Who goes there?
Using biometrics such as fingerprints or iris scans to authenticate people's identities before granting access to government buildings or computer networks may not be common right now, but it's taken for granted that it will be routine in the future. It's how to get from here to there that's the fuzzy part.
One piece of the puzzle is getting vendors' products to work with one another. Although the necessary standards to make this happen are getting closer, they aren't here yet. Likewise, combining smart cards with biometrics is generally considered the best technical approach to the solution. But certain technology and turf issues have to be worked out first. And cost is always a factor.
Nevertheless, the situation is getting better. Just a couple of years ago, for example, the biometrics field was littered with scores of companies large and small, all seemingly going in their own proprietary directions. That has changed.
"Vendors have dropped the logic about their products being 'the one and only' solution," said Greg Johnson, a subject matter expert with the Defense Department's Biometrics Management Office. "People have realized that the use of multiple biometrics, and biometrics being tied in with different kinds of security tokens [such as smart cards], is the philosophy now."
That change in mind-set is paying obvious dividends. One of the big issues with physical access to facilities is that biometrics should integrate with access control systems already in place. Previously, this required a lot of customization for each installation, but today with the middleware that vendors have developed, it's much more a matter of plug and play, Johnson said. And it's no longer a question of whether the technologies themselves are ready for the big time. Again, just a few years ago many potential users complained that biometric technologies were too inconsistent in accuracy and reliability to be used in all but the most tightly controlled situations.
Now, according to Lolie Kull, access control smart card implementation manager for the State Department, there's no question that biometric technology has arrived and that people want to use it. However, she said, that still does not mean that all biometric technologies can be considered equal.
For example, facial recognition is one technology that could be used for physical access, but she thinks there are still too many variables, such as lighting and posture, that could produce false negatives. Iris scan technology has proven to be very accurate, she said, but it's too slow for most applications.
Fingerprint technology is the most mature biometric right now, Kull said. It's already being used for logical access to computer networks in many organizations, particularly in the commercial sector, and fingerprint readers are relatively cheap and readily available.
A drop in prices for equipment such as fingerprint readers and cameras used for face and iris scans has certainly alleviated many of the cost concerns that potential users of biometrics had several years ago, said Tim Corcoran, senior systems engineer for the government solutions division of integrator Northrop Grumman Information Technology.
If nothing else, it has produced an environment in which people can afford to make some mistakes.
"People do find the use of biometrics compelling, but it's still a very mixed bag," he said. "It will take time for a consensus to be reached for what, where and when biometrics can be used, and how they can move on to a consideration of the business case for them."
Many agency officials are still wrestling with basic questions, such as if they really need biometrics for security applications or whether they can get by with simple smart cards or bar codes printed on ID cards, Corcoran said.
"The good news is that some agencies are beginning to look at it from a cost/ benefit approach," he said. "They are using that kind of analysis to see what benefits other than just security, such as increased accountability or an overall reduction in agency costs, they can get from biometrics."
People are looking at biometrics in increasingly sophisticated ways. One trend is to use a combination of biometric technologies.
"We're seeing more and more of that," said Adam Albina, chief operating officer of Advanced Biometric Security Inc. "The biometrics are not necessarily being used all at once at the same point in an enterprise, but as part of a layered security. And that leads to a need for more integration with existing systems."
That could cause headaches, he added. If there's a mix of operating systems in an organization, trying to apply biometrics could introduce potential problems with higher implementation and support costs.
"Naturally, users could balk at that, so trade-offs may have to be considered," Albina said. "They'll have to decide if they want biometrics used for logical access for all of their networked systems, for example, or just some of them."
It's certainly a potential problem for the Navy, according to Dave Guerrino, the Space and Naval Warfare Systems Command (Spawar) representative at DOD's Biometrics Management Office. Spawar has been assigned to execute the Navy's biometrics program and has so far run about 25 pilot programs to test the application of biometrics in a range of environments.
"Most of the off-the-ship biometrics we are using work with Microsoft [Corp.] Windows, but a lot of the Navy's legacy systems use other things than Windows," Guerrino said. "We are working with Johns Hopkins University to see about applying biometrics to these legacy systems, but it could be hard to do. You need to write code, so we don't know how far we'll go with that."
It's more likely that the application of biometrics will follow the pattern of systems upgrades throughout the Navy, he said, because developments by biometrics manufacturers and original equipment manufacturers closely follow the development of computer systems. For example, some new laptop computers have fingerprint scanners built in.
"It's awfully expensive to go back and put biometrics into those older systems," Guerrino said.
Prints on File
The driving force behind the military's use of biometrics is the DOD Biometrics Enterprise Solution, which aims to store biometric credentials in a central repository for use with whatever biometric authentication systems are employed by DOD anywhere in the world.
A warfighter's fingerprints would be collected once, for example, and he or she could then use a fingerprint reader at any military installation. The same would go for iris, face, voice or handprint biometrics.
Biometric templates would be downloaded from DOD's central repository to local storage at the user level so warfighters wouldn't have to enter their biometrics into the local system every time they arrive at a new location. The question is how to get those templates from the central repository when needed and how to do it in a timely and cost-effective way.
A proof-of-concept demonstration is planned for this fall, Johnson said, with a departmentwide implementation of the production system targeted for 2005 or 2006. However, given the problems the Biometrics Management Office and others could face in pulling all of this together, that's a very soft target, he said.
A vital component of the Biometrics Enterprise Solution is incorporating biometrics into DOD's Common Access Card, a smart card intended to be the standard identification for all active-duty military personnel, as well as for DOD civilian employees and contractors. It will authorize both physical and logical access to DOD facilities.
Testing is under way to see which biometrics should be used for the card and how best to incorporate them — a process that addresses questions such as the size and number of biometrics to include, Guerrino said. The testing program should be completed within the next year.
The State Department is wrestling with the same issues as it works on its smart card deployment, Kull said. Besides DOD and State, the General Services Administration and Treasury Department also have smart card programs, and the intention is to make each agency's card interoperable with the other agencies' systems.
"For that you need standards," Kull said. "The ideal would be that, if one agency is using one kind of fingerprint, then others should use the same template, or interoperable standards should be in place so that it wouldn't matter which vendor's biometric was used."
Those standards are being developed, she said, but "we are still a little far off there." The alternative would be to cram as many biometric templates onto the card as possible, to include every agency's selection, "but there's a limit to the number of biometrics that a card can hold," Kull said.
There's no doubt that biometrics will be used at some point for both physical and logical access throughout government, Kull said, but it will still take some time.
"We just haven't worked through all of the [technical and policy] issues yet," she said.
Robinson is a freelance journalist based in Portland, Ore. He can be reached at firstname.lastname@example.org.