Biometrics

State of the Art Biometrics Excellence Roadmap

Certified Products List (CPL) Expansion: The Way Ahead

October 2008, v. 1.2

Margaret Lepley Joseph Marques Norman Nill Nicholas Orlans Rod Rivers Ron White

Sponsor:

Scott Swann, Program Manager

Contract No.:

J-FBI-07-164

Dept. No.:

G122

Project No.:

14008FC09-LA

The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

This document was originally published June 2008, and reflects the state-or-the-art as of that date.

This software (or technical data) was produced for the U. S. Government under contract J-FBI-07-164, and is subject to the Rights in Data-General Clause 52.227-14 (JUNE 1987) © 2008 The MITRE Corporation. All Rights Reserved.

iii

Executive Summary The FBI has extensive experience in fingerprint product certification. The introduction of the Next Generation Identification (NGI) system with its integrated, multi-biometric focus increases the need for product certification services. As additional biometric modalities are added, the FBI will be called upon to certify an ever increasing number of products. Partners and other stakeholders around the world will continue to look to the FBI for product certification leadership in this growing and increasingly critical area. Broader FBI adoption of emerging biometrics requires acknowledging a prevailing commercial focus. The performance of non-contact modalities (non-fingerprint sensors) is susceptible to environmental and operational scenarios. Specifically, certification must consider device standards, environmental factors, collection guidelines, and feedback mechanisms to ensure that identification services are both enabled and sustained. Certification compliance must therefore strive to become lifecycle based, rather than act as a gatekeeper. Face recognition is probably the next non-contact modality to be implemented within NGI; however, the rapid development of digital cameras used for facial recognition throughout government and industry makes it impractical to propose a device certification process similar to fingerprint. Consumer cameras, made inexpensive by economies-of-scale, already exceed reasonable facial performance criteria. Requests for certification would not only overwhelm the process, but quickly become obsolete as new models are continuously replaced. In contrast, the currently smaller Iris camera market better lends itself to a device certification program. Our findings indicate that the FBI can achieve the greatest benefit by adopting a certification program process that leverages existing domestic standards efforts, formalizes biometric best practices and helps participating agencies test and sustain compliance. Studies have shown that many biometrics do provide accuracy and interoperability when properly implemented, but that deficiencies go unnoticed and remain without feedback. Booking site operators also require sensible, operational guidance.

Provide Compliance Services

Post-deployment identification accuracy is more difficult to maintain for non-contact biometrics because environmental issues have a greater influence. Continuous monitoring and feedback is integral to ensuring that devices operate at peak efficiency, operators follow best-practice guidance, and configuration changes are detected. We recommend that the FBI pursue quality monitoring services to sites and partners as follows: Develop open image-quality metrics for iris and face imagery assessment. Provide operationally relevant feedback to sites based on observations of biometric quality or other attributes. Generate CJIS reports describing the quantity, quality, and attributes of biometric submissions by state and agency.

iv

Encourage submission improvement over time based on measurable criteria. Enable early detection and correction of emerging quality issues (e.g., hardware production differences) before substantial data is gathered. Provide a way for sites to submit test enrollments for conformance testing, deployment, and training.

Promote and Extend ANSI/NIST Standards with Criminal Justice Focus

Historically, the FBI has promoted interoperability through American National Standards Institute (ANSI)/National Institute of Standards and Technology (NIST)-ITL 1-2007. The introduction of International Standards Organization (ISO) (19794-x) biometric standards has complicated matters. Despite many similarities, the ISO standards are not always an ideal vector for criminal justice and forensic applications. In order to sustain a long-term operational focus on criminal justice needs, the FBI should promote and extend the ANSI/NIST standards whenever possible to include certification processes, guidelines, and other practice recommendations. Distinct or conflicting needs should be harmonized with the ISO specification, but not be subject to its commercial interests. The FBI should continue to promote the ANSI/NIST standard since law enforcement agencies participated in its development and voted on its approval. Areas of specific reinforcement include: Review and adapt normative requirements for other biometric modalities to provide compatibility but permit criminal justice extensions Baseline the acquisition behavior of proprietary systems (e.g., iris) and create subject acquisition profiles for both historic and future collection standards Reflect the emerging biometric needs of forensic examiners and analysts.

Distill, Formalize, and Promote Best Practices for Image Acquisition

Investigations such as the FBI/Bureau of Prisons (BOP) Benchmark Study show that, despite the availability of informative standards guidance, image capture quality varies considerably. Environment, process, lighting, and camera differences negatively affect identification performance. The best practice guidance of ANSI/NIST and ISO standards exhibit a reasonable set of requirements and already have good stakeholder support. Given these precedents, it would be ineffective to introduce a new set of requirements. In conjunction with continued promotion of ANSI/NIST standards, we recommend that the FBI expand upon the best practices

...