Government drives match-on-card, new commercial uses emerge
For many, the use of biometrics for physical access to facilities–whether placing a finger on a scanner or looking at an iris camera–continues to evoke futuristic images. But the technology is prevalent in applications that many use every day, for accessing the gym or tracking of time and attendance at work.
That said the high-security applications still exist and remain a primary driver for the technology. Biometric authentication was loosely included in the first FIPS 201 standard for PIV cards, the credentials mandated for U.S. government employees and contractors. But the new draft FIPS 201-2 revision more specifically calls for match-on-card biometric technology for physical access control.
Government applications paving the way
Governments across the globe are driving the use of biometrics, says Dave Adams, senior product marketing manager for Identity and Access Management at HID Global. India, South Africa and Brazil are looking at fingerprint technology to secure facilities. Iris is also on the radar, he adds, but not nearly as prevalent to date.
Fingerprint continues to gain in popularity because of its improved accuracy and lower cost. In the past, Adams explains, biometric technology had issues. “The reality hit that you would be holding up people at the front door with false accepts and false rejects,” he says. “The technology has improved dramatically over the past decade.”
Many countries are looking at what the U.S. has done with FIPS 201, trying to create a similar specification for use by their government employees, Adams says.
The current FIPS 201 standard utilizes biometrics in a three-factor architecture: smart card, PIN and biometric. The fingerprint can only be accessed through the contact interface of the card and only after the PIN has unlocked it. This has been an impediment to its use for physical access control because it slows throughput at busy gates and doors. Both users and industry representatives have long wanted the removal of the PIN requirement and the subsequent ability to use the biometric over the contactless interface.
A new revision to FIPS 201 is underway with the draft version calling for the use of match-on-card, a technology considered attractive for privacy protection, says Patrick Grother, a computer scientist at the National Institute of Standards and Technology who worked on the MINEX standardized match-on-card technology tests conducted by NIST.
Match-on-card is exactly what it sounds like–the biometric matching is performed on the card. The benefit is that the enrolled biometric template never leaves the card. The individual places the card in the reader and places a finger on a sensor to create a template. This template is transmitted to the card where it is matched against the enrolled template stored on the card. In other biometric architectures, the match is performed on the reader or in a backend database, which means the template could more easily be compromised.
“The alternatives (to match-on-card) aren’t attractive,” says Grother. They include requiring a PIN to unlock the biometric or having the biometric as a free read. A PIN requirement is problematic because individuals forget PINs and the PIN entry process can slow throughput to unacceptable levels. “(With match-on-card) if I lose my card and someone else picks it up … because the biometric never leaves the card there is no possibility to read it,” he adds.
NIST conducted a series of trials, called Minutiae Interoperability Exchange (MINEX) tests, to see if vendors could submit cards and fingerprint algorithms that could work with the ISO standardized templates. “Before 2008 nobody had published how well a minutia matcher could work on an unpowered smart card,” Grother says.
Teams were invited to participate; typically it was smart card vendors with biometric providers. The card and algorithms were tested tens of thousands of times and then the software was also tested with a virtual card millions of times, Grother says.
They found that the speed and accuracy of the cards and matchers has improved, with transaction times less than a quarter of a second and sometimes less than one-seventh of a second, Grother says. The transaction time is negligible compared to the time it takes to place the card in the reader and finger on the sensor.
The main reason for the tests was to determine if match-on-card technology could be used with government-issued PIV cards, Grother says. Clearly, the most recent MINEX results released in March suggest the technology is ready for prime time.
The draft FIPS 201-2 specification calls for match-on-card to be enabled over the chip’s contact interface. Contactless may be added in the future, but the standards regarding encryption of the template from the reader to the card need to be finalized before Grother believes NIST would endorse that functionality.
No coffee mugs allowed
Vendors say they can do match-on-card via the contactless interface already, says Neville Pattinson, vice president of business development and government affairs at Gemalto. The workflow for contactless match-on-card would require that both of the user’s hands are free. “It’s a two-handed operation, one hand to hold the card to the reader and one to present the finger,” he explains. “You need to leave the card in the reader field as you present the finger.”
Fingerprint technology is being used at seaports across the U.S. for physical access control using the Transportation Worker Identification Credential (TWIC), says Walter Hamilton, chairman of the International Biometric and Identification Association and a partner at ID Technology Partners.
There are a few ways the U.S. Coast Guard, which is in charge of security at ports, validates an identity with the TWIC, Hamilton says. The card itself can be inspected for visual security features, the digital certificate stored on the chip can be validated or the fingerprint template stored on the card can be checked against the cardholder’s finger. Both standalone and handheld readers have been used to authenticate individuals with TWIC credentials.
A final report on fingerprint reader performance is due shortly, Hamilton says. After that the Coast Guard will create a rule as to how biometrics will be used at ports. Due to the lengthy rule making process, it will likely be 2013 before wide scale deployment of fingerprint readers occurs.
While the government may be a large future consumer of match-on-card technology, some in the commercial sector are already using it, Pattinson says. “Enterprises want it for three-factor authentication. Card present, PIN and biometric for access to the highest-security areas, such as server rooms,” he adds.
Both government and high security corporate applications want to use biometrics to strongly tie the individual to the access transaction, but in much of the commercial arena it’s a combination of security and convenience driving biometric use.
This combination led 24 Hour Fitness to deploy biometric readers for access to its facilities, says Patrick Flanagan, senior vice president at the fitness chain. The fitness chain was also looking to reduce the number of ID cards it printed in an effort to be greener. “We were printing more than one million cards each year and now we’ll be able to stop that,” he says.
24 Hour Fitness partnered with MorphoTrak to offer cardless check-in for its 4 million members and 420 locations. Some 97% of members have opted into the biometric check-in program with the remaining holdouts using a government-issued ID to gain access to the club, Flanagan says.
When registering with the system, members choose a 10-digit PIN and record the fingerprint biometric, explains Flanagan. Using the PIN, the club is able to do a one-to-one biometric match reducing the possibility of false accepts or false rejects.
“It makes it easy for our members to access the club,” Flanagan says. “All they need to bring is a towel.” Additionally, the biometric ties the membership to the individual ensuring friends don’t share ID numbers or cards.
The system started rolling out in the fall of 2010 and was fully implemented by spring 2011. It took about three months to enroll existing members.
The embrace of the biometric access system at 24 Hour Fitness makes Gary Jones, head of sales for biometric access control at MorphoTrak, believe that the American public is ready for the technology. “This gave us confirmation that if you design a system correctly you can get great acceptance,” he says.
Demand for biometrics access control has been growing, says Jones. “There isn’t a vertical market in which we don’t have a reader installed,” he says. “It ranges from consumer applications like health clubs and entertainment all the way to banking, manufacturing and agriculture.”
Food production facilities have been adopting biometrics because of their potential vulnerability to terrorist attacks, Jones says. Manufacturing is using biometrics because it enables secure access for a large number of people.
It can also keep track of who’s coming and going, says Phil Scarfo, senior vice president of worldwide sales and marketing at Lumidigm. Manufacturing uses biometric not just to make sure the correct people are getting in the door but also to keep track of the hours they work. “There’s always been a desire for biometrics at the door because with time and attendance applications that use a card, (the card) can be shared,” Scarfo says.
Morphotrak’s Jones adds that companies need not switch all doors to biometrics, but only those controlling access to sensitive areas such as servers or IT rooms. “If they have 100 doors they may start off with five or six with biometrics and after they see how it works they expand,” he says.
The Bank of America headquarters in Charlotte, N.C. went a different direction when it deployed iris recognition throughout the building, says Hector Hoyos, CEO at Hoyos, an iris recognition provider. Cameras capture the employee’s iris before they walk through a turnstile and, if approved, open the gate. The cameras are used on each of the 48 floors for access to different areas.
There are 12,000 employees enrolled in the system, Hoyos says. Guests are also enrolled and allowed access to the approved areas.
Bank of America had an existing card-based physical access control system but made the switch to iris to expedite access, Hoyos says.
More than doors
Most people think of physical access as opening and closing doors. But biometrics can also keep track of a fleet of trucks, individuals packing a shipping crates or operators of heavy equipment.
Fleet and asset managers want to use biometrics to know who is driving a particular vehicle or who packed a particular container, Scarfo explains. “In essence there will be a biometric switch instead of an ignition that will enable the driver to be identified at the home office,” he says.
A similar system could be used to verify that trained people are operating special equipment. For example, instead of using a key to operate a forklift at a warehouse or store, a biometric could ensure that the key isn’t left in the machine enabling an untrained individual to operate it.
Biometrics have long been touted as a technology to secure access, be it to a facility or a computer network. Such high-security government and corporate needs have driven its use and that will continue but as acceptance of the technology grows more commercial applications will also appear.
Match-on-card gains accuracy, speed
The MINEX II tests were conducted to evaluate the accuracy and speed of match-on-card verification algorithms. These run on standard smart cards and compare reference and verification data conformant to the ISO/IEC 19794-2 Compact Card fingerprint minutia standard.
The test assesses the core viability of matching on personal identity credentials based on industry-standard smart cards.
This latest test results were released in March, with the prior two releases published in Feb. 2008 and May 2009. The number of match-on-card implementations that passed the minimum government standards has increased each year along with the number of card-provider/algorithm-provider teams more than doubling in that same span.
The results support the proposed inclusion of match-on-card in the U. S. government’s PIV program. Initial requirements appear in the recently drafted FIPS 201-2, and NIST is now developing match-on-card specifications for PIV.
Match-on-card implementations from five providers met the minimum error rate interoperability specifications set for the PIV program for match-off-card solutions. The increase in interoperable accuracy and in the number of PIV-capable commercial providers–from two in 2009 to five in 2010–represents a maturation of the marketplace for standards-compliant products.
The tests show that PIV compliance and the success of match-on-card deployments depend on more than the on-card matching algorithm. The minutia detection algorithm used to prepare the card’s reference template and authentication templates is critical, such that the selection of the template generator is now more influential on error rates than is the matching algorithm itself.
Good minutia detection algorithms reliably find the same minutiae in two captured images of the same finger. Poor generators caused several match-on-card implementations to narrowly miss PIV compliance. This calls for further development, standardization, test and calibration work.
The technology does remain technically difficult to deploy. Algorithms from two providers missed the PIV requirements despite having PIV-compliant match-off-card implementations. This shows that the porting of algorithms running on general-purpose computers to smart cards is a not an easy task. It also helps explain why the number of providers of off-card minutiae matching algorithms greatly exceeds that for on card.
The results of the tests give credence to the argument that match-on-card deployments should adopt template generators that report minutia quality values, such as those submitted to MINEX II. Reliable quality values are vital in the preparation of the compact-format templates sent to the card.
Match-on-card for logical access, health care, banking
Match-on-card is often touted as an application for physical access control, but there is some debate as to whether the technology has an application in the logical access world.
Walter Hamilton, chairman of the International Biometrics and Industry Association and partner at ID Technology partners, says match-on-card could be more useful for logical access. “I don’t see match-on-card for physical access because it would be a two-handed operation,” he says. He is referring to the fact that physical access is largely the realm of contactless and for match-on-card to be used over a contactless interface, the user must keep the card in the reader’s RF field while presenting the fingerprint.
But logical security applications do not present the same two-handed challenge. “Elimination of the PIN is the biggest thing match-on-card brings,” explains Hamilton. “Being able to authorize a transaction using cryptography without entering a PIN is a big deal.” This, he suggests, is an ideal solution for network access control.
But Neville Pattinson, vice president of business development and government affairs at Gemalto, says match-on-card for logical access is tough because it’s more expensive. “It’s the cost of the readers on the logical access side that could be prohibitive,” he says. “Biometric readers are not cheap. In logical access there is a one-to-one correlation with the number of readers needed, (but) it’s not the same with physical access control.”
Even with that said, Pattinson says match-on-card may take off in certain logical access control settings. Health care providers might have to start using smart cards with match-on-card fingerprint capabilities to file Medicare claims. The idea is proposed as a way to reduce fraud in Medicare. There’s a possibility that Medicare recipients would use similar technology, but there’s debate on whether patients should use a biometric or a PIN.
In addition to health care applications, Oberthur sees applications in banking. Match-on-card is being eyed in the financial services arena, says Patrick Hearn, vice president of Government and Identification Markets North America at Oberthur Technologies. Some banks in lower-income areas or areas with high rates of illiteracy are considering match-on-card at ATMs as a replacement to traditional PINs.