SP 800-76 gives agencies some flexibility, but requirements still daunting to many
By Marisa Torrieri, Contributing Editor
It wasn’t too long ago that biometrics seemed like an expensive proposition that would only work in sci-fi movie plots. But today, the technology that measures human physical and behavioral characteristics for authentication has come a long way. And in the United States, millions of federal government employees and contractors will be in touch with the technology soon. That is because federal agencies are required to include fingerprint-based biometric data on the new IDs mandated by HSPD-12.
So long as they are compliant with the FIPS 201 biometric fingerprint specs required for interoperability, as outlined in Special Publication 800-76 (Biometric Data Specification for Personal Identity Verification), agencies have plenty of leeway in choosing what contractors they want to work with, and which alternative types of biometrics they might want to use in conjunction with their IDs.
In fact, the difficulty may come from the wealth of choices presented, as agencies juggle offers from a growing number of vendors addressing the unique biometrics challenges and requirements of the mandate. Some are providing total solutions; others are providing components to a larger solution, raising the question of how to select a solution: go with one total-solutions provider, or use multiple vendors? Of course, interoperability and the agency’s own security needs are key factors driving choice.
SP 800-76, which was published in February 2006, describes technical acquisition and formatting specifications for the biometric credentials of the Personal Identity Verification (PIV) system, including the PIV Card itself. It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards. The primary design objective behind these particular specifications is high-performance universal interoperability.
Alternative biometric modalities can still be used
When designing its biometrics application, an agency should consider several things. First, the federal government allows for some flexibility – so long as agencies meet the minimum interoperability standards for fingerprint biometrics, they may opt to use alternative biometric approaches and technologies for their own internal operations. In other words, the mandated fingerprint templates ensure interoperability between agencies, but an agency may elect to use a different biometric for its internal, non-interoperable needs.
For example, says SafLink’s Walter Hamilton, who doubles as chairman of the International Biometric Industry Association, an agency might want to store hand-geometry templates on a server within its physical access control system, and use the PIV card simply as a pointer to where the record is stored on the server. Other biometric technologies may be chosen for a variety of reasons (e.g., existing investment, outdoor operation, or staff can’t use fingerprints because they must wear protective gloves).
But agencies are still largely unaware of their options, says Mr. Hamilton. The federal standard limits access to the fingerprint biometrics to direct contact with the smart card chip and then only after entry of a PIN number, he says. This is based on concerns that some have expressed that biometric data may be intercepted if it is transmitted through the contactless interface with the reader. But smart card developers say that fear is often overestimated and that such transmissions can be protected through encryption.
“That process is cumbersome for physical access to entry points that have high-volume usage, or in areas with outside readers,” says Mr. Hamilton, referring to the use of PIN entry and contact reader slots for card insertion.
Standardizing on fingerprint templates
What’s new in SP 800-76 is that the publication specifies a standardized fingerprint template in lieu of vendor-specific proprietary fingerprints used in other applications. Therefore, all who want to market products – from those producing cards, to those producing readers – must conform to it.
The fact that smart cards must be interoperable throughout the federal government presents hurdles to those vendors already working with their own – or other partners’ – proprietary technologies, adds Jim Miller, CEO of biometrics credentialing product developer ImageWare. His company addresses this challenge by providing what he calls an “interoperable, multi-modal platform for biometrics.”
But even with the standards being established, there are still many challenges facing federal agencies as they approach biometric authentication techniques. “The devil is in the details,” says Mr. Hamilton, “of trying to figure it out.”