The Promise of Biometric Technologies Bio Asia Biometrics

The Promise of Biometric Technologies
BioAsia – Biometrics in Security Symposium
Kush Wadhwa, Director EMEA
International Biometric Group
www.biometricgroup.com
27 March 2004
© Copyright 2004 International Biometric Group

Agenda
• About International Biometric Group
• Biometric Basics
• Market and Industry
• Leading Biometric Technologies
• Privacy

International Biometric Group
• Independent biometric technology solutions, consulting, and research & testing firm, founded in 1996
• Offices in New York, Washington, D.C., London
  – Including Biometric Showroom, a hands-on showroom and test facility with more than 100 hardware and software solutions
• Technology-neutral and vendor-independent
  – Extensive experience across all biometric technologies
  – IBG does not resell or distribute biometric hardware
• Key services
  – Evaluate large-scale biometric projects for government agencies, recommending technologies, process design, system design
  – Build product and services development strategies for systems integration, high-tech, and industrial firms
  – Conduct scenario-based biometric accuracy testing
  – Design and deploy custom solutions for IT security, e-commerce, access control, public sector ID systems

Representative IBG Clients
• Technology & Transportation: American Airlines; Diebold; EDS; Ingersoll-Rand; Intel; Kensington; Lockheed Martin; Microsoft; Raytheon
• Federal - State - Local Government Agencies: AAMVA; California DMV; White House OSTP; Federal Aviation Administration; Ontario, Canada MBS; National Institute of Justice; NYPD; Transport Canada; U.S. Navy/SPAWAR
• Financial Services: AIG; Charles Schwab; Chase Manhattan Bank; Citibank; Dresdner Bank; Fidelity Investments; FSTC; Visa; World Bank

Biometric Basics

Baseline Facts on Biometrics
• Biometric technology’s viability is not in question
• Millions of people enrolled, tens of thousands of devices deployed
  – FINGER: IAFIS, UK Asylum, South Africa pensioners, NY welfare
  – IRIS: Schiphol trusted travel, Afghan refugees
  – HAND: Ben Gurion, San Francisco Airports
  – FACE: Illinois drivers’ licensing, London surveillance
• Biometric systems do not provide 100% accuracy
  – 2 or more data elements compared, degree of similarity rated
  – Certain biometrics can provide a high degree of assurance (well over 99.9%) that the person is or isn’t who he claims to be
• Biometrics are part of, not the entire, security solution

Behavioral and Physiological Biometrics
• Behavioral - Voice, Signature, Keystroke
  – Easier to use, often less expensive, less accurate, more subject to day-to-day fluctuation
  – Appropriate for relatively low-security, low-risk applications where acquisition devices are already in place (camera, telephone, signature pad)
• Physiological - Finger, Hand, Iris, Retina, Face
  – Higher accuracy, stable, require slightly more effort
• Biometric usage is both behavioral and physiological
  – Finger-scan, for example, requires the appropriate “behavior” – placing finger on device correctly
  – Voice patterns are based, to some degree, on physiological characteristics

Why Are Biometrics Used?
• Biometrics
  – The automated use of behavioral or physiological characteristics to verify or determine identity
• Security
  – Protect sensitive data and physical assets
  – Provide high degree of identity certainty in transactions
  – Create databases with singular identities
• Accountability
  – Improve auditing / reporting / record keeping
• Convenience
  – Reduce password-related problems
  – Simplified access to controlled areas

Biometric Templates
• Definition
  – Distinctive, encoded files derived and encoded from the unique features of a biometric sample
• A basic element of biometric systems
  – Templates, not samples, are used in biometric matching
  – Created during enrollment and verification
  – Much smaller amount of data than sample (1/100th, 1/1000th)
  – Cannot reverse-engineer sample from template
  – Size facilitates encryption, storage on various tokens
  – Vendor templates are not interchangeable
  – Different templates are generated each time an individual provides a biometric sample

Matching
• Biometric systems do not provide a 100% match
• Comparing strings of binary data (templates)
• Result of match (“score”) compared to pre-determined threshold – system indicates “match” or “no match”
[Diagram: Enrollment data (0010100100111) and Verification data (1011010100101) → Vendor Algorithm → Scoring → Threshold → Match / No Match Decision]

Real-World Accuracy
• Vendor claims (1/1000, 1/1000000) are not always based on experience in real-world deployments
• System accuracy defined through three metrics
  – False match (imposter breaks in)
  – False non-match (correct user locked out)
  – Failure to enroll (user cannot register in system)
• Comparative testing shows that some devices and technologies provide very high accuracy, others very low accuracy
• Regardless of technology, some small percentage will be unable to enroll

Biometric Market and Industry

Biometric Market Size
• 2003 Total Revenue: $719m USD
• Projected 2006 Revenue: $2.7b USD
• Projected 2008 Revenue: $4.6b USD
• Most revenues today from law enforcement / public sector identification
• 2003 Revenues
  – Fingerprint: $198m
  – Middleware: $48m
  – Less than $25m: voice, signature
Source: IBG’s “Biometrics Market and Industry Report 2004-2008”

Comparative Technology Growth
Technology                2003     2006
Fingerprint               $198     $858
Facial Recognition        $50      $417
Hand Geometry             $43      $137
Middleware                $48      $209
Iris Recognition          $36      $190
Voice Verification        $23      $114
Signature Verification    $9       $54
Multimodal                $11      $106
AFIS                      $312     $705
Total                     $719     $2684
All Figures USD
Source: IBG’s “Biometrics Market and Industry Report 2004-2008”

Growth of the Biometric Market
Total Biometric Revenues 2003 - 2008 ($m)
2003: 719
2004: 1,201
2005: 1,847
2006: 2,684
2007: 3,682
2008: 4,639
Source: IBG’s “Biometrics Market and Industry Report 2004-2008”

Biometric Technologies
[Chart: 2003 Comparative Market Share by Technology (not including AFIS revenue)]
Source: IBG’s “Biometrics Market and Industry Report 2004-2008”

Who’s Using Biometrics?
• Hand geometry
  – Countless implementations (power plant, day care, campuses)
  – 70k units deployed
• Fingerprint
  – Hundreds of thousands of units in operation
  – Peripherals, PDAs, access control devices
• Iris recognition
  – Air travelers in London, Netherlands; Singapore border control
  – Inmate tracking (several applications)
  – Medical centers for access control
• Facial recognition
  – Passports/travel documents
  – Casinos
  – DL/ID applications: CO, IL
• Speaker verification
  – Account verification for financial services institutions

Biometric Technologies

Fingerprint Technology, Industry
• Technology
  – 1:1 or “One-to-Few” matching of fingerprint characteristics
  – Most mature biometric technology for IT, desktop applications
  – Becoming more integrated with smart card technology
  – Template Size: 200-1000 bytes
  – Pro: strong combination of accuracy, speed, ease of use
  – Pro: competition in marketplace
  – Con: Small percentage of users cannot enroll
  – Con: Changes over time impact accuracy
• Industry
  – Prominent companies are developing or manufacturing finger-scan technology: Motorola, Siemens, Fujitsu, Sony
  – Reduced cost, development of swipe scanners
  – Increased presence in laptops, mobile phones, PDAs
  – Dozens of vendors, little inter-compatibility

Fingerprint Applications
• Logical Security Applications
  – Deployed internally at dozens of Fortune 500 companies as IT security solution: network, PC access
  – Many deployments in the several-thousand seat range
  – Verification of cardholders at healthcare, employment and pension kiosks
• Physical Security Applications
  – Many deployments, not as large-scale as logical access
• Consumer-oriented deployments
  – In-person payments, declining balance systems
  – Emerging revenue models

Optical, Silicon, Ultrasound
• Optical
  – Advantages: durable, relatively inexpensive, more mature
  – Disadvantages: susceptible to surface wear; power consumption
  – Commonly deployed in higher traffic environments
  – Identix, DigitalPersona, SecuGen
• Silicon
  – Advantages: small form factor, lower cost, consume less power
  – Disadvantages: small form factor; refresh/cycle rates
  – Increasingly used in PDAs, portable devices, peripherals
  – AuthenTec, Infineon / Siemens, STMicroelectronics
• Ultrasound
  – Advantages: works best in difficult environments
  – Disadvantages: size, cost
  – Ultra-Scan only manufactured technology

Live-Scan Acquisition Devices
• High-resolution “Live-scan” devices used to enroll in AFIS systems
  – Live-scan devices may be designed to acquire 1, 2, or 10 fingerprints
  – Most live-scan devices are optical, ultrasound an alternative approach
  – FBI standards define live-scan resolution, DPI, and image quality
  – Main live-scan providers include Identix/Visionics, Cross Match, Heimann
  – Costs can range from several hundred dollars for single-finger device to tens of thousands for ten-print devices
  – Criminal and background check live-scan systems acquire rolled prints, civil ID systems acquire flat fingerprints

Hand Geometry Technology, Applications
• Hand Geometry Technology
  – Measures dimensions of hands and fingers
  – One vendor full hand geometry: Recognition Systems
  – Alternative implementation: Two Finger (Biomet Partners)
  – Most widely used biometric in physical security applications
• Typical Applications
  – Ben Gurion Airport: kiosk-based frequent traveler verification
  – Walt Disney World: season pass holders
  – Columbia Presbyterian Hospital: Building Security
  – Citibank: Physical access to data center
  – Bank Slaviansky (Ukraine): Cashless transactions
  – Bermuda International Airport: Fastgate
  – Lotus Development Corp: Verify parents picking up children
  – University of Georgia: Verify holder of meal card
  – INSpass Travel / Immigration

Enterprise Security Technology – Hand
• Hand-Scan
  – Pro: Proven reliable in difficult environments
  – Pro: Simple operation
  – Con: Fairly low accuracy
  – Con: Large form factor
• Template size: 9 bytes
• One manufacturer: Recognition Systems
• Directly compatible with Wiegand protocols for door control systems

Facial Recognition Technology, Industry
• Technology
  – Based on distinctive facial features
  – Most technologies 2-dimensional, not 3-dimensional
  – Only technology capable of surveillance, but does not operate reliably in this mode
  – Template size: 80 bytes – 1300 bytes
  – Pro: Contactless operation
  – Pro: Leverage existing capture technology
  – Con: Lower accuracy
  – Con: Environmental and behavioral difficulties (sub-optimal lighting, changes in facial features, angled capture)
• Industry
  – Major vendors include Identix, Viisage, and Cognitec
  – Has generally moved from consumer/retail market to large-scale government applications (passport, driver’s license)

Facial Recognition Applications
• Successful deployments normally require existing cameras and a stable, consistent image acquisition environment
• Public Sector
  – IL and WV duplicate drivers’ licenses
  – Mexican voter registration
• Scanning and Surveillance
  – Deployed at Super Bowl for scanning, surveillance
  – U.K.-based surveillance deployments
  – Dozens of pilots in U.S. airports
• Private sector
  – Casino surveillance, check cashing ATMs, integration into security systems

Iris Recognition Technology, Industry
• Technology
  – Based on unique ridges, furrows, and striations of iris
  – Provides very high levels of accuracy
  – Acquisition devices becoming much easier to use, but accuracy of technology contingent on quality of enrollment device
  – Some discomfort with eye-based technology
  – Still not proven in real-world, large-scale 1:N applications
  – Server-based matching
  – Template: 512 bytes
• Industry
  – Iridian owns the core iris-scan technology
  – LG, OKI access control solutions moved to market through resellers, integrators

Iris Recognition Applications
• Logical Access, Account Access
  – Bank United, Takefuji Bank: ATM-based identification
  – Handful of desktop applications
• Physical Access
  – Pennsylvania and Florida Prisons: inmate identification
  – Air travel pilots for employee verification
• Identification
  – Traveler pilots at Heathrow, Charlotte NC, Frankfurt, and others
  – Canadian immigration
  – Pakistani immigration
  – Saudi borders
• Traditionally used in high-risk applications, now positioned for use in wider range of applications

Enterprise Technology – Iris
• Pro: Very high accuracy
  – Not perfect
• Pro: Simpler operation
• Con: Cost (for physical access / security)
• Con: Throughput
• Con: User perception - sensitivity about eyes

Voice Technology, Industry
• Technology
  – Measures voice patterns for 1:1 verification of claimed identity
  – Advances in ability to handle background noise and use of lower-quality phones
  – Illness and environmental changes still cause problems, but more accurate than commonly perceived
  – Can encounter issues with smart card storage due to template size
• Industry
  – Nuance, Buytel, T-NETIX, VeriVoice, Veritel leading players
  – Logical choice for mobile phone market

Voice Applications
• Applications
  – Ideal for applications where telephone already used, such as account access, call-center authentication
  – Probationary offenders/home arrest verification
  – Evaluation by various mobile providers

Other Biometrics
• Vein Identification
  – Based upon vein pattern on back of hand
  – Designed for physical access
• Lip Movement
  – Camera captures images while user speaks a phrase
  – Combined with voice and face
• Gait, thermal facial-scan, others under development

Multiple Biometric Access
• By using more than one biometric, system accuracy can be increased significantly
• Both technologies can “vote”, deciding false rejections and false acceptances
• Fusion vs. binary approaches
• Reduce the number of false matches and non-matches, depending on system requirements
• Potentially no increase in transaction time
  – If one of the technologies is passive
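
Added example (not part of the original slides): the score-versus-threshold decision from the Matching slide, the false match and false non-match metrics from the Real-World Accuracy slide, and the binary "vote" and fusion approaches named above, computed side by side. All scores, thresholds, modality names and function names are constructed assumptions for illustration.

```python
# Added illustration: threshold decisions, error rates, and two-biometric combination.
# All scores, thresholds and names below are constructed for this example.

# Each tuple is (finger_score, face_score) for one verification attempt,
# on a 0..1 similarity scale where higher means "more alike".
GENUINE = [(0.91, 0.72), (0.88, 0.55), (0.47, 0.81), (0.93, 0.64),
           (0.79, 0.40), (0.85, 0.77), (0.58, 0.69), (0.90, 0.83)]
IMPOSTOR = [(0.12, 0.35), (0.30, 0.58), (0.62, 0.22), (0.08, 0.41),
            (0.25, 0.66), (0.41, 0.30), (0.55, 0.61), (0.19, 0.15)]


def error_rates(decide, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_match_rate, false_non_match_rate) for a decision rule."""
    false_matches = sum(1 for s in impostor if decide(s))
    false_non_matches = sum(1 for s in genuine if not decide(s))
    return false_matches / len(impostor), false_non_matches / len(genuine)


def single(index, threshold):
    """One biometric: match when its score reaches the threshold."""
    return lambda s: s[index] >= threshold


def vote_and(t_finger, t_face):
    """Binary combination: both biometrics must independently match."""
    return lambda s: s[0] >= t_finger and s[1] >= t_face


def vote_or(t_finger, t_face):
    """Binary combination: either biometric matching is enough."""
    return lambda s: s[0] >= t_finger or s[1] >= t_face


def fusion(threshold):
    """Score-level fusion: threshold the mean of the two scores."""
    return lambda s: (s[0] + s[1]) / 2 >= threshold


def compare(threshold=0.6):
    """Error rates of each rule at the same threshold."""
    return {
        "finger only": error_rates(single(0, threshold)),
        "face only": error_rates(single(1, threshold)),
        "AND vote": error_rates(vote_and(threshold, threshold)),
        "OR vote": error_rates(vote_or(threshold, threshold)),
        "fusion": error_rates(fusion(threshold)),
    }


if __name__ == "__main__":
    for rule, (fmr, fnmr) in compare().items():
        print(f"{rule:12s} false match {fmr:.3f}  false non-match {fnmr:.3f}")
```

On this constructed data the AND vote removes false matches at the cost of more lockouts, the OR vote does the reverse, and fusion sits between them, which is the trade-off "depending on system requirements" that the slide refers to.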

Biometrics and Privacy

Privacy Protection, Privacy Erosion
• Biometric Protection of Privacy
  – Limiting access to sensitive data
  – Individual control over personal information
  – Potential weapon against identity fraud / theft
• Biometric Erosion of Privacy
  – If used for broader purposes than originally intended (linking disparate data, tracking behavior)
  – If captured without informed consent

Privacy Fears
• Informational Privacy
  – Function creep
  – Use as unique identifier
  – Associating unrelated data
  – Use by law enforcement agencies without oversight
  – Generally based on misuse of technology as opposed to intended uses
• Personal Privacy
  – Inherent discomfort with or opposition to biometrics
  – Perception of invasiveness

Mitigating Factors
• Most biometrics incapable of identification
• Substantial amount of biometric data required for large-scale identification
• Very few shared public or private sector systems aside from law enforcement
• Core matching algorithms not cross-compatible
• Deployers can implement operational and design-oriented protections against system abuse
• Technology not infallible or foolproof
• Legislation accompanies public sector deployment to protect against misuse
• Biometric usage has been closely monitored

IBG’s BioPrivacy™ Initiative
• Analysis of biometric applications – BioPrivacy Impact Framework
  Not all biometric deployments bear the same privacy risks: specific features of biometric deployments increase or decrease the likelihood of misuse
• Analysis of core biometric technologies – BioPrivacy Technology Risk Ratings
  Certain technologies are more prone to be misused than others and require extra precautions
• Steps towards a privacy-sympathetic system – BioPrivacy Best Practices
  Ensure that deployers adhere to privacy principles regarding consent, use limitation, storage limitation, and accountability

BioPrivacy Impact Framework
• Overt vs. Covert
• Opt-in vs. Mandatory
• Verification vs. Identification
• Fixed Duration vs. Indefinite Duration
• Private Sector vs. Public Sector
• Individual / Customer vs. Employee / Citizen
• User Ownership vs. Institutional Ownership
• Personal Storage vs. Template Database
• Behavioral vs. Physiological
• Templates vs. Identifiable Data

Technology Risk Rating Criteria
• Verification/Identification
• Overt/Covert
• Behavioral/Physiological

BioPrivacy 25 Best Practices
• Implement as many Best Practices as possible without undermining the basic operations of the biometric system
• Few deployers will be able to adhere to all BioPrivacy Best Practices
• Inability to comply with certain Best Practices is balanced by adherence to others
• Four Categories
  – Scope and Capabilities
  – Data Protection
  – User Control Of Personal Data
  – Disclosure, Auditing and Accountability

Thank You
kwadhwa@biometricgroup.com
- Slides: 42