NIST Chooses Minutiae for HSPD-12 Biometric Access Control Standard

Despite lack of standards for how to store minutiae, institute chooses data points over images


After nearly a year in the making, the National Institute of Standards and Technology has been convinced that minutia is an acceptable way to store fingerprint biometric data on smart cards.

Amid pressure from industry, agencies and the administration, NIST yesterday released the biometric specification for Federal Information Processing Standard 201, Personal Identity Verification under Homeland Security Presidential Directive 12, calling for agencies to store two index fingerprints on the smart card using the InterNational Committee for Information Technology Standard 358 for minutia. Each fingerprint template shall be wrapped in the Common Biometric Exchange Formats Framework structure, NIST said in Special Publication 800-76.

NIST originally wanted to store fingerprints using a digital image because it is more entrenched, while minutia is still new and the standard hasn't been tested enough. During the past 11 months, the indecision caused the White House to get involved in the final decision. Agencies, vendors and other interested parties have until Jan. 13, 2006, to comment on this latest draft. NIST then will issue a final version about a month later.

"This decision keeps with what is currently available in the marketplace," said Randy Vanderhoof, executive director of the Smartcard Alliance, an industry association in Princeton Junction, N.J. "Most cards have 32K and 64K chips. If it went to full image or compressed full image it would have pushed the market to put 128K product into the pipeline, and that would have stressed the vendors because it is not generally available."

NIST issued the first draft of 800-76 Jan. 24, catching industry and others by surprise.

"NIST did not feel there was an adequate standard for minutia to recommend it as part of the PIV II platform," Vanderhoof said. "I think they were forced to recognize that they didn't have time to continue to evaluate the minutia standard, and had to make a decision based on the information they have now, and industry addressed their concerns."

Vanderhoof added that industry had been expecting NIST to decide on minutia, and had been working on cards and software to meet the requirements. He said that finally having SP-800-76 out will "speed the process of having products in the market in time for the deadlines set" by the Office of Management and Budget. Agencies must have their back end systems in place to issue PIV II-compliant cards, which includes the ability to store biometric fingerprints, by Oct. 26, 2006. In the special publication, NIST also provided a list of generic minutia components.

"These constraints are included to promote highly accurate and interoperable personal identity verification," the document said. "Ideally, minutiae records should be prepared immediately after the images are captured and before the images are compressed for storage."

SP-800-76 also discusses facial image biometrics, requiring agencies to use INCITS 385 standard, and offered minimum performance requirements and testing procedures.

(Newsbytes -- 12/19/05)