Interesting article FYI. Jean
Web Postings To Fuel Science Of Biometrics
(02/06/98; 2:02 p.m. EST)
By Larry Lange, EE Times
Biometrics, the science of human identification, will
take a big step forward next week when IBM and a
leading fingerprint-ID company post the key software
underpinnings for this industry to their websites.
U.K.-based IBM Hursley Services & Technology
group, Big Blue's software research arm, and The
National Registry Inc. (NRI), in Tampa, Fla., will be
posting their APIs separately. But both APIs are
generic in nature, enabling developers to use them as a
springboard for any and all biometric arenas -- face,
voice, eye, and fingerprint.
Although it is not clear if either will lead the way in
becoming the de facto standard for the industry, they
seem likely to steal the limelight from a pair of related
APIs -- a voice-centric specification already in
existence and a new one tailored for the Japanese
market.
"Biometrics is one of the top 10 technologies to watch
this year," said Jackie Fenn, vice president and
research director at Stamford, Conn.-based Gartner
Group. "And with IBM and NRI getting serious about
APIs, development should start taking off."
With more stringent security requirements demanded
in a host of markets from immigration to commerce,
Fenn said biometric companies are moving swiftly to
accommodate the demand. "People will start to see
more than one technology utilized in biometrics -- face
and finger, or face and voice," he said. "Definitely a
hybrid environment is already happening."
Setting Standards
Enter the once-elusive standards that could jump-start
the fledgling industry. IBM said it will post its
Advanced Identification Services API (AIS-API) on
Monday; NRI plans to publish the run-time version for
its Human Authentication API, or HA-API
(pronounced "happy"), on the same day.
Both companies are actively involved with the two
major standards organizations in biometrics: the U.S.
government-sponsored Biometric Consortium and the
International Customer Service Association (ICSA)
on the commercial side.
Founded in 1992, the Biometric Consortium is
chartered by the National Security Policy Board. It
has several technical working groups, and even a
national test center based out of San Jose State
University. Formerly the National Computer Security
Association, the ICSA is an independent organization
geared to the commercial digital security industry.
Based in Carlisle, Pa., it has worldwide offices and
members.
"Traditionally, the application itself, the biometric
algorithm, and the biometric device have all been
linked together," said Richard Hopkins, chief architect
for IBM's advanced identification solutions group.
"You bought all of them from the same supplier and
you couldn't swap between them." But he said it had
become clear that IBM needed to integrate different
kinds of biometrics within its solutions. "We had to;
nobody knows which direction the industry's going to
go," he said.
There are two other APIs in the mix. I/O Software, in
Riverside, Calif., which works mainly with Japanese
fingerprint systems, is expected to announce the
Biometric API, or BAPI. The company is targeting
several key players and customers in Asia for support,
and has attained the backing of the Japan Electronic
Industry Development Association.
Meanwhile, the Speaker Verification API, or SVAPI,
developed and published last September by a
committee chaired by Novell, in Provo, Utah, focuses
solely on voice-recognition systems.
Overall, HA-API seems to have the momentum to
stay in the forefront. Both SVAPI and the specs from
IBM are being readied for integration with HA-API,
according to insiders.
Thanks to its advanced fingerprint-scanner product
line, NRI was asked to develop HA-API directly on
request for the U.S. Department of Defense.
Technically a high-level API, it has only 11 function
calls. Nevertheless, HA-API has its limitations. Any
swapping of devices, algorithms, or interfaces must still
be a complete one using HA-API, in effect forcing a
developer to replace the entire biometric scan system
with that of another vendor.
IBM contends its API is more complete, affording
multilevel function calls, and should be better-suited to
component swapping. "HA-API is on a higher level,
but it achieves less in algorithm, device, and
application independence," said IBM's Hopkins. "We
separate all those layers out -- but HA-API assumes
they're all one big clump. Our API allows you to select
which device and which algorithm you're going to use,
then verify. It's a lot more detailed."
Hopkins did concede that "there's no reason we can't
merge them; however, you'll start to see a lot of that
this year." He said his team is also working with
SVAPI to integrate that API, too, as needed.
Development Takes Time
The move to develop APIs is timely. There are now
an array of choices in biometric security: hand, face,
voice, signature, iris, and retina recognition. Fingerprint
technology has the longest history due to its popularity
in federal and law-enforcement applications.
Total sales of biometric hardware were more than $16
million in 1996, according to CardTech/SecurTech, a
Bethesda, Md., consultancy. Biometrics is being
actively deployed in employee and immigration
identification, for financial transactions, and for remote
network logons and Internet access. Gartner's Fenn
said acceptance is inevitable. "Within two years, most
organizations will have to take a look at it and see how
it fits into their overall security," he said.
The variety of technology choices is a good thing,
according to John Woodward, a former Cental
Intelligence Agency operations offer and now a
leading biometric consultant. Woodward favors what
he terms a "biometric balkanization," in the belief there
should be lots of biometric systems in place. "This
assures people's privacy -- nobody can access all the
records of a person at one time," he said.
Then, too, "You might have a user who isn't a good
candidate for a finger image -- maybe they're more
suited for a facial or a voice," said NRI's Cathy Tilton.
"Within the same database, we can have different
users enrolled with multiple biometrics."
IBM's Hopkins agreed: "It allows you to have a large
degree of device independence, algorithm
independence, and biometric independence, all within
the same API."
But not everyone agrees that more is better in
biometrics. One contrary voice is that of Jim Wayman,
the director of the Department of Defense-funded
National Biometric Test Center at San Jose State
University. "There's no technical justification for the
'hybrid' movement," he said. "If you've got a fingerprint
scanner and you want more information, then take
more fingerprints. You're better off with two
fingerprints than with one fingerprint and a face
[scan]."
Biometrics also looks likely to sweep further into
networking and Internet territory. Biometrics
Consortium member Miros, in Wellesley, Mass., a
pioneer in face recognition, is working with banking
giant Mr. Payroll, in Fort Worth, Texas, on
check-cashing ATMs, and with India Oil on employee
verification identification systems.
Miros is about ready to roll with TrueFace Web
server, a group of products that attaches directly to a
Windows NT network. The company is working with
encryption giant RSA Data Security on related
applications.
The National Registry also is incorporating Internet
access and RSA security in its products. And IBM's
Hopkins said, "We've already got network-computer
log-on with fingerprints at IBM, so there's the ability
there to extend it to cover Internet, as well."
However, San Jose State's Wayman isn't so sure
about Internet biometrics. His center, which answers
to the Biometric Consortium, is asking hard questions.
"Do you want to have your fingerprints floating around
on the Internet?" Wayman asked. "It's not like a credit
card on the Net -- you can't just cancel or replace it if
it's lost or stolen."
Indeed, Wayman said, "Nobody's agreed that
standardization [in biometrics] is a good thing. Look at
government agencies, such as the Metro Toronto
Department of Social Services. They want to be
assured that biometric information cannot be
exchanged in order to protect their people." |
