No two alike
- By Jennifer Jones
- Jun 24, 2002
Despite several early, meaningful attempts at standardization, biometric technology has been stalled in adolescence longer than expected. And now the homeland security movement is both helping and hindering the technology's progress.
Biometric tools use complex algorithms to assign quantitative measurements to human traits, such as fingerprints, voice qualities or facial structures.
Since Sept. 11, pressure to improve security at all levels of government is swelling the demand for biometrics.
"The need for biometrics in general was understood even before the events of September," said Fernando
Podio, a team leader at the National Institute of Standards and Technology and co-chairman of the Biometric Consortium. "But homeland security and the need for applications to prevent identification theft have accelerated that need."
As the industry races to keep pace with this new surge in demand, many experts agree that it is under equal pressure to jump-start its efforts to create biometric standards and ensure interoperability.
Yet, given the sense of urgency behind homeland security efforts, government officials are eager to harvest the benefits of biometric technology as quickly as possible — and are not willing to wait for further standards development.
"Nothing is going to grind to a halt" while the private sector hunts for ways to improve interoperability, said Rosanne Hynes, information technology adviser to the Defense Department's Homeland Security Task Force. "We will be cooperating across the federal family for common opportunities and common solutions, but our attention is on homeland defense."
And there is plenty to work with because initiatives to establish biometric standards for modern technology date to the 1980s.
"At this point, there is at least enough in the way of standards to give customers 'warm fuzzies' on product integration," said M. Paul Collier, executive director of the Biometric Foundation.
Standards recently pushed to the forefront include the Biometrics Application Program Interface (BioAPI), an industry standard designed to provide a uniform way to stitch biometric identification features into other systems. The American National Standards Institute (ANSI) formalized BioAPI in late February.
"Using the same, common interface, a programmer doesn't have to be cognizant of how biometrics work," said Cathy Tilton, director of special projects at SAFLink Corp. and chairwoman of the BioAPI Consortium.
BioAPI compliance requirements have lately worked their way into more government IT solicitations, largely because of the focus on homeland security. "As the government customer starts to ask for it, it puts pressure on the vendors," Tilton said.
On the vendor side, executives at smart card provider ActivCard Inc. acknowledged feeling pressure to adopt BioAPI and other standards. In fact, for some time, BioAPI has "been on our road map," said Larry Hamid, ActivCard's director of research.
However, for ActivCard and other biometrics companies — many of which are newcomers to the security market — any effort expended on BioAPI means fewer resources to be spent elsewhere, such as on developing new product features, Hamid said.
In the meantime, the Biometric Consortium is forging ahead with its Common Biometric Exchange File Format (CBEFF) standard, which aims to ensure interoperability among biometric systems.
CBEFF defines biometric data objects and encodes them with headers containing the data's format, origin and other attributes, Podio said. All of this makes it easier to exchange
biometric information among components and systems, so that, for example, one agency's database of fingerprints can be more easily shared with other agencies.
With the new focus on homeland security, the Biometric Consortium is now "fast-tracking" CBEFF as an ANSI standard. The group is also tweaking it to "accommodate the use of biometrics in smart cards," Podio said.
Along those same lines, the General Services Administration is exploring interoperability issues so it can develop a five-year plan for the government's smart card initiative, said Bill Holcombe, director of e-business technologies at GSA.
"One of the areas we want to add is biometrics," he said, "so one of the topics we are looking at is whether the next iteration of our interoperability specification should include a biometric spec."
In addition to BioAPI and CBEFF, ANSI has two other biometric standards in place — X.509, which designates where biometric data resides in a document and is used for digital certificates, and X.9.84, which spells out how to secure biometric data.
Agencies such as DOD are using standards as the basis to build their own biometric application profiles.
For instance, DOD's Biometrics Management Office is moving forward on an initiative designed to incorporate biometric technology into homeland security efforts. In May, the office released a biometric protection profile for public comment. The profile — the first in a family of profiles — sets minimum standards the agency would require of biometric systems used in "medium threat-level environments."
DOD has also long been at work adding biometrics to security measures within the department, particularly the Common Access Card initiative (see "DOD to pair biometrics and smart cards," Page S20).
Many experts point out that the list of biometric standards is impressive given the relative immaturity of the market.
"Fortunately, we have had a good head start," said BioAPI's Tilton. "This industry — unlike many new technologies — was focused on standards early on. Honestly, though, the market has not taken off as fast as we would have liked."
According to Tilton, many of the most advanced federal biometric
applications focus on public safety, including law enforcement uses of fingerprint technology. Agencies minding the nation's borders also have biometric applications in place.
Other than that, the use of biometrics has been limited to pilot projects, which thus far has minimized any demand for interoperability. "Agencies are just starting to look at what they want to do and how they want to interact with each other," Tilton said.
Yet, for biometric technology to reach its full potential and rise to the challenges of homeland security, most experts agree that existing standards have a way to go.
"The standards aren't fully in place, and they are not fully adopted, even though there are plenty of standards out there," said John Sabo, vice president of security solutions at Computer Associates International Inc.
What's missing, these experts say, is a common way to interpret biometric data. "Most of the standards have to do with the transmission of data itself," said Tim Corcoran, director of biometric systems for Northrop Grumman Corp.
Krishna Pendyala, senior vice president of strategy and consulting at Sonic Foundry Inc., agreed. "Standards so far have been focused on the interoperability not the interpretation layer," he said.
Help may be on the way. An international standards group met in May to tackle biometric standard issues, particularly those hampering homeland security efforts.
Specifically, members of Technical Committee M1, Biometrics — the arm of the International Committee for Information Technology Standards charged with developing generic biometric standards — will soon vote on accelerating the development and adoption of standards.
The group is also focusing on new standards that address the crucial interpretation layer. For instance, there is now a proposal for a Finger Minutiae Format for Data Interchange standard, which would prescribe ways to represent and compare fingerprint images.
Similar proposals have been floated for facial and iris recognition technology. Additionally, the group is examining the use of biometrics to identify transportation workers.
"I will say this: There is room for more standards," Tilton said. In the end, homeland security efforts may force the government to address weaknesses in many areas, including biometric standards.
Jones is a freelance writer based in