Mobile ID, the Size Compromise Carl Gohringer, Strategic Business Development E-MOBIDIG Meeting, Bern, 25/26 September 1
Presentation Plan The quest for increased matching accuracy. Increased adoption of Palm prints and 1000 PPI resolution Increased adoption of mobile ID Increased no. of projects; Early history ; Observations & Standards Standards explained A) PIV & Appendix F; B) Mobile ID best practices explained 3 rd Party tests and results: A) UIDAI; B) NIST Conclusions Questions? 2
The quest for increased accuracy: Palm print + 1000PPI Proven fact: Fingerprint/Palm print Image quality and size directly correlate to matching performance. Result: Law Enforcement around the globe is adopting devices with larger scanning areas and higher scanning resolutions to feed their AFIS. Examples (only). Adoption of / By Palm LS 1000 PPI LS UK Ident1/NPIA 2002 - FBI 2002 2010 or 2011 RCMP 2002 2010 Norway PDMT 1998 2005 3
The quest for increased accuracy: Multi-Factor Identification 4
The quest for increased accuracy: Palm print + 1000PPI Increase in image quality True1000ppi L Scan 1000P VS. 500ppi re-sampled to 1000ppi 1000ppi L Scan 1000PX VS. 500ppi on L Scan 500P Main objective: increase ID accuracy Increase in scanning area / size 5
Mobile ID Definition: Rapid Mobile Identification w/ 2 fp against an AFIS Increasing demand and multiple applications: Mobile ID, Special Operative/forces, Forensic investigation, port police, border control, etc. Increasing offer: Mobile ID: Rapidly increasing demand Increasing quantity of projects: Rapid ID: Several US States/counties. Swiss Mobile AFIS, Police, Switzerland Lantern/MIDAS/Mobile ID, UK Mobile ID, PSNI, Northern Ireland 6
Mobile ID: Early History and Standards Result: Increased no. of public tenders and deployments. Requirements mainly driven by operational needs and the Officer s convenience/tolerance. Size, weight and usability (ergonomics, functionality) = main selectors 7
Mobile ID: Early History and Standards Observations: The contrast between no-mobility and mobility = positive But little to no benchmarking done on matching accuracy between devices and vendors. Few to no credible industry 3 rd party standards and best practices considered or reflected in evaluation criteria. Some earlier projects specified FBI PIV standard Was the only NIST / FBI standard related to mobile handheld devices. Since 2010 we have: NIST Mobile ID best practices and SAP levels. Under Appendix F certification, specifically for Mobile Identification scenarios. 8
Milestones of Image quality at FBI (FBI / NIST EBTS standard) the FBI has developed this standard for electronically encoding and transmitting biometric image, identification, and arrest data Major milestones for image quality evaluation FBI Appendix G 1995 FBI Appendix F 1999 FBI PIV 2006 FBI Mobile ID 2010 Interim image quality specifications Final image quality specifications with increased requirements Lower-level standard for one-to-one fingerprint verification New category within App. F for Mobile Identification 9
Mobile ID: PIV and Appendix F Standards What are the standards? There are two standards currently in use for fingerprints: Appendix F and PIV-071006. Appendix F has stringent image quality conditions, focusing on the human fingerprint comparison and facilitating large scale machine manyto-many matching operation. PIV-071006 is a lower-level standard designed to support one-to-one fingerprint verification. Certification is available for devices intended for use in the FIPS 201 PIV program. Reference: https://www.fbibiospecs.org/iafis_faq.html 10
FBI scanner certification categories PIV (Personal Identity Verification) For enrolment and ID authentication (mainly single finger scanners) Mobile ID For scanners capturing flat and rolled fingers in a portable acquisition station FBI scanner certification categories ID FLATS For scanners capturing flat fingers only in a 3.2 x 3.0 image capture area. Livescan For scanners capturing flat and rolled fingers in a 3.2 x 3.0 image capture area ID Verification = 1:1 Match Identification = 1:n Match 11
Mobile ID: FBI image quality requirements 4 Cert. Categories 2 Image Quality Standards PIV Appendix F PIV Identification Flats Livescan Mobile ID 12
Mobile ID: NIST Best Practice Recommendation NIST NIST stands for National Institute of Standards and Technology Body of standards recognized not only in the USA, but also worldwide In August 2009, NIST published «Mobile ID Device Best Practice Recommendation» 2012 2011 Cross Cross Match Match Technologies 13
Mobile ID: Understanding SAP / FAP levels A mobile identification device is a livescanner viewed in the context of a portable biometric acquisition station SAP means Subject Acquisition Profile FAP = is the SAP for Fingerprint Set of characteristics concerning the capture of a biometric sample. Device capture dimensions It is Applicable to 3 biometric modalities: fingerprint (FAP), face and iris. The higher the SAP/FAP level value, the stronger the acquisition requirements FAP Levels Number of fingers Image quality specification 14
Mobile ID: SAP / FAP levels Verification Mobile ID Minimum SAP Level Source: Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information from NIST 2012 2011 Cross Cross Match Match Technologies 15
Mobile ID: Operational Environment & Risk Level Risk levels according to NIST Severe risk levels imply that loss of life and/or property can result if accurate identification or verification is not made. A moderate risk environment is defined for those encounters with a subject with no or questionable identification. An officer cannot detain a subject for more than a limited amount of time without making an arrest. In this situation, it is necessary to quickly identify the subject or retain biometric information sufficient to verify the subject s identity at a later date. A mild risk environment is defined for those encounters where enrollment and identification data will be used at a later date. At that time the subject would be available for comparison to the data previously retained. Examples of mild enrollments include preparing for future logical or physical access control for a subject, or retaining one or more biometric images for verification in court while the subject is available. Verification examples include tracking a subject through the jail or court system using the retained biometric images. In these cases a failure to match would result in additional action to verify the subject s identity, primarily inconveniencing no one but the subject. 2012 Cross CONFIDENTIAL Match Technologies & PROPRIETARY FOR INTERNAL USE ONLY 16
Mobile ID: Understanding the function Enrollment (example: a complete civil or criminal booking) Identification (trying to determine the identity of someone): 1:n comparaison Verification (trying to validate the identity of someone): 1:1 comparaison 2012 Cross CONFIDENTIAL Match Technologies & PROPRIETARY FOR INTERNAL USE ONLY 17
Mobile ID: SAP level for police work The case for SAP 30 We can safely assume that the risk factor would be moderate We also know what we are trying to achieve: identification So what do NIST Best Practices recommend for such a scenario? 2012 Cross CONFIDENTIAL Match Technologies & PROPRIETARY FOR INTERNAL USE ONLY 18
19
Mobile ID: Capture dimensions of FAP levels Rolled impressions FAP 10 FAP 20 FAP 30 Flat impressions FAP 10 FAP 20 FAP 30 20
FAP Level Mobile ID: Conclusion on Size Compromise Certification category Specification Capture dimension (WxH) Number of simultaneous captured flat fingers FAP 10 PIV-071006 0.5 x 0.65 12.7mm x 16.5mm 1 FAP 20 PIV-071006 0.6 x 0.8 15.2mm x 20,3mm 1 FAP 30 PIV-071006 0.8 x 1.0 20,3mm x 25,4mm 1 Direct correlation between Scanner Size and device FAP Level. The > the size, the > FAP level FAP 30 > and Image Quality level than FAP 10 or FAP 20 (Apx F vs. PIV) The > size = > Quality = > weight = > $ Size/Weight/Costs 21
UID study: Determining best authentication accuracy using fingerprints > 620 million people enrolled 22
The UID study The Size Compromise: 3 rd Party tests Unique ID Authority of India (UIDAI) overseeing largest biometric deployment in the history of mankind Stringent requirements + a certification authority to authorize devices + technologies UIDIA published study evaluating SAP levels corrolation to matching accuracy Results: «Amongst the 26 devices studies, the single finger unlabeled FRR (False Rejection Rate) for up to 3 attempts varied from 2% to 23%! Concretely, we have: SAP10 SAP20 FRR 9,69% @ FAR 0.0001 FRR 2,92% @ FAR 0.0001 FRR 6,51% @ FAR 0.001 FRR 1,68% @ FAR 0.001 Single finger, 3 attempts Which led UIDIA to conclude: «Larger sensors provided better accuracy than smaller sensors» 2012 Cross CONFIDENTIAL Match Technologies & PROPRIETARY FOR INTERNAL USE ONLY 23
The Size Compromise: UID Fingerprint accuracy study Test setup Proof-of-Concept studies in 8 states Period: Apr. 2011 Jan 2012 35.000 Aadhaar holders (mixed by gender, age and place of living) 15 scanner models Factors investigated Different sensor technologies Different minutiae extractors Number of fingers Fingerprint quality Best finger analysis Network (availability, bandwidth, service provider, landline vs. mobile, reliability & latency factors across networks) 24
The Size Compromise: UID study results 25
The Size Compromise: UID study results Device impact on matching accuracy Large sensors (FAP 20 compliant) provide better accuraccy than smaller sensors (FAP10 compliant) Other findings Highlights Using Best Finger for authentication, FRR is much lower (up to 6 times) than using any specific finger Residents in 15-60 years age group showed the best authentication accuracy. Senior residents (60+) had the highest rejection rates. Enrolment NFIQ is poor a indicator to determine the best finger 26
NIST study: Impact of fingerprint capture dimension on matching performance Test setup A. Probe set: 100000 randomly selected images from FBI platinum repository 50.000 images with mated record 50.000 images with non-mated record B. Cut images according to FAP levels 10, 20 and 30 (+ control image) Gallery of 1.615.228 images 1 2 3 27
The Size Compromise: NIST, FAP level vs. accuracy FAP 10 FAP 20 FAP 30 FNIR / FPIR: False Non-Identification Rate / False Positive-Identification Rate FNIR false non-identification rate with FAP 10 almost double that of FAP 20 FAP 30 excels over all FAP levels FPIR not impacted by different FAP levels 28
The Size Compromise: NIST, 2-finger combinations The more fingers the better the matching performance Except for two thumbs, FAP 20/30 with two fingers better matching performance than FAP 10 with four fingers Two thumbs lowest performance across all FAP levels 29
NIST study results (4) Optimization strategy for given systems All test cases against (FAP10/20/30 and finger combinations) against all gallery configurations (flats, rolled, ten-prints) FAP 30 with two index fingers best combination FAP 10 with two index and two middle fingers as alternative Two thumbs lowest performance (all FAP levels) 30
The Size Compromise: 3 rd Party tests Capture dimensions vs. matching performance 1 2 31
The Size Compromise: NIST study conclusions The larger the capture size dimensions, the better the matching performance FAP 30 excels in matching performance over all 3 FAP levels For legacy FAP 10 systems: A combination of 2 index + 2 middle fingers can be an alternative to 2 FAP 30 index fingers. Ten flat fingers provide best matching performance compared to other flat only combinations Using only two fingers: Two index finger provides best and two thumbs provides lowest matching performance Attention: Sequence issues to be considered 32
In the End; Lessons learned: The Size Compromise: Conclusions PIV SAP 10 and SAP 20 = Made for verification, not Identification Better than nothing but not recommended for Mobile ID against AFIS. SAP 30 (PIV and Appendix F certified) = Minimum recommended level for sufficient Identification accuracy against an AFIS. 3 rd party tests show significant % of IDs missed using FAP 10 or FAP 20 (PIV) devices that would have been hits with FAP 30 devices. Scanner Size / weight / cost should be minimized, while avoiding to significantly compromise on matching accuracy (SAP level). Flash new! (of 2014-09-08): PSNI concluded initial trial of SAP 30 mobile ID devices in Belfast. One (1) single weekend. 40-50 transactions. 8 Hits. 8 arrested. 1 jailed. 1 st SAP 30 Mobile ID deployment in UK. Past = SAP 10. 33
THANK YOU! QUESTIONS? Carl Gohringer, 34