ITU News


Biometrics and standards
A Technology Watch report

Usually, we recognize people we know by looking at their faces, sometimes by their voices or handwriting, or by the way they move. In times past, human scrutiny was the only way of checking the identity of travellers moving from one country to another, visitors seeking to enter private areas, or traders withdrawing cash from banks. This is no longer realistic, given the growth of international travel, the need for security in workplaces, and the spread of electronic banking, among many other changes in our daily lives. Nowadays, there is a new way of checking identity, using automated methods and information and communication technologies (ICT) to recognize individuals based on physical or behavioural traits — a field known as biometrics. This is the topic of a new Technology Watch report from ITU on “Biometrics and Standards”*.

Biometrics are now applied in electronic passports, as well as for finger-vein recognition in automatic teller machines (ATM) in banks, and even to prevent vending machines from selling cigarettes to children. In each case, some combination of inherent characteristics is measured and automatically compared with templates stored on a token or in a database to find a match. The measured characteristics are often physical but may also be behavioural, such as a pattern of keystrokes in entering a word or phrase. With the wide acceptance of biometrics for identity verification, especially in an open network environment, the challenges of privacy, reliability and the security of biometric data become more complicated and demanding.

Anyone who has queued at a check-in point at an airport will appreciate the importance of speed and accuracy in reading an electronic passport. Similarly, when you draw money from an ATM, you expect to be the only person able to gain access to your account. These uses of biometrics grew out of the development of measures to meet the need for accurate identification in the fields of criminology and forensics — the fingerprints and DNA samples that feature so prominently in crime stories. There are now three main categories of biometric applications: forensic, governmental (passports, identity cards, voter registration, and so on), and commercial (for example, network login systems, ATM, credit-card processing, and face recognition in photographic software).

To ensure that biometric identification systems are reliable, secure, interoperable and easy to use, there is an evident need for the development of international standards. Governmental authorities, in particular, are unlikely to accept a non-standardized system offered by a single manufacturer. There has to be general agreement on what biometric traits to measure, and confidence that the chosen metrics will distinguish between any two individuals. Standards are also needed to protect biometric data, both to maintain personal privacy and to prevent attacks that would open the way for fraud or impersonation. The underlying objectives in standardization are to make biometric systems easier to install, cheaper to run and more reliable to use.

Standards-setting organizations

Although the earliest biometric standards were created by governments and law-enforcement agencies in the 1980s to exchange fingerprint data, the current accelerated pace of standards development did not begin until 2002. Now, several national and international players are developing these standards. They include the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and ITU’s Telecommunication Standardization Sector (ITU–T). Industry consortia also develop standards that support the objectives of their membership, while United Nations specialized agencies, such as the International Civil Aviation Organization (ICAO) and the International Labour Organization (ILO), develop standards within their specific domains that might not have been addressed by other organizations. In particular, ICAO is responsible for the standardization of machine-readable travel documents, including electronic passports, while ILO has provided guidelines on biometric identity documents for seafarers.

Over 30 international standards on biometrics have been developed by the ISO/IEC Joint Technical Committee 1 (JTC 1) since the establishment of its Subcommittee 37 on Biometrics in June 2002. The work of JTC 1 on biometric standards is also carried out in its Subcommittee 27 on IT Security Techniques (which covers template protection, algorithm security, and security evaluation), and in Subcommittee 17 on Cards and Personal Identification.

Within ITU–T, work on biometrics began in 2001, led by ITU–T Study Group 17 which coordinates this work across all study groups. In particular, ITU–T Study Group 17 is responsible for looking at identity management; that is, technical methods for identifying individuals and protecting those identities.

Work is intensifying to meet current challenges for more secure network infrastructure, services and applications. Clearly, telecommunication applications using mobile terminals and Internet services call for authentication methods that not only provide high security, but are also convenient for users. More than 70 ITU–T Recommendations on security have been published.

Biometric systems

All biometric systems have a storage component containing biometric data samples of individuals linked to information on their identity. There is also a sensor to capture the person’s biometric data. The captured data sample is compared with a reference template, and a decision is taken on whether it matches. In telebiometrics, the communication channels between these components of a biometric system may be wired or wireless telecommunications, or private or public networks, including the Internet. Whether the biometric trait is physical (such as DNA) or behavioural (such as a keystroke pattern), each individual should have that trait uniquely. Also, the biometric trait should be invariant over a certain period of time, and should be measurable.

Figure: Overview of some biometric methods (fingerprints, iris recognition, DNA, keystroke pattern)

Recommendation ITU–T X.1081 “The telebiometric multimodal model — A framework for the specification of security and safety aspects of biometrics” is the first biometric standard to be published. It provides a model that can be used as a framework for identifying and specifying safety aspects of telebiometrics, and for classifying biometric technologies used for identification. The multimodal model covers both the physical and behavioural interactions between a person and the environment, providing a taxonomy of over 1600 combinations of measurement units, modalities and fields of study. The model is based on earlier theoretical work dealing with the way humans interact with their environment, and on the ISO/IEC 80000 series of international standards, specifying the quantities and units for all known forms of measurement of the magnitude of interactions between individuals and their environment.

Over 50 countries issue their citizens with machine-readable passports, which store biometric data that can be used to verify identity at the border. A facial image, and perhaps a digital representation of fingerprints or the iris, is stored on a tiny radiofrequency identification (RFID) chip, and this can be compared with information in a biometric database. The Joint Photographic Experts Group (JPEG), a Working Group of ISO/IEC and ITU, is responsible for the JPEG, JPEG2000, JPSearch and JPEG XR families of imaging standards. These are methods of image compression, and such methods are usually used to store a digital photograph on the chip in an electronic passport. The standards for the JPEG or JPEG2000 format are given respectively in Recommendations ITU–T T.81 and T.800, developed by ITU–T Study Group 16. JPEG XR (ISO/IEC 29199-2) is now an international standard, reflected in Recommendation ITU–T T.832. It specifies a coded image format, designed primarily for storage and interchange of continuous-tone photographic content.

Keeping data secure


A key can be lost, stolen or duplicated. A password can be forgotten. It is generally considered that biometric traits have the advantage of being virtually impossible to steal or forget, and difficult to guess. Yet biometric systems are vulnerable to attack. Any element of the biometric system could be the target: the sensor, the feature extractor, the matcher, the stored biometric templates or the decision endpoint. An attack could also take place by bypassing the biometric sensor, or by tampering with the feature extractor or template.

Biometrics are increasingly used to complement or replace traditional authentication schemes such as personal identification numbers (PIN) or passwords. But biometric data cannot be kept secret. Photographs of faces, recordings of voices and copies of signatures, for instance, are all easily made. Biometrics rely on highly sensitive personal information, but the security of an authentication system cannot rely on the secrecy of biometric data. A system must ensure the integrity and authenticity of biometric data in order to be operationally effective, and additional protective measures are needed to safeguard privacy.
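The point that security cannot rest on the secrecy of biometric data can be made concrete with a short Python sketch. It is an added illustration, not part of the ITU report and not an implementation of any ITU–T Recommendation. The shared sensor key, the 64-bit feature code, the matching threshold and all names are assumptions constructed for the example: the verifier accepts a sample only if it is bound to a fresh challenge and authenticated by the sensor, so a copied or replayed sample is refused even though it matches the enrolled template.

```python
import hashlib
import hmac
import secrets

SENSOR_KEY = secrets.token_bytes(32)    # assumed: key provisioned in sensor and verifier
ENROLLED_TEMPLATE = 0x5A3C96E10F4BD287  # constructed 64-bit feature code
MATCH_THRESHOLD = 6                     # assumed: max differing bits that still match

def hamming(a, b):
    """Number of differing bits between two feature codes."""
    return bin(a ^ b).count("1")

def sensor_tag(key, nonce, features):
    """Sensor side: authenticate the captured features together with the challenge."""
    return hmac.new(key, nonce + features.to_bytes(8, "big"), hashlib.sha256).digest()

class Verifier:
    def __init__(self, key, template):
        self._key, self._template = key, template
        self._open = set()              # challenges issued and not yet used

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._open.add(nonce)
        return nonce

    def verify(self, nonce, features, tag):
        if nonce not in self._open:     # freshness: each challenge is single-use
            return "rejected: unknown or reused challenge"
        self._open.discard(nonce)
        expected = sensor_tag(self._key, nonce, features)
        if not hmac.compare_digest(expected, tag):   # integrity and authenticity
            return "rejected: sample not authenticated by sensor"
        if hamming(features, self._template) > MATCH_THRESHOLD:
            return "rejected: no biometric match"
        return "accepted"

def demo():
    v = Verifier(SENSOR_KEY, ENROLLED_TEMPLATE)
    live = ENROLLED_TEMPLATE ^ 0b101    # genuine capture with two bits of sensor noise
    n1 = v.challenge()
    tag1 = sensor_tag(SENSOR_KEY, n1, live)
    genuine = v.verify(n1, live, tag1)
    # A recorded message presented again under a new challenge.
    replayed = v.verify(v.challenge(), live, tag1)
    # A perfect copy of the trait submitted without the sensor key.
    copied = v.verify(v.challenge(), ENROLLED_TEMPLATE, bytes(32))
    # The original message sent a second time under the already used challenge.
    reused = v.verify(n1, live, tag1)
    return genuine, replayed, copied, reused
```

In this sketch the only sample accepted is the one the sensor authenticated for the current challenge; knowing the biometric itself is not enough.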

To allow for secure authentication, Recommendations ITU–T X.1084 and X.1085 specify nine authentication protocols for telebiometrics and describe protection profiles, while Recommendation ITU–T X.1086 provides guidance on countermeasures to establish a safe environment and privacy. Recommendation ITU–T X.1087 sets out procedures to protect multimodal biometric data against attempts to intercept, modify or replace the data. The procedures include encrypting, watermarking and transforming data. Recommendations ITU–T X.1088 and X.1089 provide respectively a framework for generating and protecting biometric digital keys, and a way of managing biometric authentication.

Commercial and government applications to drive growth

Advances in ICT, increased performance and availability of equipment at lower cost have smoothed the way for automated biometric recognition. Future e-commerce, e-health and e-government services may require authentication with the help of biometric personal documents issued by governments. For example, some developing countries have already started using biometrics for voter registration in the run-up to elections in order to avoid outdated voter lists and election fraud.

Market forecasts on biometric spending are generally positive. Growth is expected to come mainly from commercial and government applications, where the biometrics and smart card chip industries will benefit from government decisions to adopt electronic personal documents and biometrics. From an estimated USD 3 billion spent on biometric technologies in 2008, market researchers now forecast investment of USD 7.3 billion by 2013.

Alongside fingerprints, which will remain the dominant biometric trait, face, iris, hand and speech recognition systems are expected to emerge and be widely adopted in biometric applications.

What next?

Standards allow for the effective development of biometric systems by establishing common criteria and setting guidelines for the protection of privacy. Agreements on data formats and application software interfaces will help to reduce the cost of developing systems. Furthermore, the development of standards for applying biometrics and for testing accuracy contributes to clarifying vulnerabilities and guides the search for countermeasures to attacks.

As well as being universal and unique, biometric characteristics should be reasonably permanent and easy to collect and measure. A biometric system should deliver accurate results under varied environmental circumstances, and should be difficult to deceive. Perhaps the most crucial aspect of a biometric system is its acceptance by the general public. For obvious reasons, non-intrusive methods are more acceptable than intrusive techniques. Although DNA is considered the ultimate biometric for identifying a person (other than an identical twin), DNA matching is too intrusive for extensive use in authenticating identity. Facial thermography, which detects the heat patterns created by blood vessels and emitted from the skin, is non-intrusive but too costly. Among the biometrics currently being considered for future deployment are blood pulse, body odour, skin composition, nail-bed pattern, gait and ear shape. More research is needed to see whether any of these will emerge as the biometric of choice.

Whatever system is used, it must be secure, ensure privacy and produce accurate results. A system that is insecure, unreliable or invasive will undermine public trust and may lead to a general lack of acceptance of biometric recognition techniques. The development of international standards is a key strategy in guaranteeing the appropriate choice and use of biometric methods. In less than a decade, huge progress has been made in improving biometric sensors, algorithms and procedures, but there remain vulnerabilities that need to be addressed. The need to protect privacy and safeguard sensitive biometric data remains fundamental.


* This article is based on the Technology Watch Report “Biometrics and Standards” issued by ITU’s Telecommunication Standardization Sector (ITU–T) in December 2009. Technology Watch reports are prepared by the ITU–T Policy & Technology Watch Division. They evaluate emerging technologies to assess their implications for the ITU membership, especially developing countries, and to identify candidates for standardization work. The reports can be viewed and downloaded at


© Copyright ITU News 2019