The Biometric Kiosk





Introduction


Designing a kiosk with biometric capabilities is not just a question of gathering together OEM components and somehow getting them to work in situ. There are many other considerations around relative performance, interoperability and scalability, ongoing maintenance and sustainability, relationships with other components and of course intelligent integration with host systems. While there have been numerous prototypes and various examples offered for sale, we have yet to see this issue addressed from an in-depth perspective, in such a way that would satisfy typical usage aspirations in both the short and longer terms. This is particularly pertinent with respect to the aviation and travel sector, where parallel developments in both documentation and security processes will point increasingly towards the use of such a device.


This paper consequently explores some of the relevant issues and offers suggestions for those either designing or aspiring to deploy such devices, especially where relevant to large scale public applications.



The simple view


It is tempting to think simply in terms of hardware and how the various components may be brought together. Taking this approach almost anyone could build a biometric kiosk and, in isolation, demonstrate it to work. However, if random examples of such devices were variously distributed throughout the operational environment, it would be difficult to achieve an acceptable level of consistency, either locally or across operational sites, such as would be the case for cross-border travel.





Figure 1. The conceptual biometric kiosk (components shown: camera device, touch screen, passport reader, fingerprint reader, document delivery)



Furthermore, without a consistent and sustainable operation, one would have to seriously question any advantage in deploying such devices at all. There would be little value in biometric identity verification checks returning different results for the same individual when using different kiosks. We could of course reduce the matching threshold to such a low level that virtually any transaction returns a positive result, but this would again have questionable real value, except perhaps for a temporary psychological one.

It is not enough to simply integrate the hardware and get it working within an attractive looking package. We must understand both usage aspirations and the related operational implications, before taking an in-depth look at how best to design and deploy such devices.



Getting back to basics


Perhaps the first question is why would anyone contemplate the use of such a device in the first place? In this respect, there are certain recent developments which are hard to ignore. The forthcoming ICAO recommendations for next generation passports incorporating biometrics, the US aspirations for biometric visas, existing border control operations using biometrics in Singapore, Malaysia, The Netherlands and elsewhere being just a few. It is clear that several governments are taking an active interest in the use of biometrics for general citizen ID purposes and, in particular, for border crossing applications. If we are to see biometrics being used increasingly within the airport environment, how does this sit with the general aspiration towards self service? Will it be possible to successfully integrate biometrics into self service kiosks? Will governments start to link biometric identity verification checks with authority to carry and the provision of advance passenger information? Will carriers seek to collect API information via kiosks?


If we follow this train of thought, the vision of the airport of the future featuring automated identity verification checks for travellers becomes a real possibility, assuming that a robust and sustainable infrastructure can be provided which meets such aspirations without an undue impact upon operations.


The first task therefore is to predict the processes which may be required. If, for example, a particular country requested a biometric check for all incoming travellers, where could this check be undertaken and against what reference data? It would be possible for each country to maintain a huge database of biometric samples registered against identities in order to provide a reference to check against, but this may be far from an ideal situation, resulting in much duplication, not to mention the potential for well-organised fraud. Countries could share such databases of biometric templates, but what happens if the claimed identity matches in one database and not the other? Also, at what point is the verification undertaken? We would not particularly wish to start sending huge quantities of biometric data across networks. A more realistic approach would be to verify identity against a known document, such as the biometric passport or citizen's identity card, at the point where verification is required. This could be at one or both ends of a journey. If the primary question is "does the biometric match that of the claimed individual identity" then this approach could work well. Indeed, it is already working well for certain border crossing scenarios, but in a relatively isolated manner where interoperability has not hitherto been an issue.


When we consider the broader perspective, it becomes clear that we should also consider factors such as interoperability, scalability and sustainability. We should be striving for a consistent user experience delivering consistent results in a manner which promotes confidence in the concept for all concerned. For this, we require confidence in the registration process and confidence in the infrastructure which enables automated identity verification checks. The former is mostly in the hands of government. The latter may be a product of intelligent design.



Some of the issues


Many of the issues around providing a competent biometric kiosk lie in the realms of variables. Variable environmental conditions, variable transducer alignment and calibration, variable performance between component samples, variable reference template quality and, especially, human factor variables such as ethnicity, ageing, relative fitness and user psychology. Managing these variables will always involve compromises of one sort or another. However, before we can manage them, we must understand them. We must also understand what this means with regard to interoperability. Many equate the term interoperability with technical interoperability, often managed via the simple alignment of specifications. However, in the context of cross border travel and biometrics we have a much broader definition to consider, including equivalence of process, relative matching performance, quality of registration and a host of other factors which could result in variable results from one location to another, even within the same country. In such a scenario, what happens when a traveller's identity is verified at the start of a journey and rejected at the other end due to a mis-match of biometric data? What happens on a multi-segment journey which may return several conflicting results? What happens when a traveller's biometric identity verification check returns positive on one day and negative on the next?



Figure 2. Equivalence of process and performance (diagram labels: Departure, Intermediate Points, Arrival, with Match and Fail outcomes)



It would be quite possible to have multiple instances of the scenario depicted in Figure 2, whereby the same individual has a chequered experience and audit trail of biometric identity checks. What does this mean in terms of really verifying their identity? Clearly we must have well-defined processes and exception handling in place, but we should also ensure that we don't accentuate the problem with ill-conceived infrastructures and components. In this respect, we must understand how the infrastructural components might contribute to overall variability and seek to minimise this impact accordingly. A well-designed kiosk may enhance the potential for consistency, whereas an ill-conceived device will almost certainly achieve the opposite effect.



Some of the requirements


Let us examine some of the requirements and consider how they may be met by a kiosk device.


1. The kiosk should be capable of reading the widest range of accepted travel documents. This includes the ability to read both passive documents and their MRZ as well as the new generation ICAO passports with integral contact-less chips using RF technology. This requires the ability to extract the biometric data from the passport in a secure manner ready for use within an identity verification transaction if required at that point. Furthermore, there may be more than one biometric present on the passport and a decision may need to be made accordingly. Another consideration will be the potential use of keys and certificates in relation to new generation passports and kiosk designers must understand this area and be prepared to interface accordingly. The capability to read both current and new generation ICAO passports with the same reading device has already been demonstrated by more than one technology provider and interaction with a PKI should present no particular problems in this respect.

2. The kiosk should be capable of seamlessly integrating biometric capture devices in a manner which ensures their usage only in relation to a specific transaction and with full knowledge and permission of the user. This may involve (with non-contact techniques such as face and iris) a shuttered approach to the device in question.

3. The kiosk should be capable of undertaking a biometric identity verification check using a live sample against a stored reference. This stored reference would ordinarily be provided by the travel document. However, it may be useful to include the capability to access a template within an external database. The pertinence of the biometric check will depend partly upon the calibration of the device in question. Most devices have a variable threshold which may be adjusted in software, biasing the probability of errors towards either false matches or false non-matches accordingly. There are two issues here. Firstly, that kiosks featuring biometric capability should have this function calibrated to an equivalent, known level across different deployment areas. Secondly, that there should be a published specification showing precisely how different calibration settings affect the expected performance of the device. This specification should cover each biometric device separately and should include reference against a benchmark for each biometric technique. At present, an internationally agreed performance benchmark does not exist, although separate research will address this issue.

4. The kiosk should be capable of meeting all known and anticipated requirements for API. This will involve a close collaboration with those providing or maintaining the associated airline systems which are providing this information at present. However, there is much that kiosk providers could do to anticipate this requirement, both in understanding the broader API situation and ensuring that the kiosk operational software is modular and capable of easy communication with other systems. Similarly, the biometric functionality may be configured in a modular manner, enabling it to be called, if necessary, at an appropriate point within a transaction.

5. The kiosk should comply with all accepted principles of data protection and privacy and should not store any user related data, including biometric data, or use it for any purpose other than that expressly stated in relation to a given transaction.

6. The kiosk should be designed in a modular fashion, enabling components such as document readers and biometric capture devices to be replaced in the field in a hot-swappable manner, without prejudice as to version. In this respect, both physical and logical interfaces must be provided to a known and accepted standard.

7. Usability should be carefully considered to ensure that the majority of individuals may use the full functionality of the kiosk. We must therefore consider variables of stature, age and disability in order to provide the most consistent experience for the majority.

8. The kiosk functionality should also be considered for alternative physical deployments, for example in conjunction with automatic gates. If designed in a modular fashion, this should be easily possible.
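
The following added example, which is not part of the original paper, illustrates requirement 3: a single shared threshold gives different false match rates on different capture devices, whereas calibrating each kiosk to the same target false match rate gives an equivalent, known level. The kiosk names, all comparison scores and the target rate of 0.1 are constructed assumptions.

```python
# Added example: calibrating two kiosks to an equivalent false match rate.
# Kiosk names and all scores are constructed sample data (assumptions).
import math

KIOSKS = {
    "kiosk_a": {
        "genuine": [0.55, 0.60, 0.66, 0.70, 0.72, 0.78, 0.80, 0.85, 0.90, 0.95],
        "impostor": [0.10, 0.15, 0.20, 0.22, 0.25, 0.30, 0.32, 0.35, 0.41, 0.48],
    },
    "kiosk_b": {  # different capture device: impostor scores run higher
        "genuine": [0.58, 0.64, 0.69, 0.73, 0.77, 0.81, 0.84, 0.88, 0.92, 0.97],
        "impostor": [0.20, 0.28, 0.33, 0.38, 0.42, 0.47, 0.52, 0.56, 0.61, 0.66],
    },
}

def error_rates(scores, threshold):
    """Return (false match rate, false non-match rate); score >= threshold matches."""
    fm = sum(s >= threshold for s in scores["impostor"])
    fnm = sum(s < threshold for s in scores["genuine"])
    return fm / len(scores["impostor"]), fnm / len(scores["genuine"])

def calibrate(scores, target_fmr):
    """Lowest observed impostor score usable as a threshold with FMR <= target_fmr."""
    for t in sorted(set(scores["impostor"])) + [math.inf]:
        if error_rates(scores, t)[0] <= target_fmr:
            return t  # math.inf (reject everything) always satisfies the target

def report(target_fmr=0.1, shared_threshold=0.50):
    """Compare one shared threshold with per-kiosk calibration to target_fmr."""
    rows = {}
    for name, scores in KIOSKS.items():
        t = calibrate(scores, target_fmr)
        rows[name] = {
            "shared": error_rates(scores, shared_threshold),
            "threshold": t,
            "calibrated": error_rates(scores, t),
        }
    return rows

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

With this constructed data, equalising the false match rate still leaves the two kiosks with different false non-match rates, which is the kind of per-device figure the published specification in requirement 3 would record.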



Moving on


Before we can comply with an agreed operational methodology, including calibration for a given performance level, such a methodology must exist and be agreed on a bi-lateral or multi-lateral basis. It must also be properly documented and made available throughout the community concerned, including government agencies, carriers and technology providers. Background research currently being undertaken will provide a framework in this context. However, technology providers can do much to prepare by understanding the related issues in depth, testing capture devices and operational performance in a realistic manner and documenting their findings. Government agencies must also understand the implications and consider their future requirements accordingly. This is also the case for stand alone points of presence where biometric identity verification checks are currently undertaken. Much good information and experience exists, but we need a higher level of coordination and documentation. In addition, we need to take a more international approach to the situation. Background developments already referred to should help to facilitate this in 2004, producing a blueprint for performance and calibration, interoperability, scalability and sustainability.



Julian Ashbourn


January 2004