Morphing of digital fingerprint tests startles contractors

Federal testing of digital fingerprint compatibility begun two years ago has morphed into an eligibility test for vendors that want to participate in the massive, upcoming federal identification card program under Homeland Security Presidential Directive-12.

And that has raised concerns that some biometric companies may have inadvertently missed an opportunity to take part in one of the largest smart card procurements of the decade.

Large-scale testing for the Minutiae Interoperability Exchange Test (Minex) was initiated by the National Institute of Standards and Technology in August 2004. It was a test of the interoperability of vendors' fingerprint minutiae templates, which are digitized descriptions of fingerprints and their characteristics, including the position and orientation of ridges and other features.

In February 2006, NIST said Minex vendors also could apply for certification for the federal Personal Identity Verification card initiative under HSPD-12. About 12 million federal employees are expected to be issued ID cards in that program. In April, NIST certified eight Minex vendors for both interoperability and personal identity verification.

However, the expansion of Minex certifications in the final months of testing has raised concerns.

Walter Hamilton, chairman of the International Biometric Industry Association and vice president of Saflink Corp. of Bellevue, Wash., said companies that considered submitting products to Minex in 2004 and early 2005 did not necessarily realize the eventual significance of the tests.

"Companies that submitted [to Minex] didn't know the criticality of the submission," Hamilton said. "They did not realize then the importance of participation. If they had, then some companies that did not participate would have done so."

As a result of Minex, 14 vendor products, including extraction and matching products from Cogent Systems Inc., Bioscrypt Inc., Dermalog Identification Systems and NEC Corp., were certified interoperable last month.

NIST also said, based on guidelines in its Special Publication 800-76 released in February, that the 14 products meet performance requirements for use in the federal personal identity verification card under Homeland Security Presidential Directive-12.

HSPD-12, released in August 2004, mandates that government agencies issue personal identity cards to their employees. To set standards for products to meet the goals of the directive, the final Federal Information Processing Standard 201 was released in February 2005. The addition of the personal identity verification certification occurred following Special Publication 800-76 in February 2006.

"NIST testing was pre-FIPS 201," Hamilton said. "Never was it represented that the (NIST) tests could get a company on the magical list of products for FIPS-201, but that is exactly what has happened."

Overall, 15 vendors participated in Minex, and eight earned certification for both interoperability and personal identity verification.

However, one of the best known biometric companies submitting algorithms to be tested, Identix Inc. of Minnetonka, Minn., did not receive a certification in Minex. The company has a $27 million blanket purchasing agreement to provide biometric services and equipment to the Homeland Security Department and has sold $6 million in facial recognition biometric applications to the State Department.

Several industry executives met with NIST officials April 27 to air concerns about the timing, scope and interpretation of the fingerprint minutiae tests, especially in their context as a qualification for meeting HSPD-12 requirements.

NIST has taken steps to remedy the situation and to let more vendors participate, Hamilton said. Shortly before the April 27 meeting, NIST announced it would conduct ongoing testing of vendor products for the Minex and PIV certifications. A NIST official did not respond to a phone call requesting comment.

"NIST has addressed most of our concerns," Hamilton said.

An Identix spokesman said the company intends to resubmit a new algorithm.

The algorithm that failed to win certification by NIST was older and "not one of our top performers," Identix spokesman Damon Wright said. "I don't believe the [NIST] list is final in any way, shape or form. We are in the process of submitting our latest BioEngine algorithm, and we feel very confident it will be certified."

Identix has reason to be optimistic. In a separate test of accuracy in March, NIST identified BioEngine as one of three top-performing algorithms out of 21 tested.