One-of-a-kind biometric identifiers are finding many security applications.
Sep 1, 1997 12:00 PM
Biometric technology has reached the lives of everyday people, who may use it when collecting a welfare check, getting a driver's license, or entering a health club.
Biometrics, the measurement of biological data, can be incorporated into security devices to verify identity based on analysis of a unique physiological or behavioral characteristic. Biometric identifiers, such as fingerprints and iris patterns, are highly reliable, because they cannot be easily faked, altered, or appropriated.
Biometric security devices are coming into the mainstream.
At the 1996 Summer Olympic Games in Atlanta, for example, hand readers supplied by Recognition Systems Inc., Campbell, Calif., were used to protect access to the Olympic Village. More than 65,000 people were enrolled in 140 hand geometry units. In a 28-day period, there were more than 1 million transactions. Bill Rathburn, director of security for the Games, said the addition of biometrics was probably the single biggest security improvement since the 1984 Olympics in Los Angeles.
Nobody, and nothing, is perfect
No biometric device is 100 percent accurate 100 percent of the time, and the error rate is an important criterion when selecting the right biometric for an application.
There are two kinds of error rates: a false reject rate (how often authorized users are rejected) and a false accept rate (how often unauthorized users are accepted). The rates can be inversely related, i.e., if a security device is user-configured to prevent false accepts, there may be more false rejects.
The best advice for someone looking for a biometric device for an access control application is to look for a vendor and product with a track record, says Ben Miller, chairman and founder of CardTech/SecurTech, an annual conference and exposition where biometric technology is heavily represented.
Miller says a lot of the variability in error rates, especially in the false reject rate, comes from the fact that people are involved, perhaps using a device incorrectly. People aren't perfect, therefore biometric systems will never be perfect. But, he says, they are sometimes better than the alternative.
The thing to look for is a leveling of the rates, says Tony Slinn, editor of the International Security Review. There are devices on the market that can balance the error rates at the 0.02 percent range. But depending on the application, he says, it can be critical to maximize one rate at the expense of the other. He uses banks as an example:
"Magnetic stripe card technology was developed in the '60s as an airline technology for quick transfer of information. Today, mag stripe cards are vulnerable to street-level crime; anyone can copy them with $200 worth of equipment. But banks have not yet agreed on a new standard, because they are in competition and do not want to inconvenience or embarrass their customers [with false rejects]. But if you look at a nuclear facility where the concern is terrorism, it's the opposite: having no false accepts is worth the inconvenience of a few false rejects."
Bill Spence of Recognition Systems points out a problem with using cards for security. "If I have my card in my hand and I swipe my card, then all is fine. But if my card gets into someone else's hands who uses it, the false accept rate is 100 percent." The goal of any access control system is to let in only authorized people; a card-based system lets in only authorized pieces of plastic, says Spence.
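The trade-off between false accepts and false rejects described above can be made concrete by sweeping a matcher's decision threshold. The following is an added example, not part of the original article or of any vendor's product; the match scores, the 0-100 scale and the function names are constructed for illustration.

```python
# Added illustration: how one decision threshold trades false accepts
# against false rejects. Scores, scale and names are constructed for this example.

# Constructed match scores (0-100, higher = closer to the enrolled template).
GENUINE = [91, 88, 95, 79, 84, 97, 72, 90, 86, 93]   # authorized users
IMPOSTOR = [35, 52, 41, 60, 28, 74, 47, 55, 66, 39]  # everyone else


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_accept_rate, false_reject_rate); score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for every integer threshold 0..101."""
    return [(t, *rates(t, genuine, impostor)) for t in range(102)]


def balanced(genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold where the two rates are closest: the 'leveling' point."""
    return min(sweep(genuine, impostor), key=lambda r: (abs(r[1] - r[2]), r[0]))


def lowest_threshold_with_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """High-security setting: cap false accepts, then reject as few users as possible."""
    for row in sweep(genuine, impostor):
        if row[1] <= max_far:
            return row
    return None


def highest_threshold_with_frr(max_frr, genuine=GENUINE, impostor=IMPOSTOR):
    """Convenience setting: cap false rejects, then accept as few impostors as possible."""
    for row in reversed(sweep(genuine, impostor)):
        if row[2] <= max_frr:
            return row
    return None


if __name__ == "__main__":
    print("threshold   FAR    FRR")
    for t, far, frr in sweep()[60:100:5]:
        print(f"{t:9d} {far:6.0%} {frr:6.0%}")
    print("balanced:         ", balanced())
    print("no false accepts: ", lowest_threshold_with_far(0.0))
    print("no false rejects: ", highest_threshold_with_frr(0.0))
```

With these constructed scores no threshold gives zero false accepts and zero false rejects at once: the convenience setting (72) admits one impostor in ten, while the high-security setting (75) turns away one authorized user in ten.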
Sound product choices
Ben Miller says an exciting thing about biometrics today is the variety of good product choices. "There has been a stabilization among the players who seem to be running stable businesses with solid products," he says. "And the new people tend to be larger, better-funded efforts, less of the garage-entrepreneur variety."
It is harder for a company that does not have its act together to survive in the market, says Miller, because a high level of professionalism and research and development is bringing performance up and prices down.
"The most significant thing is really the fact that the biometrics industry now has behind it more than 10 years of history and thousands of organizations that have successfully used the products," says Miller.
There are two classifications of biometric identifiers: physiological and behavioral.
Physiological identifiers include:
* fingerprints,
* hand geometry,
* eye patterns, and
* facial features.

Behavioral identifiers include:

* voice prints, and
* signatures.
Behavioral identifiers are more subjective than physiological identifiers; they can vary because of external conditions such as illness, and can conceivably be imitated. Slinn points out that choosing the right biometric often presents a compromise. "Most people are comfortable with giving a signature and would find that fairly acceptable," he says. "But they may not be comfortable with giving a fingerprint, because of associations with police and crime, regardless of the reliability of fingerprinting."
The reliability of fingerprinting was established about 100 years ago when fingerprints were first used as evidence in a criminal matter. Today, automated fingerprint verification is the most common biometric, as the number of companies making inroads into the technology attests.
The most common type of fingerprint verification has been minutia-based. Because the ridges of skin on human fingertips either end or split into forks called bifurcations, fingerprint characteristics, or minutia, are unique. Before computers, minutia-based comparison was a time-consuming process done by forensic experts with a discerning eye.
But with computers came automation.
The largest application of automated fingerprint identification is automated fingerprint identification systems (AFIS), the massive database systems used by law enforcement. Morpho Systems, Tacoma, Wash., is a supplier of AFIS systems.
For some end-users, a system based on a law enforcement standard has appeal. PrintScan International, Martinsville, N.J., offers a patented fingerprint identification and verification system that uses Coincident Sequencing software. According to PrintScan president Torben Hugh-Jensen, Coincident Sequencing is the comparison standard accepted by the international law enforcement community. The process examines type, location and direction of minutia, as well as the number of ridges between minutia. According to Hugh-Jensen, the U.S. law enforcement standard for verification is 12 minutia in coincident sequence. But for commercial applications, he says, fewer matching minutia are acceptable. And commercial applications (access control, computer and information security, time and attendance) are booming.
Observers list several hurdles fingerprint verification must overcome, including: the stigma that fingerprinting is associated with criminal behavior; fear of lost privacy; sometimes lengthy verification time; and the large template size needed to store a fingerprint. Many vendors are jumping these hurdles. Following are a few.
* Identix, Sunnyvale, Calif., offers the TouchLock II verification terminal, designed for physical access control applications. The terminal allows any one of the 10 fingers and up to three fingers to be enrolled under one PIN. It operates in stand-alone or networked configurations and has a user-programmable Wiegand interface. Verification takes less than a second, and each terminal stores up to 1,100 finger templates. Identix was recently chosen to participate in a pilot program at Chicago's O'Hare International Airport in which Identix' technology is to be integrated with smart card technology. The application will be evaluated on its effectiveness and speed in enhancing the security of air cargo personnel and shipments.
* In 1995, Ultra-Scan Corp., Amherst, N.Y., demonstrated a prototype fingerprint scanner that uses ultrasound for image capture. Since then, the company has developed the Series 500/600 Ultrasonic Fingerprint Scanners. Series 500 images meet the FBI/NIST specification for image quality, and Series 600 scanners are designed for fast verification. The patented technology relies on the acoustic impedance of skin, air and the fingerprint platen and is unaffected by the surface grime and distortion that can adversely affect optical scanners, says Ultra-Scan. It can also produce a template as small as 25 bytes. Lockheed Martin chose the technology for the fingerprint portion of its information management system in a jail management application.
* Sony, Tokyo, Japan, is making a foray into the biometric field with a self-contained fingerprint identification unit, the FIU, which has an internal CPU and 1,000-print capacity and fits in the palm of the hand. It can be integrated or used as a stand-alone desktop device. Sony also offers a Software Developer's Kit (SDK), developed by I/O Software. The SDK is a collection of application program interfaces that enable software developers to write to DOS, 16-bit and 32-bit Windows applications that use the FIU.
* Harris Corp., Melbourne, Fla., recently introduced its PowerMatch Search Server software and MatchBase search service under the brand name AuthenTec, a line of software, hardware and services for fingerprint identification. According to Harris, PSS is scaleable to fit any size search problem. It can be expanded by adding processors to multiprocessor servers, and by adding servers to the search complex. MatchBase is a centralized fingerprint matching service based on PSS. Databases are maintained centrally by AuthenTec, and searches are billed on a per-transaction basis.
* And at CardTech/SecurTech '97, SAC Technologies, Edina, Minn., introduced its SACMan fingerprint reader, a desktop device about the size of a computer mouse that uses optics and electronic sensing for image capture. The reader is available in three configurations, ranging from the basic raw image capture optic sub-assembly, to a SACMan unit without the external base. The reader offers optics of over 1,000 dpi and end-to-end distortion of less than 0.004 percent, says SAC.
SACMan is a fingerprint-based computer log-on, security and encryption tool. SAC Technologies offers a scaleable 1-to-many identification system using vector-line-type analysis, which processes the entire pattern of the fingerprint to derive vector-line types and their relationships; the unique characteristics of the fingerprint are then transformed into a vector-line-type mathematical model, according to the company.
Other manufacturers of fingerprint verification products include Identicator, Finger/Matrix, Polaroid, Cross Check Corp. and Advanced Precision Technology, among others.
Hand geometry was the biometric of choice at the Olympics in part because, according to Bill Spence, some of the athletes were not receptive to fingerprint verification.
The HandKey product from Recognition Systems Inc. (RSI) uses three-dimensional hand geometry to verify a person's identity. The hand is optically scanned using infrared lights and a digital camera. The image is then stored as a 9-byte reference template (the industry's smallest, according to RSI), allowing up to 27,000 templates in internal memory.
Though primarily designed for access control applications, HandKey is increasingly being used for time and attendance, and, recently, in a border-crossing system called INSPASS that has been in pilot application at airports including JFK, Newark and Miami. Over the next 12 months, the system is expected to be in Dallas, Honolulu, Los Angeles, San Francisco, Chicago and Boston airports. INSPASS is a voluntary program designed to speed processing of frequent international travelers.
Spence says that if you feel comfortable using a device, you will most likely use it correctly, and if you use it correctly and give it good data, it will give you the right answer.
Currently, RSI dominates the hand geometry market. Other types of geometry-based systems include those made by MicroIdentification Systems, Coral Gables, Fla., and by Biomet Partners, which has headquarters in Switzerland.
The retina, with its unique vascular patterns, and the iris, with its unique, randomly formed features, are excellent biometric identifiers.
* Retina recognition. EyeDentify, Baton Rouge, La., serves the retina verification market with its patented EyeDentify 2001 retinal recognition technology. Here's how it works: When a user looks at the alignment target, an eye template is acquired from the light naturally reflected and absorbed by the retina. The system uses an incandescent lamp similar to a lightbulb that outputs 0.07 watts of light, less than a night light. The retinal field has 192 data points identified that are used as the basis for a 96-byte template, or eye signature. The template is then stored for future recognitions. The system does not require that the eye make contact with anything; a reading can be acquired from 1.5 to 2 inches away from the optical lens.
Retinal recognition systems are used in some of the United States' most secure areas, including the Department of Energy, Cape Canaveral and CIA, NASA and FBI buildings nationwide. Systems are also in use throughout Europe and in South America.
When first released in the early 1980s, the devices were expensive, between $30,000 and $50,000. But in the 1990s, the price has come down to the $2,000 range. According to EyeDentify, no false accept has been reported in more than a decade of use.
* Iris recognition is the process of identifying individuals by computer analysis of the unique, randomly formed features in the iris, the colored portion of the eye that surrounds the pupil. IriScan, Mt. Laurel, N.J., holds the patent on iris recognition technology. In the IriScan process, iris images are captured from 10 to 12 inches away by a video camera, digitized, processed into an IrisCode, and stored for future recognitions.
IriScan has also had success licensing its technology to companies such as Sensar, a supplier of iris recognition technology for the banking industry. Sensar, Moorestown, N.J., has teamed with NCR Corp., a supplier of ATMs, to develop, distribute and supply Sensar's IrisIdent identity verification system. The IrisIdent product is based on technology licensed from IriScan.
IriScan's latest offering, the System 2100, is a distributed processing network with a central enroller/server that allows "one-stop" enrollment and downloading of IrisCode files. It can function independently or as an integrated part of a host access control system, as well as in stand-alone or networked mode.
* Visionics, Metuchen, N.J., is the developer of the FaceIt face recognition technology, real-time software that allows a PC connected to a video camera to automatically detect a human head, locate the face, extract the facial image and identify who it is by matching against its database of known people (up to 50,000) in about 1 second. According to Visionics, the software is based on local feature analysis, and the benefit is the user is required to do nothing. It can handle faces up to plus or minus 25 degrees from frontal, in vertical as well as horizontal orientations.
The technology is used in applications from physical access control to transit control to computer and information security. The Army Research Lab will use FaceIt for access control and to monitor restricted computer terminals. FaceIt can secure a system if the user leaves the field of view. Immigration and Naturalization Services (INS) will use the technology for its SENTRI project, which provides rapid transit for commuters across the Mexico/U.S. border. INS says it selected Visionics after a market survey showed FaceIt to have been successfully tested against the FERET database. FERET is a test of facial verification systems conducted by the U.S. Army.
* Miros, Wellesley, Mass., produces the TrueFace line of face recognition products, which range from a 32-bit C-callable DLL engine to a complete access control system and a stand-alone computer application verification system. Miros' face recognition technology is based on neural network technology, which mimics the way the brain processes information. TrueFace compares images, then scores the confidence of a match between two images on a scale of 1 to 10. The TrueFace GateWatch system is currently being used by a large financial institution in Boston to protect its data center. Other applications for the technology include physical security, time and attendance, medical information systems, financial data and also electronic commerce, imaging, law enforcement and benefits administration.
* Technology Recognition Systems, Alexandria, Va., is a relatively new company with a different approach to face recognition. It holds the patent on facial thermogram technology. Here's how it works: The vascular system in the face produces a unique facial "signature" when heat passes through facial tissue and is emitted from the skin. An infrared camera captures the patterns, or thermograms, which are digitized and stored by a computer. When a computer reads the thermogram, it eliminates the patterns produced by the nose and ears which are sensitive to changes in temperature. A new image taken by an infrared camera is compared to a stored thermogram to verify identity.
TRS says the system is invulnerable to disguise because even plastic surgery does not re-route the flow of blood through the veins. Also, it requires only 2 to 4 kilobytes of digitized imagery to be stored. TRS can adapt the core technology to be used for applications such as access control and computer security.
TRS expects the technology to be used in a production system, an access control system, to be available in January. The access control system will be manufactured by Unisys.
Some other manufacturers of face verification systems are: Polaroid, Bedford, Mass.; Identification Technologies Intl., Columbia, Md.; and Viisage, Littleton, Mass.
Voice recognition is classified as a behavioral biometric identifier. The notion of voice command is certainly appealing, and has great potential for access control and for fraud prevention, especially in the financial industry: credit card use over the phone, wireless communications and electronic commerce could be made more secure.
An advantage of voice verification technology is easy and remote data collection.
* According to Graphco Technologies, West Trenton, N.J., user acceptance of their VoicePass speaker verification technology is high because, to humans, speech is the most natural means of communication. The VoicePass system, debuted in January 1997, performs voice verification and identification against a database of enrolled speakers. The former verifies whether a speaker is who he/she claims to be, the latter determines which registered speaker provides a given utterance against a database of enrollees.
Applications of the VoicePass technology can be text-dependent or text-independent and use custom or random verification phrases, with or without passwords. A sequential strategy is used to improve the valid user acceptance rate. The company is in contract negotiations with a Long Island-based security company and with a New Jersey-based bank.
* Another company that offers voice verification as a security solution is Keyware Technologies, Woburn, Mass.
The Keyware Security Server combines voice verification technology called VoiceGuardian and face recognition technology in an integrated security system. The server software uses layered verification algorithms to integrate the matching of facial images, spoken language and standard password or ID card recognition. VoiceGuardian is based on voice verification technology developed by Lernout and Hauspie Speech Products. The pattern matching and facial image recognition is from Excalibur Technologies.
The first access control system to incorporate the Security Server has recently been installed in a building owned by Cofinimmo, a property company in Brussels.
Signature
A signature is also classified as a behavioral biometric identifier. Communication Intelligence Corp. (CIC), Redwood Shores, Calif., develops, markets and licenses "natural input computer technology," products that use pen and image for input. The company offers Handwriter, a pen input peripheral for Windows-based PCs that plugs into a serial port, as well as InkTools, a software tool kit for application developers. InkTools includes SigCheck, a software module that verifies the identity of a person by confirming that a signature is signed with the same velocity, acceleration and stroke sequences that usually occur out of muscle memory, says CIC.
Chase Manhattan Corp. uses CIC products to protect financial transactions for GinnieMae (the Government National Mortgage Association). Handwriter and Inktools have been integrated into GinnieMae's electronic mortgage pool processing system, GinnieNET, to verify the identity of people accessing the system.
Signature verification systems are also made by Atlanta-based Cadix, New York-based PenOp., and by Advanced Recognition Technologies, Chatsworth, Calif., among others.
What will they identify next?
There are other potential biometric identifiers being researched and developed. Keystroke dynamics is seen as promising based on the fact that during WWII, people could be recognized by the speed and the way they tapped out Morse code. Another potential identifier is human scent, which is reputedly unique. Tony Slinn notes that the most interesting potential identifier he has heard of is brain waves. Only time will tell.
According to Miller, many biometrics are finding success in time and attendance applications, where vendors have embraced biometrics as enhancing their systems. In the access control market, the distribution channels have not been as enthusiastic.
The consensus among biometric proponents is that the applications to watch are banks and financial institutions. If, as those in-the-know forecast, the advent of the smart card in America is only a few years off, biometrics could be critical to protecting the privacy of stored data and to protecting card transactions. The biometrics industry could grow exponentially.