- Email: [email protected]
An eye on security
SURVEY
An eye on security The potential for the combined usage of biometrics and smart cards continues to emerge. With technology developments enabling costs to fall, and a growing impetus for the use of strong authentication in a number of applications, could the time be ripe for more deployments combining the two technologies? In the months following September 11th, the mainstream media talked up the value of biometrics as a technology that could address many of the problems in a world dominated by fears of security threats and identity thefts. Stock values in some biometrics companies rose rapidly in the immediate aftermath of the terror attacks and it seemed as if the industry was heading for rapid growth. Unsurprisingly, this was followed by strong criticisms of the companies and analysts who had made unrealistic claims about the potential of the technology and the market as a whole. Almost three years on, analysts are far more realistic about the state of the industry, and people at all levels seem to understand both the strengths and the weaknesses of the technology. This is leading, in turn, to more concrete contracts and a growing number of satisfied customers. Today, many consumers have a vague understanding of what biometrics is, and with new decisions made at the governmental level, more people are being exposed to the technology first hand.
Card and biometric While biometric technology provides an innovative answer to many authentication problems, the technology on its own has weaknesses – especially in the face of powerful privacy and security concerns. One answer is to use the biometric in conjunction with a token. Biometric templates do not have to be large (for example a fingerprint template may be as small as a few hundred bytes), so can be adequately stored on a barcode or magnetic stripe card. While these approaches help provide basic two-factor authentication (something you have – the card; something you are – the biometric), they do not have the power of a smart card, which as Philippe Ruffin, marketing manager, Automotive, Banking and ID, Atmel, explains: “adds another security level and can perform processing functionality”. Taking the strong authentication model a step further, three-factor authentication can also be provided via a smart card and a biometric when something you know – a PIN – is added.
12
However, it is sometimes difficult to make a business case for the use of strong authentication, as Jacques Seneca, executive vice president, Business Development Group, Gemplus, comments: “You can talk of the probability of risk – but it can be difficult to quantify some risks.” If a biometric template is stored on a smart card rather than a central database this will give the owner of the biometric more control over what happens to his or her personal data. However, storage of the template only addresses a part of the security lobby’s concerns. For example, if the card communicates with a computer for biometric matching to take place, concerns remain that biometrics could still be threatened by attackers. One answer is to use the smart card for match on card and even offline authentication. Taking this idea a step further, it could also be possible in the future to embed a fingerprint reader into the smart card itself, which would have the advantage of not needing to secure data links between the smart card and the reader, while providing everyone with a personal authentication token in their own pocket. However, some significant technical challenges would still have to be overcome, as Philippe Ruffin explains: “Technical constraints remain a problem and there are also a number of application requirements that vary between application.”
Figure 1. Types of biometric technology: Physical biometrics • Face • Fingerprint/Palmprint • Iris • Hand geometry • Vein • Retina Behavioural biometrics • Dynamic signature • Gait recognition • Keystroke recognition • Speaker verification
Passports Individual market sectors are now forging ahead. The terrorist attacks of September 11th combined with the ongoing war against terrorism has led to efforts at national and international levels to boost border security. In 2003, the International Civil Aviation Organisation (ICAO) formally adopted a global standard for the integration of high capacity contactless smart card chips and biometric information into passports and other Machine Readable Travel Documents (MRTDs). The organisation mandated that facial recognition be used in all passports, while permitting countries individually to choose one or two secondary biometrics. The ICAO’s decision is a major opportunity for the smart card industry because it covers all passports throughout the world. It introduces the potential for a new form factor which must be future-proof and able to operate for a lifetime of 10 years. Meanwhile, in Europe, the widespread introduction of biometric and smart chipenabled passports in the EU came one step closer earlier this year when the European Commission decided to back a proposal that will make it mandatory for member states to introduce the technology. A number of trials and rollouts are now being conducted throughout the continent. In the Netherlands, for example, 15,000 people are to take part in a trial that will create and test biometric passports using fingerprint and facial recognition technologies. A number of other countries are also advanced in their preparations to roll out biometric passports. Notably, earlier this year, Denmark ordered three million passports to be made by Finnish company Setec. This order is thought to be the first for identification documents that meets the ICAO and US visa waiver requirements.
US market Although the US market has been fairly slow in the take-up of smart cards compared with other parts of the world, this market is being penetrated fairly rapidly by the biometrics industry. A number of schemes are being deployed across industry sectors, especially corporate and
Card Technology Today July/August 2004
SURVEY government. Biometric technology is also being deployed in the retail and leisure sectors – although these markets rarely combine the use of a biometric with a smart card. The governmental market is building momentum, with deployments being made for staff access control applications as well as welfare applications. In the Department of Defense (DoD), approximately four million Common Access Cards (CAC) have been deployed, and fingerprint recognition is planned for the next step of this programme, which is being evaluated by the Biometrics Management Office (BMO). The CAC system is now in the process of evaluating larger memory sizes in order to fit additional applications such as biometrics and digital signatures. Meanwhile, the Transport Workers Identification Credential (TWIC) programme, which could involve 12-15 million cards for US transportation workers, also plans to include biometric technology for strong authentication and to simplify employee background checks. For border control situations, the US-VISIT scheme has been launched which requires most foreign nationals travelling to the US on a visa to have their two index fingers scanned and a digital photograph taken to verify their identity at the port of entry. According to the US-VISIT web site (www.dhs.gov/us-visit): “Visas are required for most students, business travellers (depending on their length of stay) and millions of other visitors, regardless of where they live…” At present, travellers entering the US under the Visa Waiver Programme are not required to carry biometric data on their passports, although it was initially envisaged that new passports would need to carry ICAO-specified biometric data from October 2004. However, with October rapidly approaching, it is now almost certain that this deadline will be missed by many large countries, including the UK, France, Germany, Italy, Spain and Japan, with the most likely date for compliance now being towards the end of 2005. In the US, there are different levels of consumer acceptance for different types of biometric. “Resistance remains for iris and retinal biometrics because of (unfounded) fears that they could damage the eye,” Randy Vanderhoof, executive director of the Smart Card Alliance told Ctt. “Fingerprint technology is being accepted – with suspicion – as there is a perception that this is reserved for criminals. Facial recognition seems to have the most acceptance, but this is limited in its availability due to its higher cost compared to fingerprint. Security integrators prefer fingerprint because of its small size, current availability of access readers with biometrics and low cost.”
Card Technology Today July/August 2004
Error rates False Acceptance Rate – the probability that a biometric verification device will fail to reject an impostor. False Rejection Rate – the probability that a biometric verification device will fail to recognise the identity, or verify the claimed identity of an enrolee.
Rest of the world Throughout the rest of the world, the governmental and border control market also provide the biggest push for the combination of smart cards and biometrics. In particular, the demand for the technology at border control settings or for national ID projects should see deployments rise considerably. In the Middle East, a strong desire to demonstrate that countries are adopting the latest in security technology has led to a number of well-documented projects, including biometric identity cards in the UAE, Saudi Arabia and Oman being announced within the past couple of years. Meanwhile, the longrunning Basel System in Israel has seen an extension of its programme at the Erez checkpoint at the northern end of the Gaza strip. Here, Palestinian workers passing through the checkpoint are using contactless smart cards from On Track Innovations (OTI) in conjunction with face and hand biometrics. Speaking in December 2003, Ohad Bashan, director of global marketing at OTI, said: “Such a dual biometric system has never been used with the contactless cards before. It is significantly quicker than other systems that check handprints and retinas to identify users. The device takes between four and nine seconds to check each worker.”
Beyond borders As we have seen, at present most demand for biometric and smart card combined systems are for border control and national ID applications. However, when end-users become more comfortable with the idea of biometrics following experience of government-based applications, they may then be more willing to adopt the technology in other areas of life. Beyond the governmental market, the payments sector has for some time looked like a potentially strong segment to penetrate with a combination of biometrics and smart cards. So far though, market performance has been disappointing. Rollouts to this sector have often attracted considerable media attention, but although a raft of pilot schemes has taken place in many parts of the world, most have failed to move to live rollout and become a real commercial success. On the surface, biometric technology has much to offer the banking industry: it could address the
problem of identity theft; it provides a strong method of authentication, which is less likely to be compromised than PINs; it provides a high level of non-repudiation; and from a customer perspective, speed and convenience may be provided through a well-integrated system. However, in the UK, the Association for Payment Clearing Services (APACS) made a decision in 1999 not to deploy biometrics for 10 years. “This decision was made because retailers need to have time to prepare for any kind of new technology and therefore need to know the financial industry’s position,” comments Sandra Quinn, director of Corporate Communications, APACS. The organisation made its decision for two key reasons: reliability and concerns over the compromise of a biometric template. The issue of accuracy has dogged the biometrics community, and although work continues to improve the accuracy of the technology, most banks still consider that it is not good enough for use in a customer-facing environment. “Currently the very best technology has a False Rejection Rate (FRR) of 4 in 10,000. This means a genuine and honest customer could potentially be humiliated and wrongly identified as a fraudster at a cash point or POS,” says Sandra Quinn. “In the UK, 13 million card payments are made each day, which means that you could be looking at an average of 5,000 people being falsely rejected each day.” In the short term, therefore, most demand for smart cards and biometrics will be limited to the back office, where several banks and credit card organisations are known to have deployed a combination of smart cards and fingerprint biometrics for their physical and logical access control systems. Other markets that could prove interesting include the healthcare and telecoms sectors. In the case of healthcare, a combination of biometrics and smart cards could address the requirements of the US Health Insurance Portability Accountability Act (HIPAA), and could also be used in Europe, where initiatives are being developed aimed at empowering patients. A large part of the mobile telecoms industry, meanwhile, already uses two-factor authentication in the form of a SIM card and a PIN. As the SIM card is already used to authenticate the user’s PIN,
13
SURVEY Figure 3. A selection of recent announcements concerning smart cards and biometrics Market segment Project name
Biometric
Technical info
Canada Government
Restricted Area Identification Card Fingerprint and iris Additional information: Pilot tests began in 2004 at Vancouver and Montreal airports.
Contactless cards conforming to ISO 14443B
Denmark Transport
Bornholmercard
Fingerprint
Solution provided by Precise Biometrics and PayVend Solutions
Additional information: Designed to enable fast processing of frequent travellers between the Danish island of Bornholm and the Danish and Swedish mainland. Fingerprint technology is stored directly on the smart card. France Airports Roissy Charles de Gaulle Fingerprint Contactless smart cards and Orly airports Additional information: Designed to control access of staff to secure areas. The project will affect 90,000 people across the two airports and has more than 100 fixed and 15 mobile security checkpoints. Sagem is the prime contractor on the project, which will be implemented with Omnitech. Hong Kong Government Smartics Fingerprint and face Uses Multos smart card technology (Smart Identity Card Scheme) Additional information: Technical partners include PCCW (consortium leader), Keycorp (and Infineon), Trub, ACI-worldwide, MasterCard (KMA), Muhlbauer, SecureNet Asia, Cogent Systems, Digimarc. The card will be issued to all citizens over the age of 18. Italy Government Carta d’Identia Elettronica Optical/Smart card (Citizen’s ID Card) Additional information: Designed for e-government applications. 56 million people are expected to be enrolled by 2008. Personal and biometric data will be stored on the card. Government Defence Multipurpose Card Fingerprint 32KB smart cards supplied via Siemens Informatica Additional information: Cards are used for identification across the Italian military. The card contains personal data and photo of cardholder, fingerprint, medical health data and various digital certificates. Macao Government
National ID
Fingerprint
Multifunctional smart card from Siemens Business Services and Giesecke and Devrient.
Additional information: e-government card that will be issued to 460,000 people over a four-year period. Malaysia Government
MyKad
Thumbprint
Multi-application smart card delivered by the Government of Malaysia and the Government Multi-Purpose Card (GMPC) consortium.
Additional information: Designed for all citizens over the age of 12. 15 million people are expected to be enrolled by 2005. Oman Government
National ID solution Fingerprint Java Card technology delivered by Gemplus Additional information: Launched in 2003, the card is being deployed to 1.2 million users. The card contains name, address, digital photo ID and biometrics of the cardholder. Initially it is being used for personal digital identification, but this may be extended to include driver’s license, emergency medical data and any border control applications. Philippines Government I-Card system Face and Fingerprint Additional information: Issued by the Bureau of Immigration to identify foreigners entering and leaving the country. Saudi Arabia Government
National ID card Face/fingerprint/iris Additional information: It is believed that this scheme could include a 32KB multi-application smart card based on Multos. Facial images will be stored on optical memory stripes, with fingerprints or iris images most likely being added at a later stage. UK Government
National ID card
Iris/fingerprint/face
Technical delivery by SchlumbergerSema (now part of ATOS Origin) and a consortium of partners
Additional information: The proposal must still clear numerous hurdles. In May 2004, the UK government began a pilot involving 10,000 volunteers. United Arab Emirates (UAE) Government Nationwide ID programme AFIS ResIDent Secure ID from Gemplus Additional information: Two million cards to be rolled out for personal ID. Functionality of card could extend to driver’s license, border control and emergency medical data. USA Government Common Access Card (CAC) Fingerprint planned Now moving to dual interface cards Additional information: The CAC is a smart card designed to improve security at DOD installations worldwide by enabling physical, authorised access to installations, buildings and controlled spaces, as well as to gain access to military computer networks and systems. Government Undisclosed US state Fingerprint Precise Match on Card licenses from Precise Biometrics for the roll out of smart cards that can perform on-board fingerprint matching. Additional information: Pilot ID programme at an undisclosed US State. The initial programme will run until the end of 2004. Worldwide Corporate Boeing corporate ID card Suppliers to the project are Bell ID, Gemplus and Siemens Additional information: Over 200,000 corporate ID smart cards are being deployed to Boeing staff worldwide. Biometrics-based access control and other applications are expected to be added to the scheme in later stages.
14
Card Technology Today July/August 2004
SURVEY there is no reason why it should not be used to authenticate the user’s biometric. In the Japanese market, mobile phones are being issued with fingerprint sensors. And in Europe, prototypes of the technology have been on display at trade shows since the 1990s. Obvious biometrics for this market are fingerprint recognition and speaker verification. In the case of fingerprint recognition, sweeping sensors are desirable as their small silicon size makes them easy – and cheaper– to embed in mobile phones.
Not just yet, thanks In spite of the very strong drivers for the use of smart cards and biometrics, the two industries still face significant hurdles. Cost remains a problem, which sometimes makes it difficult to define a clear business case for the use of the technology. Added to this, although smart cards can help address some privacy lobby concerns, there is still a vocal civil liberties lobby that rejects the idea of smart cards and biometrics in many facets of life. Biometric technology standardisation is also a major challenge for the market. Work is ongoing in this area – and insiders report that things are becoming easier – but there is still some way to go. For example, it is not yet possible to use an extraction algorithm from one supplier and perform matching with another supplier’s algorithm, although standards governing the use of images before template creation are being worked on.
Standards The issue of standards remains a hindrance to biometrics market penetration. However, plenty of work is taking place via a number of different groups aimed at addressing this problem. Globally, the International Standards Organization (ISO) has formed a biometric standards committee to specify industry standards for biometrics and smart cards. In the US, the National Institute of Standards and Technology (NIST) and the Biometric Consortium have established a working group to accelerate the development of biometric standards for homeland security. Also in the US, the DoD aims to promote greater
interoperability of biometric technology through the development and adoption of standards. In August 2003, deputy secretary of defense Paul Wolfowitz announced the DoD Biometrics Enterprise Vision. He directed the DoD Biometrics Management Office (BMO) to ensure that a scalable biometric component of the Global Information Grid (GIG) infrastructure is in place, and that the appropriate standards, interoperability tools, testing frameworks, and approved product validations are available to assist the DoD community in using this technology. The BMO established the BMO Standards Working Group to coordinate biometric standards activities within the DoD. One of the BMO Standards Working Group’s major efforts has been developing the DoD Biometrics Standards Development Recommended Approach. This details an approach for identifying, participating in, and developing biometric standards.
Technology Beyond the work undertaken by the various standards groups, a number of technical developments are helping the industries advance. Match on card technology has been developed to allow biometric matching to be performed on the smart card chip, maintaining speed and accuracy. This provides the advantages of complete security for the template and also for the matching mechanism, both protected in the secure environment of the smart card chip. This technology addresses many privacy questions – and is well suited for national ID situations where there may be significant political pressures to ensure that privacy is not compromised. A number of countries have adopted the technology for national ID, including the UAE. It is also being used for other applications: in 2003, Swedish data security company Comex Electronics teamed up with Oberthur Card Systems and Fingerprint Cards to develop an IT security system based on match on card technology using smart cards and finger pattern verification. Card companies are working hard to develop better software so they can perform match on
card faster and with less memory space. One approach is the cheap microprocessor card route taken by the proprietary technology known as BioEasy. As Jacques Seneca, executive vice president, Business Development Group, Gemplus explains: “BioEasy … externalises the heavy computing to the reader so that instead of doing the computing on the card itself, the reader extracts minutiae from the fingerprint. The card then sends a set of true and false minutiae to the reader. The reader checks the information and says to the card ‘these are the errors I have found’. If the errors reported by the reader match the errors sent by the card, the card holder will be permitted to enter the system.”
The next step The smart cards and biometrics industries have made significant progress over recent years. There is no doubt that the two technologies could work well together to provide enhanced security and privacy to end-users in a diversity of market sectors. However, this will only be fully achieved when technical and interoperability problems are ironed out. Memory capacity will increasingly be expanded as buyers opt for more sophisticated processes incorporating multiple applications and even multiple biometrics. As Smart Card Alliance’s Randy Vanderhoof comments: “Memory capacity could be strained with demands for multiple applications on one card or when a full image is stored on the smart card. This is driving a move to larger cards and, as a result, we’re seeing a move from EEPROM to Flash memory.” The biometrics industry needs to work its way through issues such as encryption technology, template technology, false positives and false negatives. Once these issues are addressed biometrics will really come in contact with the card as a mode of application. And from the smart card industry’s point of view, contactless technology appears to be the obvious next step for use with biometrics. Although the majority of deployments currently use contact technology, this could change over the next three years with more organisations opting for a biometric and contactless chips, such as the next generation of passports.
Market Survey Contacts: Company Atmel APACS Atos Origin Fingerprint Cards Gemplus Oberthur Precise Biometrics Smart Card Alliance
Name Philippe Ruffin Sandra Quinn Carl Norell - +33 1 47 85 54 00 Christer Bergman Randy Vanderhoof
Card Technology Today July/August 2004
Tel +33 4 7658 3074 +44 20 7711 6200 +33 1 55 91 20 00 +46 31 607 820 +1 215 390 2899 +33 1 56 05 05 82 +1 703 319 9664 +1 609 587 4208
Fax +44 20 7256 5527 +33 1 55 91 20 05 +46 31 137 385 +1 215 390 2927 [email protected] +1 609 587 4248
email [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
15
An eye on security The potential for the combined usage of biometrics and smart cards continues to emerge. With technology developments enabling costs to fall, and a growing impetus for the use of strong authentication in a number of applications, could the time be ripe for more deployments combining the two technologies? In the months following September 11th, the mainstream media talked up the value of biometrics as a technology that could address many of the problems in a world dominated by fears of security threats and identity thefts. Stock values in some biometrics companies rose rapidly in the immediate aftermath of the terror attacks and it seemed as if the industry was heading for rapid growth. Unsurprisingly, this was followed by strong criticisms of the companies and analysts who had made unrealistic claims about the potential of the technology and the market as a whole. Almost three years on, analysts are far more realistic about the state of the industry, and people at all levels seem to understand both the strengths and the weaknesses of the technology. This is leading, in turn, to more concrete contracts and a growing number of satisfied customers. Today, many consumers have a vague understanding of what biometrics is, and with new decisions made at the governmental level, more people are being exposed to the technology first hand.
Card and biometric While biometric technology provides an innovative answer to many authentication problems, the technology on its own has weaknesses – especially in the face of powerful privacy and security concerns. One answer is to use the biometric in conjunction with a token. Biometric templates do not have to be large (for example a fingerprint template may be as small as a few hundred bytes), so can be adequately stored on a barcode or magnetic stripe card. While these approaches help provide basic two-factor authentication (something you have – the card; something you are – the biometric), they do not have the power of a smart card, which as Philippe Ruffin, marketing manager, Automotive, Banking and ID, Atmel, explains: “adds another security level and can perform processing functionality”. Taking the strong authentication model a step further, three-factor authentication can also be provided via a smart card and a biometric when something you know – a PIN – is added.
12
However, it is sometimes difficult to make a business case for the use of strong authentication, as Jacques Seneca, executive vice president, Business Development Group, Gemplus, comments: “You can talk of the probability of risk – but it can be difficult to quantify some risks.” If a biometric template is stored on a smart card rather than a central database this will give the owner of the biometric more control over what happens to his or her personal data. However, storage of the template only addresses a part of the security lobby’s concerns. For example, if the card communicates with a computer for biometric matching to take place, concerns remain that biometrics could still be threatened by attackers. One answer is to use the smart card for match on card and even offline authentication. Taking this idea a step further, it could also be possible in the future to embed a fingerprint reader into the smart card itself, which would have the advantage of not needing to secure data links between the smart card and the reader, while providing everyone with a personal authentication token in their own pocket. However, some significant technical challenges would still have to be overcome, as Philippe Ruffin explains: “Technical constraints remain a problem and there are also a number of application requirements that vary between application.”
Figure 1. Types of biometric technology: Physical biometrics • Face • Fingerprint/Palmprint • Iris • Hand geometry • Vein • Retina Behavioural biometrics • Dynamic signature • Gait recognition • Keystroke recognition • Speaker verification
Passports Individual market sectors are now forging ahead. The terrorist attacks of September 11th combined with the ongoing war against terrorism has led to efforts at national and international levels to boost border security. In 2003, the International Civil Aviation Organisation (ICAO) formally adopted a global standard for the integration of high capacity contactless smart card chips and biometric information into passports and other Machine Readable Travel Documents (MRTDs). The organisation mandated that facial recognition be used in all passports, while permitting countries individually to choose one or two secondary biometrics. The ICAO’s decision is a major opportunity for the smart card industry because it covers all passports throughout the world. It introduces the potential for a new form factor which must be future-proof and able to operate for a lifetime of 10 years. Meanwhile, in Europe, the widespread introduction of biometric and smart chipenabled passports in the EU came one step closer earlier this year when the European Commission decided to back a proposal that will make it mandatory for member states to introduce the technology. A number of trials and rollouts are now being conducted throughout the continent. In the Netherlands, for example, 15,000 people are to take part in a trial that will create and test biometric passports using fingerprint and facial recognition technologies. A number of other countries are also advanced in their preparations to roll out biometric passports. Notably, earlier this year, Denmark ordered three million passports to be made by Finnish company Setec. This order is thought to be the first for identification documents that meets the ICAO and US visa waiver requirements.
US market Although the US market has been fairly slow in the take-up of smart cards compared with other parts of the world, this market is being penetrated fairly rapidly by the biometrics industry. A number of schemes are being deployed across industry sectors, especially corporate and
Card Technology Today July/August 2004
SURVEY government. Biometric technology is also being deployed in the retail and leisure sectors – although these markets rarely combine the use of a biometric with a smart card. The governmental market is building momentum, with deployments being made for staff access control applications as well as welfare applications. In the Department of Defense (DoD), approximately four million Common Access Cards (CAC) have been deployed, and fingerprint recognition is planned for the next step of this programme, which is being evaluated by the Biometrics Management Office (BMO). The CAC system is now in the process of evaluating larger memory sizes in order to fit additional applications such as biometrics and digital signatures. Meanwhile, the Transport Workers Identification Credential (TWIC) programme, which could involve 12-15 million cards for US transportation workers, also plans to include biometric technology for strong authentication and to simplify employee background checks. For border control situations, the US-VISIT scheme has been launched which requires most foreign nationals travelling to the US on a visa to have their two index fingers scanned and a digital photograph taken to verify their identity at the port of entry. According to the US-VISIT web site (www.dhs.gov/us-visit): “Visas are required for most students, business travellers (depending on their length of stay) and millions of other visitors, regardless of where they live…” At present, travellers entering the US under the Visa Waiver Programme are not required to carry biometric data on their passports, although it was initially envisaged that new passports would need to carry ICAO-specified biometric data from October 2004. However, with October rapidly approaching, it is now almost certain that this deadline will be missed by many large countries, including the UK, France, Germany, Italy, Spain and Japan, with the most likely date for compliance now being towards the end of 2005. In the US, there are different levels of consumer acceptance for different types of biometric. “Resistance remains for iris and retinal biometrics because of (unfounded) fears that they could damage the eye,” Randy Vanderhoof, executive director of the Smart Card Alliance told Ctt. “Fingerprint technology is being accepted – with suspicion – as there is a perception that this is reserved for criminals. Facial recognition seems to have the most acceptance, but this is limited in its availability due to its higher cost compared to fingerprint. Security integrators prefer fingerprint because of its small size, current availability of access readers with biometrics and low cost.”
Card Technology Today July/August 2004
Error rates False Acceptance Rate – the probability that a biometric verification device will fail to reject an impostor. False Rejection Rate – the probability that a biometric verification device will fail to recognise the identity, or verify the claimed identity of an enrolee.
Rest of the world Throughout the rest of the world, the governmental and border control market also provide the biggest push for the combination of smart cards and biometrics. In particular, the demand for the technology at border control settings or for national ID projects should see deployments rise considerably. In the Middle East, a strong desire to demonstrate that countries are adopting the latest in security technology has led to a number of well-documented projects, including biometric identity cards in the UAE, Saudi Arabia and Oman being announced within the past couple of years. Meanwhile, the longrunning Basel System in Israel has seen an extension of its programme at the Erez checkpoint at the northern end of the Gaza strip. Here, Palestinian workers passing through the checkpoint are using contactless smart cards from On Track Innovations (OTI) in conjunction with face and hand biometrics. Speaking in December 2003, Ohad Bashan, director of global marketing at OTI, said: “Such a dual biometric system has never been used with the contactless cards before. It is significantly quicker than other systems that check handprints and retinas to identify users. The device takes between four and nine seconds to check each worker.”
Beyond borders As we have seen, at present most demand for biometric and smart card combined systems are for border control and national ID applications. However, when end-users become more comfortable with the idea of biometrics following experience of government-based applications, they may then be more willing to adopt the technology in other areas of life. Beyond the governmental market, the payments sector has for some time looked like a potentially strong segment to penetrate with a combination of biometrics and smart cards. So far though, market performance has been disappointing. Rollouts to this sector have often attracted considerable media attention, but although a raft of pilot schemes has taken place in many parts of the world, most have failed to move to live rollout and become a real commercial success. On the surface, biometric technology has much to offer the banking industry: it could address the
problem of identity theft; it provides a strong method of authentication, which is less likely to be compromised than PINs; it provides a high level of non-repudiation; and from a customer perspective, speed and convenience may be provided through a well-integrated system. However, in the UK, the Association for Payment Clearing Services (APACS) made a decision in 1999 not to deploy biometrics for 10 years. “This decision was made because retailers need to have time to prepare for any kind of new technology and therefore need to know the financial industry’s position,” comments Sandra Quinn, director of Corporate Communications, APACS. The organisation made its decision for two key reasons: reliability and concerns over the compromise of a biometric template. The issue of accuracy has dogged the biometrics community, and although work continues to improve the accuracy of the technology, most banks still consider that it is not good enough for use in a customer-facing environment. “Currently the very best technology has a False Rejection Rate (FRR) of 4 in 10,000. This means a genuine and honest customer could potentially be humiliated and wrongly identified as a fraudster at a cash point or POS,” says Sandra Quinn. “In the UK, 13 million card payments are made each day, which means that you could be looking at an average of 5,000 people being falsely rejected each day.” In the short term, therefore, most demand for smart cards and biometrics will be limited to the back office, where several banks and credit card organisations are known to have deployed a combination of smart cards and fingerprint biometrics for their physical and logical access control systems. Other markets that could prove interesting include the healthcare and telecoms sectors. In the case of healthcare, a combination of biometrics and smart cards could address the requirements of the US Health Insurance Portability Accountability Act (HIPAA), and could also be used in Europe, where initiatives are being developed aimed at empowering patients. A large part of the mobile telecoms industry, meanwhile, already uses two-factor authentication in the form of a SIM card and a PIN. As the SIM card is already used to authenticate the user’s PIN,
13
SURVEY Figure 3. A selection of recent announcements concerning smart cards and biometrics Market segment Project name
Biometric
Technical info
Canada Government
Restricted Area Identification Card Fingerprint and iris Additional information: Pilot tests began in 2004 at Vancouver and Montreal airports.
Contactless cards conforming to ISO 14443B
Denmark Transport
Bornholmercard
Fingerprint
Solution provided by Precise Biometrics and PayVend Solutions
Additional information: Designed to enable fast processing of frequent travellers between the Danish island of Bornholm and the Danish and Swedish mainland. Fingerprint technology is stored directly on the smart card. France Airports Roissy Charles de Gaulle Fingerprint Contactless smart cards and Orly airports Additional information: Designed to control access of staff to secure areas. The project will affect 90,000 people across the two airports and has more than 100 fixed and 15 mobile security checkpoints. Sagem is the prime contractor on the project, which will be implemented with Omnitech. Hong Kong Government Smartics Fingerprint and face Uses Multos smart card technology (Smart Identity Card Scheme) Additional information: Technical partners include PCCW (consortium leader), Keycorp (and Infineon), Trub, ACI-worldwide, MasterCard (KMA), Muhlbauer, SecureNet Asia, Cogent Systems, Digimarc. The card will be issued to all citizens over the age of 18. Italy Government Carta d’Identia Elettronica Optical/Smart card (Citizen’s ID Card) Additional information: Designed for e-government applications. 56 million people are expected to be enrolled by 2008. Personal and biometric data will be stored on the card. Government Defence Multipurpose Card Fingerprint 32KB smart cards supplied via Siemens Informatica Additional information: Cards are used for identification across the Italian military. The card contains personal data and photo of cardholder, fingerprint, medical health data and various digital certificates. Macao Government
National ID
Fingerprint
Multifunctional smart card from Siemens Business Services and Giesecke and Devrient.
Additional information: e-government card that will be issued to 460,000 people over a four-year period. Malaysia Government
MyKad
Thumbprint
Multi-application smart card delivered by the Government of Malaysia and the Government Multi-Purpose Card (GMPC) consortium.
Additional information: Designed for all citizens over the age of 12. 15 million people are expected to be enrolled by 2005. Oman Government
National ID solution Fingerprint Java Card technology delivered by Gemplus Additional information: Launched in 2003, the card is being deployed to 1.2 million users. The card contains name, address, digital photo ID and biometrics of the cardholder. Initially it is being used for personal digital identification, but this may be extended to include driver’s license, emergency medical data and any border control applications. Philippines Government I-Card system Face and Fingerprint Additional information: Issued by the Bureau of Immigration to identify foreigners entering and leaving the country. Saudi Arabia Government
National ID card Face/fingerprint/iris Additional information: It is believed that this scheme could include a 32KB multi-application smart card based on Multos. Facial images will be stored on optical memory stripes, with fingerprints or iris images most likely being added at a later stage. UK Government
National ID card
Iris/fingerprint/face
Technical delivery by SchlumbergerSema (now part of ATOS Origin) and a consortium of partners
Additional information: The proposal must still clear numerous hurdles. In May 2004, the UK government began a pilot involving 10,000 volunteers. United Arab Emirates (UAE) Government Nationwide ID programme AFIS ResIDent Secure ID from Gemplus Additional information: Two million cards to be rolled out for personal ID. Functionality of card could extend to driver’s license, border control and emergency medical data. USA Government Common Access Card (CAC) Fingerprint planned Now moving to dual interface cards Additional information: The CAC is a smart card designed to improve security at DOD installations worldwide by enabling physical, authorised access to installations, buildings and controlled spaces, as well as to gain access to military computer networks and systems. Government Undisclosed US state Fingerprint Precise Match on Card licenses from Precise Biometrics for the roll out of smart cards that can perform on-board fingerprint matching. Additional information: Pilot ID programme at an undisclosed US State. The initial programme will run until the end of 2004. Worldwide Corporate Boeing corporate ID card Suppliers to the project are Bell ID, Gemplus and Siemens Additional information: Over 200,000 corporate ID smart cards are being deployed to Boeing staff worldwide. Biometrics-based access control and other applications are expected to be added to the scheme in later stages.
14
Card Technology Today July/August 2004
SURVEY there is no reason why it should not be used to authenticate the user’s biometric. In the Japanese market, mobile phones are being issued with fingerprint sensors. And in Europe, prototypes of the technology have been on display at trade shows since the 1990s. Obvious biometrics for this market are fingerprint recognition and speaker verification. In the case of fingerprint recognition, sweeping sensors are desirable as their small silicon size makes them easy – and cheaper– to embed in mobile phones.
Not just yet, thanks In spite of the very strong drivers for the use of smart cards and biometrics, the two industries still face significant hurdles. Cost remains a problem, which sometimes makes it difficult to define a clear business case for the use of the technology. Added to this, although smart cards can help address some privacy lobby concerns, there is still a vocal civil liberties lobby that rejects the idea of smart cards and biometrics in many facets of life. Biometric technology standardisation is also a major challenge for the market. Work is ongoing in this area – and insiders report that things are becoming easier – but there is still some way to go. For example, it is not yet possible to use an extraction algorithm from one supplier and perform matching with another supplier’s algorithm, although standards governing the use of images before template creation are being worked on.
Standards The issue of standards remains a hindrance to biometrics market penetration. However, plenty of work is taking place via a number of different groups aimed at addressing this problem. Globally, the International Standards Organization (ISO) has formed a biometric standards committee to specify industry standards for biometrics and smart cards. In the US, the National Institute of Standards and Technology (NIST) and the Biometric Consortium have established a working group to accelerate the development of biometric standards for homeland security. Also in the US, the DoD aims to promote greater
interoperability of biometric technology through the development and adoption of standards. In August 2003, deputy secretary of defense Paul Wolfowitz announced the DoD Biometrics Enterprise Vision. He directed the DoD Biometrics Management Office (BMO) to ensure that a scalable biometric component of the Global Information Grid (GIG) infrastructure is in place, and that the appropriate standards, interoperability tools, testing frameworks, and approved product validations are available to assist the DoD community in using this technology. The BMO established the BMO Standards Working Group to coordinate biometric standards activities within the DoD. One of the BMO Standards Working Group’s major efforts has been developing the DoD Biometrics Standards Development Recommended Approach. This details an approach for identifying, participating in, and developing biometric standards.
Technology Beyond the work undertaken by the various standards groups, a number of technical developments are helping the industries advance. Match on card technology has been developed to allow biometric matching to be performed on the smart card chip, maintaining speed and accuracy. This provides the advantages of complete security for the template and also for the matching mechanism, both protected in the secure environment of the smart card chip. This technology addresses many privacy questions – and is well suited for national ID situations where there may be significant political pressures to ensure that privacy is not compromised. A number of countries have adopted the technology for national ID, including the UAE. It is also being used for other applications: in 2003, Swedish data security company Comex Electronics teamed up with Oberthur Card Systems and Fingerprint Cards to develop an IT security system based on match on card technology using smart cards and finger pattern verification. Card companies are working hard to develop better software so they can perform match on
card faster and with less memory space. One approach is the cheap microprocessor card route taken by the proprietary technology known as BioEasy. As Jacques Seneca, executive vice president, Business Development Group, Gemplus explains: “BioEasy … externalises the heavy computing to the reader so that instead of doing the computing on the card itself, the reader extracts minutiae from the fingerprint. The card then sends a set of true and false minutiae to the reader. The reader checks the information and says to the card ‘these are the errors I have found’. If the errors reported by the reader match the errors sent by the card, the card holder will be permitted to enter the system.”
The next step The smart cards and biometrics industries have made significant progress over recent years. There is no doubt that the two technologies could work well together to provide enhanced security and privacy to end-users in a diversity of market sectors. However, this will only be fully achieved when technical and interoperability problems are ironed out. Memory capacity will increasingly be expanded as buyers opt for more sophisticated processes incorporating multiple applications and even multiple biometrics. As Smart Card Alliance’s Randy Vanderhoof comments: “Memory capacity could be strained with demands for multiple applications on one card or when a full image is stored on the smart card. This is driving a move to larger cards and, as a result, we’re seeing a move from EEPROM to Flash memory.” The biometrics industry needs to work its way through issues such as encryption technology, template technology, false positives and false negatives. Once these issues are addressed biometrics will really come in contact with the card as a mode of application. And from the smart card industry’s point of view, contactless technology appears to be the obvious next step for use with biometrics. Although the majority of deployments currently use contact technology, this could change over the next three years with more organisations opting for a biometric and contactless chips, such as the next generation of passports.
Market Survey Contacts: Company Atmel APACS Atos Origin Fingerprint Cards Gemplus Oberthur Precise Biometrics Smart Card Alliance
Name Philippe Ruffin Sandra Quinn Carl Norell - +33 1 47 85 54 00 Christer Bergman Randy Vanderhoof
Card Technology Today July/August 2004
Tel +33 4 7658 3074 +44 20 7711 6200 +33 1 55 91 20 00 +46 31 607 820 +1 215 390 2899 +33 1 56 05 05 82 +1 703 319 9664 +1 609 587 4208
Fax +44 20 7256 5527 +33 1 55 91 20 05 +46 31 137 385 +1 215 390 2927 [email protected] +1 609 587 4248
email [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]
15