Identity Management

A tipping point for biometrics?


The Department of Homeland Security is about to embark on an ambitious project to add biometrics to its smart card identification system. Other government efforts have shown that such projects can go horribly awry, but the project also has the potential to change DHS profoundly for the better.

The exact path the agency takes, analysts say, depends on how well it prepares itself and possibly on how well it incorporates some new technical guidance.

In May, DHS issued a request for proposals to add facial, fingerprint and iris recognition capabilities to its ID system as part of a $102 million upgrade. The agency is seeking a new contractor to take over the ID management project currently overseen by XTec and establish a new biometric-based card system that complies with Homeland Security Presidential Directive 12 (HSPD-12). The contractor would replace 161,924 personal identity verification (PIV) cards by the end of 2013 and another 116,172 in 2014, DHS officials said.

According to the agency, the winning contractor would also install enrollment and issuance stations at as many as 300 DHS locations to manage at least 300,000 PIV cards. Those locations could include sites outside the United States.

Accenture Federal Services, Booz Allen Hamilton, Deloitte, General Dynamics Information Technology, Northrop Grumman, Science Applications International Corp. and Unisys have all expressed interest in the project.

Biometric challenges

Many agencies are meeting HSPD-12's requirement to use a common credential for physical and logical access to their buildings and computer systems, but few have adequately incorporated biometric capabilities. DHS' project takes that bull by the horns, but not without risk.

Heidi Shey, an analyst at Forrester Research who covers security and risk markets, said the relatively short timeline for completing such a large project could lead to big problems if sound planning is not done upfront. For the agency to avoid trouble down the road, it should be working on — or, better yet, completing — programs that establish enrollment processes for employees, define what kind of information each employee needs embedded in his or her card, and create backup plans in case of failure, she added.

DHS is hard at work on that kind of due diligence, said Jim Williams, senior vice president of business development at Daon. The software and professional services company is helping India's government develop and manage a national biometric-based ID program. The project, which aims to issue identity cards for roughly 1.4 billion people, enrolls about 1 million people a day, taking fingerprint, iris and facial images from each. Those images are stored in a massive central database.

Williams said that although DHS is doing a great job in setting up the procurement for its project, it faces some challenges. The main one is ensuring that the ID card and management system comply with a 2011 Office of Management and Budget memorandum (M-11-11) that seeks to further the implementation of HSPD-12 by making PIV credentials the common means of authentication for access to agency facilities, networks and information systems.

Furthermore, Williams said coordinating numerous biometric identifiers can be complicated, and information storage for such a huge project is potentially costly.

He added that another big challenge for DHS is keeping its systems efficient and up-to-date. Other large identity management programs use increasingly effective commercial software to do that, and DHS could take the same approach. But Williams added that avoiding proprietary solutions and other forms of technology lock-in is essential for DHS.

The New Smart Card

Today's smart cards might look like the laminated flash passes of old, but they now go far beyond name, address and photo. Onboard computer chips can carry complete identification records and other documentation, including digitized fingerprint or facial images. On a PIV card, those biometric containers are released by the chip only after the cardholder's PIN has been verified.

Cards can incorporate not only bar codes, RFID tags and magnetic stripes but also onboard processors that segment and store information and can even accept automatic remote updates. These cards can take up to 30 steps to construct, print and laminate.

A model for other agencies

DHS' plans got a boost from the National Institute of Standards and Technology in mid-July. After a long delay, NIST released specifications for iris recognition capabilities under Federal Information Processing Standard 201-2 — the latest installment in a series of NIST publications that provide technical guidance for complying with HSPD-12.

By consulting the FIPS 201-2 publication, federal agencies can implement standards-based biometrics and identity management solutions that are accurate and interoperable, said Charles Romine, director of NIST's Information Technology Laboratory.

The recently released guidelines include specifications for federal agencies to use iris recognition as an optional add-on for authenticating their PIV cardholders, Romine said. The publication also describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV card itself. The specialized format requirements for iris images are based on the international standard for compact storage (ISO/IEC 19794-6), he added.

DHS declined to provide specifics about its plans for the new identity management system, but agency spokeswoman Marsha Catron said DHS continues to implement HSPD-12, which works to improve the secure, reliable identification of federal employees and contractors.

If DHS is successful in implementing its biometric ID program, it could provide a model for other agencies. For instance, Williams said the national wireless communications network for first responders that the National Telecommunications and Information Administration is spearheading will need some kind of identifier for users to access it.

He added that because DHS operations touch such a wide range of markets — including border security, air travel and emergency response — it is a trend-setter for organizations at all levels of government and in industry.

DHS is "moving to a new world," Williams said.


TWIC: A cautionary tale?

The Transportation Worker Identification Credential (TWIC), an ambitious biometric ID card project overseen by the Transportation Security Administration and the U.S. Coast Guard, has been underway for more than a decade. Congressional overseers and critics say its history shows how important upfront management can be for large biometric ID installations.

The program began in 2003 as part of an effort to protect ports and transportation infrastructure in the wake of the 2001 terrorist attacks by establishing a national, tamper-resistant secure ID for transportation workers.

Millions of truckers and port workers pay $65 to $135 to get TWIC cards, which numerous critics on Capitol Hill have called nothing more than a glorified "flash pass" because their more advanced biometric and data storage capabilities have not lived up to their billing.

The card has a computer chip that stores the holder's information and biometric data, usually a fingerprint. The chip can be read either through its contacts, by inserting the card into a reader, or contactlessly, by holding the card near a reader. The card also has a magnetic stripe like the ones on credit cards and a linear bar code as alternative reading methods.

However, over the years, the program has been hobbled by faulty card readers, inadequate fingerprint data collection, expiration-date errors, dark photos and other problems. A recent study by the Government Accountability Office said the results of a test of TWIC card readers "were incomplete, inaccurate and unreliable for informing Congress and for developing a regulation (rule) about the readers.... These issues call into question the program's premise and effectiveness in enhancing security."

At a hearing convened by the House Homeland Security Committee's Border and Maritime Security Subcommittee in June, Chairwoman Candice Miller (R-Mich.) and others questioned whether the TWIC program was dying or already dead.

Rear Adm. Joseph Servidio, assistant commandant for prevention policy at the Coast Guard, said TWIC was not dead. "We will be able to justify the technology as it matures," he said. "The systems are more robust now."

"Are we where we need to be?" Servidio asked rhetorically. "No, sir, but I think we are moving in that direction."


Reader comments

Mon, Sep 23, 2013

What a joke! Daon software is TERRIBLE! One can barely install it and get it running...let alone expect it to provide any real security!

Thu, Aug 22, 2013 Frank

I don't WANT an I.D. card, smokes. Biometric or otherwise. The ignorant American sheeple just keep marching to their orders, just like the Germans did to the Nazis in pre-war Germany.

Fri, Aug 16, 2013

It's interesting to note that while Daon warns here about the difficulty involved in fielding biometric systems, they played a major role in implementing the TWIC program.

Fri, Aug 16, 2013

All this money so that we can rely on a database somewhere to validate that the card belongs to the person who has it? What they tend to ignore is that whatever a team can come up with, another team somewhere else can defeat. Just look at the CAC card - how many years ago did the Chinese crack that 'uncrackable' system?

Granted, as long as there are people (including ones in our government) who wish to control others or to destroy what they have, we need something. But so far (including this article), all I see is that people who just want to get on with life are the ones affected; the bad guys just get a workaround and go on with what they want to do while the rest of us are fumbling around with the 'security' system.

(Oh, and I do not like the thought of several to many times a day having a bright light in my eye, the eye was not designed for that abuse.)

Fri, Aug 16, 2013 Beltway Bill

Placing too much trust in smartcards can add risk. Multi-factor authentication *also* means the remote network must validate each factor. Right now DoD smartcards only authenticate one factor, the PKI cert presented from the smartcard. If biometrics AND a PIN are required to use / release the PKI cert in the card, it's likely the system will still only have single-factor validation (authentication).
