Having His Subordinate's Back: NIST Director Patrick Gallagher

Iris recognition technology has made tremendous strides in recent years, and has become the second most supported biometric characteristic after fingerprint as a means of authentication. Despite the advances, more work is needed to achieve greater use of biometrics as an authenticator, says Patrick Grother, a computer scientist at the National Institute of Standards and Technology.

"Iris recognition algorithms themselves are still a subject of a considerable amount of work and that centers around our finding the iris in an image," Grother said in an interview with GovInfoSecurity.com (transcript below). "Once you have found an iris, it is usually possible to match it with high accuracy, but the iris segmentation problem, that initial detection and segmentation, is still a subject of research."

In an interview, Grother discusses:

Advances in iris recognition technology;

When one biometric is better than another as a means of identification and authentication; and

The Iris Exchange, or IREX, a program NIST founded to encourage collaboration in development of iris recognition algorithms operating on images conforming to the new ISO/IEC 19794-6 standard.

Grother was interviewed by Eric Chabrow, GovInfoSecurity.com managing editor.

ERIC CHABROW: What is NIST's role in developing new biometric tools, tests, metrics and standards and what type of work is NIST performing regarding biometrics?

PATRICK GROTHER: NIST executes the function of measurements and standardization in various technical areas ranging from physics to chemistry to IT and biometrics is part of the IT laboratory at NIST and we support standardization of a new and emerging field.

CHABROW: Where do biometrics fit as a means of authentication and providing access to key federal information systems? What is the current status and where do you see biometrics as a tool for authentication evolving over the next year, five years, and into the future?

GROTHER: Biometrics, of course, allows you to bind the person to the credential so that you have a technical means of verifying the person is who they say that they are. Fingerprints have been used extensively in the past and they are the main biometric element on the federal personal identity verification credential, the PIV Card. That credential is issued to all federal employees and contractors and I think there are in excess of $3 million of those cards currently being issued.

The status of the project is that the PIV Card will be extended to include other biometrics going forward, and the first one of those will be an iris image to give government agencies a second option for using biometric authentication.

CHABROW: Let's talk a little bit about the iris. NIST recently issued a report about iris biometrics, which you helped co-author. From the Iris Exchange, known by the acronym IREX, first off what is IREX?

GROTHER: IREX is an umbrella program to support iris image interoperability. It is getting away from iris codes, which are proprietary template representations of irises and instead having a standard image and so IREX supports the format for those images, the standards for those images and the properties of those images so we can think about image quality and interruptability and accuracy from the image.

CHABROW: The report from IREX demonstrated that iris recognition algorithms can maintain their accuracy and interoperability with compact images affirming their potential for large-scale management applications, such as the personal identity verification program, cyber security and counter terrorism. First, in this context, what does compact image mean and why is that significant?

GROTHER: For all biometrics there is an operational reality that you want to have small amounts of biometric data and that is particularly true for biometrically enabled smart cards, identity credentials, but it is also true for network-based biometric applications like the big government agencies would run. And so there are these two use cases, one is to put the biometric element on the smart card and then you are interested in a small record, a few kilobytes; and the other application is the network centric application where you pass data across a bandwidth limited network, and in both cases operational constraints mean that you want to use as small amount of data as possible.

In the past, the FBI has sponsored work to establish the limits of compression for fingerprints and there is being work done similarly for face recognition and the IREX program, one of its tasks, was to find out how far you could compress an iris image so that it could be stored on an identity credential or sent across a network.

CHABROW: I am trying to visualize how a smart card would work with iris code in there; is it swiping it to identify the card holder and then looking into some kind of mechanism that looks at the iris? How does that work?

GROTHER: If we look just for a moment at the e-passport, the electronic passport, that today contains a face image, and that is read across a contact with interface. There are systems where you would appear at an airport, you would stand in front of a camera, place your passport on the reader and the facial image would be read from the passport and compared to an image from the camera. If the images are a match, then that is part of the authentication of the passport and the passport holder.

Similarly, with something like a PIV card, you would have the biometric data on the card and you could read an iris image or fingerprint template from the card and match it against a newly acquired sample, either as part of physical access control or logical access control. In either case, you seek to bind the identity, verify the identity.

CHABROW: The new research seems to suggest that the images don't have to be as sophisticated as they once were. Is that correct?

GROTHER: The image itself has changed a little bit. Back in 2005, the image format that had been standardized was a polar format and that means the iris texture was sampled circumferentially and radially. Now, that format has been deprecated and instead we have what are called rectilinear formats, which are really just master images of the eye, gray-scale images of the eye. They are somewhat specialized to support compression and that allows iris images to be stored on a smart card credential and it is something like three kilobytes and that is appreciably smaller than, for example, a face image but somewhat bigger than a fingerprint minutia template.

CHABROW: The idea is that it takes up less space and therefore can be placed on a card or more easily sent through an information system thus it would make the use of iris recognition as a biometric more useable. Is that correct?

GROTHER: Yes, that's correct. The smaller that you can make the image, the faster it will be read from the card and the more usable the system will be.

CHABROW: At some point would the card be necessary from going to seek access whether it is to a physical facility or to an IT system if there is somewhere in the database my iris, why would I need the token in addition to just having that scanned?

GROTHER: You would not and certainly there are applications where biometric data is used in a one-to-many mode without the presentation of a credential. My gymnasium just requires me to put the fingerprint on a sensor and it compares me with 2,600 people that are members of that gym and it says am I one of them or not; am I allowed into the gym or not? Similarly, you can do that with an iris and an iris is quite suitable for one-to-many applications like that, and of course 2,600 is not that big of a population compared to a national scale ID system. There are operational systems that work with iris today in that mode.

CHABROW: So it depends on obviously the system that you are dealing with whether you would need a token or not?

GROTHER: Right. And the operational requirements, if you present a token then that takes some time and it is better to do things in a one-to-many mode if that throughput is a constraint for you.

CHABROW: Where are we now in a sense of having these applications being very practical using the iris as a biometric tool to gain access to a system?

GROTHER: There has been considerable investment in iris camera technology, both government investment and also private sector investment and venture capital. The number of camera providers and the number of algorithm providers have increased in the last five years by something like an order of magnitude. The iris recognition industry is somewhat bigger than the face recognition industry; both of them are quite a bit smaller than the fingerprint industry. That investment in iris capture technology and iris recognition technology is giving a lot more options for people to use iris recognition.

CHABROW: Is iris a better biometric than fingerprints?

GROTHER: You know that is a very difficult question to ask and it is sort of the most common question to be asked. Iris is a biometric, fingerprint is a biometric; to evaluate which one is better you really want to think about what the application requires. If it requires that somebody cannot touch the sensor, then fingerprint is off the table. In some cultures, much of the body is covered up, the headscarf would obviously prevent face recognition and in that point iris recognition would come into its own. So which is the best biometric is not really the right question, it is which is the most appropriate biometric?

CHABROW: Let me back up a bit. The ability to create biometrics that require less code, does that also help in the sense of the reading device that you could maybe have or maybe a standard camera that you don't necessarily have to put your eye up against something, you just make sure your eye is open and snap the photo and then check the iris?

GROTHER: The format for the image that comes out of an iris camera, it doesn't have so much to do with the actual function of the iris camera so there is a lot of effort being put into iris camera technology to make them easier to use. Now you can capture iris from somebody who is standing just a few meters from the camera, and also people who are moving toward the camera. Both of those cases, the lack of constraints around the capture and that opportunity allows you to capture an image more quickly and that can be operationally useful. But the image itself will come out of that camera and be passed to a recognition algorithm downstream.

CHABROW: So could you have a system set up sort of like EZ-Pass you know, just kind of capturing people as they walk through an area?

GROTHER: Certainly. And that is being tested and evaluated and companies have products aimed at just that application.

CHABROW: Are biometrics something that should or could replace passwords and other forms of authentication? I mean this way you don't have to store passwords or PIN numbers and things like that that often could be stolen.

GROTHER: Certainly that is an argument that is being made for biometrics for a long time. It hasn't quite come to fruition and I am not really sure of the reasons why; it may be economics as the prospect or it may be that some people are unable to present the biometric in the general case and that corresponds to people forgetting their PIN, but the PIN can be replaced and the biometric cannot.

CHABROW: Would we be more secure if we didn't have to worry about storing things such as PINs and passwords?

GROTHER: That argument is being made, too. I haven't done an analysis of this in any detail and it is an issue because it is security related; it warrants some analysis.

CHABROW: What are some of the challenges in making iris scanning more practical as a means of authentication?

GROTHER: The challenges are imaging technology and how you capture an iris and a lot of work is being done there. The standardization aspect has been largely covered now with the revision of the ISO Iris Image Standard, which is expected in 2010. And then iris recognition algorithms themselves are still a subject of a considerable amount of work and that centers around our finding the iris in an image. Once you have found an iris it is usually possible to match it with high accuracy, but the iris segmentation problem, that initial detection and segmentation, is still a subject of research.

CHABROW: The idea is that as a means of authenticating the data from an iris that you don't need the entire iris, just a segment of the iris?

GROTHER: You do need the entire iris. It is better to have the entire iris, but you want to locate it correctly. So you don't want to find part of the eye socket for example and think that is the iris and some algorithms will make mistakes like that. They have to run in an automated mode and they may actually find the wrong object in the scene.

CHABROW: So that is still a challenge then to come up with these algorithms that can correctly identify the iris?

GROTHER: Right. You know the eyelids can occlude the iris, there can be eyelashes, there can be some reflections and these things are an image processing challenge to some extent. There has been an enormous amount of work that is being done on that and the technology has improved.

CHABROW: So how promising do you find iris and other kinds of biometric technologies and do you find iris the most promising?

GROTHER: To answer that question you really need to roll out the various biometrics in the application that you are targeting. So if it was physical access control into a federal workplace, for example, you should really run some kind of scenario test or operational pilot to see which technology is capable of being used in that environment. Some of that depends, for example, on whether the users of the system are cooperative or not and are familiar with the system or not. If they use it daily that is somewhat different than using it just every six months. These factors, these measurements that you would have to make are what would drive the decision on what biometric.

CHABROW: It is interesting, I don't know if this is something that you consider when you are developing standards or other forms of testing, but the human factor, the human element, how comfortable an individual is with using a certain form of data, whether it is a biometric or a PIN and verifying who they are.

GROTHER: Yes, certainly the human factor aspect is intrinsic to the whole biometric field of course because we start off with an analog object like a fingerprint or an iris or a face and we digitize it and then pass it to a computer algorithm. So that interface, of course, is subject to human factors work and the discipline of testing, which is usually scenario testing, has long understood that people present to systems in varied ways. Not everybody can hold their head up to a face recognition camera or an iris camera. Not everybody can flatten their palm for a hand geometry reader and some people don't have fingerprints and it's handling these cases and understanding that they exist, which is the driver for the operational use of biometrics.

CHABROW: When you develop standards or metrics, are you ever concerned about privacy issues?

GROTHER: Certainly, there have been standardization efforts around the security of biometric data and the privacy of biometric data. Using cryptography to protect biometric data is an ongoing topic. Using something called cancelable biometrics is another approach to looking after privacy. A third approach is to do match on card, which involves templates or biometric samples that are always stored on the credential and never leave the credential.
