Getting Started - Mobile Biometrics

David Benini

Vice President, Marketing I Aware, Inc.

September 2013 Update

Getting Started – Mobile Biometrics

Welcome to Planet Biometrics’ In Focus page on mobile biometrics. While use of mobile biometric solutions has evolved in step with the larger biometrics market for some time, the growing ubiquity of smart phones and the rapid and dramatic improvements in their features and performance are accelerating the trend. As a result, mobility is becoming an increasingly important part of the biometrics landscape. The time is right to take a closer look at mobile biometrics, and to investigate in greater depth how they can be used to their full potential. The purpose of this article is to initiate a dialog that ultimately establishes a useful and up-to- date source of information about mobile biometrics. We’ll continue to add new content, with particular interest in learning about new technologies and products, and how they are faring in the field. Hopefully in the process, we as an industry can educate potential users about what’s possible and also learn about what users are looking for.

Getting us started on the topic, we’ll take a quick review of biometrics, and get squared away on our technology fundamentals and terminology. We’ll then discuss the current state of the mobile biometrics market: applications, form factors, workflows, and products. We’ll finish up with a look at what’s on the horizon in mobile biometrics and speculate on what might be headed our way. Please feel free to contact me with ideas and material that can help educate the market with fresh information.

August 2013 Update In the months since this white paper was first posted, there have been several developments that suggest we are on the cusp of a surge in mobile biometric technology adoption. In July 2012, Apple acquired fingerprint sensor manufacturer Authentec. As we approach the anticipated iPhone launch date, rumours abound, but consensus seems to be that the iPhone will in fact include a sensor. There is further consensus that if Apple can successfully integrate a fingerprint sensor into a smart phone, we can expect to see rapid growth in use of biometric- based smart phone applications that did not follow their broad integration into laptops several years ago. We can also anticipate that application developers to quickly find fresh and innovative ways to make use of the sensors towards improved security.

On another important front, the US Government has provided seed funding to private industry towards improved cyber security; to essentially find alternatives to passwords to better secure our online interactions. This comes in the form of “NSTIC”, created and administrated by NIST to launch an open industry working group “IDESG” tasked with envisioning a new “identity ecosystem”. The goal is to specify models for secure online transactions for a wide range of applications in several verticals. Mobile solutions are on the forefront, and biometrics will play a role. On a similar mission, the FIDO Alliance has defined a model utilizing existing security standards that proposes to eliminate passwords altogether.

It’s expected that over the course of the next year, we will see these market dynamics converge to drive the introduction and adoption of biometrics–based applications and solution for smart phones. We can only imagine what people will come up with, but it promises to make 2014 an interesting year for mobile biometric solution providers.

Getting Started – Mobile Biometrics

Why go mobile? trust in identity—proving we are the person we say we are—is useful. Being Mobile biometrics are about achieving able to do so with mobility is even more biometric functionality with portability. so, and this is the focus of our article. Achieving portability means trading one set of physical constraints for another; we The biometrics pie can be sliced in many trade the power of computer workstations, ways, but here we’ll divide the space by reliability of power outlets and Ethernet application into three parts: 1) access jacks, and predictability of an office-like control, 2) watchlist checking, and 3) environment for portable, miniaturized duplicate checking: capture and computing hardware in convenient but potentially non-ideal, Access control involves securing access unpredictable environments. to either a physical asset, such as a room or building, or to a digital asset, such as a Why is mobility important for biometrics? computer application or database. Biometric tasks can’t always be performed Biometrics can be used to enhance in a controlled environment. Biometrics access control by performing a need to go where people go... outside or mathematical comparison of a person’s in public spaces, for example, and they live biometric sample to a trusted stored might be needed somewhere different sample. This stored sample might reside each day. Achieving mobility while either in a central database or on a maintaining sufficient biometric credential such as a smart card ID. This performance is difficult, but the challenges process can be called a “one-to-one are not unlike those associated with other verification” of an individual’s biometrics. familiar mobile technologies (laptops and In this way, we can “authenticate” the cell phones): power consumption, assertion of a person’s identity, answering security, durability, reliability, portability, the question “are you really who you claim ergonomics, processing power, and to be?” and using the comparison result to connectivity. either grant or deny their access to a particular asset. Use of biometrics for Biometric Applications access control is of particular interest for The first application of biometrics was for commercial or personal security criminal investigation and law applications. Mobility is useful for some enforcement: to use “latent” fingerprints access control applications; perhaps most found in a crime scene to help identify notably physical access control to a who might have left them behind. Today secure perimeter such as a nuclear plant this application remains an extremely or corporate research facility. important one, but with the help of modern Watchlist checking is a very different digital computing we’ve also learned to process that serves to assess whether an use biometrics for another very useful individual’s biometrics are stored in a purpose: to establish trust in a person’s database of “persons of interest”. In this identity. Modern biometrics, at their core, process, an individual’s live biometrics are are about using an individual’s physical submitted to a biometric search system for characteristics or behaviour to generate a “one-to-many identification.” The system set of numbers that can be used (with the mathematically compares the live “probe” help of a computer) to uniquely identify sample to many samples in a “gallery” of them consistently over time. Establishing

Getting Started – Mobile Biometrics persons-of-interest in a watchlist. In doing Comparison: extraction and matching, so, we can identify an individual even if interoperability and performance they are not truthfully identifying Comparison of biometric samples involves themselves. Watchlist checking is two computations: template extraction and performed most often by governments for algorithmic matching. First, a numeric a variety of purposes where trusted representation of the biometric sample identity is important, including criminal called a ‘template’ is generated. This investigation and law enforcement, visa template is then algorithmically compared issuance and border management, to other templates, yielding a match score. employment screening, and defence. In most cases, these templates are Again, mobility is potentially useful for proprietary and can’t be used with these applications, such as when potential comparison algorithms from different persons-of-interest are encountered vendors. This can be important in mobile outdoors. systems where the extraction and matching processes take place in different Duplicate checking is yet another locations. For example, templates can be biometric process performed to determine stored on a smart card, and then matched whether there are individuals represented later on a mobile device. MINEX-certified more than once in a database. This might minutiae-based fingerprint template be performed to detect fraud, such as in generators and matching algorithms were the case where an individual has enrolled designed for this application; they have multiple times in a social benefits been tested and verified to be program. This process involves matching interoperable between different vendors every biometric sample in the database to for one-to-one verification applications. every other, and could be called a “many- to-many duplicate search.” Duplicate A high-performance biometric system is searching is a centralized function that characterized by a low rate of false does not require mobility. matches and false non-matches. Generally speaking, higher quantities of Biometric Processes data (e.g. more fingerprints) and higher- Enrolment quality samples are required for one-to- many and many-to-many processes than Biometric systems rely on two distinct for one-to-one verification. It is helpful to processes: enrolment and comparison. understand that a mobile one-to-one The purpose of enrolment is to capture verification solution will not have as and store the biometric samples (e.g. on a stringent biometrics sample quality smart card or in a watchlist) that will be requirements as a one-to-many used for future comparisons with live identification. In some cases, the samples. Enrolment of high-quality enrolment might take place at a stationary samples can contribute to enabling a workstation, with only the verification or sufficient level of matching performance, identification process requiring mobility. which is particularly important for one-to- For example, an access control many identification tasks. Enrolment may application might require a new employee be performed on a mobile device if to submit biometrics in a controlled necessary, but is typically done on a environment as part of a new-hire stationary workstation if possible. introduction process, but then need to submit biometrics using a mobile device

Getting Started – Mobile Biometrics when attempting access at a control point can be either full-finger or swipe. It is somewhere on the property perimeter. important for fingerprints to be of sufficient resolution (500 ppi) and contrast, and be Modalities, Hardware and free of distortion. An optical sensor uses a Software prism, light source, and light sensor to capture images of fingerprints. Capacitive Much is made about the breadth of sensors are based on a silicon chip that biometric modalities, and indeed some of detects electrical currents when the finger the research into new, more exotic ridges make contact. Optical sensors biometrics (ear, gait, odor, etc.) is generally provide higher-quality images compelling. But the “big three” modalities than capacitive sensors but are also larger that are field-proven and currently in use and consume more power. Full-image are fingerprint, face, and iris. Each is capacitive sensors generate higher-quality currently used extensively in mobile images than swipe sensors but are also applications. In a mobile context, voice is larger. Swipe sensors do not generate also important, given the inherent audio image quality sufficient for one-to-many capture and playback capabilities of a identification. smart phone. There is no perfect biometric; each has advantages and Capture of facial images has traditionally disadvantages, such as having more been performed using off-the-shelf reliable matching performance, or being consumer-grade digital cameras such as a easier to capture. Some mobile Canon PowerShot. But camera approaches are multi-modal, incorporating technology has changed dramatically in more than one modality and utilizing only the last several years, making facial “fused” match results. capture with mobile devices far more viable. We have all seen the vast All biometric solutions include hardware improvements in image quality of web and software components, and many cams and smart phone cameras, many of include both client- and server-based which are now capable of eight components. Mobile biometric hardware megapixels or more. This is compelling, includes capture peripherals, power considering that the best digital cameras source, network interface, and computing on the market were on the order of four platforms. Mobile biometric software megapixels only five years ago. Digital includes a user interface, peripheral facial images traditionally require an interface, biographic data capture and interocular resolution of about 60 pixels for validation, biometric image capture and one-to-one matching and 90 pixels for processing workflow, and biometric one-to-many matching. But resolution is template extraction and matching. Mobile not the only factor affecting facial matcher capture solutions vary in the degree of performance; perhaps even more required miniaturization and portability, important are the distortion, brightness, and as such sometimes use the same contrast, sharpness, and background hardware and software components as for clutter of the image. Improvements in stationary solutions. these areas have not been as dramatic Hardware with smart phone cameras as resolution, Fingerprint sensors are currently designed but improvements are nevertheless upon either one of two technologies: compelling. But the challenge here is less optical and capacitive. Capacitive sensors with the camera performance and more

Getting Started – Mobile Biometrics with the fact that with mobile solutions, the systems available for this application and capture conditions are highly variable as are desirable for their speed and low compared to stationary environments; degree of interference with a person’s lighting, background, and distance to the activity. Facial and iris biometric systems subject can change from photo to photo, are available, and fingerprint systems are and have a substantial impact on currently in advanced research stage. matching performance. In mobile facial image matching systems, it is helpful to Hardware challenges: durability, keep photo capture conditions as ergonomics, power consumption consistent as possible. Capture hardware must be designed to accommodate a wide variety of Iris is probably the fastest growing environmental and ergonomic factors biometric modality, and has also particular to mobile devices used outside benefitted from the dramatic changes in an office environment. They must operate the camera and sensor arena. But iris in direct sunlight, temperature and differs from face in that it requires an humidity extremes, and by operators with infrared image of the iris. The degree to gloved fingers. They must be sufficiently which a pure infrared image can be durable to withstand moisture, dust, dirt, captured (with minimal “pollution” from and impact. Power consumption is a visible light), the better the matching significant factor and is very use-case performance. This is why off-the-shelf specific, but typically a device must cameras aren’t used for iris image operate reliably by battery power for at capture, and a special camera is required; least one work-day. A consideration is a system must illuminate the iris with whether batteries can be replaced on-the- infrared light and then filter out other fly, or whether the entire device must be wavelengths. offline during a battery charge. Biometric capture peripherals often require lighting, Voice biometrics are a particularly viable and one-to-many search software can means of one-to-one verification using a consume processing. They must be smart phone, given its obvious audio ergonomically designed such that an capabilities. But in this application mobile operator can quickly and reliably collect voice biometrics suffer from the same high-quality biometric samples from challenges as other biometrics in that the inexperienced or even uncooperative environment is unpredictable; background individuals. noise can interfere with the matching process just as the background of a facial Software image can. Voice samples (such as those Software for mobile capture is functionally collected from a surveillance device) can similar to stationary biometric solutions, be used as a “latent” like fingerprints, and but with meaningful differences. Mobile the background of voice signals can also devices typically run operating systems have forensic value for law enforcement designed for smaller devices, such as and military applications. Windows CE, Windows Mobile, Apple A different take on mobile biometrics is iOS, Blackberry, and Android, so biometric “biometrics in motion,” where biometrics software libraries need to be ported to are taken of an individual in motion using these operating systems. Processors are stationary equipment. There are several less powerful, and there is less memory and RAM, so processing-intensive

Getting Started – Mobile Biometrics operations such as compression and keep confidential the individuals listed on template extraction must be optimized a watchlist, so this data must also be kept appropriately. Video screens are smaller private; a compromised mobile device and utilize touch screens and gestures, so could be used by an adversary to learn the user interface must be designed to whose biometrics are on the watchlist, or accommodate these. Special software is to enroll false information. Storage of applied to help make up for shortcomings templates as opposed to images can be of the hardware, such as by providing effective in helping secure biometric data more advanced image processing and because it is difficult but not impossible to quality control. Some more powerful spoof a live sample from template data. mobile devices such as those used in the military run Windows XP but still need For these reasons, particular care is given software that accommodates a small to securing mobile biometric capture touch screen and less processing power. solutions by securing 1) data at rest on the device, 2) data in motion on a Device independence is a particularly communication network between the important consideration in implementing a device and central system, and 3) data in mobile system. Ideally, an owner of a system, such as stored on a central server system can support different kinds of and accessible by the device. Enhanced mobile devices in their system so that they security is achieved through traditional are not reliant on a single vendor for means, such as password- or biometric- devices. This can be achieved by controlled access to the software requiring that an open, standards- application, encryption of data at rest and compliant interface be implemented in motion, and firewalls. Watchlists stored between the device and wherever the on mobile devices can be encrypted, but trusted sample is stored (i.e. a smart card will reduce the speed with which or central server). Another approach is to identifications can be performed, a factor operate a hardware-agnostic software for particularly large watchlists stored on application on the mobile device. The the mobile device. advantage here is that different hardware devices can be used in the system and Match Modes and Networks can be procured separately, but the Owner-based, permission-based, software, user interface, workflow, etc. are operator-based, kiosk-based the same. An “owner-based” biometric application is Security one by which a single person (or a few) is using a mobile biometric device to secure Security is of particular concern in mobile access to their own assets, such as the biometric solutions because physically device itself. A “permission-based” system securing access to the device is much involves the controller of an asset to grant more challenging. Biometric data on a self-access to an asset, (e.g., a company device needs to be protected for purposes using biometrics to grant employees of personal privacy, because it is possible access to their data). “Operator-based” though not trivial for a stolen biometric to applications require an authorized, trained be used to generate a false identity and operator of the device to collect biometrics spoof the system. Biometrics may also be from the individual providing the biometric accompanied by sensitive, private sample. “Kiosk-based” applications can be biographic data. It is typically desirable to

Getting Started – Mobile Biometrics semi-mobile and require capture to be Bluetooth, Wi-Fi, or GSM/CDMA network. performed without any training or With connectivity, mobile biometric experience and minimal instruction. These matching can be performed between live are important distinctions in designing a samples and trusted samples or watchlists mobile solution because they have an stored somewhere else in a network. The impact on its ergonomics and workflow, feasibility of such an architecture is and users of the device will not determined by the reliability, speed, necessarily be located where assistance security of the network, and sensitivity of is readily available. Will one person or two the application. Image-based biometric require simultaneous access to the samples can be somewhat cumbersome device? Must a person be trained to use to transport in a mobile system; it? compressed samples are typically on the order of 10 to 20 Kbytes each and vary Match onboard, match-to-chip, widely between modality and vendor, so match-to-code, match-to-server it’s an important consideration in system One-to-one and one-to-many biometric design. If matching to a watchlist residing matching can be performed onboard the on a mobile device, a mechanism must be mobile device in any of several modes; implemented that is capable of updating security, watchlist size, and required the watchlist on the device. This can be response time are often the done over a wireless network, but considerations in their design and depending on its size can be prohibitively selection. A live sample must be time consuming. Another option is to compared to a trusted sample stored update the watchlist while the device is either on the device itself, in memory on a connected to a wired network, such as smart card, or encoded in a bar code. during a battery recharge. Each approach presents different pros and cons and depends on the application; Mobile Biometrics Form Factors importantly it must be feasible to securely As discussed, mobile biometric devices enroll, encode, and store the trusted take many forms and are designed to sample in the location of choice, and then facilitate a wide range of applications and retrieve the sample upon matching, usage environments. Following are some whether it be on the device, card, code, or product categories and a list of products server. Bar codes can be used to store that is by no means exhaustive. A biometric templates, such as specified by summary is provided at the end of the the ILO Seafarers’ identity document paper. technical report ILO SID-0002. Biometrics can also be stored in a smart card (e.g. Integrated. This form factor is comprised PIV card) and retrieved by the mobile of a traditional mobile device that is device via the contact interface. Ideally, equipped with one or more integrated interoperability is facilitated by using capture devices. Examples are laptops or standards-compliant products. FIPS 201 mobile phones equipped with Authentec for Personal Identity Verification (PIV) is a Mobile Smart Sensors, and web cameras. standard that specifies biometric smart cards and systems and is in broad use. Handheld. This is a device that is custom designed specifically for biometric capture. Mobile biometric devices are often It will incorporate capture peripherals for equipped with mobile connectivity via one or more modalities, a CPU, network

Getting Started – Mobile Biometrics connectivity functionality, and human Apple iPad equipped with the SIC iFMID interface devices such as touch screen 500 . and/or keyboard. They have custom software applications that enable the user Mobile Applications and SDKs. Some to operate the device. Examples are the solutions are hardware-independent Iris ID iCAM H100, 3M Cogent BlueCheck software programs or software II, and MorphoIDent. development kits designed to operate on different hardware devices. An example is Suitcase. This form factor utilizes a laptop Aware URC Mobile, designed for and traditional biometric hardware ruggedized devices. peripherals that are organized into a compact, hardened, portable suitcase. Mobile Infrastructure. An infrastructure They are generally somewhat solution is designed to support use of configurable, enabling the selection of mobile devices to achieve authentication either one or several modalities; e.g. or other biometric functions. They typically single finger optical scanner or slap scan include both device- and server-based device. An example is the Cross Match software and are largely hardware- Guardian Jump Kit. independent. Examples include Daon IdentityX and Aware Biometric Services Kiosk. A kiosk is generally semi-portable, Platform (BioSP). with integrated biometric capture components, document readers, and other Biometrics in Motion. “Biometrics in peripherals; they are often designed to motion” are enabled by stationary systems enable self-enrolment and verification. that enable biometric capture from Examples are Speed Identity G3 and subjects who are themselves mobile, such SmartMatic PARmobile. as when they walk through a gateway. An example is SRI/Sarnoff Iris on the Move. Ruggedized. A ruggedized mobile solution is designed specifically for military On the Horizon - Emerging and law enforcement applications, and is Trends thus designed to capture high-quality data What does the future hold for mobile suitable for identification while being biometrics? It is fairly clear that smart extremely durable and reliable. Examples phones and tablets will be the most fertile are the Cross Match SEEK II, area of biometric innovation for the next MorphoTrust HIIDE 5, and Northrop several years. The devices will continue to Grumman BioTRAC. become more powerful, and the market Smart Phone and Tablets. Modern smart will likely have on the order of 100 phones and tablets are equipped with biometric solutions designed around smart powerful processors, multiple high-quality phones and tablets within 18 months. cameras, network connectivity, and Smart phones will be able to communicate intuitive user interfaces. They can be with smart cards via near field equipped with biometric capture communication, which will enable them to peripherals and integrate with server- authenticate a live biometric sample with a based systems to provide an advanced template stored on a smart card. mobile biometric solution. Examples are Standards compliance will be a key driver the Apple iPod Touch equipped with the of adoption of this technology. Fulcrum Biometrics mobileOne, and the

Getting Started – Mobile Biometrics

But general-purpose mobile devices will never be able to fulfil all requirements for all biometric applications. Identification of a biometric sample within a large gallery will require capture of a lot of high-quality biometric data, and this won’t ever be practical on a device designed to perform such a breadth of consumer-based applications. There will be a role for these devices in defence and military applications, but it will likely be limited to one-to-one verification for access control or humanitarian missions. Durability will remain a critical factor for many applications where reliability is required.

Getting Started – Mobile Biometrics

Following is a product summary; feel free to contact me to add your product to the Mobile Biometrics In Focus web page.

Product Name Product Vendor Integrated Sherlock Integrated Biometrics VFS Validity FPC Fingerprint Cards OEM Modules Digital Persona Handheld iCAM H100 Iris ID 3M Cogent BlueCheck II 3M Cogent MorphoIDent MorphoTrust Stratus AOptix Suitcase Guardian Jump Kit Cross Match Kiosk G3 Speed Identity PARmobile SmartMatic Ruggedized SEEK II Cross Match SEEK Avenger Cross Match HIIDE 5 MorphoTrust BioTRAC Northrop Grumman Smart Phones and Tablets mobileOne Fulcrum Biometrics iFMID SIC Tactivo Precise Biometrics Mobile Applications and SDKs URC Mobile Aware Onyx Diamond Fortress Mobile Infrastructure Biometric Services Platform (BioSP) Aware IdentityX Daon Biometrics in Motion Iris on the Move SRI/Sarnoff