Biometrics pass speed and security tests, accuracy not quite there
The National Institute of Standards and Technology is continuing its march towards approving an ID card with a stored fingerprint that can be quickly authenticated without the stored fingerprint data ever leaving the card. The match-on-card fingerprint trials show that existing technology will work, although the accuracy of the comparison isn't quite up to NIST's criteria yet.
According to HSPD-12, federal employees and contractors must migrate to federally approved personal identity verification (PIV) cards to authenticate their identity when seeking entrance to federal facilities. NIST's 2006 standard implementing this requirement states that each identity card must store the user's fingerprint template, which is compared against a live scan of the person's finger when entering a facility.
Today's match-off-card process works like this: the cardholder inserts the PIV smart card into a reader slot, places his or her fingers on a scanner, and enters a PIN that releases the stored fingerprint data from the card. The reader then compares that data against the freshly scanned fingerprints, so the template leaves the card on every verification.
The first goal of NIST's match-on-card test was to determine whether biometric data from the fingerprint scanner can be sent to the PIV smart card wirelessly for matching by the microprocessor chip embedded in the card. In that design the stored template never leaves the card, and the card never has to be inserted into a reader.
The other test was to determine whether the smart cards' cryptographic keys can keep the wireless data transmissions between the fingerprint reader and the cards secure, and whether the cards can execute the match operation within a 2.5 second timeframe. Scientists also investigated whether the match-on-card operation produces as few false acceptances and false rejections as traditional match-off-card schemes, which have more computing power available for the comparison.
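To make the three measured properties concrete (template confinement, channel protection, and false match/false non-match rates under a deadline), here is an added toy model, not code from NIST, FIPS 201 or the MINEX II report. The minutiae matcher, the HMAC-protected channel, the PIN, the 0.6 decision threshold and all sample templates are constructed simplifications; a real card uses ISO/IEC 7816 secure messaging and a far more careful matching algorithm.

```python
"""Toy model of match-on-card fingerprint verification (added example;
everything here is constructed for illustration, not NIST's design)."""
import hashlib
import hmac
import struct
import time

# A minutia is (x, y, angle_degrees); constructed representation.
FINGER_TEMPLATE = [(10, 20, 30), (40, 50, 90), (70, 20, 180),
                   (25, 60, 270), (55, 75, 45), (80, 80, 120)]
CHANNEL_KEY = b"constructed-shared-secret-32bytes"  # assumed pre-shared key
CARD_PIN = "1234"                                   # constructed PIN


def encode(minutiae):
    """Serialize minutiae as little-endian int16 triples for the channel."""
    return b"".join(struct.pack("<hhh", x, y, a) for x, y, a in minutiae)


def decode(payload):
    return [struct.unpack_from("<hhh", payload, i) for i in range(0, len(payload), 6)]


def match_score(probe, template, tol_xy=6, tol_angle=15):
    """Fraction of template minutiae that have a probe minutia inside tolerance."""
    hits = 0
    for tx, ty, ta in template:
        for px, py, pa in probe:
            d_angle = abs((ta - pa + 180) % 360 - 180)
            if abs(tx - px) <= tol_xy and abs(ty - py) <= tol_xy and d_angle <= tol_angle:
                hits += 1
                break
    return hits / len(template) if template else 0.0


class MatchOnCard:
    """Card side. The enrolled template is held privately; the only output
    is a match/no-match decision, so the template never crosses the channel."""

    def __init__(self, template, key, threshold=0.6):
        self._template = template
        self._key = key
        self._threshold = threshold
        self._pin_verified = False

    def verify_pin(self, pin):
        self._pin_verified = hmac.compare_digest(pin.encode(), CARD_PIN.encode())
        return self._pin_verified

    def match(self, payload, tag):
        if not self._pin_verified:
            raise PermissionError("PIN must be verified before a biometric match")
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("channel integrity check failed; probe rejected")
        return match_score(decode(payload), self._template) >= self._threshold


def reader_verify(card, key, probe, deadline_s=2.5):
    """Reader side: authenticate the probe, send it, time the card's answer.
    Returns (decision, within_deadline)."""
    payload = encode(probe)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    start = time.perf_counter()
    decision = card.match(payload, tag)
    return decision, (time.perf_counter() - start) <= deadline_s


def evaluate(card, key, genuine_probes, impostor_probes):
    """False non-match rate over genuine probes, false match rate over
    impostor probes, plus whether every transaction met the deadline."""
    results_g = [reader_verify(card, key, p) for p in genuine_probes]
    results_i = [reader_verify(card, key, p) for p in impostor_probes]
    fnmr = sum(1 for d, _ in results_g if not d) / len(genuine_probes)
    fmr = sum(1 for d, _ in results_i if d) / len(impostor_probes)
    on_time = all(t for _, t in results_g + results_i)
    return {"FNMR": fnmr, "FMR": fmr, "all_within_deadline": on_time}


# Constructed probes: three good re-captures of the enrolled finger, one badly
# distorted capture (half the minutiae displaced), and three other fingers.
GENUINE_PROBES = [
    FINGER_TEMPLATE,
    [(x + 2, y - 3, a + 5) for x, y, a in FINGER_TEMPLATE],
    [(x - 1, y + 1, a - 4) for x, y, a in FINGER_TEMPLATE[:-1]],
    [(x + 20, y + 20, a) for x, y, a in FINGER_TEMPLATE[:3]] + FINGER_TEMPLATE[3:],
]
IMPOSTOR_PROBES = [
    [(5, 90, 0), (95, 5, 200), (50, 50, 300)],
    [(12, 22, 200), (60, 10, 10), (30, 90, 100)],
    [(90, 90, 90), (15, 85, 45), (85, 15, 135), (45, 45, 225)],
]


def run_demo():
    card = MatchOnCard(FINGER_TEMPLATE, CHANNEL_KEY)
    card.verify_pin(CARD_PIN)
    return evaluate(card, CHANNEL_KEY, GENUINE_PROBES, IMPOSTOR_PROBES)


if __name__ == "__main__":
    print(run_demo())
```

The distorted genuine capture scores 3/6 and falls under the threshold, giving a false non-match rate of 0.25 on this tiny set while the impostor fingers never match; in a real evaluation the same two rates are measured over thousands of attempts and reported at a fixed operating point. Note that nothing on the reader side ever receives the enrolled template, and a probe whose tag does not verify is rejected before any matching happens.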
NIST report takeaways
The report also pointed out something probably already known. With respect to accuracy and speed, a number of factors should be considered, including the:
- operational card stock in use
- number of templates stored on the card
- number of fingers presented
- quality of the enrollment procedure, particularly whether verification was done at time of card issuance
- communications channel and interface
- cryptographic operations needed to secure the channel and to authenticate the card and data elements
The results? The fingerprints can be read and matched on the card. But accuracy isn't quite there yet. NIST tested smart cards – 10 with a 128-byte-long key and seven using the more secure 256-byte key. They all passed the wireless security and timing tests. In accuracy testing, just one of the card batches met the criteria set by NIST, while the two others narrowly missed. More tests with additional cards are planned soon.
Even so, NIST says the results show that match-on-card technology can operate within the agency's standardized accuracy criteria, good news for vendors waiting to produce the cards. Around 20 fingerprint products were involved in some or all aspects of the testing.
The tests, referred to as MINEX II (part of NIST's Minutiae Interoperability Exchange program), cover ISO/IEC 7816 smart cards with match-on-card capabilities. The next MINEX II evaluation in 2008, known as Phase III, will continue "to gauge improvements over existing implementations, and to evaluate others," according to the MINEX II report. The testing also confirmed a finding from earlier MINEX evaluations, that "the use of two fingers greatly improves accuracy."
MINEX II did not evaluate interface standards, secure transmission protocols, or card and algorithm vulnerabilities, so the results should not be read as evidence that the cards or their matching algorithms resist attack. In addition, it did not mimic a particular verification scenario, and it did not compare fingerprint sensors or system-on-card implementations.
Several caveats were issued in the report regarding real-world usage. For example, low humidity is associated with higher false rejections; younger adult populations are considered easier to match; and users who regularly interact with a system experience lower rejection rates.