Trusted identity management across the entire enterprise

NIST report, experts say security of IoT, mobile devices must be addressed (Biometric Update)

“Physical, sensing, actuating, computing and other security access control systems — including the spectrum of biometric usage such as biometric access and security systems; door, parking facilities, elevators, communication facilities, and rooms; occupant interface dashboards; and universal control and monitoring systems — are among the issues discussed in the recently released National Institute of Standards and Technology’s (NIST) Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT), prepared by the Interagency International Cybersecurity Standardization Working Group.”

Securlinx CEO Barry Hodge noted this morning:

IdentiTrac is the Securlinx flagship identity assurance platform that supports all of our ID management applications and integrates with users’ existing data infrastructure.

The source NIST draft report is available here:
Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) (NIST.gov)

US: IBIA wants NIST to do more for biometrics

NIST Urged to Expand Role of Biometric Authentication (Find Biometrics)

…IBIA Vice Chairman Walter Hamilton pointed to recent years’ “surge in the use of biometric technologies for mobile banking and other e-authentication applications,” adding that “NIST should support this trend by providing guidance on how to ensure the effective implementation of biometrics as an authentication token rather than narrowly limiting its use.”

Good news for iris biometrics


Notice: Link goes to a 22 MB pdf…

IREX VI – Temporal Stability of Iris Recognition Accuracy (United States National Institute of Standards and Technology – NIST)

Using two large operational datasets, we find no evidence of a widespread iris ageing effect. Specifically, the population statistics (mean and variance) are constant over periods of up to nine years. This is consistent with the ability to enroll most individuals and see no degradation in overall recognition accuracy. Furthermore, we compute an ageing rate for how quickly recognition degrades with changes in the iris anatomy; this estimate suggests that iris recognition of average individuals will remain viable over decades.

There’s a whole lot of technical detail in the full report.

The executive summary continues on to say…

However, given the large population sizes, we identify a small percentage of individuals whose recognition scores do degrade consistent with disease or an ageing effect. These results are confined to adult populations. Additionally, we show that the template ageing reported in the Notre Dame studies is largely due to systematic dilation change over the collection period. Pupil dilation varies under environmental and several biological influences, with variations occurring on timescales ranging from below one second up to several decades. Our data suggests that the natural constriction of pupil size over decades does not necessitate re-enrollment of a well enrolled iris.

Some people really love stovepipes…

…otherwise there wouldn’t be so many.

Congress demands progress on advanced ID cards (FCW)

“We’ve spent billions and we have nothing to show for it,” said Rep. John Mica (R-Fla.) at a June 19 hearing addressing lagging implementation of fingerprint and iris recognition technology. Mica, who chairs the House Oversight and Government Reform Committee’s Subcommittee on Government Operations, noted various examples of flawed federal biometric ID efforts, including the Transportation Workers Identification Credential, or TWIC card, and the Federal Aviation Administration’s new pilot’s license — which does not include a photo of the licensee.

“It’s mind boggling that we have nothing close to meeting with the intent of the 2004 law,” said Mica. “Is there any sense of urgency here?” asked Rep. Gerry Connolly (D-Va.), the subcommittee’s ranking minority member.

Witnesses included managers from the National Institute of Standards and Technology, FAA, Customs and Border Protection and the State Department.

It’s stunning that pilots’ licenses still don’t have photographs on them. Lots of good information awaits those who click the link.

NIST seeks to refine standards for oral biometric modalities, among others

NIST Biometric Workshop Studies Voice, Dental, Oral Standards (Press Release via Thomas Net)

A working group of international dental and forensic experts has developed a draft dental and oral biometric data record that would ease identification of bodies in disasters such as an airplane crash. For instance, if bodies are burned beyond recognition, photographs or fingerprints might not offer practical means of identification; in such instances, forensic analysts turn next to dental and oral information. Developing this standard was challenging due to the variety of ways dentists around the world keep dental records, but could offer an interoperable mechanism to exchange such information in the future.

“Oral” measurements and images include attributes such as lip prints and soft palate impressions. Lip prints can sometimes be linked to specific persons and may be found on objects at crime scenes.

The proposed Dental and Oral Supplement would enable the exchange of images and descriptions of pattern injuries on persons, some of which may resemble bite marks, and to allow transmission of imagery such as X-rays and sonograms.

The workshop also will collect information to develop recommended best practices for identifying disaster victims. A panel will discuss the use of various biometric data in identifying victims, including DNA, facial characteristics, tattoos, dental records and fingerprints. This project is in conjunction with the international Scientific Working Group for Disaster Victim Identification.

More at the link above.

More information on the NIST Biometric Conformance Test Software

Are your biometrics up to snuff? Free suite tests for compliance (GCN.com)

The BioCTS suite checks that the record of an iris image or other piece of biometric data being used has the correct data and in the order called for by the standard, so that it can be sent to and received correctly and filed accurately by any user, from the Homeland Security Department to state and local police departments. The conformance testing provides programmers, users and product purchasers with an increased level of confidence in product compliance and increases the probability of successful interoperability.

The tests do not ensure interoperability of different products, however; only that they adhere to common standards, Podio said. “Conformance increases the probability of interoperability, but cannot ensure it because of all the possible implementations that can be included” in a product. Each developer can implement different profiles from the standard, depending on how the product will be used.

More good analysis and links at the GCN link above.

National Strategy for Trusted Identities in Cyberspace (NSTIC) Background and Progress Report

ID management: A matter of trust (Federal Computer Week)

In April 2011, the Obama administration launched a plan called the National Strategy for Trusted Identities in Cyberspace (NSTIC) to encourage the private sector to develop, with federal support and input, online ID and authentication systems that people could use and government agencies, other organizations and commercial players could accept without each needing to create their own vetting systems.

At this point, NSTIC supporters are making headway, though perhaps not in a headline-grabbing way. Earlier this month, the Identity Ecosystem Steering Group, a federally supported committee led by the private sector that will guide creation of NSTIC-style systems, met for the first time in Chicago to hash out plans for addressing privacy, standards, usability, contracts and other key components.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is being run by the National Institute of Standards and Technology (NIST) to encourage the development and adoption of standards for ID management. The recent Apple-Amazon hack points to why this is important.

In an environment where everyone has to create their own ID management system, it is inevitable that organizations will create exploitable gaps in the way they emphasize the importance of information. In this case, Amazon (like many other companies, just check your restaurant receipt) treated the last four numbers of a credit card as non-secure information, while Apple used the same information for logical access control.

Initiatives like NSTIC hope to help companies and government agencies work through ways to make this kind of thing less likely.