The DLR Standard
When mobile phones threaten security, it’s time to ‘decellerate’
- By Ron Martin
- Feb 01, 2012
The most inefficient method of identification
document authentication is the use of the
DLR standard. This requires the police officer,
physical security officer, security guard and/or
facility entry screener to have “Calibrated
Eyeballs” (CAL-EYEs). CAL-EYE screeners
are required to have, in some cases, the requisite
knowledge of more than 9,000 identity documents typically
used as proof of a person’s claimed identity. The screener
must adhere to the DLR standard and determine document
authenticity. Security postures in most organizations rely on
the screener’s ability to apply the DLR standard, also known
as the “Don’t-Look-Right” evaluation.
Many security professionals have used the DLR standard to
conduct security operations. Personal recognition is the most
accurate form of identification; use of the DLR standard is at
the other end of the identification spectrum. CAL-EYE screeners
must detect with consistency fraudulent identification documents,
but as identification counterfeiting becomes more sophisticated,
this will become an increasingly difficult task.
In 2004, Breeder Document Authentication (BDA) was
chosen by the National Institute of Standards and Technology
(NIST) as the recommended technology for the Federal Information
Processing Standard 201 (FIPS-201) Enrollment Workstation,
created in response to the Homeland Security Presidential
Directive 12 (HSPD-12). BDA technology powers the credentialing
of workers and employees in airports, seaports and the Coast
Guard as part of the Transportation Workers Identification and
Credentialing (TWIC) program. BDA technology is used for visitor
management at sensitive facilities such as the departments of
State, Homeland Security and the National Institutes of Health
headquarters.
Most official IDs have productivity and security devices built
into them. A magstripe or bar code is an example of a productivity
device, which typically encodes biographic details printed
on the document. Using a magstripe, bar code or combination
reader, the biographic data can be quickly populated into an accompanying
application. On passports and visas, the machine-readable
zone (MRZ) serves a similar purpose. Comparison of
the biographic data on the productivity devices with the printed
information provides a minimal level of security that may be acceptable
for some applications. Some additional security can be
built into two-dimensional bar codes by encrypting the information
on them. Fluorescent ink that glows in UV light is an example
of a security device that requires a considerable amount
of sophistication to reproduce correctly. A digital watermark is
another example.
Today, the vast majority of people charged with inspecting
identity documents—such as TSA agents, border and customs
inspectors or bank officials—use manual forensic techniques to
check security features that are incorporated in the document.
For the examination, screeners might use specialty optical equipment
or computer-attached document readers to identify the expected
ultraviolet and near-infrared (NIR) properties, guilloche,
optically variable device (OVD) presence, embossing, perforation,
retro-reflective laminate background patterns and overlay
patterns (visible, UV, NIR). However, CAL-EYEs cannot evaluate
every UV property and associate the issuer’s UV to the presented
credential.
Universal ID authentication. Depending on the customer’s
needs, the authentication method should be able to recognize and
validate all possible IDs that could be used by ID holders. For example,
a border control station might need to validate passports,
visas, transit cards, driver licenses, green cards, and so on from
various countries, whereas a liquor store located in the heartland
may only need to validate driver’s licenses for a few states.
A good automated ID authentication system should meet the
following criteria:
- It must be able to detect any type of fake ID using all possible
integrity checks for the document type to ensure highest levels
of confidence.
- It must be able to accommodate minute variations in legitimate
IDs, to keep false rejects to a minimum.
- It must be fast, to enable speedy processing.
- It must strive to eliminate false accepts.
- It must be easy to use so that even untrained operators cannot
compromise the integrity of the system.
- It must be easily and quickly update-able so that as new IDs
come into play, the system will continue to function without
work stoppage or an overhaul.
The notion of universality, such as the ability to perform a variety
of tests on sundry document types, is especially important.
Different jurisdictions produce IDs with different security and
productivity devices. A system that can read only smart cards,
for example, will serve a singular purpose of validating IDs with
those devices quite well; however, considering that smart cards
are not universally used, there would be a need
Another example is a system for checking digital watermarks,
which are sophisticated and hard-to-reproduce security devices. If
you have a system that can validate the integrity of digital watermarks,
it is clearly a secure system; however, it may not serve the
purpose of universal ID authentication too well, because there are
only a limited number of jurisdictions that use digital watermarks.
The government’s Office of Government-wide product evaluation
criteria document states the FIPS 201-1 requirement for
identity proofing of applicants:
1.1-15 During identity proofing, the applicant shall be required
to provide two forms of identity source documents in
original form. The identity source documents must come from
the list of acceptable documents included in Form I-9, OMB No.
1115-0136, Employment Eligibility Verification. At least one document
shall be a valid State or Federal government-issued picture
ID. Reference: FIPS 201, Section 2.2 PIV Identity Proofing and
Registration Requirements.
To authenticate an ID, you first need to determine precisely
what type of document you are examining. For example, just
knowing that you’re looking at a U.S. passport is not sufficient.
You need to know what series, what year and place of issue, possibly
even the issue date and more, depending on the document.
This is not only because the format of the document itself may
differ from series to series, but also because there could be minute
variations in the document, depending on a variety of human
factors such as place issued, place and time printed and wear-and-tear.
For example, with U.S. driver licenses, there are many
centers that issue IDs and, depending on when and where the
license was issued, there could be minor and sometimes not-so-minor
variations in document quality.
In fact, in one state, all licenses issued over a three-month period
from a particular office were printed using an ink that did
not have the appropriate near-infrared response. A good ID authentication
system should be able to detect all variations and
account for them appropriately so that the percentage of false
rejects is kept to a minimum while also not increasing the possibility
of false accepts.
The government has expended enormous resources designing
strong visual topographical attributes of the PIV card to comply
with the DLR Standard. Agencies and organizations require the
use of the DLR standard instead of a technological solution. The
convergence imperative requires that we use IT to support our
physical security officers and screeners. Therefore, the use of the
DLR standard must be rescinded. Senior security officers must
migrate to BDA technology.
This article originally appeared in the February 2012 issue of Security Today.