Feds want compatible smart cards: Biometrics vendors resist giving up unique features

That's why the federal government is nudging ? some say pushing ? the biometrics industry toward greater interoperability, to make the cards scannable by multiple systems.

Vendors appear to be supporting the new federal requirements, albeit reluctantly. Smart-card vendors may have to give up some features that make their own biometrics systems unique in order to make their cards compatible with other systems, experts said.

And there are technical concerns about how to demonstrate and test the interoperability of biometric cards' capabilities.

"Biometrics vendors have not had to face an interoperability requirement before," said Paul Griffin, chief technology officer for Identix Inc., a biometrics services company in Minnetonka, Minn.

Overall, analysts said that greater interoperability ultimately will help create a much larger market for biometric smart cards. The global biometric market of $1.8 billion in 2005 is expected to double to $4.6 billion by 2008, according to the International Biometric Group, a New York market research firm.

"Ultimately, having a larger market would allow the best players to win," said Phil Scarfo, senior vice president for NEC Solutions America, a Sacramento, Calif., provider of integrated solutions.

Big kid on the block

The federal government is a substantial part of the biometric smart-card market. Fifteen federal agencies support 34 smart-card projects, the Government Accountability Office reported in October. Nine federal agencies, including the Defense Department, are pursuing large-scale smart-card deployments. DOD is developing the Open Access Card for 3.5 million Pentagon employees.

Similarly, the Homeland Security Department intends to issue 250,000 smart cards to employees, and the Veterans Affairs Department expects to distribute 500,000 smart cards to employees at an estimated cost of $162 million, GAO said.

In biometrics, physical characteristics such as a fingerprint or face or iris image are used to identify a person.

When such information is stored on an integrated circuit chip, it can be embedded in a plastic identity card called a smart card. The chips have the advantage of being able to store and process data, in comparison to simpler technologies such as magnetic strips or bar codes, which only store data.

On Feb. 25, the Commerce Department released the final Federal Information Processing Standard for Personal Identity Verification, FIPS 201. For federal employee smart cards Commerce laid out the operational and technical requirements under Homeland Security Presidential Directive-12. The smart cards and access systems for federal workers are supposed to be largely in place by October.

Under FIPS 201, federal employee smart cards must contain computer chips with images of two fingerprints. A facial image must be printed on the card, though an electronic facial image is optional.

Use of images is key to developing interoperability among smart cards, experts said. The cards' proprietary digital formats, which are templates for categorizing the biological data, and their proprietary mathematical algorithms for capturing patterns in the data depend on the images of physical characteristics such as fingerprints and faces.

"The image is the lowest common denominator," Scarfo said.

Producers of smart cards see the value in gaining interoperability through the use of the FIPS 201 standard, because it will help create a huge federal market for their products, Scarfo said. But they fear possibly losing some of their competitive edge if they go to a common, minimal standard.

"Smart cards have evolved through proprietary technologies. Right now, each vendor has his own 'special sauce' that makes the difference in how the algorithms work," he said. "The market is forcing greater interoperability, but the vendors are resisting it."

Ideally, Scarfo said, future smart-card chips may be large enough to contain not only images to meet basic standards, but also to provide an optional, higher tier of security through use of proprietary data templates and algorithms. That would be applicable in such cases as when a federal worker may need a low-level credential to enter a federal building and a second layer of security to authorize access to specific areas of the building.

For now, though, vendors are "dragging their feet" about giving up their proprietary formats, Scarfo said. NEC, too, may have to do some retrofitting of its biometrics products to meet the FIPS 201 requirements, he said.

NIST tests new solution

Another possible way to achieve smart-card interoperability would be to develop a common biometric data format standard, said Patrick Grother, a computer scientist with the Visual Image Processing Group at the National Institute of Standards and Technology in Gaithersburg, Md. Grother spoke March 8 at a cybersecurity conference in Washington sponsored by Government Computer News, a sister publication of Washington Technology.

Grother said NIST this year will conduct a large-scale biometric interoperability test, the Minutiae Interoperability Exchange test. The Minex test will help NIST evaluate the interoperability of a standard fingerprint minutiae template, which is a digitized fingerprint. However, he said, the notion of interchangeable data formats is still an open question.

"There is no proven interoperability," he said.

In addition, there still is no ability to conduct quickly a standardized test to judge whether a particular vendor's smart card is effective, or to categorize accurately and quickly the quality of the original fingerprint and face images that form the basis of a particular biometric identification, Grother said. Both are priority projects for NIST this year, he said.

"A lot of systems work badly with low-quality data," Grother said.

Ultimately, the FIPS 201 and other government efforts in the direction of interoperability will benefit the industry, Scarfo said. "These kinds of directions, unfortunately, are necessary to get everyone to play ball. They will make people pay attention," he said.

"For contractors, the challenge is interoperability," said Jeff Vining, research vice president for Garner Inc., a market research firm in Stamford, Conn. "Otherwise, we'll have 50 national ID cards instead of one. They will have to learn how to play with others." n

Staff Writer Alice Lipowicz can be reached at alipowicz@postnewsweektech.com.