Setting the Standard on Biometrics

Oct. 27, 2008
How do you know which technology will meet your requirements? The industry is working on a yardstick.
Biometric technologies are being integrated into a host of security and non-security applications.
Advertisements tout biometric automobile access, laptop access and retail payment applications. There’s even speculation that big guns like Wal-Mart and Costco are thinking about trying it out. Some of this growth can be attributed to increased standards activity and more robust testing programs.

A Comprehensive Approach
As biometrics become more critical in the protection of civil infrastructure, they will have to become more interoperable, scalable, usable, reliable and secure. That will require comprehensive biometric standards. And the more you know about proposed biometric standards, the better equipped you will be to evaluate the biometric products you’re considering for your own systems.
Figure 1 (p.62) is commonly called an onion diagram. It displays biometric standards as a series of layers. If we start with the heart of the onion, the first four layers cover standards of direct relevance to biometric system developers and companies. The next layer deals with the interfaces that link biometric components to the rest of a system. The outer two layers define how we deal with biometrics in terms of privacy, legal issues, and even language. Finally, the thin shells that separate and surround each layer represent the testing requirements that describe how we should measure adherence to each of the other standards.

The First Three Layers

The inner core of the onion comprises the biometric data interchange formats. These define the basic format of biometric images or templates and tell the technology manufacturers how to format data from their systems and interpret data coming.
The next layer is the logical data structure or exchange format framework, which is used to wrap the biometric data so that systems receiving a file know how to interpret the data fields in it. These might include demographic information or a digital signature to verify that the data packet has not been tampered with.

Once the core biometric data in a standardized form has been wrapped in a standardized file format, it may be necessary to protect the data with digital signatures and other encryption techniques.
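The wrapping and tamper check described in this section, as an added example that is not taken from the article or from any published standard. The field layout, the `BIOX` magic value and the function names are hypothetical, and HMAC-SHA256 from the Python standard library stands in for the digital signature the text mentions.

```python
import hashlib
import hmac
import struct

# Hypothetical envelope layout (assumption, not a published standard):
#   magic(4) | format_id(2) | modality(1) | payload_len(4) | payload | tag(32)
MAGIC = b"BIOX"
HEADER = struct.Struct(">4sHBI")
TAG_LEN = hashlib.sha256().digest_size


def wrap(payload: bytes, format_id: int, modality: int, key: bytes) -> bytes:
    """Prefix the biometric data block with a header and append an integrity tag."""
    header = HEADER.pack(MAGIC, format_id, modality, len(payload))
    # The tag covers header and payload, so neither can be altered unnoticed.
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unwrap(record: bytes, key: bytes) -> dict:
    """Verify the tag first, then parse the header fields."""
    if len(record) < HEADER.size + TAG_LEN:
        raise ValueError("record too short")
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; no field is interpreted before this passes.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    magic, format_id, modality, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if magic != MAGIC or length != len(payload):
        raise ValueError("malformed header")
    return {"format_id": format_id, "modality": modality, "payload": payload}


if __name__ == "__main__":
    key = b"\x00" * 32                  # constructed demo key
    template = b"\x10\x20\x30\x40"      # constructed stand-in for template bytes
    record = wrap(template, format_id=0x0101, modality=2, key=key)
    print(unwrap(record, key))
    tampered = bytearray(record)
    tampered[6] ^= 0x01                 # flip a bit in the modality field
    try:
        unwrap(bytes(tampered), key)
    except ValueError as err:
        print("rejected:", err)
```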

Measuring Performance and Interoperability
The next layer involves the properties of the biometric system, including performance and interoperability. You’ll make your decision to deploy a biometric system, or not, based on the system’s performance first and foremost. If it can’t enroll a sufficient percentage of the target population, or if it produces too many false positives or false negatives, then the system is unsuitable for deployment. Significant progress has been made in biometric performance testing standards over the last year, both in the United States and internationally, and several standards will be ready to publish in the near future.

One of the key purposes of biometric standards is to allow interoperability among components and systems involving biometrics. Performance-based interoperability testing is therefore important because it determines not simply that two systems can work together but how well they work together, which is critical for system design and procurement decisions.

Systems, Meet the Outside World
Biometric interfaces form the next layer. These are the interfaces between the core biometric systems and the outside world. As interface standards continue to develop, it will be important to ensure that there is proper coordination between the biometrics experts and the experts in other areas of information technology so that the technical interfaces being developed adequately reflect modern system design principles and requirements.

Know the Language

The final two layers of the onion represent how the outside world deals with biometrics. A harmonized biometric vocabulary allows different groups to avoid miscommunication when discussing biometrics.

Perception and Legislation
Societal and cross-jurisdictional issues involve the impact of biometrics on privacy, health, safety and similar areas. Within each country and region there are different legislative issues and public perceptions that may influence how biometrics are used. The goal here is to develop a standardized way of managing these issues and, if possible, a set of guidelines that can be internationally standardized. The international standards in this area will be particularly important for the deployment of large-scale, cross-border systems.

Conformance Testing
Finally, surrounding and pervading the entire onion are conformance testing standards. Most of the standards I’ve mentioned so far do not provide a formal method for certifying that a technology or product conforms to them. Most standards, however, do benefit from a detailed conformance testing standard, and this is an area that will require a great deal of work over the next two years. In the past two years the number of published biometric standards has grown from 10 to 33, while the number of emerging standards has increased to 95.

Testing 1, 2, 3
Over time, three important types of testing have emerged as the primary approaches to biometric product testing: technology testing (algorithm verification), scenario testing, and operational testing.

Technology testing is concerned with understanding and comparing software techniques for acquiring, processing and comparing biometric data. The main focus is on the pattern-matching technique that is used for comparing biometric data. In technology testing programs, a gallery of stored biometric templates is repeatedly replayed to the tested software to determine its false accept/false reject rates under presumably ideal operating conditions.

Hardware isn’t evaluated in this type of test, and neither are the human-factor aspects of product use, so this test process lacks some key components of field operating conditions. Although technology tests are useful and repeatable, the results generally do not reflect real-life performance.
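How a technology test turns replayed comparisons into false accept and false reject rates, as an added example that is not part of the original article. The score lists are constructed, the function names are hypothetical, and the code assumes a matcher that returns a similarity score where higher means a closer match.

```python
# Constructed sample scores (0-100). "Genuine" scores come from comparing a
# person's probe against their own stored template; "impostor" scores come
# from comparing it against someone else's template.
GENUINE = [91, 88, 76, 95, 69, 83, 58, 90, 80, 72]
IMPOSTOR = [12, 35, 41, 22, 60, 18, 47, 29, 71, 33,
            25, 38, 15, 52, 44, 27, 31, 20, 49, 36]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor):
    """FAR and FRR at every threshold where either rate can change."""
    candidates = sorted(set(genuine) | set(impostor))
    candidates.append(candidates[-1] + 1)  # a threshold that rejects everything
    return [(t, *error_rates(genuine, impostor, t)) for t in candidates]


def threshold_for_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR stays within max_far, with the FRR it costs."""
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    raise ValueError("max_far must be >= 0")


if __name__ == "__main__":
    for ceiling in (0.10, 0.05, 0.0):
        t, far, frr = threshold_for_far(GENUINE, IMPOSTOR, ceiling)
        print(f"FAR ceiling {ceiling:.2f}: threshold={t} FAR={far:.2f} FRR={frr:.2f}")
```

Tightening the false accept ceiling pushes the threshold up and the false reject rate with it, which is the trade-off a performance requirement has to fix before products can be compared.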

Scenario testing evaluates and compares performance across biometric devices in a modeled real-world application. Each system has its own acquisition sensor and therefore receives unique data inputs. In other words, a scenario test determines how well the technology works in the context of the proposed application. Scenario evaluation will help you decide which biometric device will work best for your needs.

Operational testing typically evaluates pilot programs, going beyond the scenario testing to determine the performance of a complete biometric system in a specific environment with a specific target population.

A List of Compliant Products
Commercial vendors and biometric consultants have evaluated biometric devices and systems, but vendor testing alone fails to provide adequate information. Vendors’ reasons for testing include improving their devices and using the test results to advance products. Instead, you should look for test results that will aid you in selecting a device that best fits your needs, with a focus that is specific to your application and enrollee group(s).

Current independent biometric testing programs (technology, scenario and operational) do not provide a reference list of biometric products that can meet the minimum performance requirements of security applications.

To address this issue, the National Biometric Security Project developed a set of public protocols for biometric hardware and software testing to support the NBSP Qualified Products List (QPL) program. This program will evaluate commercially available biometric products and certify those that meet basic performance thresholds. While operators may decide to specify even more stringent requirements in their own applications, the QPL will provide a baseline for objective assessment.

The QPL should help you as a technology user to determine basic technology qualifications. If the Common Performance Standards (CPS) met by products on the QPL are in the public domain, and if those criteria meet the requirements of any interested user, it will save that user both money and time in the acquisition/selection process. It may also preclude the necessity for separate pilot tests. In this respect, it also serves the biometric manufacturing and vendor community by reducing the repetitive step of qualifying a product for every buyer.

Tips for Deployment
There are a number of factors that should be considered when one is evaluating the deployment of biometric technology as a risk management tool for identity assurance. These include:

• Cost: Some applications (e.g., consumer applications such as retail banking) may require thousands of devices, which could translate into hundreds of thousands of dollars in device costs alone.
• User Acceptance: Privacy, hygiene and cultural concerns may impact user acceptance of the technology despite the security enhancements it offers.
• Quality of Breeder Documents: The vetting of ID verification enrollment documents is especially critical in biometric applications.
• Storage and Management of Templates: Who will store and manage the biometric templates? What resources will be required to protect the data? Will the user organization assume this responsibility or will it be outsourced to a “trusted advisor” whose security measures are beyond reproach?

To properly address these factors, a comprehensive requirements definition is critical. This should include:

• Operational requirements surveys to assess the vulnerability of the operating environment.
• Application impact studies to frame the commercial/operational issues that will affect the biometric technology and to minimize impact on the ability of the organization to function efficiently.
• Statements of work and source selection criteria, both of which need to be requirements-focused as opposed to technology-focused.

Biometrics are not an overnight sensation. The development of this automated technology is now in its fourth decade, and comprehensive standards and testing will enable the technology to address security more effectively in the future.

Russ Ryan is a member of the executive launch team of the National Biometric Security Project (NBSP). NBSP provides unbiased analysis, consultation and operational support for the deployment of biometric technology. For information about this non-profit organization, visit