Quality & Standards: Integrating Biometrics (May 2007)
by Catherine J. Tilton
May 1, 2007
Standards
for embedded systems moving forward.
These days, there are only a few people left who haven’t
heard of biometrics. This technology is becoming popular for a variety of
applications where personal identity verification is needed. Typically, this is
based on improvements in security, convenience, or both.
Biometric devices are now being embedded into many
platforms, including laptops, PDAs, cell phones, memory sticks, automobiles,
and personal verification devices. They have even been integrated into
smartcards. Over the last few years, the size, cost, and power consumption have
decreased, and OEM sensor modules are available for several biometrics. Some
are able to leverage existing components, such as miniaturized cameras or
microphones, while others require special purpose components, such as
fingerprint sensors. The latter remains the most widely used, as exemplified by
manufacturer Authentec, Melbourne, Fla., which has shipped over 15 million of
its fingerprint sensors.
In the post-9/11 era, interest has increased and has led to
technology improvements in accuracy, usability, anti-spoofing countermeasures,
size and cost reductions, and also in the area of standards. Prior to that
time, very few standards existed for biometrics, most addressing law
enforcement uses. Since then, however, two new standards committees have been
formed specifically to address biometric standards, and other existing groups
have initiated biometric-related projects. This has led to the publication of
over 25 biometric standards in the last five years.
Biometric standards now exist in the area of data formatting
and packaging, technical interfaces, application profiles, and performance
testing. In addition, areas such as IT security, smartcards, and finance have
issued standards related to biometrics. Most are targeted at larger system
implementations and where inter-system interoperability is needed. However,
some are applicable to embedded systems, and more are on the way. A sampling of
these is highlighted here.
Data formats
Figure: Bottom and top views of an OEM fingerprint sensing module
from Authentec, which is designed to make it easier for OEMs to embed biometric
security into a device.
One area where standards were most needed was data
formatting, as proprietary solutions used proprietary data, preventing
cross-vendor implementations. This meant that it was not possible to enroll on
system/device A and verify on system/device B, or to capture on device A and
match on device B. Much progress has been made in this area, and both U.S. and
international data-interchange format standards now exist for fingerprint,
face, iris, signature, hand geometry, and vascular (vein) technologies.
This has been particularly important in the credentialing
market, where biometrics are stored on a smart ID card and verification may be
performed at various physical or logical access sites. Examples of this include
the U.S. government PIV (Personal Identity Verification) program, which
implements Homeland Security Presidential Directive (HSPD) 12 requiring
interoperable smartcard-based identification cards for all federal employees,
TSA’s Registered Traveler program, and the ICAO ePassport.
Biometric data can be found in three forms or processing
levels: raw data (as captured at the sensor), intermediate data (partially
processed), or fully processed (sometimes referred to as a biometric
“template”). It is important to note that most of the data format standards are
at the intermediate level, many still containing image or other forms of raw
information. For example, the iris format contains either a (usually
compressed) rectilinear or polar image of the iris, along with other processing
information. This is due to the need for the industry to agree upon a format
that can be supported by a wide range of product implementations.
Fingerprint biometrics, which have been around the longest,
are the exception in that two different template formats are also standardized.
One is based on fingerprint minutiae (the ridge endings and bifurcation
points), and one is based on fingerprint patterns (generally, the spectral
components of image cells). Templates are smaller than the raw data, which
means they take up less storage space and transmission bandwidth, and they can
be directly matched, not requiring the feature-extraction step (which is
already done when the template is generated).
In addition to the biometric data itself, standards for the
packaging of that data have also been developed. These provide a basic
structure, common metadata, and security elements to support interchange. The
base standard in this area is called Common Biometric Exchange Formats
Framework (CBEFF), for which U.S. and international versions exist, and upon
which other standards are based.
Standards related to biometric sample quality, which is of
great importance to the performance of biometric systems, have been initiated,
but are still in the early stages at this point.
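The packaging idea described above (basic structure, common metadata, and a security element around the biometric data), as an added example that is not part of the original article and does not reproduce the CBEFF encoding. The header layout, the owner/type codes, the key, and the template bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Simplified layout assumed for this example (not the CBEFF encoding):
# format owner (uint16), format type (uint16), processing level (uint8),
# data length (uint32), then the data block, then an HMAC-SHA256 security block.
HEADER = struct.Struct(">HHBI")
LEVELS = {0: "raw", 1: "intermediate", 2: "processed"}
MAC_LEN = 32


def pack_record(owner, fmt_type, level, data, key):
    """Build header + biometric data + security block covering both."""
    if level not in LEVELS:
        raise ValueError("unknown processing level")
    body = HEADER.pack(owner, fmt_type, level, len(data)) + data
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unpack_record(record, key):
    """Check the security block first, then parse the metadata it protects."""
    if len(record) < HEADER.size + MAC_LEN:
        raise ValueError("record too short")
    body, mac = record[:-MAC_LEN], record[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    owner, fmt_type, level, length = HEADER.unpack_from(body)
    data = body[HEADER.size:]
    if length != len(data) or level not in LEVELS:
        raise ValueError("malformed header")
    return {"owner": owner, "type": fmt_type, "level": LEVELS[level], "data": data}


def tamper_detected(record, key, offset):
    """Flip one bit at `offset` and report whether unpack_record rejects it."""
    altered = bytearray(record)
    altered[offset] ^= 0x01
    try:
        unpack_record(bytes(altered), key)
    except ValueError:
        return True
    return False


# Constructed sample values: key, owner/type codes and template bytes are made up.
KEY = b"example-shared-key-not-for-production"
RECORD = pack_record(0x0101, 0x0002, 2, b"\x10\x22\x35\x47" * 8, KEY)
print(unpack_record(RECORD, KEY)["level"])
print(tamper_detected(RECORD, KEY, 4))    # header byte holding the processing level
print(tamper_detected(RECORD, KEY, 20))   # byte inside the data block
```

Because the security block covers the header as well as the data, a verifier on device B can rely on the declared format and processing level when choosing how to match a record enrolled on device A.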
Interfaces
Most of the standardization of technical interfaces has
addressed software interfaces and general purpose computing platforms. Some
work has begun in the area of lower level interfaces and protocols, but these
are not yet mature.
The primary interface standard is the BioAPI, which defines
a general API for interfacing to any biometric technology (biometric service
provider, or BSP). This API supports the basic biometric operations of enroll,
verify (1:1 matching), and identify (1:N matching), primitive functions (e.g.,
capture, create template), nominal data management (e.g., store/get BIR –
biometric information record), as well as general management and control
functions, including discovery.
Device control is minimal, but does include the ability to
set power mode and indicators and to initiate a calibration. It does, however,
include a lower-level, function-provider-interface (FPI) that will allow for
control of lower-level components such as algorithms or devices. Though the
architectural mechanism exists, the device-level FPI is not yet defined.
A new, streamlined version of BioAPI, called BioAPI Lite,
has recently been initiated that targets embedded systems in resource
constrained environments (less capable, for example, than a PDA). Whereas the
current BioAPI requires a framework component or layer, the BioAPI Lite will be
a direct interface with a streamlined set of operations. The intent is to
define a common interface that will allow an OEM sensor unit to be used in a
variety of different devices (and manufacturers) using the same interface and
firmware version.
Conversely, a device manufacturer would be able to integrate
a variety of different OEM sensors using a common firmware/interface (footprint
issues aside). It has recently been proposed that this interface should take
the form of a hardware protocol rather than a software type interface. First
drafts of this approach are still forthcoming.
A second framework-less version of BioAPI for small, but
more capable platforms that have more operating system support, such as PDAs
and cell phones, has also been initiated and is likely to take the form of a
conformance category of the parent BioAPI.
A related standards project is the BioAPI Interworking
Protocol (BIP), which allows the use of BioAPI across a network.
Other interface standards in progress include the Biometric
Identity Assurance Services (BIAS) project, a collaborative effort of INCITS
and OASIS, which supports the remote invocation of biometric services over a
services-based framework, such as Web services, and the ITU-T project called
Telebiometrics System Mechanism (TSM).
Other standards
Standards have been published that specify performance
testing methodologies, the proper way to conduct and report on biometric
accuracy (e.g., false match and non-match rates). These address technology
(algorithm), scenario, and operational testing environments. The IT security
groups are also working on a standard that defines methods and criteria for
security testing of biometric products and systems. The financial sector has
defined a standard for the use of biometrics in that environment that addresses
the management and security of biometric data throughout its life cycle.
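The false match and false non-match rates named above, and how they bear on the verify (1:1) and identify (1:N) operations described earlier, as an added example that is not part of the original article. The scores are constructed, a comparison counts as a match when its score reaches the threshold, and the 1:N figure assumes independent comparisons.

```python
def error_rates(genuine, impostor, threshold):
    """Return (FMR, FNMR) when a score >= threshold is declared a match."""
    if not genuine or not impostor:
        raise ValueError("need both genuine and impostor comparison scores")
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def threshold_for_fmr(genuine, impostor, max_fmr):
    """Lowest observed score usable as a threshold with FMR <= max_fmr."""
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = error_rates(genuine, impostor, t)
        if fmr <= max_fmr:
            return t, fmr, fnmr
    return None  # even the highest observed score lets too many impostors through


def identification_fmr(fmr, gallery_size):
    """Chance of at least one false match in a 1:N search (independence assumed)."""
    return 1.0 - (1.0 - fmr) ** gallery_size


# Constructed similarity scores in [0, 1]; higher means more alike.
GENUINE = [0.91, 0.84, 0.77, 0.69, 0.95, 0.58, 0.88, 0.73, 0.81, 0.62]
IMPOSTOR = [0.12, 0.33, 0.41, 0.27, 0.65, 0.19, 0.52, 0.08, 0.71, 0.36]

if __name__ == "__main__":
    for t in (0.50, 0.60, 0.70, 0.80):
        fmr, fnmr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FMR {fmr:.2f}  FNMR {fnmr:.2f}")
    print(threshold_for_fmr(GENUINE, IMPOSTOR, 0.10))
    print(f"1:1000 search at FMR 0.001: {identification_fmr(0.001, 1000):.3f}")
```

Raising the threshold trades false matches for false non-matches, and a per-comparison rate that looks small for 1:1 verification compounds quickly across a 1:N search.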
Several application-profile standards have been published
that define requirements for the use of biometrics in a specific application
domain/environment. In particular, these profiles narrow the use of base
standards, specifying which requirements and options apply. Most of these are
written for broad functional areas such as border management or transportation
worker identification. However, a profile for commercial physical access
control was recently published.
It should be noted that conformance standards, which specify
how conformance to a given standard is to be evaluated, are in progress for
many of the standards identified.
Conformance, by default, is through a vendor’s self-claim of
conformance, which is adequate for many markets. However, some will require
more rigorous certifications. In this event, third party laboratories may offer
such programs.
Conclusion
Biometric standards development has accelerated over the
past few years, and many standards are now available. Work remains, however, in
areas such as commercial and consumer applications in which biometrics will
play an increasing role as time goes on, and for which sensor manufacturers are
already developing devices.
Further convergence of U.S. and international standards is
needed. This will allow manufacturers to implement to a single standard and
reduce confusion in the marketplace and among users.