April 1998, Vol. 15, No. 4

After coasting along quietly for the past couple years, the biometrics field has catapulted into the spotlight with small-but-exuberant companies popping out of every high-tech nook and cranny. As with most other technology-driven industries these days, biometrics owes its recent emergence primarily to the Internet.

Biometrics use unique personal characteristics — fingerprints, voiceprints, patterns of the iris on an eye — to establish and verify identity. Such products, when combined with some form of intelligent software or pattern recognition technology, can provide security in a wide range of applications. Where biometrics are carving a sizable niche right now, however, is in providing security for computer applications, from simply accessing a personal computer to protecting electronic commerce transactions over the Web.

Consider, for instance, the TrueFace technology developed by Miros Inc. (Wellesley, Mass.; www.miros.com). The company's CyberWatch product uses neural network software and a small video camera mounted on a PC monitor to verify computer users when they try to access protected data on their computers. CyberWatch determines whether the useršs face is the same as the face image stored in its memory. If not, access to secure data is denied.

Miros' latest product, TrueFace Web, employs face recognition to compare a previously-stored image to a live video image of a user's face while accessing the Web. Web sites, on-line activities and e-commerce functions can now be securely accessed and used. Web surfers can use their face as their password to browse a secured website or intranet.

"The Internet has grown at such an incomprehensible rate, leaving vulnerable a tremendous amount of unprotected information," said Michael Kuperstein, president and CEO of Miros. "TrueFace Web provides a Web administrator with the ability to limit Web site access to only authorized users through the personalized power of face recognition."

TrueFace has two elements: an Active X client and a Web server component. The TrueFace Web client automatically downloads to the browsers of the user attempting access to the Web site or page. The client captures an image of the user and securely returns it to the TrueFace server where identification takes place. If the user is authenticated, the desired Web pages are downloaded in the normal way.

Another biometrics vendor, IriScan, has pioneered the development of iris recognition, which identifies individuals by computer analysis of the randomly formed patterns found in the eye's iris. IriScan and its partners are developing iris technology-reliant products for securing various activities such as telecommunications links, point-of-sale and credit card transactions, Internet access, and cash machine (ATM) transactions (see sidebar for another IriScan application being developed by Spring Technologies).

Computer access at your fingertips
Who? Vision Systems Inc. (Irvine, Calif.; www.whovision.com) has developed TactileSense, which allows computer users to securely access their desktops and the Internet with the touch of a finger. The technology eliminates passwords and enhances security for system login, smart cards, network access, Internet, intranet and extranet security, and e-commerce transactions. Future versions of TactileSense will target notebook computers.

The TactileSense system is composed of an electro-optical polymer film sensor, which is roughly the size of a postage stamp, and integrated print matching software that identifies the user's fingerprint data. The sensor transforms a finger's electric field into a high-resolution optical image, then digitizes the optical image of the fingerprint. This digital representation is passed to the PC host, where application software processes, stores and matches the print. Products based on the TactileSense system are expected to ship in mid-1998.

INS employs Identix devices
Identix Inc. (Sunnyvale, Calif.; www.identix.com), a provider of live-scan identification and biometric imaging systems, is providing the U.S. Immigration & Naturalization Service (INS) more than 40 TouchPrint 600 live-scan fingerprint image systems. Identix's devices combine optical scanning technology, image processing software and pattern-matching algorithms.

The TouchPrint systems will be employed by the INS at centers nationwide to screen individuals from other countries applying for various benefits and entitlements ranging from work cards to citizenship. While this is the first use of Identix technology by the INS for benefits verification, the enforcement arm of the agency has used the TP-600 for some time, primarily at deportation centers.

According to Randall Fowler, Identix's president and CEO, the ongoing deployment by the INS of Identix single-digit scanners is an integral part of Ident, a security network extending along the U.S./Mexico border from California to Texas, as well as the use of Identix equipment for identification and verification at other major ports of entry throughout the U.S.

IBM helps speed travelers through airport security
Computer giant IBM Corp. (Armonk, N.Y.; www.ibm.com) has thrown its hat into the biometrics arena with, among other projects, the Fastgate ID program, an automated system for speeding passengers through airport immigration checkpoints. Developed by IBM's Hursley Laboratory in the U.K., Fastgate has been in testing at Bermuda International Airport.

Fastgate is an ATM-like device that combines network technology with biometrics to verify a traveler's identity. It compares passengers' fingerprints, hand geometry or voice prints with those previously placed on file by the traveler. Fastgate functions much like INSPASS, a biometrics-based U.S. government system in testing at several airports. The systems are designed to help goverments and airport authorities manage the growing demand for fast, secure border crossings by confirming that travelers do not pose a known security threat.

Travelers access Fastgate with a standard credit/debit, frequent traveler or other commercial card issued by a participating card issuer. To enroll, travelers provide their card issuer with information such as name, address, date of birth and passport number. Travelers need to register at airports offering Fastgate service by having biometric information recorded digitally. Once enrolled, Fastgate travelers just insert a card into a reader to allow a biometric "read." While the traveler uses a touchscreen to answer some basic questions, Fastgate retrieves the traveler's information from the IBM-managed database, and compares the biometric information to verify identity.

Via a point-to-point connection, Fastgate then requests an online confirmation from the border control authority database that there are no security alerts issued for the traveler. In general, the process takes less than 15 seconds to clear the traveler through an immigration checkpoint.

The push to standardize
One of the hallmarks of all emerging technologies is the push to establish a de facto standard, which by its very nature helps to legitimize the technology. With biometrics exploding onto the scene so rapidly, a couple standards are already jockeying for position, hoping to gain the critical mass needed to nudge the other contenders aside.

One such standard that has the cachet of being developed under contract to the U.S. Department of Defense is the Human Authentication Application Program Interface (HA-API), introduced by The National Registry Inc. (Tampa, Fla.; www.nrid.com), a provider of biometric technology. The HA-API specification defines a generic biometric interface between a software application incorporating biometric technology and the underlying biometric technology itself. HA-API is being developed under the auspices of the U.S. Biometric Consortium.

HA-API is written as a high-level specification covering the primary functions needed to integrate a biometric identification technology. As such, it should complement other emerging biometric APIs that are written to a more detailed level of functionality, such as the Speaker Verification API (SVAPI) developed by a committee chaired by Novell and a generic biometric API announced by IBM.

HA-API is designed to hide (as much as possible) the unique aspects and complexities of individual biometric types and products while providing the maximum flexibility for the biometric vendor to provide competitive product features. This is done by providing a toolbox of biometric functions, which is accessed via a standard interface. This allows integrators to select the right biometric(s) for the job. It supports use of multiple biometrics (singularly or layered), and both local and server-based verification.

Currently, HA-API is defined for a Microsoft Windows 32-bit environment, with plans to expand to other environments, such as UNIX, in the future.

BAPI
Meanwhile, I/O Software Inc. (Riverside, Calif.; www.iosoftware. com), a developer of software applications and device drivers for biometric devices, has introduced what it calls the Biometric Application Programming Interface (BAPI) specification. BAPI is a means of standardizing the way different biometric devices, such as fingerprint scanners and facial recognition devices, communicate with the application software that uses them.

Presently, all biometric devices use different, incompatible protocols and drivers. As a result, it is difficult to write applications that work with more than just a single brand or model of biometric device. "It's as though you had to have a completely different word processor to work with each type of printer you bought," said William Saito, president of I/O Software. BAPI aims to solve this by creating a common driver scheme.

I/O Software will begin supporting the BAPI standard by introducing BAPI-compliant versions of its Secure Logon System for Windows NT and the Secure Logon System for Windows 95, both of which let users log onto their computers with fingerprints or other biometrics, instead of or in addition to passwords. "The introduction of generic APIs for biometric devices opens up a new field of opportunity in this market sector," said Julian Ashbourn, deputy chairman of the Association for Biometrics.

According to Judith Markowitz of J. Markowitz, Consultants (Evanston, Ill.), a frequent contributor to ISR, "One of the attractive features of the BAPI specification is its levels. New developers can use Level 3 functions to rapidly move up the learning curve; experienced developers can access the operations of Levels 1 and 2 to create innovative products and applications." An overview of the BAPI specification and its design philosophy is available at www.iosoftware.com/bapi.

Along similar lines, the International Computer Security Association (ICSA) (Carlisle, Pa.; www.icsa.net) has launched a biometric product certification process. The ICSA's biometrics certification lab has begun what will be a six-week certification process, in which an initial six biometric products from five vendors will be tested. The products that successfully achieve certification will be announced at the end of this month.

The ICSA's Commercial Biometrics Developers Consortium, comprised of a number of biometrics vendors, works to promote biometrics education, establish testing and certification standards, and promote ethical industry practices.

Since many of the leading biometrics vendors are aligned in different standards camps, any hope that a single standard effort will soon emerge to simplify matters is probably delusional. One can only hope that some kind of consensus can be agreed upon by the majority of the players, ensuring that consumers won't just throw up their hands in dismay at yet another promising high-tech industry bogged down by its own in-fighting. ISR will of course continue to report on all future developments.

Web Site Š Copyright 1997, 1998 by Lionheart Publishing, Inc.
All rights reserved.



Lionheart Publishing, Inc.
2555 Cumberland Parkway, Suite 299, Atlanta, GA 30339 USA
Phone: 770-431-0867 | Fax: 770-432-6969
E-mail: lpi@lionhrtpub.com
Web: www.lionheartpub.com


Web Design by Premier Web Designs
E-mail: lionwebmaster@preweb.com