Trial and Error
Finding the right biometric solution for U.S. ports
- By Terry Wheeler
- Feb 01, 2009
With 1.3 million workers at 3,200 port facilities and on 10,000 U.S. flagged vessels, the initial TWIC roll-out seemed like a good place to start securing U.S. transportation locations. The Transportation Security Administration is requiring all port employees to use tamper-resistant smart cards, which include encrypted magnetic stripes, bar codes, and contact and contactless technologies.
However, the goal of getting all ports up to speed by April 15 is proving to be a Herculean task that TSA, its contractors, the Coast Guard and the individual port operators are all working extremely hard to meet. Some ports have achieved TWIC compliance on schedule, and this speaks volumes about the amount of work going on behind the scenes.
Adding to this stress is the fact that the TWIC mandate calls for the use of biometric technology to verify the identity of port workers at port entrances.
Testing Fingerprint Biometrics
The implementation of the TWIC initiative has proven troublesome as it was initially based only on one form of biometric security technology: fingerprinting. During an early pilot program, TSA learned that not all biometrics technologies are created equal. Because of its popularity, fingerprint reader technology was initially tested but ultimately failed, due to its fragility in the port environment and its lag time in enrollment and throughput.
In 2006, a one-year pilot program for fingerprint readers began at the Port of New York and New Jersey, one of the nation’s busiest ports. On Oct. 31, 2007, after the pilot program had concluded, a hearing on TWIC and homeland security was held in front of the U.S. House of Representatives Committee on Homeland Security.
In a statement that was read before the committee, Bethann Rooney, port security manager for the Port of New York and New Jersey, said, “In the outdoor environment, we experienced a false rejection rate of 9.5 percent as opposed to 1 percent that is called for in the TWIC specifications. We also experienced an average transaction time of six seconds, which is twice as long as the maximum transaction time that is required in the maritime industry.
“Our experience with this project clearly indicates that fingerprint biometric technology simply does not perform as well as advertised in an outdoor environment.”
Port of Halifax
The Port of Halifax is the world’s second largest ice-free port and a key transportation hub that serves as Canada’s east-coast connection to worldwide trade. With security issues being a top priority, in August 2007, the Port of Halifax deployed vascular biometrics technology, which uses patented recognition algorithms to capture and encrypt individuals’ unique vascular patterns on the back of the human hand.
The port found that VPR technology provided the highest degree in system security and speed. When compared with previous biometric technology (fingerprint, iris scanning or hand geometry), vascular biometrics is both accurate and foolproof, making it ideal for entry management and workforce time and attendance. It also is easily integrated into current, legacy and future TCP/IPbased systems.
The fingerprint reader pilot program uncovered the following key issues.
Port access. Key to the survival of a port is the amount of traffic that can enter and exit a port quickly and easily. Fingerprint readers can take up to 10 seconds to authenticate and verify the card holder. This, combined with the number of false rejections inherent to the technology, can create epic traffic holdups.
Port environments. Ports are not the cleanest places in the world. Their location near the water causes dirt and grime to collect on port workers’ hands, obscuring fingerprints and making a fingerprint scanner’s job a lot harder. Wash stations and hand sanitizers, installed near the readers, have been suggested as a solution. But this not only creates a bottleneck at the reader, there also would be an added cost to install and maintain.
Weather. Fingerprint reader technology is often affected by cold or dry skin and has a hard time surviving typical climatic conditions in a port environment. In her statement to the U.S. House of Representatives Committee on Homeland Security, Rooney said, “[D]espite manufacturers’ published environmental requirements, biometric [fingerprint] reader performance suffered greatly in both the rain and severe cold, and 71 percent of the readers needed to be replaced within a year due to hardware and display failures.”
At the same time, two other North American ports installed vascular readers, which excelled in security protocol and adaptability. The technology overcame many of the obstacles that thwarted fingerprint readers.
A New Method
Clearly, if the TWIC mandate states there has to be a biometric solution in place at the ports, fingerprint readers cannot be the only solution. This begs the question as to why fingerprint readers were initially tested.
The answer lies with the TWIC card enrollment process. To obtain a TWIC card, a port worker must go to a TWIC enrollment center and be fingerprinted for an FBI background check. After six to eight weeks, the worker is cleared and can pick up the TWIC card.
The initial idea was that since the worker needs to get fingerprinted for the background check, these prints could also be used for the biometric solution. However, the enrollment centers are not located at the ports. Once the worker obtains the TWIC card, he or she would have to go back to the port to be enrolled in the port access control system to be recognized when they arrive at a gate or turnstile.
This system is what is known as the “continuity of trust” or “chain of trust.” However, because the worker needs to be enrolled in the port’s access control system, there is an opportunity to employ biometric solutions outside of fingerprinting at the ports.
Biometric technologies are not cookie cutter. Depending on a number of factors, such as the environment, the amount of user traffic and enrollment, one solution will succeed where another won’t. In the case of the ports, vascular readers that scan the back of the user’s hand have proven very successful in circumventing the limitations of fingerprint scanners in the same environment, due to a number of factors.
• With a verification time of around 0.1 seconds, vascular readers allow for quicker traffic throughput. Vascular readers also allow for a speedy enrollment process. In recent test conducted by TSA, a vascular reader technology enrolled five people in the time allotted by the organization to enroll one person.
• Unlike fingerprint readers, vascular readers read the back of a workers hand, which does not get as dirty as the fingers. Also, as the reader scans millimeters below the skin, the hand does not have to be clean to verify the worker’s identity.
• Vascular readers can be contained in heated outdoor enclosures that support operation while withstanding all weather conditions.
During the recent Maritime Security Expo, a panel on TWIC, called “TWIC - Does it Help? Issues and Solutions,” was held. During the panel, participants discussed issues regarding the possibility of the TWIC initiative reverting to its original mandate that all transportation workers be enrolled in the program, not just port workers. Transportation workers in this instance would include all truck drivers, bus drivers, airport workers and contractors working at these locations.
This would balloon the enrollment numbers from 1.3 million workers to several million. Concerns were cited that, for instance, a non-TWIC enrolled driver could enlist an enrolled driver to go into a port, pick up a shipment, drive out and then hand it over to the unenrolled driver, legally circumventing the security solutions put into place by the program.
Though this is a legitimate concern, if TSA is to expand this program, the process needs to be much quicker than it has been with the ports. Applying the right biometric solution will be crucial in making this implementation work and getting the nation secured faster.
This article originally appeared in the February 2009 issue of Security Today.