The Magic Touch

Biometrics offers the best solution for identifying people at border crossings

• By Alain Jutant
• Dec 01, 2006

THE fluctuating state of global migration, combined with international terrorism threats, make ID verification increasingly important at border crossings. According to Customs and Border Protection, in 2005, the United States had an average of 1.2 million visitors per day at the 314 land, air and seaports last year. Approximately 3,000 entries were denied. Since 2002, more than 6 million people have been expelled while attempting to enter the United States illegally (7 percent of them had criminal records). However, in August, the Department of Homeland Security reported that there were still around 10.5 million unauthorized immigrants living in the United States in January 2005. Around 72 percent of the unauthorized immigrants living in the United States were from North and Central America (Canada, Mexico, Bermuda and the Caribbean). And Mexico accounted for nearly 6 million people.

One of the reasons for these high figures is that traditional IDs can easily be counterfeited or falsified, and conventional ID verification technology is no longer sufficient to detect such falsifications.

Consequently, the Secure Border Initiative is designed to reduce illegal immigration and strengthen security and controls along U.S. borders and in international airports. For instance, the number of border patrols agents has increased significantly, and investments in modern technology is being expanded.

On the ID side, HSPD-12 establishes a "government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors." The directive also promulgates a federal standard for secure and reliable forms of identification. It explicitly says that identification should be strongly resistant to identity fraud, tampering, counterfeiting and terrorist exploitation and should be rapidly authenticated electronically. In addition, the policy states that the directive will be implemented in accordance with the Privacy Act and other statutes protecting the rights of Americans.

This directive is a key driver for governments and ID applications everywhere in the world. Both the deployment of FIPS 201-compliant ID applications within federal agencies and the e-passport project are expected to lead to the implementation of reliable, secure and interoperable solutions to authenticate individuals.

Integration of Biometric Requirements
Already, within the frame of the U.S. government's Personal Identity Verification (PIV) card program, security templates will include a fingerprint identifier and embedded personal information. Smart card IDs will also be used for the Transportation Worker Identification Credential (TWIC) program that aims to issue approximately 10 million IDs to transportation workers over the next two to three years. In May 2003, the International Civil Aviation Organization, recommended that biometrics be used in e-passports and other machine-readable travel documents. In Europe, the Visa Information System (VIS) is a border control project that will use biometrics to enhance security and facilitate traveling within the EU. England also will begin issuing biometric passports with facial recognition in 2006 and fingerprint technology by 2009. Hong Kong, Malaysia and Thailand also are early adopters of ID card programs.

Currently, smart cards are the most secure medium for personal and confidential data. Due to embedded computing power and advanced security features, smart cards are widely used in corporate, military and governmental security applications. Since the Sept. 11, 2001, terrorist attacks, government agencies and airport authorities, in particular, have been looking for ways to strengthen security, stepping up their investigations of biometrics technology. Biometrics, in combination with smart cards, can be used to quickly verify the identity of an individual entering the country. Large government and private organizations have identified biometric technologies as key in raising the level of ID authentication accuracy and plan to invest substantial amounts into biometric security solutions for future security needs.

Due to the increasing reliability of biometrics, the technology is now being used in many more applications. Today, solution prices are more affordable and biometrics system manufacturers have established technical standards to leverage the technology's requirements and uses.

Fingerprint recognition is the most widely used biometric recognition method because it is highly accurate, relatively non-intrusive, uses an existing reference database and is affordable. Fingerprint identification is based on optical, capacitive, thermal, ultrasound or pressure/tactile sensors. Optical sensors have several advantages, including ease of use, durability, lower cost per surface area, as well as high detection accuracy. Conventional optical technology is based on external optics and is the oldest and most widely proven technology, but so far, has been too bulky and costly for smart card integration. Currently, there are nearly 40 companies worldwide developing and/or manufacturing fingerprint sensors. Most companies are using silicon sensors and a capacitive detection process.

Smart cards are already used in financial and other fingerprint identification-compliant applications, offering high security for the storage and processing of sensitive data. High-security smart cards provide state-of-the-art digital signature technologies for secure e-business transactions and reliable ID solutions. But even the strongest security mechanisms are protected by PINs or passwords that are subject to being compromised or forgotten. Combining high-security smart cards with biometrics eliminates the weakest point -- PINs and passwords. By linking the user directly to the identification process through their unique physiological and/or behavioral traits, it is possible to determine that the authorized user is indeed present -- not just someone who happens to know a combination of numbers or letters.

Many biometric and smart card manufacturers are developing biometric smart card solutions. Smart card-based biometric authentication solutions are subdivided into three technical categories: template-on-card, match-on-card and biometric system-on-card.

Template-on-card. Template-on-card solutions allow only the storage of biometric templates on the smart card. Acquisition, feature extraction and matching are conducted in an external device -- such as a PC with biometric sensor and software. Today, almost all smart cards have sufficient memory capacity for the storage of biometric templates, and many biometric vendors offer template-on-card solutions.

The storage of biometric templates on a smart card offers much more security and privacy than the storage on PC's, servers or centralized databases. But, compared to the other biometric smart card solutions, template-on-card solutions have the lowest security level. The technology requires the biometric template leave the smart card's secure memory and be transferred into a more vulnerable environment such as a PC. Template-on-card solutions always need external biometric devices with additional biometric software, so the cost for the complete identification infrastructure is substantial.

Match-on-card. Match-on-card solutions offer the second-highest level of security and convenience. A state-of-the-art smart card has enough processing power and memory for the storage of biometric templates and the matching of fingerprints. The processing-intensive acquisition and feature extraction are conducted in an external device?a smart card reader with integrated biometric sensor, microprocessor and memory. Therefore, match-on-card solutions always require external biometric devices with additional biometric software, which includes an investment in identification infrastructure. However, match-on-card solutions are more secure, since the biometric template does not need to leave the smart card.

There are currently only a few smart card and biometrics companies -- Giesecke & Devrient, Precise Biometrics AB, Activcard and Oberthur Cards -- that offer match-on-card solutions.

Biometric system-on-card. The biometric system-on-card concept offers the highest level of security, privacy and convenience. In a system-on-card solution, the smart card contains a complete biometric verification system with biometric sensor, secure biometric controller and memory. The acquisition, feature extraction, match and storage of the biometric template are conducted directly on the smart card. Therefore, system-on-card solutions need neither external biometric devices or readers, nor additional biometric software. These cards are designed to use existing smart card infrastructure.

Due to technological restrictions specific to smart cards (memory size, computing power, power consumption, mechanical dimensions, bending resistance), only fingerprint and voice recognition technologies can actually be integrated into ISO/IEC 7816-compatible smart cards. Face and iris recognition technologies require more computing power and memory than what is currently possible with smart card processors. Furthermore, paper-thin and flexible optics for smart cards are not yet widely commercially available, though the field of printed electronics and organic semiconductor-based devices holds great promise for alternatives to conventional silicon-based technologies.

An ISO/IEC 7816-compatible system-on-card solution is based on fingerprint biometrics, requires a thin and unbreakable life-scan fingerprint sensor and a highly integrated biometric controller with sufficient non-volatile memory for biometric template storage.

There are at least three limiting factors as to why no commercially available fingerprint sensor can be integrated into ISO/IEC 7816-compatible smart cards -- a thickness of more than 0.8 millimeters, insufficient bending resistance and cost.

Silicon sensors have technical potential for integration into smart cards, if new thinning technologies are applied, but price will still be an issue.

Biometric Smart Card ID Requirements
There are a number of important requirements for biometric verification systems embedded on a smart card. The first is high recognition accuracy and high reliability. The smart card must fulfill the highest security requirements. The system must be evaluated and certified according to worldwide accepted security standards like Common Criteria EAL4+, ITSEC E4 hoch, FIPS 140, ZKA, Visa and EMV. The card must also offer a high degree of protection against identity theft. The fingerprint verification system must provide advanced fraud detection capabilities to prevent identity theft through fake fingers.

In addition, it's a requirement to offer strong protection of biometric data against forgery and misuse. The fingerprint verification system must provide strong protection techniques for personal and biometric data to meet the requirements of data protection laws and consumer organizations. Once the integrity of biometric data is compromised, it can never be regained. Unlike a password, biometric data cannot be changed. In this, the system must provide low false-acceptance and rejection rates, and acceptance of a wide range of finger types, from very dry fingers to very wet fingers.

And in being ISO/IEC 7816-compliant, the system must meet the strong demands of low production prices while at the same time being compatible and interoperable with existing readers, applications, production equipment and processes.

Outlook and Opportunities
Some technologies, like 2-D barcodes or a dot matrix, will likely be used in some ID applications. But in such cases, the achieved security level is far below what is required to secure borders against illegal immigration or terrorist attacks. In addition, the use of RFID in national ID programs will enable border agents to collect ID data more quickly but, if used alone, cannot improve the ID verification accuracy level. RFID chips embedded in a visa or in an ID card can only help track the document, but not the actual and legal owner of the document. Similarly, PINs used in smart cards are only useful to authenticate the smart card itself, not the owner of the smart card.

Biometrics creates the required link between any individual crossing a border, that person's ID and the threat assessment. This is key in securing ID authentication and ensuring that an individual is who he or she claims to be at a border checkpoint or during a border patrol check.

Currently, template-on-card solutions are, and will be, the most widely used solutions for national biometric IDs in the short term. Some biometric ID solutions that are based on two different biometric traits or a combination of fingerprint data and a PIN code have already been successfully evaluated in major ID programs like TWIC. Alternately, several match-on-card solutions also are being seriously investigated for security and privacy advantages. These solutions can be considered for some near-term applications like PIV.

What was not possible with conventional silicon fingerprint sensors now seems feasible thanks to recent developments in the field of thin-and-flexible printed sensors, which can be integrated into smart cards. Multimodal biometric sensors that can detect surface fingerprints, blood parameters and underlying tissue structures are being developed through printed electronics manufacturing techniques. The multimodal capacity increases the identity verification accuracy and protects against the possibility of fraud through the use of fake fingers. A combination of multimodal smart card-embedded biometric systems and RFID can be a secure and efficient way to authenticate ID at U.S. borders, as well as sea or airports anywhere in the world.

Emerging technologies widen the possibilities of incorporating biometrics into smart card solutions that are currently in use and paves the way for a secure and reliable ID authentication system for use at border crossings that meet both the security and privacy requirements listed in HSPD-12.