Biometric Defense In Depth

May 2002
By Henry S. Kenyon

Positive identification is more than just a friendly face.

A recently developed software application will allow organizations to design layered access systems that scan individuals to recognize facial features, voices and lip movement characteristics. The program permits the deployment of a variety of digital-camera-based devices in kiosks and stations or desktop and laptop computers to control and monitor admittance to secure areas, networks or individual pieces of equipment.

The attacks on September 11 increased the emphasis on developing and deploying personnel authentication and tracking technologies. One area that is showing great promise is biometrics—the science of identifying people by unique traits such as fingerprints or iris patterns. Biometrics-based entry and authentication systems backed up by computer databases promise to improve security in restricted areas.

Systems such as fingerprint readers and face identification software are now available; however, they can be circumvented. Installing multiple biometric devices greatly increases accuracy while diminishing the possibility of the system being fooled.

One example of this layered security approach is a software application system developed by BioID, Berlin. The product, BioID software development kit (SDK) 3.0, integrates with and augments an organization’s network protection and access control systems.

SDK 3.0 allows users to provide highly accurate authentication and access control by combining facial recognition with observation of voice and lip movement characteristics. According to Michael Ruehle, president and chief executive officer of BioID America Incorporated, the firm’s Raleigh, North Carolina-based subsidiary, the development kit is a suite of software modules that can be launched in Web-based and smart card systems or integrated into existing network, e-commerce or physical access applications.

The tool suite allows clients to modify the program to suit their specific needs. When deployed, the technology is user-friendly, Ruehle explains. Personnel simply look into a digital camera that features the BioID software and speak into a microphone. The program then recognizes the person’s face, voice and lip movements from stored data.

Prior to the release of SDK 3.0, the identification techniques that combined face, voice and lip movement were linked and did not lend themselves to use in applications beyond access control. The latest version of the software permits programmers to access face finding, face recognition, voice recognition and lip movement modules separately.

When facial recognition is combined with other forms of authentication, accuracy greatly increases. Adding devices, however, requires subjects to become active participants in the identification process because they must be willing to look into a camera and say their names. But one of the major advantages of biometric technologies is that unlike passwords or smart cards, they are nontransferable between human beings. “The more factors of authentication you can pile up, the more secure the system is. The factors don’t all have to be biometric ones. They can be nonbiometric such as secure tokens, smart cards and additional pass codes. There are ways of increasing levels of security by piling on additional factors,” he explains.

The software consists of a series of application programming interfaces (APIs) that allow programmers to call up or highlight certain functions. For example, a programmer designing a health care system may want to include a biometric user identification device. The programmer writes a function call. When activated, this command launches BioID, which identifies a subject and reports back to the primary program. The software also supports the Bio API standard for biometric devices, which permits software applications such as BioID to operate with other products.

Ruehle speculates that the growing standardization of biometrics systems will lead major software providers to include the applications in their products. “In the future, it’s very likely that the Windows operating system will support biometric authentication out of the box—it will just be there. So if you install a biometric [device], the Windows operating system will recognize it and instead of putting up a password box, it will activate that device using the standard API,” he says. Ruehle notes that Microsoft recently licensed a biometric API that it plans to install in future versions of its operating system.

SDK 3.0 serves as a programming interface, permitting a third party to draw on BioID’s capabilities to design a solution to meet its specific needs. Ruehle claims that SDK 3.0 is highly flexible, noting that one of its advantages is the ability to function across a variety of platforms and operating environments. “It’s not limited to a network or physical access environment. It will run anywhere that a PC will run,” he says.

Ruehle believes organizations also are calling for a simple out-of-the-box solution that allows users to log on desktop computers and laptops securely. This capability is in the latest version of SDK. However, he cautions that because it is a software development kit intended for programmers, users should not buy it for that single application.

While the software works with most commercially available digital cameras, basic parameters are required for accurate imagery. Ruehle notes that the minimum requirement is roughly 80 pixels wide by 120 pixels high, explaining that it is more a question of a subject’s face being correctly oriented in the camera’s field of view. Proper camera focus and sufficient lighting also are very important. Harsh, high-contrast illumination such as a light shining directly down on a subject or heavy shadows will cause identification problems. “You and I have trouble identifying people if they hold a flashlight under their chin and shine the light up. It’s going to be a similar kind of problem [for a digital camera],” he says. However, because BioID’s technology is designed to be used mainly in a kiosk or doorway where the lighting can be controlled, this is not usually a problem, Ruehle explains.

Additional aids such as a ring of infrared light emitting diodes (LEDs) placed around the camera assist in image gathering. LEDs reflect infrared light off of the subject’s face, greatly improving camera performance even in very dark environments, he says.

Although the technology can be used for surveillance, Ruehle does not believe it is mature enough for such applications. “The software—anybody’s face-only recognition software—requires an eye-level camera placement so that it’s catching your face front on,” he maintains. If a face is viewed from too high an angle, then the subject’s features will be foreshortened, making it difficult to match with a template. As a result, the technology is still best used in controlled areas where people are required to stop and look directly into a camera. 

When facial recognition software is combined with surveillance cameras in public places such as sports arenas or parking lots the level of false alarms escalates. Ruehle describes an experiment that coupled face recognition software with surveillance cameras in Tampa, Florida. The effort failed after two months because it was unable to recognize people accurately. “Inevitably, you’re going to get lousy to terrible results,” he says.

Ruehle does not discount surveillance applications completely. He explains that while it is not practical to operate with the current technology, within several years processing technologies will advance enough that such applications will become feasible. However, it is currently unrealistic and premature to apply face recognition software to surveillance systems, he adds, noting that legal and civil rights issues must also be resolved.

Major defense department contractors in the United States and Europe have shown interest in BioID’s soft ware. Ruehle reveals that one contractor is interested in using the product for airport security applications. The envisioned system will provide employee identification and contain a surveillance component to determine whether personnel are in their assigned areas.

Ruehle notes that prior to September 11, his firm’s most important customers were in the health care and financial services industries. In the post-attack environment, health care remains important, but financial services firms—while remaining interested—are focusing on other areas at the moment, he says. The largest market growth has been in government and military applications, which have been put on the fast track. Several organizations plan to have pilot systems operating within six to nine months, he says.

Additional information on BioID is available on the World Wide Web at


No Free Lunch for Biometrics Applications

When the U.S. government evaluates a biometric product such as software from BioID, Berlin, it is sent to the Biometrics Fusion Center (BFC), part of the U.S. Army’s Biometrics Management Office, Bridgeport, West Virginia. Staff members at the facility determine whether new technologies are suitable for use by the U.S. Defense Department and federal agencies (SIGNAL, August 2001, page 35).

According to Paul Howe, the BFC’s deputy director, most biometric systems are not plug-and-play. They require modification to fit a specific user’s needs. Emphasizing that the center does not endorse specific products, he notes that an increasing number of biometrics companies are taking a layered approach. Facial recognition technology dates back to the 1950s, but advances in image processing within the last decade have made such systems commercially viable, Howe explains.

Facial recognition systems are appealing for a number of reasons, says Dr. Craig Arndt, the BFC’s lead contract program manager. No physical contact with the subject is required to gather data, and the information is easily stored and accessed. By combining these systems with fingerprint or iris scanners, performance is greatly enhanced. This creates the possibility for future technologies that can conduct iterative searches across a database for a variety of unique personal identification data. However, these new systems will be more complex and harder to maintain. “There’s no free lunch,” Arndt says.

There is also no single biometrics solution for all applications, Howe adds. Citing the recent example of several failed projects that sought to add facial recognition software to surveillance cameras, Howe believes they did not succeed because the technology was not applied properly. It was the completely automated nature of the application that caused the problems, Arndt explains, noting that many systems do not need to be autonomous but work well with a human operator in the loop.