Some scoff at the idea of emerging biometrics, saying that the identification technology as a whole is still emerging. In reality, however, fingerprints have been used to identify criminals for nearly a century and around the world biometrics are used to gain access to buildings, get cash at ATMs and authenticate online transactions.
The days when biometric scanners were merely props in James Bond movies are gone. The North American market appears to be on the precipice of a change. Use cases for secure authentication are everywhere, and the technology foundations to enable biometrics have matured.
Re:ID editors spoke with a group of industry leaders to get their thoughts on what's coming in the biometric market. The individuals deploy and look at biometric systems every day and the emerging trends they identified were remarkably consistent. They include the rise of two formerly outlying modalities and the coalescence of biometrics and mobile devices for two distinct applications.
Vein pattern biometrics is a modality that is garnering a lot of interest, says Rick Lazarick, chief scientist at the identity labs for CSC. Some large-scale test results show that both finger vein and palm vein biometrics are extremely accurate, he says, and possess some really important convenience attributes.
The modality is being used in ATMs throughout Japan as well as in Brazil and Poland. "The ATM implementations show that they have the capability to be used in large scale and mainstream applications," Lazarick says.
The Japanese ATMs use three-factor authentication for transactions–card, PIN and a vascular biometric, says Walter Hamilton, a senior consultant at ID Technology Partners and chairman of the International Biometrics and Identification Association.
The technology is starting to show up in North America as well. The Port of Halifax in Nova Scotia is using vascular technology for physical access control and Baycare Health System in Tampa, Fla. is using it for patient identification, Hamilton says.
"It works well, and based on independent testing, I see the technology being just as accurate as fingerprint for one-to-one matching," Hamilton says. "I also see the general population having fewer challenges submitting a good sample of their vein pattern in comparison to the problem some people have with fingerprints."
Some individuals have difficulty with enrolling a usable fingerprint sample, Hamilton says. Very fine fingerprints are tough to pick up and others may have damaged their fingerprints making it difficult to get an image and then match later.
Vein pattern biometrics use light to map the vascular pattern underneath the skin so the surface doesn't matter. Failure-to-enroll rates for vein pattern technologies are very low, Hamilton says.
Test results have shown that the technology is very reliable, adds Lazarick. "Many times vascular outperforms iris," he says.
It can also be viewed as a privacy-enabling technology compared to fingerprints, iris and facial, Hamilton says. Fingerprints leave a residue that can be lifted off a surface and potentially replicated.
"Some people doubt (fingerprint biometrics') ability for credentialing because there's a chance someone may copy a fingerprint from a glass," Hamilton says.
Since vein pattern records the pattern beneath the surface it's virtually impossible to covertly observe. "Unions and certain segments that would object to fingerprints would not object to vein pattern," Hamilton says.
Vascular is also touted as the hygienic biometric, Hamilton says. Typically with this technology a user places his hand or finger on a guide above the scanner whereas with contact scanners there is the possibility of germ transfer between users.
But there still are challenges vascular technologies will have to overcome, Hamilton says. Fujitsu and Hitachi are the two main vein recognition providers and each uses its own proprietary algorithm for matching. This means templates from a Hitachi scanner cannot be read by a Fujitsu scanner and vice versa.
This may change, however, as the National Institute for Standards and Technology is working on a standard for vein recognition. But, Hamilton explains, the work is in the early stages.
Iris is the other modality that seems to be on the cusp of widespread deployment, says Bryan Ichikawa, vice president of identity solutions at Unisys. "Long distance iris recognition opens up whole new worlds and works very well," he says.
The U.S. Department of Homeland Security contracted Unisys to test the different long distance iris products last year. The test, says Ichikawa, showed that iris solutions from multiple vendors could be used for one implementation.
Long distance iris systems from Sarnoff and AOptix show tremendous promise, Lazarick says. "They are close to having something pretty phenomenal," he says.
"Mainstream iris adoption has already begun," says Dale Bastian, VP of Sales – Biometrics, AOptix Technologies. "There are many large scale, production and final stage testing deployments underway that demonstrate that important end-users have fully accepted the modality."
In the Middle East iris is being used for immigration applications and to track individuals expelled from the country, Hamilton says. Airports are also considering using iris for employee access control to secure areas.
"The data from real-world, large scale deployments will demonstrate that iris offers significant advantages over other modalities for appropriate applications," adds Bastian.
The real innovation that is bringing iris to the forefront is its newfound flexibility. In the past, iris capture required a user to precisely and purposefully place the eye in front of a camera. Newer solutions enable the images to be captured from long range, while the subject is in motion and even without his knowledge.
"Longer distance identification means that an officer no longer has to be close to a subject to identify him so there can be a larger safety buffer," explains Mark Clifton, Sarnoff's acting president and CEO. "Distance enables identification in large venues, perimeter control and discrete applications."
Additionally, Clifton explains that longer distance also enables one system to capture both the iris image and face image simultaneously, providing multiple modalities to improve accuracy, speed and ease of use.
Iris nullifies a lot of the hygienic concerns that people have with fingerprints. It also has the potential, like it or not, to be used for non-intrusive or surreptitious identification as shown by a recent announced deployment in northern Mexico.
What may bring biometrics to the masses is its use in smart phones and mobile devices. These devices are being used more frequently for higher-value transactions and steps need to be taken to so they can be better secured. PINs and pattern-based applications exist but many argue they don't offer the level of security that biometrics can provide.
Traditionally the topic of biometrics and handsets has centered on hardware, most often the integration of fingerprint sensors into the phone. Globally a variety of handsets have launched with built-in sensors, and early this year LG released the first model with U.S. availability.
But it is software not hardware-centric biometrics that has the industry buzzing these days. Using the tools already built into phones, a range of biometric authentication is possible.
Adding biometrics to mobile devices could be relatively easy, says Cathy Tilton, vice president of standards and emerging technology at Daon. "The obvious (modalities) are face and voice," she says. "The devices already have cameras and microphones."
Adding iris to the mix wouldn't be much of a stretch either, adds Lazarick. "Without an additional infrastructure you could fuse them," he says. "As the functionality of these devices increases, the security of the transactions will more and more demand identity verification."
There is also the opportunity for multi-modal application via mobile devices. In a multi-modal environment, the system would take a score from a voice pattern, facial image and perhaps an iris image to determine if the individual is authorized to use the device or conduct the transaction, Lazarick says.
Getting acclimated to use the mobile device for biometric verification may be the biggest challenge. Because it is a one-to-one match, however, many of the issues that exist with large-scale one-to-many matches don't apply.
Because you are matching against a single known template, the captured image does not need to be as precise as it would to isolate a match from thousands or millions of templates in a one-to-many environment. "It's all manageable if you get used to using the device," Lazarick says.
And for most smart phones these features could be added with a software application and no additional hardware. "To coin a phrase, ‘there's an app for that,'" Hamilton says.
Enabling biometrics on mobile devices will take away the need for people to verify identity at fixed locations, says Ichikawa. A credential could be stored on the mobile device and confirmed via facial recognition iris, fingerprint or voice. "Once you create a level of mobility, you don't have to authenticate at fixed points," he says. "You can now identify them anywhere."
The next trend again matches biometrics with mobile devices, but this time leaves the realm of the consumer world for that of law enforcement. The days of being arrested and having your fingerprint placed on an inkpad and rolled onto paper are already history for many police departments. Paper-based collection has been replaced by electronic scanners in the station. But what's coming next is the extension of the capability to the street, says Tilton.
Mobile biometrics devices have been used by the military in Iraq and Afghanistan for years to identify insurgents and make sure only authorized individuals enter restricted areas. The devices are also becoming popular to confirm access to U.S. ports with the Transportation Worker Identification Credential.
While many of the devices used by military officials are dedicated for those purposes, there are different peripherals that can be added to the iPhone and other mobile devices so it can be used to check biometrics, Hamilton says. Most of these are aimed at law enforcement applications to enable officers to enroll and check biometrics in the field.
BI2 Technologies has a sleeve that works with the iPhone and can capture face, fingerprint and iris, Hamilton says. A number of law enforcement agencies are already using the system, he says.
At the same time companies providing systems to the military are releasing updated products with increased functionality. Analysts predict that these dedicated devices will be used for both military and law enforcement applications while add-ons build biometric functionality into other mobile devices such as smart phones.
While biometrics have been teetering on the edge of mass adoption for years in North America, the momentum may finally exist for widespread adoption.
Interestingly, the trends identified for this article suggest that it may be different modalities and use cases that ultimately provide the spark.
In the past, facial images and fingerprints were the modalities of choice, and most looked to physical security and one-to-many identification as the applications to drive adoption.
While these modalities and applications are certainly still important and even dominant, it may be this newer generation–call it Biometrics 2.0–that finally gives Sisyphus his much needed break from pushing the biometric rock up that adoption mountain.
Hitachi's VeinID finger vein scanners have been deployed since 2004 by major banks in Japan and more recently Poland," says Lew Iadarola, VeinID sales manager for Hitachi Security Solutions. "Some South American banks are conducting trials as well."
"In total we have more than 100,000 embedded modules in ATMs, time and attendance readers and other devices," says Iadarola. Another 100,000 of the company's USB-connected logical access readers have also been deployed for authentication to various networks and applications, he notes.
According to Iadarola, one of the largest use cases in the U.S. is with Konica Minolta's bizhub multi-function printers. The finger vein scanner secures document output in government, military and health care environments. Additionally, Japanese telecom giant KDDI has deployed more than 10,000 VeinID scanners for employee logon.
Rather than using the biometric to identify an unknown individual from a population, Iadarola sees vascular technology as ideal for operational biometrics. "Use the vein pattern to ensure the individual is who they claim to be and only then initiate the service, access or transaction," he says.
"Our focus with VeinID is one-to-one matching on a smart card or device," he explains. This comes from the company's historical preference to enhance privacy in public facing applications.
Many of our large customers preferred to minimize the liability that comes with handling personally identifiable information by performing match-on-card transactions rather than storing information in a database, he says. Government Integrators and end-users worldwide did not want to use the same technologies used and stored in databases by law enforcement.
"Some people want to buy a coke, rent a car, and pick up their prescriptions without providing something personally identifiable," he concludes. "People prefer to verify identity and walk away leaving nothing behind."
Sarnoff Corp., a subsidiary of SRI, is a leader in long distance iris recognition technology. The company offers two models in its Iris On the Move (IOM) line: a walk-thru gate called the IOM PassPort and a small mountable unit called the IOM Glance.
"Sarnoff revolutionized iris recognition by providing longer distance, higher speed, and higher throughput than traditional systems," says Mark Clifton, Sarnoff's acting president and CEO. "We have improved upon systems that require you to be uncomfortably close," he explains, "and have enabled recognition up to 3 meters in distance while walking at a natural pace. Because of that we can process up to 30 people per minute."
The initial adopters include airports, banks, stadiums, construction sites, he explains, "any place where you have need to get people in and out very quickly."
AOptix Technologies, a Campbell, Calif.-based iris innovator, launched its first "iris at a distance" product, the InSight VM, early in 2009. "It puts the advanced adaptive optics technology of the original InSight into a new form factor appropriate for access control, immigration control and eGate applications," says Dale Bastian, VP of Sales – Biometrics, AOptix.
Immigration control is a key application being addressed by the InSight line. "We recently completed three highly successful proof-of-concept studies in the Middle East where the adoption of iris recognition for enrollment of deportation subjects and the screening on in-bound travelers is underway," he explains. "They demonstrate extraordinary results on key criteria including failure-to-acquire and failure-to-enroll rates, average time of capture and accuracy."
Leading the adoption of iris are national identity programs following closely behind immigration applications, Bastian says. He suggests that governments around the globe are evaluating iris recognition technology, which could lead to cooperation between governments to share methodologies creating more secure immigration and travel environments.
Animetrics is offering facial recognition for Android, Windows Mobile and RIM (Blackberry) operating systems. Using the phone's embedded camera, a facial image patterns is generated at the point of access and compared to the enrolled pattern to grant or deny access.
On the voice front, PerSay, a spinoff from Verint Systems, SecuriMobile, Palo Alto, Calif., VoiceVault in the UK and Germany's VoiceSafe all offer voice biometric solutions to secure mobile devices and transactions.
Other companies are using mobile biometrics to add an additional factor to out of band authentication solutions.
PhoneFactor, Overland Park, Kan., uses the phone as the second authentication factor, ‘something you have.' They also use voice pattern biometrics via the phone to add the third factor, ‘something you are,' to the authentication process.
When a user authenticates to a PhoneFactor-enabled site, he enters his username and password. The PhoneFactor technology calls the user's pre-supplied phone number. The user answers the phone and hits the #-key to affirm the transaction and only then is the online access granted. Additionally, a secret passphrase can be required for voice pattern recognition to further increase security.