Biometric Security Applications for Government











PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free
download
.

Biometric Security Applications
for Government

by Kirk Woodward

Docid: 00018917

Publication Date: 1801

Publication Type: TUTORIAL

Preview

The international biometrics market is growing dramatically, fueled
primarily by government applications including protecting their borders
and resources from terrorist attacks and fraud. A sampling of current
government uses includes border control, government employee/contractor
identification, port worker access control, and other identification
applications.

Report Contents:

Executive Summary

[return to top of this
report]

Government applications dominate the biometrics market, although
commercial and residential uses are also steadily increasing.

Related Faulkner Reports

Biometric Market Trends

Mandated international programs for “ePassports,” as well as
nation-specific biometric applications, are fueling market growth.

Biometrics is the science of analyzing a person’s biological data
(fingerprint, hand, face, etc.) to authenticate that person’s identity.
The goal of adding biometrics to existing authentication measures is
to validate a person’s identity before allowing access to buildings,
systems, or countries.

To combat terrorist threats and prevent fraud, biometric security
technologies are being incorporated into government applications for
improving the security of vital data, strengthening national borders, and
preventing ID theft. Selecting the biometric best suited for a particular
application depends on several factors: accuracy, speed, safety versus
invasiveness, cost, and ease of use. However, during the planning process,
government organizations should not only carefully evaluate vendors and
products, but also develop an overall plan for deployment. The plan should
address issues such as integration with existing systems, privacy
procedures, and concerns of stakeholders.

Some current government applications include worker/contractor
identification, port worker access control, criminal/military
identification, and border control. Implementing biometrics isn’t always
easy; many projects start as pilot programs, and many are phased in over
time. In the future, look for an international focus on issues such as
biometrics in schools, development of biometric standards, and DNA as a
biometric.

For security reasons, governments may not fully divulge their biometric
programs. Therefore the increase of the use of biometrics by governments
is likely to be greater than reported.

Description

[return to top of this
report]

Biometrics is the science of analyzing a person’s biological data
(fingerprint, hand, face, etc.) to authenticate that person’s identity. In
the wake of international terrorist attacks, government requirements for
biometric identification of both visitors and citizens escalated.
Biometric security technologies are being incorporated into applications
for purposes such as improving airport security, strengthening national
borders, travel documents, and visas, and preventing identity theft. Some
countries are seriously considering biometric national ID cards. In the United States,
a variety of biometric applications have been implemented by federal and
state governments, with definite interest at the local level. Biometric
technology continues to evolve as it takes a more prominent place in
securing authentication.

Biometrics and Security

The security field uses three different types of authentication:

  • Something known by an individual – a password, PIN,
    or piece of personal information (for example, a mother’s maiden name).
  • Something in one’s possession – a card key, smart
    card, or token (like a SecurID card).
  • Something physical or behavioral – a biometric.

Of these, a biometric is the most secure authentication tool. It cannot
be borrowed, stolen, or forgotten, and forging one is difficult, while not
impossible. For this reason, using one or more authentication schemes in
conjunction with a biometric technology can minimize the incidence of
fraud or unauthorized access.

As a standalone method for secure access, complete reliance on biometrics
for access to systems and data still cannot be considered “100 percent
fool-proof”. For this reason biometrics can become a stronger method of
secure access to systems or data when used in conjunction with a password
or Personal Identification Number (PIN). Conjoining one or more of the
three security authentication types enhances the assurance that only
authorized individuals can access restricted facilities or systems. Yet in
many accessible facilities, only one, or even none of the
aforementioned authentication practices are implemented. Reliance on a
homogeneous security solution system of ID badges or sign-in sheets leaves
any system’s security open to being compromised.

The most widely accepted and viable methods of biometric technologies
that are being deployed in both the US and non-US Government
sectors can be summed up into two distinct categories: physical biometric
methods, and behavioral characteristics methods. Common physical
biometrics include fingerprints, hand geometry, retina, and iris
characteristics. Behavioral characteristics include signature, voice
(which also has a physical component), keystroke pattern (typing rhythm),
and gait. Of the behavioral class of biometrics, technologies for
signature and voice are the most developed.

Considerations for Biometric Applications

Planning is critical for the successful implementation of any project;
however, in the case of the complex nature of biometrics, careful project
planning is particularly essential. The following considerations should be
included in the process.

Uniqueness. Biometric applications can be used for two
distinct purposes, identification and verification. An identification
biometric system identifies a person within the entire enrolled population
by searching a database for a match. A verification biometric
system authenticates a person’s claimed identity from his/her previously
enrolled pattern, a pattern that can be embedded in a smartcard.

There are some advantages to using biometrics either for identification
or for authentication purposes. Biometric authentication bases an
identification on an intrinsic part of a human being that is fixed.
Articles that require possession such as smart cards, magnetic stripe
cards, physical keys, and so forth, can be lost, stolen, duplicated, or
left at home. Passwords can be forgotten, shared, or observed. Items that
are intrinsic are more difficult to duplicate.

Ease of Use. There are characteristics inherent in
every biometric technology that inhibit user-friendliness, and
user-friendliness is important in acceptance of any biometric technology.
Technologies that have the highest level of user acceptance, such as
fingerprint scanning and iris recognition, are also the least
invasive. People may also find it acceptable to have pictures of their
eyes taken by video cameras or to have fingerprints taken using a
fingerprint sensor. Such methods are quick, easy, and non-invasive.
Biometrics such as retinal scanning, however, are highly invasive and
trend to lead to lower acceptance.

There are also cultural issues to consider with respect to acceptance of
a particular biometric technology. What may be considered acceptable or
non-invasive in one culture may not be considered the same in another. In
the US,
fingerprint sensors are widely accepted and their use does not pose a
significant problem. In some other countries, however, there is strong
cultural opposition to touching something that has been touched by many
other people. Additionally, epidemic events such as the Severe Acute
Respiratory Syndrome (SARS) outbreak of 2003 can also create a problem
with a technology that many people come into contact with and/or touch.

Environment. Consider the environment where the sensing
device will be installed. If plans call for using the device in a small
location, a sensing device will need to be compact enough to fit. Devices
planned for harsh military environments need rugged design. In addition,
if sensing devices are planned for use in an area where workers wear
gloves, fingerprint readers will not work well. Similarly, in an
environment where users wear masks or hats, iris recognition will not be
the best solution.

Cost. As with all emerging technologies, over time
competition generally lowers costs, and biometric technology is no
exception. With respect to biometric technology, the key cost
considerations are not so much the initial cost of a sensor or device, but
ongoing life-cycle support costs. Cost components such as administration,
maintenance, and software upgrades can far outstrip the initial outlay of
capital.

Scalability and hardware resources must also be considered from an IT
perspective. A particular biometric technology may have a perceived low
initial cost point, but may require a high level of hardware and back
office resources for expansion. Resources such as processor, memory and
disk space can far exceed the cost of scanners or sensors if the
technology is resource heavy.

Accuracy. The demand for accuracy dominates the horizon
of biometric technology. Performance metrics are critical when evaluating
biometric technologies for accuracy. Unfortunately, no one single metric
clearly indicates how well a system performs when presented with
conflicting information. Multiple metrics are necessary to determine the
strengths and weaknesses of each technology and vendor for a given
application.

Key performance metrics evaluate a system against an individual’s
identity as already logged – or enrolled – into the system, and against
that of the individual who is being verified against the data the
individual has logged. Metrics include:

  • False Acceptance Rate (FAR) – FAR calculates the
    probability that one individual’s verification template will be
    incorrectly judged to be a match for a different individual’s enrollment
    template. This test may not apply to all biometric systems or system
    types.
  • False Rejection Rate (FRR) – FRR is the probability
    that an individual’s verification template will be incorrectly judged to
    not match that same individual’s enrollment template. Simply, FRR is the
    probability that an individual who already exists in a data base will
    not be matched in a search.
  • Crossover Error Rate (CER) – A comparison metric for
    different biometric devices and technologies. The CER is the error rate
    at which FAR equals FRR. The lower the CER, the more accurate and
    reliable the biometric device.

For some people, it may be difficult to provide an accurate fingerprint;
for others, eye disease or contact lenses may prohibit a valid iris scan.
To address these issues, some vendors provide multi-modal biometric
systems; these systems support several different biometric methods (such
as finger, iris, and hand geometry) in a single configuration. By
incorporating additional biometric authentication modes, accuracy and
security can be improved; however, multi-modal biometrics also add
complexity to the system.

Speed. Speed in biometric applications is relative to
the enrollment process, the time it takes to cycle through database
records for matches, and the size of the biometric record or template.
Speed is crucial to user acceptance, since most individuals have little
tolerance for a system that is perceived to be arduous or slow. Speed can
also impact accuracy, since biometric technologies with higher CERs will
have a high FRR. High FRRs can impress the user as slow regardless of
the system’s ability to process information. The potentially enormous
amount of data collected through biometrics presents a particular
challenge to speed of use.

Standards and Privacy. As the technology continues to
evolve, national and international organizations are working to establish
standards for biometric usage. Government organizations will want to be
aware of applicable standards and consider compliance, and not rely
totally on a vendor’s proprietary solution. Adhering to standards may
allow for smoother upgrades as the technology evolves.  Maintaining
the privacy of individuals’ biometric information is also a major
consideration that should be addressed early in the planning process.

Current View

[return to top of this
report]

Government applications drive the biometric market. Government
organizations, however, often must install biometrics in an IT environment
that is already populated with existing legacy systems that are parts of
vast networks. Implementing biometrics in an already complex IT system can
create a variety of integration issues, as witnessed by some of today’s
most actively supported government biometric initiatives such as US-VISIT.
Also, the most sophisticated biometric system becomes ineffective if
people refuse to use it.

That being said, the US
federal government remains an adamant supporter of biometrics. Several
departments not only consider biometric-based security procedures well
worth the investment, but are also implementing multiple types
simultaneously. Regardless of the current state of the economy or the
biometric industry, several of the world’s top developers are aggressively
developing biometric technology, believing it will find a lucrative place
in the overall IT industry. As a result, biometric technologies are
becoming the foundation for an extensive array of identification and
personal verification packages.

Leading the way among the numerous biometric technologies. by percentage
of market, are the Automatic Fingerprint Identification System (AFIS) and
fingerprint scanning, and to a lesser extent hand scanning. All of
these technologies utilize hand geometry algorithms for
identification; in combination, finger and hand scanning comprise more
than half the total market share of biometric technologies.

Government Biometric Applications

Government Worker/Contractor Identification. Under US
HSPD-12 (Homeland Security Presidential Directive, May 4, 2007), all
federal government employees and contractors are required to have some
form of biometric personal identity identification (PIV)
credentials. A “significant portion” of employees and contractors
were required to be enrolled by October 27, 2007,  with a “majority”
credentialed by October 2008. Virtually all federal government employees
and a very high percentage of contractors have now been enrolled. 

To help support HSPD-12 and other initiatives, NIST released a new
biometric standard in July 2007; the standard is called Data Format for
the Interchange of Fingerprint, Facial, & Other Biometric Information
(ANSI/NIST-ITL 1-2007 Part 1). Part 2 of the standard, addressing the XML
version of the data, was ratified in August 2008 as ANSI/NIST-ITL 2-2008.
Light Credentialing Solution (LCS), consisting of a kit containing all
equipment necessary for enrollment and activation of PIV credentials in
the field, is now widely in use (and can also be used by non-governmental
organizations). The standard was updated in 2015.

The Office of Biometric Identity Management (OBIM) reports that it
processes more than 300,000 biometric transactions each day, using a
database of more than 200 million unique identities.

Access and Law Enforcement. Numerous examples of
biometrics used for government purposes can be found in federal,
state, local, and foreign government projects. Early biometric
applications that government entities deployed generally involved
authentication for access to computer systems containing sensitive
information and physical access control to restricted areas. There
are many law enforcement applications – primarily for fingerprint
recognition – at the federal, state, and local levels. A few examples of
current biometric government applications used for law enforcement,
military, and  physical access are:

  • India
    – Aadhaar, a national identity program, is the world’s largest, using
    face, iris scan, and fingerprint biometrics as well as information like
    name, age, and address. To date, the program is not mandatory.
  • Belgium – citizens use biometric ID cards to conduct
    tax filings, request license plates, and manage their social security,
    among other purposes.
  • Hong Kong
    Police Force –
    In 2007, the Hong Kong Police Force replaced
    its Automated Fingerprint Identification System (AFIS) system with the
    Computer Assisted Palmprint and Fingerprint Identification System
    (CAPFIS) from Cogent Systems. More recently, Hong
    Kong
    mandated the Hong Kong Identity Card (HKIC), which
    stores fingerprints in a chip on the card.
  • United Kingdom National Policing Improvement Agency – In
    February 2010 the UK NPIA entered into a $25 million, 3 year contract
    with Cogent Systems for provision of the U.K. National MobileID service,
    an AFIS delivered over mobile devices to provide near real time
    identification in the field. The NPIA has now been replaced with its
    functions divided among other government agencies, including the
    National Crime Agency, established in 2013.
  • US
    Army –
    The US Army has implemented the SecuriMetrics (a
    subsidiary of L-1 Identity Solutions) Handheld Interagency Identity
    Detection Equipment (HIIDE); the contract includes both HIIDE biometric
    recognition devices and other related software. HIIDE is multi-modal and
    can enroll, identify, or verify subjects using any of three biometrics:
    iris, finger, or face. The device can operate in extreme and rugged
    mobile environments, as well as on a desktop connected to a host
    personal computer or network.
  • Halifax
    Port Authority –
    A
    biometric Credentialing and Access Control Database System (CACDS) using
    vascular scanning to identify port workers was developed and is managed
    by Unisys Canada.
    An infrared scan of the back of the cardholder’s hand is embedded in a
    smartcard that also includes the holder’s photograph. To be allowed
    access to secured areas, a port worker places the back of his or her
    hand on a non-invasive infrared sensor. The system verifies that
    the blood flow pattern on the back of the worker’s hand matches the
    pattern of the scan on the card.
  • US National Crime Information Center – The
    Integrated Automated Fingerprint Identification System (IAFI, is a
    national fingerprint and criminal history system maintained by the
    Federal Bureau of Investigation (FBI), Criminal Justice Information
    Services (CJIS) Division. The IAFIS maintains the largest biometric
    database in the world, containing the fingerprints and corresponding
    criminal history information for more than 70 million subjects in its
    Criminal Master File. The fingerprints and corresponding criminal
    history information are submitted voluntarily by state, local, and
    federal law enforcement agencies.
  • Project Midas – This United States project provides
    mobile scanners to law enforcement officials for immediate biometric
    identification in arrest situations.
  • AirportsHeathrow
    Airport
    used
    iris-scanning technology, after an experimental period. However, it was
    discontinued in 2013 because of the age of the system, according to an
    official statement. Airports in Frankfurt, Amsterdam, other parts ot the
    European Union, the United Arab Emirates, and Japan all use biometrics.
  • Royal Canadian Mounted Police – The Royal Canadian
    Mounted Police in British
    Columbia
    has one of the longest histories of
    the use of biometrics in law enforcement. Most recently, it purchased
    the CABS Computerized Arrest and Booking System by i2 Group (which
    acquired CABS vendor Knowledge Computing Corp. in July 2009). The
    integrated imaging and offender management system streamlines the
    booking process by capturing necessary images like faces, scars, tattoos
    and other distinguishing characteristics. The CABS system offers quick
    access to forensic lineup identification and investigations, and
    increases efficiency through production of jurisdictional reports.
  • Los Angeles
    County

    Regional Identification System –
    The Los Angeles Police
    Department (LAPD) procured 1500 Cogent BlueCheck mobile identification
    devices from Cogent Systems and deployed these devices to LAPD field
    officers and other local law enforcement agencies operating under the
    Los Angeles County Regional Identification System (LACRIS). The
    BlueCheck devices access the LACRIS Automated Fingerprint Identification
    System, providing mobile fingerprint identification for all law
    enforcement agencies in Los
    Angeles
    County
    .
    Biometrics4All was selected in 2012 to provide units to be used in the
    booking process. Mobile facial recognition has now been added to the
    system.
  • Canadian Air Transport Security Authority – Unisys is
    supplying, integrating and managing a system based on ImageWare Systems
    that uses fingerprint and iris images to provide access control for
    100,000 workers at 29 airports nationwide. The worker scans a
    contactless smart card, then undergoes a fingerprint or iris scan which
    matches against data stored in the card.
  • California Department of Motor Vehicles – California
    DMV signed a 5 year contract extension, worth $62.8 million, with
    L1 Identity Solutions, for the production of secure driver’s licenses
    with customer fingerprint verification to prevent substitutions during
    the application process. L1 will also provide fingerprint log on and
    application branding for the operator responsible for processing the
    application. Significantly, efforts to share this data with other
    databases were defeated after popular opposition arose.

Border Control Identification. With world tensions over
terrorism heightened as a result of attacks and threats of attacks, there
has been activity in the area of biometric technology monitoring the
movement of people and goods into and out of countries. Biometric
technology is giving governments the ability to develop new approaches for
meeting the challenges of securing their borders. In May 2003, the
International Civil Aviation Organization (ICAO), an agency of the United
Nations, adopted a blueprint for the integration of biometrics
identification information into passports and other Machine Readable
Travel Documents (MRTDs). This blueprint enables 200 Member States to
implement a global system of identity confirmation that adheres to
international standards.Since 2013, border control in the United States
has been managed by U.S. Customs and Border Protection (CBP).

Examples of border control and identification applications now being
implemented and shared across international boundaries are:

US-VISIT. US-VISIT is now officially renamed the Office
of Biometric Identity Management, a part of the Department of Homeland
Security. It manages a continuum of security measures. The US-VISIT
process begins overseas when a person applies for a visa to travel to the
US,
and continues through entry and exit at US air and seaports, and has been
tested at land border crossings. The US-VISIT program is designed to
enhance the security of US citizens and visitors by verifying the identity
of visitors with visas. The goal is to facilitate legitimate travel and
trade by leveraging technology, including the use of biometrics, to
expedite processing at US borders.

  • US-VISIT begins overseas, at the US consular offices
    issuing visas, where visitors’ biometrics (digital finger scans and
    photographs) are collected and checked against a database of known
    criminals and suspected terrorists.  When the visitor arrives at
    the port of entry, US-VISIT uses the same biometrics – digital “finger
    scans” – to verify that the person at the port of entry is the same
    person who received the visa.
  • US-VISIT biometric entry procedures are currently in place at 116
    airports, 15 seaports, and in the secondary inspection areas of 154 land
    ports of entry. In July 2007, the US Government Accountability Office
    (GAO) reported that it found “significant information security control
    weaknesses” in the systems supporting US-VISIT. The report added that
    “weaknesses existed in all control areas and device types reviewed.”
    Since the mainframe and network resources that support US-VISIT also
    support other information systems, these information systems could also
    be at risk. A 2009 revisit of the situation by the GAO still reported
    significant management issues. However, in 2013 Congress reaffirmed the
    program, also relocating it in the National Programs and Protection
    Directorate.

CANPASS-Air Program. The CANPASS-Air program, a joint
initiative of Citizenship and Immigration Canada and the Canada Customs
and Revenue Agency, facilitates efficient and secure entry into Canada
for pre-approved, low-risk commercial air travelers. CANPASS-Air allows
the participants to clear customs and immigration by simply looking into a
camera that recognizes the iris of their eyes as proof of identity; 
the program is delivered by the Canada Border Services Agency (CBSA).

The CANPASS Air program consists of:

  • CANPASS Air
  • CANPASS – Corporate Aircraft
  • CANPASS – Private Aircraft
  • CANPASS – Marine Travel

Australia SmartGate – SmartGate is an automated border
processing system. SmartGate takes a live image of the subject’s face and
using facial recognition technology matches this image with the digitized
image stored in an ePassport. SmartGate can also undertake immigration and
customs checks. If there is a successful match, the traveler is cleared
through the Customs control point. If there is not a successful match the
traveler is referred to a Customs Officer. Eligible Australian and New Zealand
ePassport holders are able to use SmartGate. SmartGate is available at
Sydney, Adelaide, Brisbane,
Cairns, Melbourne
and Perth and Gold Coast international
airports and at Auckland New Zealand.

Outlook

[return to top of this
report]

The maturation of biometric technology in terms of ease of use, speed,
accuracy, and reliability, is allowing governments to transcend the
traditional uses of biometric technology. Use of biometrics for home and
business security is increasing, and is predicted to grow at a rate of 11.9%
in the period between 2016 and 2020. National ID cards, benefits program
fraud prevention, time and attendance, background checks, and domestic
airline passenger screening are a few of the possible new markets for
biometric technology. The rapid market growth of biometrics and their
added capabilities have raised people’s concerns that applications are
invading personal privacy. Although people generally accept the need for
biometric security on ePassports, they continue to voice privacy concerns
about some applications proposed by national, state, and local
governments. In addition to dealing with public concerns, government
organizations should recognize that there are multiple and varied
biometrics standards. To reach their full potential, biometric
applications will require the development and implementation of
international generic biometric standards.

National ID Cards. After moving forward with plans for
national ID cards through its National Identity Scheme, in May 2010 the UK
announced that it planned to scrap the system and destroy the data in its
National Identity Register, although biometric residence permits for
foreign nationals, and biometric ID cards for certain high security
workers, were retained. The first national ID cards were issued to UK
citizens in 2009, However, the uptake was limited, in part due to privacy
concerns and in part because citizens were expected to absorb the cost of
the cards, at close to $50 each. The program has now been completely ended
and the data collected has been destroyed.

Some in the US assert
that including biometrics in the proposed REAL-ID national drivers’
license program could be a precursor to a US identity card. The
Department of Homeland Security (DHS) is currently requiring states to
fully comply with the REAL-ID mandate by December 2014 for those born on
or after December 1, 1964, and December 2017 for those born before
December 1, 1964. This is yet another extension from the May 2013
deadline, which was in turn an extension; originally, as early as May 11,
2008, federal agencies were to accept only REAL-ID compliant drivers’
licenses or non-drivers’ identification cards. To date, 28 states are
fully compliant, one is not compliant, and 27 states have received
extensions. States currently have the option to include biometrics on
REAL-ID cards. Current plans include full rollout of REAL-ID for air
travel by 2020.

Biometrics in Schools. Continuing questions about the
appropriateness of biometrics applications in children’s schools affect
the growth potential for this area. Over 1000 school districts in 40 US
states are estimated to use some form of biometric identification. Because
of parents’ concerns about their children’s privacy, states are divided
about support for biometrics in schools, and fourteen states have passed
legislation limiting the use of biometrics in schools. Parents in the United Kingdom
have raised similar issues, documenting their concerns to Parliament in a
signed petition and on a website (LeaveThemKidsAlone). Parents complain
that more than two million children have been fingerprinted. According to
the September 2007 petition, UK
schools were using or planned to use children’s biometrics for class
registration, library borrowing, and school meals. Yet the practice
continues, with schools implementing new systems for library checkout and
other functions.

Standards. As the biometrics market grows, so will the
need for biometrics standards. Today there are many international,
national, and proprietary standards. However, common standards must emerge
so that government  biometric security applications can communicate
with internal and external organizations as well as across national
boundaries. The InterNational Committee for Information Technology
Standards (INCITS) is a US
organization addressing the development of generic national and
international biometric standards. INCITS focuses on biometric
standards for data interchange formats, common file formats, application
program interfaces, profiles, and performance testing and reporting. The
organization includes members from the vendor community, the National Institute
of Standards and echnology (NIST), and the US Department of Homeland
Security (DHS). INCITS serves as the US Technical Advisory Group for the
international Organization for Standardization ISO/IEC JTC 1/SC 37.

DNA As a Biometric? DNA is an emerging biometric. For
DNA matching, physical samples are required, such as a mouth swab,
blood sample, or crime scene evidence. Since actual samples are required
to make a comparison, some phases of the process have not yet been
automated. The United
Kingdom
has one of the largest
reported DNA databases in the EU or US. The database includes DNA
samples primarily from criminals, but also from suspected criminals and
volunteers. Those who volunteer samples must sign a written consent form
before their DNA information can be added to the database; however, once
granted, permission is irrevocable. However, a December 2008 judgment by
the European courts ruled that it is unlawful for the UK to retain the DNA of 850,000 people
found innocent of crimes; controversy continues, but the UK is
still collecting DNA for “recordable offenses.” With the growing interest
in DNA as a biometric tool, more technologies and applications could
follow – and more litigation. This is an area that must be approached
cautiously.

Recommendations

[return to top of this
report]

At the international level, many government organizations are now
mandated to implement biometrics to comply with European Union and US
ePassport requirements. At the US
national level, US federal agencies are required to support a national
biometric directive,  HSPD-12, for federal employees and contractors,
first mandated by executive order by President George W. Bush. At other
government levels, biometrics applications could eventually become a
requirement, although there is significant resistance. 

To deal with the burgeoning use of biometrics within the government,
organizations should consider that there are no standalone “100 percent
foolproof” solutions to securing access to buildings, data, or borders,
only the ability to make authentication as foolproof as possible.
Complete reliance on biometrics is not the answer; implementing biometrics
along with other forms of identification such as smartcards or a
user-id/password system may be a more effective solution, less prone to
false acceptance and rejection.

It is also necessary to evaluate a biometric technology’s uniqueness,
ease of use, accuracy, cost, and speed with respect to the overall goal of
the application. A major concern for any organization is its
employee’s/users’ acceptance of security measures. If the security
measures seem too onerous or intrusive, no matter what the cost/security
benefit may be, the system will be prone to failure; users will try to
find ways to circumvent it. In addition, even the most well-designed
biometric system will fail if it is integrated into a poorly designed or
unsecure enterprise system.

Vendor/Technology Selection. When choosing a biometric
technology, look for vendors or vendor-independent integrators who offer
creative solutions that combine hardware and software. Determine whether
vendors can offer a variety of biometric modes. Request references from
other government customers. In this fast-growing biometrics market, how
stable are these vendors? Will they still exist in a decade? Recognize
that vendors who specialize in physical access devices may not be the best
candidates to protect Web access. Pay close attention to claims that
manufacturers make about adherence to standards. As good as any biometric
may be, proprietary solutions can be difficult to integrate with
non-proprietary systems. Consider which technology will best meet the
security needs of the organization and best integrate into legacy
systems. Design the biometric system so there is room to grow;
compliance with standards supports scalability. If a variety
of biometric solutions are introduced into the enterprise, it is
important to see that compatible standards are implemented. Set up trials
that closely match the conditions and day-to-day use of the product,
as well as the product’s ability to integrate into existing access
methods.

Stakeholders/Colleagues. In addition to biometrics
vendors and products, during planning consider an organization’s public
and private stakeholders. These colleagues may have strong opinions about
the implementation of biometrics and its effects on their “turf;” issues
like this should be addressed early.

Privacy. Build in privacy protection early. It is
difficult to retrofit.

Initial Registrations. Accurate initial registrations or
enrollments are critical. Since ID enrollments are the foundation of a
biometrics system, poor enrollments will produce poor security,
potentially providing undesirables with access. Develop plans to handle
people who have difficulty in providing valid scans.

Despite some claims, no one biometric technology or set of criteria
is right for all situations, and a single biometric will never be as
effective as multiple biometrics.

[return to top of this
report]

About the Author

[return to top of this
report]

Kirk Woodward is a technical writer and project manager.
Mr. Woodward’s areas of expertise also include enterprise software,
hardware systems, and the use of Internet resources.

[return to top of this
report]