7November/December 2008 Biometric Technology Today

Biometrics – It’s not what you know, it’s who you are!

Protecting your personal information with ‘what you know’ is no longer good enough. In this digitised, Web 2.0 era it is now too easy to find out information like a birth date, address or mother’s maiden name when they are freely posted on social networking sites like Facebook, MySpace and Bebo.

Additional measures of combining ‘what you know’ (e.g. PINs) with ‘what you have (e.g. smart cards or tokens) provide another layer of protection for consumers against identity fraud. To illustrate the point, since 2006 and the

introduction of chip and PIN card technology in the UK, bank card fraud losses fell by nearly £80 million, according to APACS.

But in some instances, where even greater assurances of identity are required, organisa-tions are seeking even better protection via another layer, ‘what you are’, through the use of biometric technology such as fingerprint-ing, iris scanning and vascular technology. These identification technologies have the potential to improve both security and privacy – with corresponding benefits to consumers,

corporations and government agencies alike. Consumers experience the advantages of greater convenience, ease-of-use and privacy in their interactions with trusted parties such as banks, airlines, and government agencies. Corporations and government departments thrive on stronger forms of authentication, improved security, less susceptibility to identity theft and fraud, reduced costs, and lower risk in terms of regula-tory compliance.

It is therefore not surprising that we are increasingly seeing appropriate security meas-ures being put in place to reduce exposure to today’s complex range of security threats. According to the Unisys Security Index (www.unisyssecurityindex.com), a global research report designed to help businesses and

Managing identity is quickly becoming the dominant issue shaping the way governments operate, people communicate and businesses interact with their customers. But, says Neil Fisher, VP Identity Management, Unisys Global Public Sector, traditional ways to prove your identity are becoming redundant.

BUSINESS WATCH / FEATURE

compete for AFIS work with the FBI or on the UK national ID project, the company has enough capabilities in other areas of the identity universe (iris, face, handhelds, credentialing) to win busi-ness on major identity projects.”

results

L-1 reports Q3 2008 results

L-1 Identity Solutions has announced its financial results for the third

quarter and nine months ended 30 September 2008.

Revenue for the third quarter of 2008 was US$154.5 million compared to US$115.5 mil-lion in the third quarter of 2007, an increase of US$39.0 million or 34 percent. Organic growth in the quarter was approximately 10% reflecting strong growth in Secure Credentialing Solutions, Government Security Consulting Services and Enrolment Services, although offset by lower revenues in the Biometrics Division because of a significant shipment in Q3 2007.

The company reported a third quarter net loss of US$1.2 million, or (US$0.01) per diluted share compared to net income of US$1.5 million, or US$0.02 per diluted share in the third quarter of 2007. The third quarter loss reflects an increase in interest and merger-related expense of US$5.0

million, primarily associated with the Digimarc ID Systems business acquisition.

Highlights of the third quarter include the completion of the acquisition of the ID Systems business of Digimarc Corporation by the Secure Credentialing Division. The division also announced driver’s license contracts in the quarter totalling US$83.5 million including US$47.0 million in new awards and US$36.5 million in contract extensions. The Biometrics Division of L1 also received more than US$29.0 million in task orders for mobile bio-metric enrolment devices, HIIDEs and HIIDE expansion module jumpkits and accessories in August and October.

Looking forward, the company has stated that it expects revenue for the fourth quarter ending 31 December 2008 of between US$155.0 mil-lion and US$160.0 million and revenue for the full year ending 31 December 2008 of approxi-mately US$570.0 million to US$575.0 million.

contract

EC Biometric Matching System contract award

Accenture and Sagem Defense Securite, as lead partners in the

Bridge consortium, have won the contract to develop the European

Commission’s Biometric Matching System. The system is the central biometric com-ponent of a collection of European Union identity programs for the protection of citizens and Schengen borders.

The contract was awarded following an invitation to tender issued by the European Commission’s Directorate-General for Justice, Freedom and Security.

Under the terms of the consortium contract, Accenture has overall program management responsibilities, with Sagem responsible for pro-viding the biometric matching software. The companies will share responsibility for analysis, design, integration testing, deployment and main-tenance of the system along with other mem-bers of the Bridge consortium, including Bull, Uniqkey and Daon.

Daon will provide its biometric messaging platform for the secure management of all inbound and outbound biometric messages between BMS and the EU central systems.

The Biometric Matching System (BMS) is designed to enable justice and immigration authorities to deal with security and other issues related to terrorism, organized crime, ille-gal immigration, visa shopping, identity theft and fraud. The database will be able to store the fingerprints of up to 70 million people and process more than 100 000 verification and identification requests per day. The system will perform one-to-one comparisons for biometric verifications and one-to-many searches for bio-metric identifications.

8Biometric Technology Today November/December 2008

governments understand consumer attitudes towards financial, personal, internet and nation-al security, the issue of identity management is a key concern around the world. The report published earlier this year shows that more than 61% of British respondents are concerned or extremely concerned about identity fraud, while in the US this figure sits at 70%.

Given this level of trepidation, there is a strong rationale for embracing innovative secu-rity techniques to prove our identity with better and stronger assurances and make the transac-tional world a safer one for us all. However, cool rationale sometimes gives way to hyperbole.

Keep public informedTo fully integrate biometric technology into estab-lished security protocol, we need to reassure the public that biometric technology will strengthen rather than threaten their privacy. They deserve to be informed as to how the technology works and what the data will be used for. For example, why is a fingerprint taken? Where will their photo-graphs be stored? How is this data secured? Once these and similar questions are addressed and their concerns allayed, it would not be farfetched to imagine that many original sceptics may actually emerge as keen advocates of biometric technology and come to question those issues that are limiting biometrics’ wider adoption. With the advantage of hindsight and once the technology has been fully integrated into society, predictably people will wonder how they ever managed to mitigate risk without robust authentication; in the same way that we have come to depend upon mobile phones and email.

To get to this point, we must support the need for education to combat baseless fear and suspicion around how these technologies work. The conditions for the use of biometric tech-nology are ripe, as evidenced in research Unisys conducted to explore business, government and consumer perceptions of trust, security and privacy issues (Unisys Trusted Enterprise research). The report revealed that a majority of consumers in the UK (87%) believe the rise in ID fraud will emerge as a significant future security threat and financial institutions and governments are not doing enough to stop this happening. In addition, some 92% of UK respondents and 69% of US respondents stated that they would like banks, insurance compa-nies and government organisations to adopt biometrics over other technologies, citing con-venience and speed in the identity verification process as the main benefits. These findings suggest that, contrary to mistrust of biometric technology and its big brother effect, organisa-tions which adopt these technologies and make their security measures transparent will take the

lead in creating trust and confidence among their customers and achieve the biggest prize of all – loyalty.

Multi-purpose ID credentialAnother global Unisys study (Unisys Global Study on the Public’s Perceptions about Identity Management) found that most consumers (71%) are willing to have a multi-purpose identity credential that organisations would use to verify a person’s identity, allowing them to securely access transportation channels (such as airplanes, trains and buses), enter public locations (stadiums, airports and others), cross borders (customs), and use when transacting over the web. The study also revealed that more than two-thirds (67%) of consumers worldwide would support using biometrics such as voice authentication or fingerprints and compared to other security devices such as smart cards and tokens, 66% favoured biometrics as the ideal method to combat fraud and identity theft, suggesting that consumers worldwide are more willing to use advanced identity credentials than might otherwise have been anticipated.

This willingness is driven by a stronger expectation that people should have the free-dom to trade online and across borders while enjoying absolute security and protection. As the use of biometrics continues to mature along with public acceptance of the technology, inno-vation will inevitably expand into new domains and beyond familiar methods of voice, face, fin-ger and iris recognition. One promising alterna-tive is vascular recognition technology, of which Unisys is a strong proponent.

Vascular scanning technology is a rugged and robust tool. Infra-red cameras read the back of the hands from a small distance away. Verification is instantaneous and achieved when the blood flow pattern of the holder’s hand matches the pattern of the scan stored on a smart card. The technology carries a high degree of accuracy, is easy to use and overcomes most physical disabilities. Unisys has already successfully integrated vascular credentialing biometrics into its security credentials pro-cedures to identify 4000 workers in the Port of Halifax, Canada. So when an employee is banned from a site, this change cascades to every site networked with the central system.

Unisys has also worked with the Canadian Air Transport Security Authority (CATSA) to supply, integrate and manage a new identification management solution, using fingerprint and iris biometric technology to confirm the identities of airport workers throughout Canada. The Restricted Area

Identification Card (RAIC) system enhances aviation security by verifying the identities of airport workers via biometrics and ensuring that only those workers with security clear-ance can enter restricted areas. It also allows CATSA to instantly update the security clear-ance status of all 100 000 airport workers across the country.

Both deployments illustrate the commercial benefits of using biometric technology to iden-tify workers and ensure anyone with criminal intentions is prevented from entering a closed area. However to advance the adoption of bio-metrics, considerable work needs to be under-taken to impress upon the public the wider benefits of this technology, in particular by developing a more people-centric approach to identity management and governance. Stronger, robust authentication is crucial in a joined-up world where information is shared. In order to improve quality of life and increase prosperity on an individual basis it is necessary to identify ‘Mr Smith’ the person rather than ‘Mr Smith’ a member of the population. The implications are far ranging; for instance, a known terrorist should be very afraid of the potential of people centric security. National identity credentialing provides better services to those who need it and very few places to hide for those who try.

Pushing the boundariesDevelopments in biometric technology con-tinue to push boundaries and provide fertile ground for innovation. The main challenge will be to achieve a zero False Acceptance Rate (FAR). Whilst automation allows for greater efficiency, quick manual checks should also be made to ensure that an unauthorised person has not managed to fool the system. However, advances in biometric technology are mov-ing ahead at a swift pace. Project IRIS (Iris Recognition Immigration System) was intro-duced three years ago to provide fast and secure automated clearance through the UK immigra-tion control for certain categories of regular travellers using biometric technology. The sys-tem stores and verifies the iris patterns of quali-fying travellers, giving watertight confirmation of their identity when they arrive in the UK. It is now considered antiquated, in comparison to the latest Glance and Go iris technology, which enables people to pass through border checkpoints more swiftly and get assured while ‘on the move’. Investment in biometrics is also driving research and development and expan-sion into new markets, such as home access and aged care services. The most significant applica-tions will combine multiple biometric solutions with other security or identity measures, such as radio frequency identification (RFID) and

FEATURE

9

FEATURE

November/December 2008 Biometric Technology Today

Early research into automated methods of Level 3 extraction and matching demonstrated the use of microfeatures for identification in evaluations over small datasets of fragment images and larger datasets of full-area 1000 dpi images.[1, 2] The most advanced matching method compares the Level 3 features from the probe and target fingerprints in corresponding local neighbourhoods associated with Level 2 minutiae.[2]

In a study of automated analysis of finger-print microfeatures in high resolution images, Level 3 feature extraction software was devel-oped and matching performance evaluated over images at a resolution of 2000 dpi and containing physical area of 0.27 inches × 0.34 inches, roughly one-seventh the physical

area captured in conventional non-rolled 500 dpi images. Figure 1 (p12) shows the raw image captured by the high resolution sensor, Figure 2 (p12) shows the pores highlighted, and Figure 3 (p12) shows the outline of the ridge contours. The objective of the study was to determine the feasibility of using Level 3 features to match fingerprints in large scale automated systems by evaluating Level 3 feature matching performance over a large database, and to further the state-of-the-art of Level 3 feature matching for potential and eventual incorporation into law enforcement applications. The technical report and the fea-ture extraction software and documentation, distributed under an open source license, are available free at level3tk.sourceforge.net.

BackgroundInformation contained in fingerprint images can be categorised as Level 1, Level 2, or Level 3 features. Level 1 features are global ridge flow patterns such as loops, whorls, and arches. They are very broadly defined and alone do not contain sufficient infor-mation to uniquely identify fingerprints. Level 2 features refer primarily to Galton features, namely ridge endings and ridge bifurcations. Commercially available automated fingerprint matching systems (including those used in law enforcement applica-tions) use Level 2 features for fingerprint compari-son. Level 3 features are the extremely fine features such as sweat pores and ridge contours.

Research has been conducted on Level 3 data extraction and utilisation since the mid-1990s. The US Department of Defense originally devel-oped techniques for automating Level 3 authen-tication using pore information extracted from images.[3] Later researchers developed automated extraction and matching techniques using pores and ridge contour information.[1, 2] While test results suggested that analysis of Level 3 features has considerable potential to improve matching performance, the size of the datasets used limited the significance of the results.

Feature extraction softwareIBG developed software based on existing tech-niques to extract the pores and ridge contours.

Level 3 friction ridge researchForensic examiners in law enforcement analyse fingerprint microfeatures, such as sweat pores and ridge contours, to compare fingerprint samples when insufficient minutia points are present in the fingerprint image or poor image quality hampers minutiae analysis. Automation of such analysis has been inhibited by the low resolu-tion of conventional fingerprint imaging and the lack of software capable of extracting and matching microfeature data. The declining cost of high resolution fingerprint capture technology has brought the need for software that takes advantage of the Level 3 feature set to the attention of the law enforcement practitioners, says Michael Chaberski, senior engineer at International Biometric Group (IBG). A software research toolkit for extraction of Level 3 features has now been made available to the public. Evaluation of the software over a dataset of high resolution fingerprint images has demonstrated that analysis of Level 3 features can reduce error rates in automated matching of fingerprint fragment images. Biometric engineers and forensic research-ers are encouraged to use the toolkit to optimise microfeature analysis techniques for incorporation into the next generation of fingerprint software.

smart card technology. In any real-life applica-tion it should be heeded that the most effective approach to security is a holistic one, which assesses all possible security risks, internal and external.

Aside from product development, the next step is for industry to go beyond the current requirements of the legal system and guide-lines for regulatory compliance by publicly adhering to a code of conduct or bill of rights that helps raise the bar for identity assur-ance on a worldwide basis. This is an issue that is becoming increasingly important on a global scale as more of our transactions are conducted online and an increasing amount of information is collected about us. It will take the collaboration of all stakeholders, including government agencies, corporations, service providers, academia, industry associa-tions, standards bodies and privacy advocates, to help further develop and refine global best

practices, frameworks and standards so that we can ensure the safety, security, and trust of our end-user communities.

In this vein, the global Centre for Ethical Identity Assurance (CEIA) – an alliance of industry, government and academia – was cre-ated to develop and promote standards for identity credentials and support business prac-tices within an ethical privacy framework that is compatible with a diverse range of industries and geographies. Key among CEIA’s initia-tives is the development of a draft Consumer Bill of Rights to protect personal informa-tion and safeguard against identity fraud. In the UK Unisys is also a board member of the well-respected Information Assurance Advisory Council (IAAC), which has several key govern-ment bodies as members and recently com-pleted a two year research stream on Identity Assurance as part of its wider remit to produce forward-looking policy advice based on pro-

fessional research and global best practice on information assurance.

The reality is technology-based security improvements in identity and biometrics can enhance people’s privacy, convenience and choice. There is a growing community rec-ognition of this, but if the benefits are to be fully realised, government and business need to clearly convey the facts to consumers, high-lighting that privacy and security aren’t mutu-ally exclusive ideals. Technology has empowered organisations to choose the right combina-tion of solutions to meet their security needs. Biometrics will undoubtedly play an increas-ingly significant role in the security solutions of government and industry seeking to take a holistic approach to identity management.

This feature was provided by Neil Fisher, VP Identity

Management, Unisys Global Public Sector. He can be

contacted at Neil.Fisher1@gb.unisys.com