technology and the growing rate of identity crimes it could help uncover.
“Both the use of face recognition and the use of stored images in the proofing process
have resulted in early detection and prevention of fraud that would have otherwise gone
unnoticed, maybe for years,” stated Beth Langen from the Illinois Office of the Secretary
of State. To date, the facial recognition technology has identified over 3,100 cases of
fraud. This included over 2,700 individuals with two identities and over 300 cases three
or more identities. As a result, the DMV has cancelled over 9,700 licenses.
The Illinois Secretary of State’s office began the process of implementing the facial
recognition system in 1997. The original Request for Proposal (RFP) was to upgrade the
DMV film photography system to a digital based system. The original RFP included the
option for face recognition and it was exercised. This system best fit their application.
Other biometric technologies were not considered or evaluated. The Secretary of State
chose the facial recognition system and was successful; however, there were many
lessons learned.
The first lesson learned was to ensure the integration of the system was in line with
current business practices. When adopting the facial recognition biometric, the existing
business processes needed to be re-evaluated to make sure that the processes would
adequately support the biometric and determine if there were process changes required.
One example of the importance in re-examining business process involved the timing of
the issuance of identification cards or licenses. Cards are issued at the time the individual
visits the office. However, the facial recognition process currently requires sending the
photo image to a central database where it is processed overnight. If multiple identities
are detected, the individual has already been issued a card and would need to be located.
As part of a business processes review, the office will soon be evaluating many business
processes, and that will include processes for face recognition and card issuance.
4/7/2008 106
It is also important to consider the human factor – even though a biometric is being used
for determining if there are multiple identities in the system, it is still the responsibility of
an employee of the Secretary of State’s office to make the final decision if there is fraud.
A trained staff with the appropriate skill set is critical. There are instances of false
positive matches that are not fraud, but occur because an individual has more than one
legitimate record in the system or may look a great deal like another person, in the case of
identical twins, for example.
Another important lesson learned was that the system selection, design, testing, and
evaluation take a significant amount of time and effort. Having the resources that can
devote the appropriate amount of time is important. It is also very difficult to test a
system outside of the anticipated production environment and see the shortfalls. Only
when a system is up and running in the actual environment can shortcomings or
performance issues be accurately identified. Therefore, it is important to continue to
evaluate the performance of the system on an on-going basis after it has been installed.
Upgrades can be made and have the potential to significantly improve the overall
performance.
When installing a biometric system, it is vital to consider how the public and customers
will react. The reaction to facial biometrics in Illinois was positive. This was primarily
due to the fact that it was a non-invasive method for the purpose of preventing identity
theft and fraud and associated crimes, not a system of surveillance that is typically
associated with privacy concerns. In this respect, it is protecting identities. The system is
only accessible by Secretary of State employees and law enforcement personnel.
The environment that the system is operating in should also be considered. For a facial
recognition system, proper lighting, camera locations, etc. can affect the overall quality of
the image and thus affect the performance of the system. If the image taken is not of a
reasonable quality, the accuracy of the system has the potential to be reduced.
4/7/2008 107
Case Study C – The City of Glendale, California: Desktop Computer Access
Problem
The City of Glendale is the third largest in Los Angeles County. In 2001, the city was
under pressure from auditors to maintain high security standards for sensitive
information. At the same time, the Federal Privacy Act was requiring higher access
security. Passwords that were easy for users to remember were not secure enough. The
city needed to use randomly generated eight-digit alpha-numeric passwords that were
changed every 60 days. As a result, the city’s 2,000 employees were writing their
passwords down on or near their workstations. Ninety-five percent (95%) of users failed
to change their passwords within the time allotted, and became locked out. Forty-five
percent (45%) of help desk calls were from locked out users, costing the city roughly
$50,000 per year just in password administration costs.
Glendale’s municipal employees are located all across the city in 300-400 different
offices working for diverse agencies including public works, power, finance, and
administrative services.
The city implemented a single password for multiple uses, which proved to be of little
use when 1,900 users were locked out of their systems every 90days, requiring at least
two hours of work per day from the help desk staff. Because most of the calls came in
clusters, employees experienced significant unproductive time as well.
Process
Solution
The device was a UareU® 2000 Pro Workstation Package with sensor and software. The
initial installation required having the software installed on each participating machine.
The USB device is smaller than a mouse and contains a sensor. Most users primarily use
their thumb, though multiple fingers and the entire thumb are initially registered into the
database.
The system generates a computer password and synchronizes it with the user’s
fingerprint. Users do not have to remember anything. Scott Harmon, the City’s Assistant
Director of Information Services says, “Just bring your finger”. There are exceptions
4/7/2008 108
though. For example, temporary workstations do not yet employ the fingerprint reader
biometric.
The city has since upgraded to the 2004 version of the software, where it can be installed
and upgraded centrally. Other new options and newer versions are server-based, allowing
users to log into any networked computer and access their own files. Glendale would like
to upgrade to this system in the future, though it would increase the costs.
Results
User Acceptance. To date, there has been no push-back from any employee. Generally,
users are very pleased at the ease of use of the system compared to the past. There have
been no civil liberties issues that have come to the attention of the IT staff.
User Rejection. Glendale has one employee whose fingerprints do not register. Other
than this, there have been no documented cases of false acceptances. Rejections are rare.
Subsequent to contact with swimming pool chemicals at his home, one employee
experienced a temporary change in his fingerprints. Other employees have had cuts on
their fingers or slammed fingers in a car door, causing temporary changes. As a
precaution, the city registers multiple fingerprints and the entire thumb.
Enrollment. The systems are incorporated into daily activity immediately since there is
no learning required of the end user. “All they have to do is put their finger on there and
go,” says Harmon. Most employees are comfortable with the concept, which they have
experienced at the local Department of Motor Vehicles. Registering a new fingerprint
and setting up a new account is not difficult and has become easier over the last few
years.
Maintenance and Training. To date, all maintenance for the systems has been handled by
the in-house IT staff, which spends considerably less time on the fingerprint access
system than they did with forgotten passwords. Newer reader models that have come
along in the last few years are slimmer and easier to work with. Harmon considers
Digital Persona’s field technicians to be quite competent. His staff calls with questions,
and most issues are resolved over the phone.
Cost Savings. Glendale has not tracked the cost savings of the fingerprint keyboard
access systems in terms of increased employee productivity and fewer required help desk
resources. In 2001, the cost per workstation was roughly $150. Today, that cost is
reduced to approximately $100 per workstation. For a city the size of Glendale to roll out
a new system today would cost approximately $200,000.
4/7/2008 109
What would they do differently next time? Lessons learned . . .
The only drawback to the system, according to Harmon, is that is does not accommodate
remote users. RSA’s portable, key-sized devices are better for people who work in the
field, telecommute, or want to check-in over the weekend. When employees want remote
access, they must call the help desk for a remote reset, which must be re-synchronized
when the employee returns to the office.
Anyone rolling out a new system today would have easier maintenance than Glendale
had during its system launch. For example, Active Directory is a new feature that allows
uploads to the domain controller that houses a central repository of all fingerprints and
passwords. “It would be much easier to maintain. At the time a few years ago that wasn’t
in place. That’s why we are in stand alone mode now,” comments Harmon.
In the future, Glendale also wants to enable employees to be able to access their files
from any workstation.
- Interview with Scott Harmon, Assistant Director, Information Services, and Steve
Richmond Security Analyst, City of Glendale, CA March 8, 2006.
- “Glendale, CA Goes with Biometrics”, Biometrics in Human Services, User Group
Newsletter number 27, Volume 6, March 2, 2002. State of Connecticut, by David
Mintie
- “Glendale Locks Down PCs with Digital Persona Biometrics”, by Lynn Haber,
October 18, 2001, Ziff Davis http://techupdate.zdnet.com
- City of Glendale, Case Study Digital Persona. Digital Persona
http://www.digitalpersona.com/docrequest/pdf1?pdf=18
4/7/2008 110
Case Study D – Lancaster County Prison: Inmate Identification
Problem
Although the mistaken release of prisoners was not a common occurrence at the
Lancaster County Prison, one high profile incident in 1993 resulted in an unprecedented
innovation. An accused murderer walked out of the front door by impersonating another
inmate. The prisoner was subsequently caught and convicted of the murder.
At the time, the prison employed a standard release protocol that consisted of human-
based facial recognition (i.e., the guards looking at the prisoner’s face) and a series of
specific questions relating to the inmate’s incarceration experience and pre-prison life.
“There were checks and balances and everything had to go wrong for this to happen and
everything went wrong,” says Luther Schwartz, Training Officer and Department
Network Administrator for the prison.
Process
Solution
The first application was a DOS version, which was upgraded to Windows after roughly
24 months. Hardware currently consists of one server and two clients. The server is in an
office near the systems administrator. Clients are located in the commitment and
visitation areas where they are used by 30 or more staff members on a regular basis.
There are two processing phases in the prison system: enrollment and verification. In the
former, the eye is digitally photographed. Over 400 points are mapped into a 512-byte
code. The iris map is stored in the database along with other information about the
inmate, which is taken from identification documents. Lancaster County Prison uses
fingerprints in conjunction with iris scanning for all inmates.
The iris recognition software is used primarily in the facility commitment area. By using
the iris technology on its 1,180 prisoners, the prison feels it can definitely determine that
20
http://www.naco.org/cnews/1996/96-06-24/17eye.htm Lancaster County Prison uses new ID to keep eye
on prisoners
4/7/2008 111
the same person with the same name who was committed is released under the same
name.
A secondary use is in the visitation area. As of March 2006, Lancaster County Prison
processed hundreds of visitors per day, amounting to tens of thousands of visits each
year. First-time visitors must produce multiple forms of positive identification, which is
entered into the system along with the iris scan. Return visitors may be admitted with
just an iris scan. Upon discharge, inmates are not allowed to return as visitors for six
months. Within a few seconds, the system can tell if the visitor has been incarcerated at
the Lancaster County facility.
Results
Errors. While the technology itself is very exact, human errors can be made in data
processing. Incorrect categorization of inmates has resulted in false identification.
Administrator Schwartz safeguards against this problem by occasionally looking through
the database for possible input errors, which he feels a trained individual can easily
recognize.
Cooperation. Lancaster County Prison has not experienced any compliance issues.
Because most people are used to having their pictures taken, the process is natural and
comfortable. It is also considered very safe and sanitary, since no direct contact is
necessary between the subject and the guard or the equipment. The scan takes just a few
seconds. When inmates and visitors express reluctance to participate, reminders that
visitation and release are contingent upon compliance has been made the program
effective.
Support. Third-party vendors provide hardware and support. Support requirements have
been minimal and routine. Most incidents are handled over the telephone. Repairs have
been handled by shipping extra parts. Installation is straightforward.
Training. All of the prison employees in both commitment and visitation use the iris
recognition-based system. There are in excess of 30 officers or more who use it on a
regular basis. Training has been conducted by colleague observation, which is estimated
by Officer Schwartz to take roughly 15 minutes.
Overall Satisfaction. Officer Schwartz states that Lancaster County is pleased with the
system’s ease of use and precision. Lancaster County Prison would go the same route if
they had to revisit their decision today. Regarding the cost, he replied “How do you put a
price on the safety of the community?”
Software Licensing Costs. Criticisms center on software licensing fees. “Because the
technology is so limited, the fewer suppliers there are, the higher the price. “ Mainstream
software, such as that used in fingerprint recognition can be less expensive.
4/7/2008 112
Database Integration. Because iris scans are a fairly new technology, there is not a large
iris database in existence to leverage or integrate with other law enforcement authorities.
Fingerprints, which have been introduced at Lancaster County Prison for other
applications, can be checked against FBI and National Crime Information Center, whose
databases include years and years of input. “The AFIS system goes out and gathers
information and brings back a criminal history on the individual… with the iris, you
don’t have that kind of resource available,” says Schwartz. Lancaster County Prison’s iris
database is maintained at the prison and is not shared with other entities.
4/7/2008 113
Case Study E – University of Georgia: Student ID/Access Control
Problem
The first hand geometry system that was installed in the University of Georgia dining hall
in 1972 to verify meal plan participants has since grown to a fully integrated solution that
secures three different types of facilities on the school’s extensive campus. In addition to
the continued use of hand geometry in the dining hall, the system was expanded to
include student housing – to verify a student lives in the building – and to the student
recreational center – to verify membership in the sports facility.
With a student population of 32,000, the University needed an access control system that
was fast, easy to use, and foolproof. To provide a safe, secure campus, the school
wanted to identify students entering residential halls and athletic facilities and to limit
dining hall access to those students who had paid for a meal plan.
A fourth application for hand geometry that is currently being considered by the
University is to identify students prior to exams, to be sure the right student is taking the
test.
Process
The University of Georgia has been a pioneer in adopting biometrics, implementing one
of the first wide-scale applications of hand geometry in the U.S. When it was time to
upgrade the school’s old (1972) hand readers in 1990, the administration evaluated
various biometric technologies, such as facial, hand, fingerprint, iris, and signature
devices.
With a large, diverse, and active student population, the University needed a solution that
did not require cards (students lose, forget, or loan them) or a typed passcode (students
forget or loan them). Biometrics offered a token-less solution, and hand geometry
technology met the school’s requirements for ease of use, functionality, and cost. A
signature-based biometric was evaluated, as well as other technologies, but was found to
be too time consuming for students accessing the dining hall and housing facilities.
Initially, the University relied on outside consultants and integrators to assist with
evaluation, selection, and integration. As the system grew over the years, the University
brought this function in-house and is now self-managing the hand geometry system
through two fulltime employees.
Solution
Initially, the 1972 systems were two-dimensional hand geometry readers placed at dining
hall entrances to verify that students who paid for meal plans were the same students that
actually entered at mealtime. Students who require a work-around (i.e., students without
a right hand), can type in a passcode for access.
4/7/2008 114
The 1972-1990 system required a card to be inserted with no other option. The 1990-
1994 system required a card to be swiped. All of the data was held on the card until first
use, then stored in reader memory. The current system allows for either a card swipe or
the number from the card to be entered into the HandKey reader. In order to do a one-to-
one match, the University requires that the unique number be entered. This versatility is
one reason the system has a high level of acceptance among students.
In the dining hall, the system averages 1,700 attempts per day per reader (with two
installed readers), translating to over 3 million valid accesses per year during the school
year.
Based on the system’s success in the food service area, the university installed a similar
system to control access to the Ramsey Center, a recreational sports facility. The
Ramsey Center includes six readers, averaging 2,500 authentication attempts per day
(translating into 870,000 accesses per year). The University controls its false rejection
rate to about 1.5-2%.
Next, the school added the biometric security solution in the housing facilities, replacing
magnetic stripe-only readers with hand geometry readers. Across the dorms, there are
450 access attempts per reader per day, translating to over 2 million accesses per school
year. (In September 2005 alone, there were 300,675 valid accesses.) The hand readers
for the housing system are unmanned, but there are security cameras at each entry point
for additional safety.
Today, the 70-reader system controls access for 32,000 users to select facilities all over
the campus, from dining halls to recreational centers, dormitories to testing rooms.
According to Donald Smith, coordinator of the University of Georgia (UGA) Card
Services department, “The number of cards typically lost in a year is a good reason for
not utilizing a card-based system, so biometrics just made more sense.”
Enrollment into the hand geometry system happens when a student initially gets his/her
campus ID. The University enrolls the right hand of every student and the process
typically takes about 1-1.5 minutes. During the enrollment process, the students are also
trained in how to use the system for access to the various locations where it is used.
Currently, the University is storing about 90,000 hand images on its central server.
Identification time through the various turnstiles averages 1-2 seconds.
Results
Since 1972, use of the hand geometry technology for student identification and access has
saved hundreds-of-thousands of dollars in terms of personnel time and materials for
replacing lost student access cards. This initiative was important to reduce the number of
IDs the students had to manage.
4/7/2008 115
In total, the University of Georgia has spent over $250,000 on its biometrics program
spread out over a 5-year period – approximately $2,000 for each of the indoor models and
approximately $3,000 for every outdoor model. Costs are greater for the outdoor readers
because they require steel enclosures to protect them from weather. From initial
deployment, it took approximately four years for the system to become fully integrated
into students’ daily use across campus.
The vast majority of students are enthusiastic about the hand geometry systems. “They
think its cool,” commented Donald Smith. “It is future technology. We don’t get many
complaints from students.” Occasionally the University receives objections based on
religious beliefs. There are workarounds for these students, as well as for handicapped
persons or those missing a finger or hand. There are about 84 students requiring
workarounds (out of a 32,000 population).
The initial deployment of hand geometry back in 1972 still relied on cards, which housed
the students’ biometric data and passcode for the one-to-one verification. Transitioning
the biometric data to a centralized server not only reduced the number of cards processed
each year, but also reduced the total number of servers required to operate the campus-
wide system, saving the University a significant amount of money. Additionally,
authentications are done in real time and are much more efficient.
Lastly, remember to get the users involved, as best you can. Introduce them to the
concept, allow them to be part of the decision-making, and explain the reasons for
transitioning to a biometric-based solution. Most importantly, explain how the system
will benefit them in the long run. Users will tend to be more cooperative if they
understand how the system works and why it is needed.
4/7/2008 116
Case Study F – St. Vincent Hospital: Desktop Computer Access
Problem
One part of the overall “physician satisfaction program” included the need for improved
and more efficient access to the hospital’s electronic patient information, health records,
and other computer-based systems used by the hospital’s physicians and nursing staff.
The goal was to increase ease-of-access to information while also improving data
protection. The hospital’s computer network serves 8,000+ users and operates 24 hours
per day, seven days per week, so a solution that is fast, secure, easy to use, and extremely
reliable was required.
Part of the problem was that, as the hospital’s information and computer system grew, in
conjunction with a growing number of physicians, surgeons, nurses, and other medical
staff working at the facility, St. Vincent experienced problems with multiple physician
passwords. Up to 500 active St. Vincent doctors were accessing four to 10 different
applications every day, all with different passwords. “Physician access to our systems
had always been a problem and it was becoming more of a problem as we added
advanced systems and additional required passwords,” commented Bruce Peck,
Information Security Officer at St. Vincent. “Patient records are completely electronic
and physicians were having difficulty accessing charts and signing off on medical
records, causing more administrative work than was necessary.”
Time-crunched physicians were having to request password resets, which delayed patient
record access and frustrated the doctor, the hospital IT department, and the nursing staff.
Process
St. Vincent needed an efficient and highly secure system for healthcare workers to access
patients’ electronic medical records, while complying with the government’s Health
Insurance Portability and Accountability Act (HIPAA) privacy rules that became
effective in 2003.
4/7/2008 117
After extensive research and review of various biometric technologies, St. Vincent’s IT
team determined that a single sign-on (SSO) solution in combination with biometric
authentication would enable them to eliminate the most critical log-in challenge –
forgotten passwords. They conducted a competitive pilot program to fully test a variety
of available solutions. The hospital determined it needed to replace the one single sign-
on password with a fingerprint authentication solution.
Solution
In the decision-making process, system support for multiple biometrics was a key
decision factor. The system had to be “biometric agnostic.” Although St. Vincent is
currently using fingerprint technology, iris recognition is being considered for system
access where users may be gloved and masked. Problems are anticipated in
implementing a biometric solution in clean rooms, such as surgical areas, where
protective clothing is required. Surgical personnel cannot use fingerprint scanners while
wearing latex gloves. The design of certain intensive care areas required the hospital to
install special wall-mounted PCs, which posed an additional challenge.
The sterile environment of a hospital also presented a unique challenge in that nursing
stations, for example, are wiped down with cleaning products that are not normally
compatible with computer keyboards and fingerprint scanners. As a result, a special
silicon seal was developed for the fingerprint reader to prevent liquid from seeping inside
the casing, and the hardware OEM ensured its chip coatings would stand up to cleaning
solvents used in a hospital setting.
A very small number of users have difficulty with a fingerprint reader. For these
individuals, a password work-around is in place.
Currently, St. Vincent uses 1,500 workstations with one fingerprint reader at each.
Results
The fingerprint-based single sign-on solution implemented by St. Vincent allows many
clinical users to quickly share workstations without the time consuming requirements of
logging in to the network operating systems (Novell and Windows NT). “With the
biometric-based SSO, we have the assurance that a person logging into the system is
really that person, for increased accountability that didn’t previously exist,” commented
Bruce Peck.
With the government’s HIPAA privacy rules, it is an added bonus that biometric
authentication solutions provide St. Vincent’s healthcare staff and doctors with a more
efficient and more highly secure system for accessing patient electronic medical records,
ultimately combining St. Vincent’s “physician satisfaction” objectives with HIPAA
compliance.
4/7/2008 118
When the fingerprint-based SSO system was first initiated, the hospital was fortunate to
have strong support from the nursing director. Once the rollout was underway and other
clinical areas saw the benefits of biometric authentication, the hospital’s IT department
had difficulty keeping up with the inquiries.
Rather than hosting set times for enrollment during a conventional 9 to 5 workday, the
enrollment program was multi-phased and capitalized on the places within the hospital
that staff and physicians tended to frequent, such as the cafeteria and lounges. One-on-
one enrollments were held at a variety of times to catch healthcare workers on swing and
night shifts. The personal interaction between an IT staff member and the physician or
healthcare worker helped advance the project because they could immediately address
questions on privacy and safety, as well as train the doctors and nurses in system use.
To manage the entire enrollment process, St. Vincent hired two fulltime staff people for
eight months. After five years of deployment, the fingerprint-based SSO system
identifies over 3,000 individuals with 1,500 fingerprint readers.
The cost and time required for enrollment was not thought-through at the beginning. The
multi-phase approach and addition of two fulltime staff who concentrated only on
enrolling healthcare workers and doctors into the biometric system was necessary, but
unanticipated. The “catch as catch can” enrollments made it difficult to predict how long
it would take from initial deployment to full enrollment and participation.
The cost for future upgrades of hardware and software should also be considered in any
biometric deployment, as technology is continually advancing. Technology flexibility
was a critical requirement for St. Vincent so that various fingerprint reading devices from
different vendors can be used, if needed. The hospital wanted to avoid getting locked in
to using only one vendor.
St. Vincent realized after a few months of deployment that they should have forced
people to use the fingerprint-based SSO system at the onset, rather than allow users to
continue with the password-based system. Stragglers and late adopters were slow to
enroll (due to their demanding and non-conventional schedules) so the hospital
eventually had to lock-down the systems to force users to enroll in the biometric-based
solution.
The healthcare environment at St. Vincent causes dry skin because users constantly wash
their hands. It was important to experiment with fingerprint readers from various vendors
to identify which could best accommodate a dry skin environment. Those looking to
4/7/2008 119
implement a biometric-based system, particularly one that requires touch, should closely
examine the users’ environment to identify such factors and take them into account at the
onset.
- Interview with Bruce Peck, Information Security Officer for St. Vincent Health
- “Biometrics and SSO: Helping in Healthcare” Powerpoint presentation from St.
Vincent Health
- “Hospital Adopts Biometric Security Solution for Workstations”.
www.findbiometrics.com
- Peck, Bruce. “Rx for Password Headaches” Health Management Technology
magazine. January 2003
- “St. Vincent’s Hospital and Healthcare Center” client profile from Saflink
Corporation
- “St. Vincent Solves Security Challenges with CA’s eTrust Single Sign-on” client
profile from Computer Associates
- Verton, Dan. “Hospital Taps Biometrics for Single Sign-on” ComputerWorld.
October 2001.
4/7/2008 120
Case Study G – Beaumont Hospital: Medical Records Security
Problem
William Beaumont was a surgeon in the U.S. army and was renowned as the “The Father
of Gastric Physiology” based on his research performed on the human digestive system.
In 1956, the William Beaumont Hospital was opened in Royal Oaks, Michigan in honor
of Dr. Beaumont. Today, Beaumont Hospital is a corporation that consists of two
locations, Royal Oaks and Troy, Michigan. Both hospitals are community hospitals with
full in-patient and out-patient services. The Royal Oak facility currently has 1,061 beds,
8,500 employees, and 1,760 physicians. The Beaumont Hospital in Troy was opened in
1977 and is considerably smaller than the Royal Oak facility with 254 beds, 2,800
employees, and 900 physicians on staff. The Troy emergency room saw over 60,000
patients in 2005.
In 1994, Chris Hengstebeck was in charge of the hospital security system for the Troy
facility. The security for any hospital includes the protection of in-patients, out-patients,
employees, and visitors. This is extremely challenging because of the shear number of
individuals (employees, inpatients, outpatients, emergency room patients, and visitors)
that enter the facility everyday, 365 days a year. The other challenge in hospital security
is the transient nature of the individuals who visit due to the continuous patient turnover.
There are different levels of security for different hospital areas. The areas in Beaumont
that required higher levels of security were the narcotic storage areas and the
OB/Maternal Child Health area.
In addition to attempting to improve access to certain areas, there were also issues with
employees carrying their identification card on a consistent basis. Doctors were the
primary source of the problem because many would forget or misplace their identification
cards.
4/7/2008 121
The goal of Mr. Hengstebeck was to improve the overall security in the hospital. Cost
was an important consideration. The magnetic system’s average cost per card reader was
$225. The hospital employees were very comfortable with this system and changing that
had the potential for resistance and may require a significant level of effort.
Process
The hospital sent out a request for proposal for a hand geometry-based biometric system
to determine if it was a feasible cost effective solution for the hospital. Hand geometry
seemed like the natural solution since it would utilize the same equipment that their
existing magnetic card reader system utilized. The requirements for a hand geometry
system (wiring, door hardware, etc.) were consistent with their existing system and the
units could be placed exactly where the card reader units were and they were similar in
size.
The hand geometry system would need to be user friendly and able to accommodate
typical scenarios experienced in hospitals. An initial concern would be if the system
would be usable if was someone wearing surgical gloves. In addition, hand washing is a
common practice in hospitals. Hands can become extremely dry and many hospital
employees use lotion to combat the dry skin. Would the system be affected if someone
had lotion on his/her hands? Although it was important to limit access to restricted areas,
there needed to be an override mechanism in case of emergency.
The price per unit of $1800 was a deterrent to installing a biometric system throughout
the hospital. The hospital contemplated installing three hand geometry units in the
narcotics storage area. This is where the hospital believed it would yield the greatest
benefits and would be more willing to incur the cost. The units, if installed, would be a
trial case to validate the effectiveness of such a system in a hospital setting.
Solution
4/7/2008 122
gloves. This did not become an issue due to the fact that surgical gloves are typically
removed after each procedure and are not required in the narcotics area.
The added benefits of the hand geometry system were that the hospital would be able to
identify who entered the controlled access areas. For the narcotics storage area there
would be complete accountability. The hospital would know who entered the room and
the specific narcotic that was taken. This was a substantial improvement over their
current system. On a daily basis, hundreds of employees access the narcotics storage
room and the drugs stored in this area were highly desirable and could be sold for a
significant amount of money on the black market if they fell into the wrong hands with
potential deadly consequences.
Results
The hand geometry unit was an overwhelming success at Beaumont Hospital in Troy.
Currently, there are over 60 readers in the hospital. The readers are located in nursing
areas of the hospital that includes medical surgical and critical care. The readers were
phased in over a 12 year period and were typically installed in areas that were undergoing
redesign or renovations. All the readers are supplied by the same manufacturer. This
allows for ease of compatibility.
Enrolling employees in the system is relatively straight forward and consists of assigning
an ID number to the employee and scanning the employee’s hand in the hand reader. The
ID number is used for both the card access areas as well as the biometric access.
In order for an employee to gain access using the biometric system, the assigned ID
number needs to be input into the reader. The employee then places his/her hand on the
scanner three times. The system either verifies the individual’s identity or rejects the
individual.
The error rate in the system is extremely low and is typically the result of either inputting
an incorrect identification number, poor hand placement, or not following the instructions
on the prompter. Another issue that may effect system use is the frequency an individual
utilizes the system. If someone has not used the system in a considerable amount of time,
the sensitivity level may not recognize the user. Significant changes in hand size may
cause the system to yield a false identification match. This could be from swelling from
some type of hand injury. Bandages may also affect the ability of the equipment to
identify the individual. These occurrences are rare and require the individual to re-enroll
to re-establish his/her identity. There is only one individual to-date who is not compatible
with the system.
The actual readers are very similar in appearance with the magnetic card readers. The
maintenance of the actual hand readers is minimal. Occasional re-calibration and/or
cleaning are the extent of the maintenance. Feedback from the employees notes that the
hand readers are very user friendly.
4/7/2008 123
For the narcotics storage area, there is a hand reader to gain access to the area as well as a
hand reader to access the storage cabinet. In addition, there is a software system called
Pyxis that is used to identify the specific medication and amount that is being dispersed.
The Pyxis system is standard in most hospitals for use in dispensing of narcotics. Each
employee has to enter their unique user name and password in addition to a thumbprint
biometric in order to access the system. The type of narcotic as well as the dosing
information is input into the Pyxis software system. Even with all of these security
measures, there is the potential for employees to input false information into the Pyxis
system or to not disperse the narcotic to the patient however with frequent audits these
types of breeches are kept to a minimum and extremely traceable.
The system has also been used to assist in theft investigations and time fraud
investigations.
This system works extremely well for the Troy facility, but the Royal Oaks facility has
not yet installed any biometric technology. The initial investment in a biometric system in
such a large facility would be millions of dollars and the Royal Oaks hospital at this time
cannot justify the expense.
It is important to investigate all types of biometrics before deciding on one type. There is
the potential that there are other biometric technologies that are much more affordable
when considering the overall system cost. Facial recognition is supposed to be less
expensive and could have worked well in the hospital, however, at this point the high
switching cost, going from hand to a different biometric technology, would be
prohibitive.
It is also important to verify that the organization yields the greatest value in use for the
biometric. There are many applications for biometrics in a hospital setting. Currently,
hospitals are utilizing biometrics to manage access patient health records (HIPAA
compliance), identify patients, control access to controlled/restricted areas, and assist in
employee time management.
A biometric system, although has a high upfront cost, has the potential to save money for
many organizations in the long run. When implementing a system, it is important to think
through the ways that it can save the organization money. One example at Beaumont is
the reduced cost of theft investigations due to the improved access control and
identification accuracy.
Recent Developments
There has been an industry shift from the use of hand gels for hand cleaning to foam hand
washes due to the longevity and fire retardant properties. There is preliminary evidence
that the use of these foam hand gels inhibits the performance of the hand scanners. Most
employees wash their hands before and after entering the nursing areas. Residual residue
4/7/2008 124
from the foam hand wash may still be on the employees hand and is then left on the hand
scanner, leaving their impression on the device. The employees most affected are ones
with smaller hands. This is still under investigation and no conclusions have been
reached.
4/7/2008 125
Case Study H – Pinellas County Sheriff’s Office: Arrestee Identification
Problem
Like other law enforcement agencies around the country, the Pinellas County Sheriff’s
Office (PCSO) found it was burdened with a cumbersome manual booking, release, and
criminal investigation (identification) process. During the arrest process, it is common
for law enforcement officials to be confronted with people who lack proper identification,
such as a driver’s license, or who may present an alias ID to avoid identification.
Sometimes, the individual is incapable of telling officers his/her name.
The manual process that was used by the PCSO caused delays in information collection
and analysis, sometimes letting suspects get away with providing false identification,
hampering law enforcement, or sidetracking investigations. With annual bookings
exceeding 60,000 per year and a 60%-70% recidivism rate, the Pinellas County Sheriff’s
Office needed a more automated and reliable way to identify suspects, convicted persons,
and others coming into and out of the jail system. Additionally, the technological
solution that was to be selected had to be user friendly and straightforward enough for the
3,300 PCSO personnel who would be interacting with it on a daily basis.
Process
In 2000, Sheriff Everett Rice looked into various technology alternatives for the PCSO
and was awarded a federal grant from the Office of Community Oriented Policing
Services (COPS) at the U.S. Department of Justice to implement biometric technology.
The goal of the funding was to demonstrate the use of facial recognition technology for
Florida law enforcement.
A major portion of project scoping included the integration of nearly 12 years of photos
and images of people who had been through the PCSO system, as well as data and
images from many other Florida law enforcement agencies who would cross-share image
and data information.
This was a huge application for facial recognition technology, with many moving parts in
a complex system. For project and system design, there was more to consider beyond a
basic plug and play application. For example: How would the solution be integrated
across other operations and departments? How should users interact with the system? To
help address these and other issues, PCSO encouraged end-user involvement in the
decision process by engaging a cross-section of personnel from various departments –
patrol, intake, operations, release, etc. – garnered input from the very people who would
be using the system on a daily basis, and provided guidance to the technology vendor
who could tailor system design to PCSO’s specifications. For a system this complex that
would eventually extend across the state, the vendor needed to fully understand and
appreciate the processes and business flow of the organization.
4/7/2008 126
With the project scope defined, PCSO selected Viisage facial recognition technology
since it planned to build a large state-wide database with potentially millions of images
that would be shared among multiple law enforcement agencies. Viisage’s prior success
with driver license applications also provided credibility for both the company and this
particular facial recognition algorithm.
The timeframe from initial system design to implementation was about 6-8 months, with
a review session held after about 4 months to recommend any additional changes before
the final system was delivered, installed, and deployed. Total cost for the complete
system was approximately $10 million, which included design, deployment, training, and
other elements.
Solution
Since this is a law enforcement application, finger print technology was considered and
reviewed. Because it can be difficult or impossible to get readable fingerprint images
from uncooperative suspects, the facial recognition technology was selected. Although
the department has kept a digital fingerprint file since 1995, it has also maintained images
of arrestees for over 12 years. Ultimately, the facial recognition system does not replace
the use of fingerprints, but it is an important complement to fingerprints, which are still
used and required by the court system. In 2000, when the PCSO’s 7-year-old proprietary
mug shot system was due for replacement, officials decided to try facial recognition to
identify prisoners at booking.
The full facial recognition system that was designed and deployed for PCSO is a multi-
faceted solution, comprising intake and booking at the jail, mobile identification in patrol
cars, watch list identification at the airport, visitor identification at the jail and
courthouse, and cross-jurisdictional sharing of facial images and data amongst the
Florida-based law enforcement community. Facial recognition has allowed the sheriff’s
office to quickly access important identity information and retrieve records, allowing
officers to correctly identify even the most uncooperative suspects and to conduct more
efficient investigations.
Mobile System. The technology allows deputies in patrol cars to capture a person’s
facial image with a digital camera, place the camera into a docking station in the patrol
car, and via wireless communication to the image databases of the PCSO and other
jurisdictions, conduct a facial recognition search to determine if the individual has been
previously arrested. By using the facial recognition technology, patrol officers can know
immediately if the individual in question has a PCSO criminal record, including previous
offenses. Officers who encounter suspects on the street who have no or unverifiable
identity information can, within 20-30 seconds, have a gallery of photos presented in the
patrol car and use these to make a positive identification.
As directed by the Department of Justice grant, the PCSO has partnered with other state
and local agencies in Florida to maximize the effectiveness of the system. Agencies
participating in the facial recognition program include: Florida Department of
4/7/2008 127
Corrections, Florida Department of Law Enforcement (FDLE), seven Florida Regional
Terrorism Task Forces, Hillsborough County Sheriff’s Office, Orange County Sheriff’s
Office, and Miami-Dade, Broward, Leon, and Duval counties.
Intake and Booking. When a suspect enters the PCSO facility, his/her photograph is
taken and compared against the database of images to determine if he/she has been
through the system before. With more than 60% of those arrested being repeat offenders,
the PCSO identifies hundreds of people each year using only their faces. With
information about the arrestee’s criminal history, the officer can handle each case with
appropriate care and caution. When a match is made, the suspect’s basic demographic
data is automatically entered, regardless of any alias name he/she may have given, and
the new record is linked to previous bookings, creating a more efficient and thorough
process.
Release. Before being released from the Pinellas County jail, facial recognition is used
again to confirm the individual’s identity. This additional check compares a photograph
taken at the time of release with the formal booking image, providing a side-by-side
comparison of the two photos for the officer to review, along with a green, yellow, or red
rating based on the facial recognition results, helping to ensure release of the right
inmate. Since the facial recognition system was installed in 2002, PCSO has not had a
single incorrect release.
This system, which was provided by the PCSO with funding from the U.S. Department of
Justice, is located at two departure security checkpoints in the airport. Since the PCSO
was implementing the same facial recognition technology for its own use in suspect
identification and inmate booking, law enforcement felt it necessary to deploy the same
technology at the airport for a watch list application.
Results
“Since implementing Viisage’s fused face recognition technology, we have noted marked
increases in the accuracy and speed of identifying and verifying arrestees,” commented
Lt. Jim Main of Pinellas County Sheriff’s Office.
4/7/2008 128
Commenting on the value derived from the mobile system alone, Lt. Main said, “The
deployment of the Mobile Identification System has added an entirely new dimension to
law enforcement practices of our field deputies. Many of our daily encounters involved
individuals who lack acceptable identification or provide false information. This system
has provided our deputies with a tool that complements their training and judgment and
reduces costly delays that can occur when attempting to ascertain an individual’s true
identity. Furthermore, this solution helps improve deputy safety and public safety by
providing instant information on the suspect in question and ultimately taking criminals
off the streets.”
Training
Intake and Booking. Prior to installation of the final system, a “test and training”
environment was created, in which the old legacy system was kept online to assure
continuity and provide two levels of verification during the transition period.
Approximately 800 people participated in the initial training program, each receiving a
minimum of 4 hours of training on the new facial recognition-based booking system.
Every station was emulated and scenarios were run – from intake and receiving to
booking to release. All personnel learned what facial recognition was and what it was
not, and popular myths were dispelled. Education and training were a key component to
combating any negative perceptions about the use of biometric technology in general or
facial recognition technology in particular.
The PCSO followed a framework for training that revolved around both classroom
learning and in-use training. After installation, typically 8-20 people were included in a
training session, complete with handouts and bound copies of the system user manual.
Scenarios were used to build system proficiency and comfort in using it. Time was
allotted after formal training for personnel to practice, review, and apply what they had
learned.
Users ran through the various components to familiarize themselves with the system.
They were taught how to pick out key elements of a person’s face, and learned how and
why the facial image gallery could be completely different than what they might initially
expect. For example, race and gender are not considered by the algorithms.
Next, the operational components of the facial recognition system were taken into
account. Personnel were placed into different groups and taken through the various
operational components – in 4-hour shifts for about one month. Supervisors were
included in this training program to “train the trainers” and took the lead in training the
PCSO staff and answering questions.
Once all personnel were trained in using the facial recognition system, a live switch over
from the legacy system to the new biometric-based system was completed. It was noted
that this transition from the old procedures to the new process was the smoothest one ever
for the PCSO.
4/7/2008 129
Continuing support and training for PCSO personnel in use of the facial recognition
system include training materials and handouts, users’ manuals, email contact and
technical support, online support, and a “cheat sheet” that resides at each station.
The investigative screening training required 4-hour blocks of time for in-lab or
classroom training, which included an overview on facial recognition – what it is and
what it is not to dispel popular myths about biometrics. Users were allowed to bring in
various photos and images they wanted to test on the system. The I-Browser
(investigative browser) Challenge became a critical component in the training program.
This involved a test of 10 different images of people known to be “in the system” in
which the user had to identify them based on the gallery of images returned.
Mobile. Fifty out of 550 marked patrol cars are equipped with the mobile facial
recognition capability. When first deployed, several groups, each containing 6-8 officers,
were trained about facial recognition technology and system usage. The I-Broswer
Challenge was used, as well as scenario-based training that comprised a beta car with the
facial recognition system installed for practice.
New users receive about 4 hours of one-on-one training with sessions held monthly.
User acceptance. The in-depth training program for all aspects of the facial recognition
system along with inclusion in the initial design process were critical to overall user
acceptance and buy-in. There is a broad spectrum of personnel associated with the PCSO
– some more technically savvy than others, and some more open to new processes and
ways of doing things. The system was tailored to meet the needs of those who had been
with the organization the longest so they would be comfortable with it. Multiple methods
of working with the system were designed-in to meet the varying comfort levels, styles,
and preferences of the users. Personnel can navigate and interact with the system based
on their own styles.
Due to careful and thoughtful planning of the system at the outset, there were really no
surprises or hidden costs associated with the deployment of the facial recognition system.
The system was well-designed from the beginning thanks to close collaboration among
the vendor, system end users, and PSCO decision makers.
Looking back on the training program and continual turnover of personnel, more “train
the trainers” would have been prepared initially. As personnel advanced into new
4/7/2008 130
positions or left the PCSO, many of the initial “train the trainers” moved on, so there
became a critical need for additional people able to take this role. PCSO would have
increased the ratio of trainers in training vs. end users in training during the initial
training cycle.
Additionally, a closer look would have been taken at the actual people being trained.
Ultimately, everyone was trained on system usage, but not everyone perhaps should have
been. From a cost perspective (both time and money), PCSO could have saved some
overtime costs by excluding those individuals who would not interact with the facial
recognition system. Other personnel could perhaps have been trained less intensively.
Ultimately, the facial recognition system deployed by PCSO has changed law
enforcement in Florida for the better. Advice for another law enforcement agency
looking to deploy a biometrics-based system is: be sure to look at the various
technologies that are available and do your homework on the vendors. One reason the
PCSO implementation was so smooth was because the vendor was willing to listen
carefully and create real solutions. Be sure to work directly with the vendor and
integrator to define exactly what the need is and how the biometric-based system will be
used, and fully understand the scope of the project and the timing, based on precise needs
and goals.
4/7/2008 131
Case Study I – United Arab Emirates: Iris Expellees Tracking and Border Control
System
Problem
Combined, the seven emirates that make up the United Arab Emirates amount
geographically to the size of the U.S. state of Maine, but what it lacks in territory, it
makes up for in wealth and unprecedented population growth.
Because the UAE depends heavily on an outside workforce, a steady influx of expatriates
has boosted the population in recent years to more than four million, out of which only
20% are UAE citizens. Foreign workers pour in from the region, as well as from every
other continent. Having to deal with a daily onslaught of immigrants and visitors, the
UAE adopted advanced technology to strengthen its border control and identify potential
terrorists.
The UAE is one of the first countries to use an iris recognition system at most points of
entry.
Process
The biometric technology selected for the border-crossing and expellee identification
solution was required to:
Solution
First begun in 2000, iris recognition systems were installed at three major jails across the
country. The project was expanded to ports and airports in 2002. For example, at the
Dubai airport, one of the busiest in the world, all arriving passengers have to wait in line
to have their eyes scanned.
In the UAE application, the information obtained from the iris scan is sent via distributed
communications network to the Central IrisCode® Repository located at the Abu Dhabi
Police General Headquarters. After an offender has his irises enrolled, the iris templates
are placed in the database. Subsequently, the offender simply looks at the iris recognition
reader that checks the iris in just over one second. With the strong support of H.R.H.
Sheikh Saif Bin Zayed, Minister of Interior, the UAE acquired the technology and license
4/7/2008 132
for the iris recognition system from Iridian Technologies, which custom-developed a
system that suited the country’s requirements.
The UAE iris recognition system is a synthesis of three core components: iris cameras
with autofocus and autozoom, developed by LG Iris; iris recognition algorithms; and a
networked distributed server and communications architecture called “IrisFarm”,
developed by IrisGuard. It allows simultaneous enrollments into the central database
without interrupting parallel searching queries from multiple distributed stations, and
offers almost unlimited scalability to national populations of registered persons and
travelers without reduction in execution speed.
This figure shows the distributed and fully networked “IrisFarm” architecture
(IFA®) used for the UAE border crossing and expellee tracking system.
4/7/2008 133
Results
In this application, it is claimed that about 2 trillion random comparisons between images
of irises from people from various nationalities have been made over the past three years.
Colonel Al Raisi comments the system “is absolutely accurate in detecting forgery and
impersonation attempts.” “It also helps prevent expelled foreigners from returning and
prevents wanted criminals from leaving the country, regardless of the identification
documents they use. The system also tracks movements of prison inmates.”
Although the iris recognition system was designed to prevent illegal immigrants and
former expellees from entering a country using fraudulent travel documents, by
comparing the iris biometric of all arriving passengers against a “negative watch list” of
detainees, all aspects of the IrisFarm architecture, cameras, and the core iris recognition
algorithms are equally suited for “positive” applications in which the main goal is to
enhance the convenience, speed, and efficiency of border-crossing formalities for
legitimate travelers.
The General Headquarters of Abu Dhabi Police has begun deploying new iris cameras
developed by IrisGuard, which offer higher resolution and smaller size than the cameras
originally acquired. Eventually, all existing cameras will be replaced with the newer
generation ones.
A future initiative involves installing “e-gates” at all airports, which would speed up
entry and exit procedures. This system is already in place at the Dubai airport. For about
US$40, passengers can have their passports scanned, fingerprints and photo taken, and
have all this information stored on a card no bigger than a U.S. driver’s license. The card
is valid for two years. As of November 2005, approximately 200,000 e-cards had been
issued, which has also spawned commercial tie-ins. For example, travelers can combine
the e-card with an Emirates Airlines Skywards frequent-flyer card. Global banking group
ABN AMRO lets users get an e-card for about US$36 when they obtain a credit card
from the bank.
Cardholders do not have to wait in the long passport control lines and can have cards
scanned by turnstile machines similar to those at any U.S. subway station.
4/7/2008 134
Additionally, the UAE is working on an identification card project that will serve the
“same purpose as the U.S. social security number.” The smart card will hold a person’s
entire information, including date of birth, fingerprints, driver’s license, health card,
employment authorization, picture, and passport information. Readers currently exist for
these cards, using fingerprint recognition. Eventually, this system will be expanded to
iris recognition.
UAE officials had to adopt new security methods to detect if an iris has been dilated with
eye drops before scanning. Expatriates who were banned from the UAE started using eye
drops in an effort to fool the government’s iris recognition system when they try to re-
enter the country. A new algorithm and computerized step-by-step procedure has been
adopted to help officials determine if an iris is in normal condition or an eye-dilating drop
has been used.
It is imperative that the end-user organization, vendors and suppliers, integrators, and all
involved with the design and deployment of a biometric-based system fully understand
the problem(s) to be solved, analyze it thoroughly from different points of view, assess
the situation and need(s), do a pilot test of the new technology, make changes, then
implement to full deployment
4/7/2008 135
- Daugman, John; Malhas, Imad. Iris Recognition Border-crossing System in the UAE.
International Airport Review, Issue 2, 2004
- Hilotin, Jay B. Deportees caught with eyes wide open. Gulfnews.com April 2, 2006
- Tiron, Roxana. “Biometrics Systems Help Strengthen Border Security in Persian
Gulf Nation” National Defense magazine. June 2005
- “Iris scanner blocks 62,000 illegals”. Gulfnews.com May 3, 2006
- Malhas, Imad. Personal communication, December 2006.
4/7/2008 136
Appendices
4/7/2008 137
Appendix B – Miscellaneous Resources
AIM Global
Website: www.aimglobal.org
Description: AIM is a global trade association comprising providers of components,
networks, systems, and services that manage the collection and integration of data with
information management systems. Serving more than 900 members in 43 countries, AIM
is dedicated to accelerating the growth and use of Automation Identification and Data
Collection) AIDC technologies and services around the world.
AVIOS Inc.
Website: www.avios.com
Description: AVIOS which stands for Applied Voice Input/Output Society is a 23 year
old, not for profit professional membership organization founded as the American Voice
Input/Output Society, with the name later changed to reflect growing international
participation. Their goals are to provide resources to the speech community that will help
create quality applications of advanced speech technology, including applications of
speech recognition, speech synthesis and speaker authentication.
BioAPI Consortium
Website: http://www.bioapi.org/
Description: The BioAPI Consortium was formed to develop a widely available and
widely accepted API that will serve for various biometric technologies. The intent is to
work with industry biometric solution developers, software developers, and system
integrators to leverage existing standards to facilitate easy adoption and implementation,
develop an OS independent standard, and make the API biometric independent. Version
1.1 of the BioAPI specification has been published as ANSI/INCITS 358-2002. BioAPI
Version 2.0 has been published as ISO/IEC 19784-1: 2006.
4/7/2008 138
The Biometric Consortium
Website: http://www.biometrics.org/
Description: Biometric Consortium serves as a focal point for research, development,
testing, evaluation, and application of biometric-based personal identification/verification
technology.
Biometric Digest
Website: http://www.biodigest.com/
Description: Offers a variety of biometric and related e-newsletters.
Biometric Foundation
Website: www.biometricfoundation.org
Description: The Biometric Foundation, founded in August 2000, is dedicated to a
systematic program of research and education to reduce impediments to wide adoption
and use of all biometric technologies. The Foundation will address technical, societal,
and legal aspects of biometric technologies and their applications. Accordingly, the
Foundation's agenda will include studies of public attitudes toward uses of biometrics;
demonstration and evaluation of alternative biometric technologies; inquiry into
biometric standards issues; development of formal educational curricula that encourage
students to enter the field of biometrics as a professional career choice; and conferences
and seminars about the most effective uses of biometrics in key applications.
4/7/2008 139
Website: http://www.dss.state.ct.us/digital.htm
Description: The focus of BHSUG is providing a platform for sharing ideas and
innovations, distributing findings, identifying best practices, recommending and creating
useful standards for both human services users and technology developers for this
market.
BioPrivacy Initiative
Website: http://ww.bioprivacy.org
Description: Recognizing that biometric technologies are seeing increased usage in the
public and private sectors, International Biometric Group’s BioPrivacy Initiative defines
best practices as well as deployment and technology guidelines for maintenance of
personal and informational privacy in biometric deployments.
4/7/2008 140
Website: www1.cata.ca/biometrics/
Description: The Canadian Advanced Technology Alliance formed the CATA Biometrics
Group (CBG) to ensure that Canadian companies – those within the sector and those
using the technology- are equipped to thrive from an expanding market for biometric
technologies. A partnership of Manufacturers, Developers and Customers. It is a focused
advocacy initiative backed by Canada's largest technology association. CATA
Biometrics Group works to create public acceptance of biometric technologies and to
speed the adoption of biometric solutions.
COST 275
Website: http://www.fub.it/cost275/pages/_home_main/index.htm
Description: COST means Cooperation in the Scientific and Technological research,
focusing in part on biometrics-based recognition of people over the Internet.
4/7/2008 141
biometrics over the forthcoming 10 years and to carry out clearly focused research into
key biometric areas
ID Newswire
Website: http://www.cardtechnology.com/idnewswire.html
Description: A bi-weekly, four-page, electronic newsletter focused on developments and
trends in personal identification and biometric technologies.
4/7/2008 142
International Civil Aviation Organization
Website: http://www.icao.int/
Description: Six strategic objectives of the Organization have been developed. They are:
Safety, Security, Environmental Protection, Efficiency and Regularity, Legal Framework
and Effectiveness. The strategic objectives are action oriented and present a range of
activities which include development, implementation and technical support.
4/7/2008 143
member companies representing manufacturers, distributors, service providers,
integrators and others. SIA members are involved in several market segments such as
CCTV, access control, biometrics, computer security, fire/burglar alarms, and home
automation, just to name a few. Members work together to address issues facing the
industry and develop programs to enhance the environment in which they sell products
and services.
4/7/2008 144
Appendix C – Biometric Publications
Books
This book constitutes the refereed proceedings of the First International Conference on
Audio- and Video-based Biometric Person Authentication, AVBPA'97, held in Crans-
Montana, Switzerland, in March 1997. The 49 revised papers presented were carefully
reviewed and selected by the program committee for inclusion in the book; also included
are four invited contributions. The papers are organized in sections on facial features
localization, lip and facial motion, visual non-face biometrics, face-based authentication,
text-dependent speaker authentication, text-independent authentication, audio-video
features and fusion, and systems and applications.
4/7/2008 145
Audio- and Video-based Biometric Person Authentication
Third International Conference, AVBPA ’01, Halmstad, Sweden
June 6-8, 2001
Author: Josef Bigun, et al
Publisher: Springer Verlag
This book constitutes the refereed proceedings of the First International Conference on
Audio- and Video-based Biometric Person Authentication, AVBPA'01, held in Hamstad,
Sweden, in June 2001.
Gives readers a clear understanding of what an organization needs to reliably identify its
users and how the different techniques for verifying identity are executed.
This comprehensive, but straight-forward book wipes away the myth that bar codes are
complicated and difficult to implement. It begins by explaining how bar codes can help
improve productivity, accuracy, and timeliness of information in different environments.
To illustrate how bar codes have now become a universal practice, the book covers a
wide range of applications such as inventory, work in progress, point of sale, accounts
receivable, time and attendance, marketing and many others. You will find how these and
other applications relate to your work environment, and how they can easily be
implemented to increase productivity.
4/7/2008 146
Automated Biometrics: Technologies and Systems
(The Kluwer International Series on Asian Studies in Computer and Information Science)
Author: David D. Zhang
Publisher: Kluwer Academic Publishers, 2000
Introduces the relative biometric technologies and explores how to design the
corresponding systems with in-depth discussion. Engineering applications of biometrics
to personal authentication and Chinese medicine are covered. The issues addressed in
this book are highly relevant to many fundamental concerns of both researchers and
practitioners of automated biometrics in computer and system security.
This book can be used as a training text for new employees or can be read by beginners.
Many instructors use it as a primer for basic latent print development college classes.
Sections cover: How latent prints are deposited, Investigating the Crime Scene, Which
powders to use, How to lift and preserve the latent prints. There are simple to follow
sketches on how to powder a surface and how to tear and lift with tape.
4/7/2008 147
Biometrics
Author: Nanavati
Publisher: John Wiley & Sons
Biometrics
Author: John D. Woodward, Jr., et al
Publisher: McGraw-Hill Osborne, 2002
Discover how to make biometrics -- the technology involving scanning and analyzing
unique body characteristics and matching them against information stored in a database --
a part of your overall security plan with this hands-on guide. Includes deployment
scenarios, cost analysis, privacy issues, and much more.
4/7/2008 148
Biometric Authentication: A Machine Learning Approach
Author: S.Y. Kung
Publisher: Prentice Hall, 2004
Network security has become the latter-day equivalent of oxymoronic terms like "jumbo
shrimp" and "exact estimate." Newspaper headlines are routinely peppered with incidents
of hackers thwarting the security put forth by the government and the private sector. As
with any new technology, the next evolution of network security has long languished in
the realm of science fiction and spy novels. It is now ready to step into the reality of
practical application. The book covers a variety of biometric options, ranging from
fingerprint identification to voice verification to hand, face, and eye scanning.
Approaching the subject from a practitioner's point of view, the author describes
guidelines, applications, and procedures for implementing biometric solutions for
network security systems.
4/7/2008 149
Biometric Inverse Problems
Author: Svetlan Yanushkevich
Publisher: Taylor & Francis Group, 2005
General principles and ideas of designing biometric-based systems and their underlying
tradeoffs. Identification of important issues in the evaluation of biometrics-based
systems. Integration of biometric cues, and the integration of biometrics with other
existing technologies. Assessment of the capabilities and limitations of different
biometrics. The comprehensive examination of biometric methods in commercial use
and in research development. Exploration of some of the numerous privacy and security
implications of biometrics. Also included are chapters on face and eye identification,
speaker recognition, networking, and other timely technology-related issues.
4/7/2008 150
Biometric Solutions for Authentication in an E-World
Author: David Zhang, et al
Publisher: Kluwer Academic Publishers, 2002
Focuses on the technologies of fingerprint, iris, face, and speaker recognition, how they
have evolved, how they work, and how well they work. Examines the challenges of
designing and deploying biometrics in people-centered systems, and concludes with
discussions on the legal and privacy issues of biometric deployments from both European
and US perspectives.
Cutaneous Biometrics
Author: Doris A. Schwindt, et al
Publisher: Plenum PR, 2001
4/7/2008 151
Department of Homeland Security
Author: Michael Kerrigan, et al
Publisher: Mason Crest Publishers, 2003
This book describes the latest models and algorithms that are capable of performing face
recognition in a dynamic setting. The key question is how to design computer vision and
machine learning algorithms that can operate robustly and quickly under poorly
controlled and changing conditions. Consideration of face recognition as a problem in
dynamic vision is perhaps both novel and important. The algorithms described have
numerous potential applications in areas such as visual surveillance, verification, access
control, video-conferencing, multimedia and visually mediated interaction.
This book contains over 30 contributions from leading European researchers showing the
present state and future directions of computer science research. In addition to other
topics, the book covers three important areas of security engineering in information
systems: software security, public key infrastructure, and the design of new cryptographic
protocols and algorithms.
Discusses laser fingerprint detection, which is, in its essence, the general application of
photoluminescence methodology to physical evidence examination, representing a new
paradigm in criminalistics.
4/7/2008 152
Fingerprint Science: How to Roll, Classify, File, and Use Fingerprints
Author: Clarence Gerald Collins
Publisher: Cooperhouse Publishing, 1994
Guide to Biometrics
Author: Ruud Bolle, et al
Publisher: Springer Verlag, 2004
This is a complete technical guide aimed at presenting the core ideas that underlie the
area of biometrics. It explains the definition and measurement of performance and
examines the factors involved in choosing between different biometrics. It also delves
into practical applications and covers a number of topics critical for successful system
integration. These include recognition accuracy, total cost of ownership, acquisition and
processing speed, intrinsic and system security, privacy and legal requirements, and user
acceptance.
4/7/2008 153
Homeland Security Statutes 2003
Publisher: Government Institutes Research Group
In this time of increased terrorism, how can we balance civil liberties with the risk to
American lives and property? Is criticism of the president unpatriotic? Can torture ever
be morally justified? Beginning with a detailed account of the 9/11 attack and its
aftermath, Gottfried addresses these questions as he discusses the recent history of
American war and defense, including the controversial Patriot Act.
4/7/2008 154
Human Identification: The Use of DNA Markers
Author: Bruce S. Weir
Publisher: Kluwer Academic Publishers
The ongoing debate on the use of DNA profiles to identify perpetrators in criminal
investigations or fathers in paternity disputes has too often been conducted with no regard
to sound statistical, genetic or legal reasoning. The contributors to Human Identification:
The Use of DNA Markers all have considerable experience in forensic science, statistical
genetics or jurimetrics, and many of them have had to explain the scientific issues
involved in using DNA profiles to judges and juries. Although the authors hold differing
views on some of the issues, they have all produced accounts which pay due attention to
the, sometimes troubling, issues of independence of components of the profiles and of
population substructures. The book presents the considerable evolution of ideas that has
occurred since the 1992 Report of the National Research Council of the U.S.
This book shows what IT in organizations need to accomplish to implement The National
Strategy for the Physical Protection of Critical Infrastructures and Key Assets and The
National Strategy to Secure Cyberspace which were developed by the Department of
Homeland Security after the terrorist attacks of September 2001.
4/7/2008 155
Intelligent Biometric Techniques in Fingerprint and Face Recognition
Author: L.C. Jain, et al
Publisher: CRC Press, 1999
Consistent advances in biometrics help to address problems that plague traditional human
recognition methods and offer significant promise for applications in security as well as
general convenience. This book provides an accessible, focused examination of the
science and technology behind multimodal human recognition systems, as well as their
ramifications for security systems and other areas of application. It also describes the
various scenarios possible when consolidating evidence from multiple biometric systems
and examines multimodal system design and methods for computing user-specific
parameters.
Text reveals the truth about 'feel-good' security policies and spending programs that mask
real threats and do nothing tangible to improve public safety.
4/7/2008 156
Practical Biometrics: From Aspiration to Implementation
Author: Julian Ashbourn
Publisher: Springer Verlag, 2003
Containing a wealth of real world advice and written from an operational rather than
purely academic perspective, "Practical Biometrics" examines the many issues raised by
the application of biometric technologies to practical situations. This book concentrates
on the practical implementation of biometric verification techniques, with specific regard
to wide scale public applications. It acts as a practical guide to implementation,
identifying the associated issues around: * Scalability * Interoperability * Ethnicity *
Failure to enroll * User psychology * Features and Benefits. Highlights non device-
specific issues such as human factors, environment, privacy and data protection. Focuses
on the practical aspects of managing large-scale systems Provides an invaluable resource
to program managers, application developers and consultants working in this area
Preparing the U.S. Army for Homeland Security: Concepts, Issues, and Options
Author: Eric Larson, et al
Publisher: Rand
Homeland security encompasses five distinct missions: domestic preparedness and civil
support in case of attacks on civilians, continuity of government, continuity of military
operations, border and coastal defense, and national missile defense. This report
extensively details four of those mission areas (national missile defense having been
covered in great detail elsewhere). The authors define homeland security and its mission
areas, provide a methodology for assessing homeland security response options, and
review relevant trend data for each mission area. They also assess the adequacy of the
doctrine, organizations, training, leadership, materiel, and soldier systems and provide
illustrative scenarios to help clarify Army planning priorities. The report concludes with
options and recommendations for developing more cost-effective programs and
recommends a planning framework that can facilitate planning to meet homeland security
needs.
4/7/2008 157
Secrets and Lies: Digital Security in a Networked World
Author: Bruce Schneier
Publisher: John Wiley & Sons, 2000
4/7/2008 158
Voice Recognition
Author: Richard Klevans
Publisher Artech House, 1995
Biometrics systems have become common over the years. Their ease of use for the end
user and their perceived security make them seem to be the best solution to any problem
involving user authentication. Although biometric systems can provide fast and secure
user authentication with minimal user intervention, they have several inherant limitations
making them inappropriate for most environments where authentication is used. The
focus of this paper is not the possible use-cases of biometry, but rather it is those
limitations that are neither biometry type-specific nor implementation-specific and that
make biometric measures limited in their scope of possible users.
4/7/2008 159
Market and Technology Reports
With concern about its information assurance systems and physical access control
increasing, the Army has undertaken an assessment of how it can use biometrics to
improve security, efficiency, and convenience. This report examines the sociocultural
concerns that arise among soldiers, civilian employees, and the general public when the
military mandates widespread use of biometrics. The authors see no significant legal
obstacles to Army use of biometrics but recommend that the Army go beyond the
provisions of the Privacy Act of 1974 to allay concerns related to this emerging
technology. This report should be of interest to those responsible for access control as
well as anyone concerned about privacy and technology issues.
4/7/2008 160
Biometrics and Smart Cards
Author/Publisher: International Biometric Group, 2003
Smart cards and biometrics are strongly synergistic technologies whose acceptance in the
U.S. market are being driven by the desire in many applications for token-based as
opposed to centralized biometric functionality. Increased opportunities are present for
large-scale biometrics and smart card usage in public sector ID applications. However,
various competing and proprietary technologies in both the biometric and smart card
markets pose problems for institutions interested in large-scale deployment, as there is
risk of technology obsolescence or over-reliance on a single vendor. This report identifies
challenges that deployers and vendors face in adopting and developing this technology.
Exclusive analysis in this report leverages years of hands-on experience testing and
deploying biometrics and smart card technologies, years of interaction with leading
vendors, and extensive evaluation of the technology for large-scale applications.
The second edition of The Biometrics Industry Report - Forecasts and Analysis to 2006
examines the current use and future growth of biometrics. It analyses the trends in
markets, technologies and industry structure and profiles the major players. The report
provides key market statistics and forecasts essential for companies to plot their future
growth strategies.
4/7/2008 161
Biometrics: A Look at Facial Recognition
Author: John D. Woodward, et al
Publisher: RAND, 2003
During the 2002 Virginia General Assembly, Delegate H. Morgan Griffith sponsored
legislation setting legal parameters for public sector use of facial recognition technology
in Virginia. The Virginia State Crime Commission, a standing legislative commission of
the Virginia General Assembly, is statutorily mandated to make recommendations on all
areas of public safety in the Commonwealth of Virginia. RAND analyst John D.
Woodward, Jr. presented this briefing to the Virginia State Crime Commission Facial
Recognition Sub-committee in September 2002. It does not make specific policy
recommendations, rather defines biometrics and discusses examples of the technology,
explaining how biometrics may be used for authentication and surveillance purposes.
Facial recognition is examined in depth, to include technical, operational, and testing
considerations. It concludes with a discussion of the legal status quo with respect to
public sector use of facial recognition.
For organizations not yet prepared to execute a full privacy impact assessment of a
biometric deployment or technology, this report provides a framework for understanding
privacy issues in biometric technologies. With a review of framing legislation, discussion
of information and personal privacy issues, and detailed evaluation of the application-
specific and technology-specific risks posed by biometric technology, this report is
essential due diligence for any biometric deployer in the commercial, civil, or
employment sector.
4/7/2008 162
Biometric Systems: Worldwide Deployments, Market Drivers, and Major Players
December 2002
Author: John Chang
Publisher: Allied Business Intelligence
4/7/2008 163
Face Recognition: Cognitive and Computational Processes
Author: Sam S. Rakover, et al
Publisher: University of Haifa/Oakland University, Michigan, 2001
The objective of this report is to analyze the market opportunity for homeland defense-
related products and services. It is intended to help interested investors make timely
investment decisions; assist current market participants in devising expansion plans, and
advise potential participants in evaluating market opportunities. The assessment is based
on the perspective of a variety of industry executives, including manufacturers,
distributors, end-users, and a wealth of third party and secondary research sources. This
report includes fact and opinion-based information and is presented with charts,
discussion, and analysis that describes and assesses the raw data. The information in this
study pertains to the US market for homeland defense-related products and services.
4/7/2008 164
Industry Insight: President Gives Homeland Security the Green Light but Vendors
Should Proceed with Caution
Author/Publisher: IDC
This IDC Flash analyzes the newly approved Department of Homeland Security's impact
on IT spending.
Multimodal Biometrics
Author/Publisher: International Biometric Group, 2003
4/7/2008 165
National Strategy for Homeland Security
Author: George W. Bush
Publisher: Diane Publishing Co., 2003
Includes an appraisal of the areas where various biometrics are most applicable.
This report provides essential material gathered from a number of IBG deliverables, and
is the culmination of IBG’s work to date on the complex topic of biometrics in border
control, immigration, and MRTD (machine readable travel document)/visa issuance. It is
designed to help agencies mitigate risks and gain an up-to-the-minute understanding of
performance, technology, policy, privacy, and standards issues involved in the use of
biometrics in MRTD and border entry applications.
4/7/2008 166
State of Biometric Technology Standards
Author/Publisher: International Biometric Group, 2003
Designed for vendors, integrators, and deployers, the "State of Biometric Technology
Standards" report provides critical information on standards relevant to biometric
products, applications, and deployments. Standards addressed include BioAPI, BAPI,
CDSA/HRS, CBEFF, X9.84, M1 activities and SC37 activities (including interoperable
template formats, interoperable data formats, biometric performance testing, biometric
security evaluations), ANSI/NIST ITL 2000, ANSI B10.8, ICAO (SC17), biometrics and
card technologies, and biometrics and cryptographic systems (x.509). This report is
absolutely essential for organizations looking to use biometrics in government or
financial services applications.
This report provides a detailed assessment of fingerprint recognition from an industry and
technology perspective. The report leverages years of hands-on experience testing and
deploying fingerprint technology, years of interaction with leading fingerprint recognition
vendors, and extensive evaluation of the technology for large-scale applications.
This report provides a detailed assessment of facial recognition from an industry and
technology perspective. The report leverages years of hands-on experience testing and
deploying facial recognition technology, years of interaction with leading facial
recognition vendors, and extensive evaluation of the technology for large-scale
applications. The report profiles key facial recognition vendors, including Identix,
Viisage and Cognitec, and provides facial recognition market projections through 2007. It
also examines significant facial recognition deployments and the impact of facial
recognition’s incorporation in machine readable travel document applications. The report
offers an in-depth analysis of facial recognition performance tests such as FRVT 2002,
discusses the use of facial recognition in multimodal biometric applications, and details
relevant facial recognition standards. The report also examines the emergence of 3D
facial recognition technology and details the landscape of the 3D facial recognition
marketplace, profiling vendors such as 3Dbiometrics, A4Vision, Geometrix,
Neurodynamics and Genex Technologies.
4/7/2008 167
State of Iris Recognition Technology
Author/Publisher: International Biometric Group, 2003
This report provides a detailed assessment of iris recognition from an industry and
technology perspective. The report leverages years of hands-on experience testing and
deploying iris technology, years of interaction with leading iris recognition vendors, and
extensive evaluation of the technology for large-scale applications.
4/7/2008 168
Appendix D – Education/Training Resources
For those exploring the possibility who have not yet committed to a biometric system
there are symposia, conferences, and short courses available to give a broad overview of
biometrics, highlighting different technologies (“modalities”), applications, and pros and
cons of each.
For those organizations which have decided to implement biometrics, or who want more
detail, there are longer courses available to provide more detail relative to technology
selection, pros & cons, and implementation details. These courses can be attended by
middle managers, project officers, members of the IT staff and in some cases IT or
biometric technicians.
21
Center for Identification Technology Research (CITeR). www.citer.wvu.edu/links.php
22
http://www.itl.nist.gov/div893/biometrics/
4/7/2008 169
• The Center for Automatic Identification, Ohio University
• The Speech Recognition Group, Rutgers University23
• University at Buffalo Center for Unified Biometrics and Sensors (CUBS)
• West Virginia University/FBI Forensic Identification Degree Program
For academics and those who want to know details of algorithms, the matching process,
statistical bass for matching, and testing and evaluation or individuals interested in
earning a certificate in biometrics.
Consultants and systems integrators can provide needed guidance when evaluating the
need and implementation of biometric systems. Following is a list of selected providers,
according to The Biometric Consortium.
4/7/2008 170
• Trans Biometric Technologies
• Transecure, Inc.
4/7/2008 171
Bibliography and References
In researching and compiling the BTAM, the authors relied heavily on secondary
research from already-published, public sources. The following sources and resources
represent works from which information and knowledge was used and referenced, and
for which the authors are acknowledged and thanked for sharing this knowledge.
Adams, Mason. Cafeteria ID System Fingers Students. The Roanoke Times. December
10, 2005.
“An Arresting Case for Biometrics.” Biometric Technology Today. May 2005
Blackburn, Duane and Turner, Allan. Biometrics: Separating Myth From Reality.
Reprinted from the December 2002 issue of Corrections Today, Vol. 64, No. 7
“Body Language: Using biometric Technology” March 1, 2002, American City &
County.
Cohn, Jeffrey P., Miles, Christopher A. Tracking Prisoners in Jail with Biometrics: An
Experiment in a Navy Brig. National Institute of Justice Journal. NIJ Journal No. 253.
January 2006.
4/7/2008 172
Floyd, J. Michael. “Biometrics-The Future Competitive Edge” FE&S. January 2003
“University of Georgia Migrates Recognition Systems HandReaders Campus-wide” press
release from IR Recognition Systems. July 30, 1999
Haber, Lynn. “Glendale Locks Down PCs with Digital Persona Biometrics”, October
18, 2001, Ziff Davis http://techupdate.zdnet.com
“Indian housing plan uses local technology.” Passage to India Business Weekly. July
2005.
Kiernan, Vincent. “Show Your Hand, Not Your ID” The Chronicle of Higher
Education-Information Technology. December 2, 2005
Kharif, Olga. “IriScan’s Leader Looks Secure” Business Week Online. July 5, 2005
“LG Electronics lands huge iris scan program in India.” Government Security News.
September 2005.
“LGE Iris Tech Win in India Redefines Biometric Scalability.” LG Electronics press
release dated September 8, 2005.
4/7/2008 173
Peck, Bruce. “Rx for Password Headaches” Health Management Technology magazine.
January 2003
Riley, Jr., Richard A.; Kleist, Virginia Franke. “The biometric technologies business
case: a systematic approach” Information Management & Computer Security, Apr 2005
Volume: 13 Issue: 2 Page: 89 – 105.
Sullivan, Laurie. Iris Scanning for New Jersey Grade School. TechWeb.
www.techweb.com January 23, 2006.
“St. Vincent’s Hospital and Healthcare Center” client profile from Saflink Corporation
“St. Vincent Solves Security Challenges with CA’s eTrust Single Sign-on” client profile
from Computer Associates
“The National Biometrics Challenge” National Science and Technology Council (NSTC)
Subcommittee on Biometrics. August 2006
“University of Georgia Secures Campus with RSI HandReaders” press release from IR
Recognition Systems
Verton, Dan. “Hospital Taps Biometrics for Single Sign-on” ComputerWorld. October
2001.
“Viisage Awarded $2.4 Million Facial Recognition Contract from Pinellas County.”
Viisage press release. October 8, 2002.
4/7/2008 174
Acknowledgements
A special thank you to the following individuals and organizations that contributed their
time and expertise to the development of this volume.
James Cambier
Valerie Evanoff
Eizen, Fineburg, and McCarthy, LP
Gates and Company
Walter Hamilton
Scott Harmon
Chris Hengensten
C.B. Boots Kuhla
Beth Langen
Scott McCallum
Mohammad Murad
Bruce Peck
Russ Ryan
John Siedlarz
Donald Smith
Samir Tamer
Cathy Tilton
Dr. James L. Wayman
Jerry Williams
Bill Wilson
4/7/2008 175