
Monday, June 25, 2012

Mobile Device Remote Identity Proofing Part 3 - Apples to Oranges


IV. Apples to Oranges:   


Can a camera in a smart phone be used to capture the images, including those used for biometric identification, required for the enrollment and subsequent vetting of an individual in an Identity Management System (IDMS)? Smart phone manufacturers are equipping their newest products with cameras capable of ten or more megapixels, with Nokia’s latest offering claiming a forty plus megapixel camera! This paper proposes using the camera to capture all of the components required to establish and vet an identity, so it is important to understand some of the terminology involved.

Contrary to popular belief, more megapixels do not make for a better image. It is important to understand what makes up a good image and how it is defined within the multiple industries involved. Most people base image quality on the output or final product, the best example being print media, so this is where we are going to start.

Pictures are printed in DPI, or dots per inch. For example, a newspaper image is printed at 200 to 250 DPI and a magazine image at 400-600 DPI, yet a billboard is typically 30 DPI. When you print a photo on your desktop printer, the optimal setting is 250 DPI. Don’t be fooled by the fact that your typical desktop printer is capable of far greater resolution, typically from 720 to 1440 DPI. The printer may be able to print very small dots, but it can only accurately reproduce colors by combining a large number of dots to emulate various tints. That is why a 250 DPI image offers perfect output quality on a 1000+ DPI printer.

PPI is pixels per inch. PPI is the resolution terminology used in the standards promulgated by the American National Standards Institute (ANSI) and the National Institute for Standards and Technology (NIST). Within the context of this paper, PPI is used to define the resolution of the scanning mechanism used to capture a fingerprint. PPI is an appropriate term to describe scanner input, and it is the term used by the applicable Federal standards, but technically samples per inch (SPI) is more accurate. “For example, if you scan at 200% at 300 PPI or if you scan at 100% at 600 PPI, the scanner [sees] the same data. The PPI is different for each file, but the sampling of the original by the scanner is the same. Maximum SPI of a given device is the optical resolution at 100%” (Creamer, 2006).

How do dots per inch equate to pixels? The term pixel is predominantly used to describe the digital resolution of monitors, televisions, and smart phones. A pixel is one dot of information in a digital photograph. Digital photos today are made up of millions of tiny pixels or dots (mega = million). A digital photo that is made up of 15 megapixels is physically larger than a digital photo made up of 1.5 megapixels, not clearer or sharper. The notable difference is in file size, not picture quality. If you print a 250 DPI picture on an 8.5 by 11 inch piece of paper, you will be printing a maximum of 2125 by 2750 pixels. Most computer screens display at 100 DPI. A 1280 by 1024 resolution on your monitor equates to 1,310,720 pixels, or 1.3 megapixels. This raises the question: why do you need a ten plus megapixel camera to capture a very high quality image? The answer is that you do not.

V.  Camera Technology


With an explanation of some of the terminology behind us, we can explore the use of a digital camera, or a variant of one, to capture the data necessary for enrollment in an identity management system. When the FIPS 201 standard was first published, capturing a facial image of an individual required, by standard, the use of a three point five megapixel camera. This level of resolution was at the top end of the capabilities of digital cameras readily available to the public at the time. Costs of a thousand or more dollars for a camera meeting FIPS requirements were not uncommon. That same camera was also unable to do anything more than capture an individual’s picture. Today native resolutions on smart phone integrated cameras are commonly five times the historical benchmark. Exponential improvements in the image capture hardware, firmware and supporting software should also enable these same devices not only to capture a photo but also to be multi-purposed for barcode reading, OCR-enabled document capture, fingerprint image capture, and even iris image capture. 4G and LTE networks now make high-speed, efficient exchange of data possible, with next generation networks coming on line to reinforce and bolster that capability. Consistent with Moore’s Law, the capability of cell phones is on the steep end of the climb, with exponential growth and improvements in power, processors, and memory.

“A digital camera can capture data based on the mega-pixel ability of its CCD. For example, a 2 megapixel digital camera shoots at approximately 1600x1200. 1600 pixels times 1200 pixels = 1,920,000 total pixels (rounded up). Usually the camera images have no resolution assigned to them (although some cameras can do this). When you open a file into an image editing program such as Photoshop, a resolution HAS to be assigned to the file. Most programs, including Photoshop, use 72 PPI as a default resolution.” (Creamer, 2006)

VI. Establishing ownership


Biometrics is the science and technology of measuring and analyzing biological data.  Biometric identifiers are the distinctive, measurable characteristics used to identify individuals. (Jain, Hong, & Pankanti, 2000) The two categories of biometric identifiers include physiological and behavioral characteristics. (Jain, Flynn, & Ross, 2008)  Physiological characteristics are related to the shape of the body, and include but are not limited to: fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition (which has largely replaced retina), and odor/scent.  Behavioral characteristics are related to the behavior of a person, including but not limited to: typing rhythm, gait, and voice.  

The most common biometric identifiers currently used in IdM systems are fingerprint and facial recognition. With the current PIV and PIV-I programs, a dual approach in accordance with NIST recommendations (NIST, 2003) is used. The capture of these biometric identifiers is easily within the scope of commonly available commercial technologies incorporated into today’s smart devices. It is the analogous algorithms required for image analysis and development of minutia for analytical and comparison purposes that pose the challenge. Current facial recognition software is more than capable of effectively using images captured within the common 8-14 megapixel range of the average smart phone. The technology is rapidly outpacing the market’s ability to sustain new releases and/or uses, as evidenced by Nokia’s release of a smart phone with a 41 megapixel camera sensor dubbed the 808 PureView (Foresman, 2012). So the specific challenge relates to the fingerprint.

 

Works Cited

Creamer, D. (2006). Understanding Resolution and the meaning of DPI, PPI, SPI, & LPI. Retrieved May 30, 2012, from http://www.ideastraining.com: http://www.ideastraining.com/PDFs/UnderstandingResolution.pdf

Foresman, C. (2012, March 2). Innovation or hype? Ars examines Nokia's 41 megapixel smartphone camera. Retrieved March 5, 2012, from Ars Technica: http://arstechnica.com/gadgets/news/2012/03/innovation-or-hype-ars-examines-nokias-41-megapixel-smartphone-camerainnovation-or-hype-ars-examines-nokias-41-megapixel-smartphone-camera.ars?clicked=related_right

Jain, A. K., Flynn, P., & Ross, A. A. (2008). Handbook of Biometrics. New York, NY, USA: Springer Publishing Company.

Jain, A., Hong, L., & Pankanti, S. (2000, February). Biometric Identification. (W. Sipser, Ed.) Communications of the ACM, 43, pp. 91-98.

NIST. (2003, February 11). Both Fingerprints, Facial Recognition Needed to Protect U.S. Borders. Retrieved March 5, 2012, from NIST; Public and Business Affairs: http://www.nist.gov/public_affairs/releases/n03-01.cfm

Friday, June 22, 2012

Mobile Device Remote Identity Proofing Part 2 - The requirement for ownership


I.  Introduction

Although it is unlikely that development and adoption of a single ubiquitous identity will occur in the next five years, it is reasonable to assume that various manifestations of an individual’s identities are, and will continue to be, established at various and increasing levels of trust and assurance. The challenge to be faced is to fast track the ecosystem’s ability to work at moderate and high levels of assurance. Historical barriers to widespread use of trusted identities at a high level of assurance are predominantly based on the high cost and limited availability of “approved” identity proofing “tools” and the infrastructure requirements in the security and maintenance of the “representation” of that identity. This concept paper explores the former challenge, the latter being a topic that deserves its own attention.

II.  Origins

Being able to establish and prove an identity and then use that proof of identity to one’s advantage is as old as humanity itself. It could be argued that gender, a genotype, as a biometric identifier was first used in the Garden of Eden when Adam, on being asked if he took fruit from the tree of knowledge, said “she gave it to me”. The story in Genesis involves the only two living humans on earth and an omnipotent creator, which makes identification straightforward. This did not deter Adam from making a clear identification in order to shift guilt away from himself. Traditional methods of establishing and/or confirming the identity of an unknown person have relied on secret knowledge or possession of a token of some type. Passwords and PINs, the proverbial what you know, used so commonly today, date back to the Roman Empire. The Hellenistic Greek historian Polybius chronicled how passwords were used among the Roman Legions.

The way in which they secure the passing round of the watchword for the night is as follows: from the tenth maniple of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword - that is a wooden tablet with the word inscribed on it - takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits.  (About.com, 2012)

Tokens, what you have, date to the Bronze Age.  “A. Leo Oppenheim of the Oriental Institute of the University of Chicago reported the existence of a recording system that made use of counters, or tokens. According to the Nuzi texts, such tokens were used for accounting purposes; they were spoken of as being deposited, transferred, and removed.” (Schmandt-Besserat, 1977) 
Today the PIN, password, and token are synonymous with modern society. There are seemingly endless requirements for passwords, from the moment you turn on your computer through the moment you click on the accept agreement or purchase icon. Where would you be without your ATM card, PIN, and the ability to access your cash anywhere, at any time, worldwide? The problem is that the methodology we are using in modern America has changed little since its antiquarian origins. We are still only commonly testing for knowledge or possession, not ownership. Enter biometrics.

III. The requirement for ownership

Testing for possession or knowledge has become the standard for commercial identity management. In the 21st century most people have a virtual identity presence, one that resides in the World Wide Web. This is the identity they use to move among the social networking sites, bank, pay bills, and shop. With the massive increase in the use of the web has come a corresponding increase in identity theft. “In 2011 identity fraud increased by 13 percent. More than 11.6 million adults became a victim of identity fraud in the United States, while the dollar amount stolen held steady”. (Javelin Strategy & Research, 2012) Steps have been taken to strengthen identity security, especially in the financial sector, with the addition of images, secret questions, and a plethora of additional knowledge-based steps that are far more effective at frustrating users than they are at increasing security. Each of these additional security features is still nothing more than additional knowledge, and additional knowledge can easily be stolen. What is required is something that is definitively tied to the identity holder, something that cannot be forged, lost or stolen. That something is biometrics.

Biometrics, like passwords and tokens, is not a 21st or even 20th century phenomenon. Handprints were used for identification purposes nearly four thousand years ago, when Babylonian kings used an imprint of the hand to prove the authenticity of certain engravings and works. Babylonia had an abundance of clay and a lack of stone, which led to the extensive use of mudbrick. Ancient Babylonians understood that no two hands were exactly alike and used this principle as a means of identity verification. Modern dactyloscopy, the science of fingerprints, was used as early as 1888, when Argentinean police officer Juan Vucetich published the first treatise on the subject. (Ashbourn, 2000)

Biometrics can be defined as observable physical or biochemical characteristics that can typically be placed into two categories, phenotype and genotype. The phenotype biometrics category contains the identifiers most commonly used for transactional identification today. Fingerprints, iris, facial features, and signature patterns are all phenotype identifiers based on features or behaviors that are influenced by experiences and physical development. From the owner’s perspective these are often viewed as non-threatening and non-intrusive. The genotype category measures genetically determined traits such as gender, blood type, and DNA, the collection of which is generally viewed as very intrusive. DNA, the ultimate biometric signature, is generally considered the most intrusive and is often vilified in popular fiction. In the 1997 film Gattaca, DNA determines an individual’s status in society, with each person categorized as a Valid or In-valid. In the 2012 blockbuster The Hunger Games, DNA serves as a signature for children entering the Reaping, a lottery culminating in a morbid death match. Both of these examples of pop culture reflect the underlying distrust society has in the government’s possession of such an intimate identifier.

Biometrics is primarily used in two modes, each with a different purpose: identification and verification. The term recognition is a generic one encompassing the one-to-one and one-to-many modes in which biometric systems operate. Biometric identification is the process of associating a sample to a set of known signatures. An example is the US Visit program, which checks a presented set of fingerprints [sample] against multiple databases containing known signatures. The results of a one-to-many search are usually displayed as a group of the most probable matches, often associated with a probability score as a percentile that illustrates the degree of match between the sample and the matched group. Biometric verification is the process of authenticating the sample to the record of a specific user, with the results delivered in binary fashion, yes or no. Real world examples of this one-to-one verification include fingerprint match on card in the PIV program, or use as a third factor of authentication to an access control system where what you have and what you know need to be validated against ownership. Most commercial systems operate in verification mode.
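The two modes described above, as an added example that is not part of the original paper: identification returns a ranked candidate list with scores, while verification returns a yes or no against one claimed record. The feature vectors, the cosine-similarity matcher and the 98 percent threshold are constructed assumptions standing in for a real biometric matcher and already-enrolled templates.

```python
import math

# Constructed enrollment gallery: subject id -> template (toy feature vector).
GALLERY = {
    "alice": [0.90, 0.10, 0.40, 0.70],
    "bob":   [0.20, 0.80, 0.60, 0.10],
    "carol": [0.50, 0.50, 0.90, 0.30],
}

# Constructed samples: a fresh capture from alice, and a person never enrolled.
FRESH_ALICE = [0.88, 0.12, 0.42, 0.69]
STRANGER = [0.60, 0.60, 0.30, 0.60]


def similarity(a, b):
    """Cosine similarity of two non-negative vectors as a 0-100 score."""
    if len(a) != len(b):
        raise ValueError("templates must have the same length")
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return 0.0 if norm == 0 else 100.0 * dot / norm


def identify(sample, gallery, top_n=3):
    """One-to-many: rank every enrolled template against the sample."""
    scored = [(sid, similarity(sample, tmpl)) for sid, tmpl in gallery.items()]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored[:top_n]


def verify(sample, gallery, claimed_id, threshold=98.0):
    """One-to-one: binary decision against the claimed subject's record."""
    template = gallery.get(claimed_id)
    if template is None:
        return False  # no enrollment record, so nothing to verify against
    return similarity(sample, template) >= threshold


if __name__ == "__main__":
    for name, sample in (("fresh alice", FRESH_ALICE), ("stranger", STRANGER)):
        ranked = [(sid, round(score, 1)) for sid, score in identify(sample, GALLERY)]
        print(name, "candidates:", ranked)
        print(name, "verified as alice:", verify(sample, GALLERY, "alice"))
```

Identification always produces a best candidate, even for the unenrolled sample, so a ranked list alone is not a match decision; only the thresholded one-to-one check rejects it.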

Before identification or verification can ever occur some type of enrollment process must take place in order to establish to some level of trust that the biometric signature is owned by a specific individual.  Only then can varied rights and privileges (attributes) be assigned to that owner and subsequently secured by means of PKI or similar technology.   One of the primary impediments to broad scale use of biometric signatures is the expense and inconvenience of enrollment programs.  But what if it were as easy as using your mobile phone in your living room?

Using a mobile device to establish the validity of the claim of a specific identity is simple in principle but problematic in execution. The capture of the required information can be divided into the following two steps: creation of a claimant’s profile, and binding a known identity to the claimant. Creation of the profile typically includes the identification and capture of two data types. The first is biographical/descriptive data; the second is biometric data. For the purposes of this paper, we shall refer to these combined datasets as the Individual Profile or IP.

This concept is based on leveraging the rapidly increasing level of hardware technology and network availability incorporated into the worldwide wireless telecommunications system to provide a mechanism for the validation of claims to a specific identity, binding that identity to the claimant, and securing the identity for use in an environment requiring various levels of trust by a wide array of relying parties. 

Friday, June 15, 2012

Mobile Device Remote Identity Proofing Part One


How smart phones could change the identity management system ecosystem

Part One:


This concept paper was recently submitted for consideration for an upcoming technical conference. After receiving notification that the abstract met with positive peer review I decided that a healthy topical discussion may be in order before I finished up the final version. Rather than posting a lengthy paper in one shot I decided to break it up into its key components to allow you, the reader, to digest each section and focus any comments you may have accordingly. This first post is the abstract with which I hope to whet your appetite. I have a bit of time before the final paper must be submitted. I rather selfishly hope that any comments you may make over the next week or so as each section is posted will help in its refinement.


The Abstract


Questions regarding an individual’s identity are addressed millions, if not billions, of times a day.  E-commerce, healthcare, government and financial institutions, among others, must constantly address the question, “is this person who he/she claims to be?”  Each institution struggles with results of varied “discrete multiplicities” (Deleuze, 1966) on which they must base a decision to the relying party’s pivotal question “what rights or privileges should be granted to this individual?”  This paper addresses the persistent challenges of extending strong identity management from government sponsored programs for government employees to privacy and security protection programs for the general population.  Among the proposed concepts is a solution based on leveraging the rapid acceleration in hardware/smart-phone sophistication and network availability incorporated into the worldwide wireless telecommunications system.   These elements provide a modality allowing validation of claims to a specific identity, binding that identity to the claimant, and securing the identity for use in an environment requiring various levels of trust by a wide array of relying parties.  

Although it is unlikely that development and adoption of a single ubiquitous identity will occur in the next five years it is reasonable to assume that various manifestations of an individual’s cyber identities are, and will continue to be established at various and increasing levels of trust and assurance.  The challenge to be faced is to fast track the ecosystem’s ability to work at moderate and high levels of assurance.  Historical barriers to widespread use of trusted identities at a high level of assurance are predominantly based on the high cost and limited availability of “approved” identity proofing “tools” and the infrastructure requirements in the security and maintenance of the “representation” of that identity.

The most common biometric identifiers currently used in IdM systems are fingerprint and facial recognition. With the current PIV and PIV-I programs, a dual approach in accordance with NIST recommendations (NIST, 2003) is used. The capture of these biometric identifiers is easily within the scope of commonly available commercial technologies incorporated into today’s smart devices. It is the analogous algorithms required for image analysis and development of minutia for analytical and comparison purposes that pose the challenge. Obstacles include contrast, depth of field and background, or non-finger regions (Lee, Lee, & Kim, 2008). Current facial recognition software is more than capable of effectively using images captured within the common 8-14 megapixel range of the average smart phone. The technology is rapidly outpacing the market’s ability to sustain new releases and/or uses, as evidenced by Nokia’s release of a smart phone with a 41 megapixel camera sensor dubbed the 808 PureView (Foresman, 2012). So the specific challenge relates to the fingerprint.

Deleuze, G. (1966). Bergsonism (H. Tomlinson, & B. Habberjam, Trans.). New York, New York: Zone Publishing Inc.

NIST. (2003, February 11). Both Fingerprints, Facial Recognition Needed to Protect U.S. Borders. Retrieved March 5, 2012, from NIST; Public and Business Affairs: http://www.nist.gov/public_affairs/releases/n03-01.cfm

Lee, S., Lee, C., & Kim, J. (2008). Image Preprocessing of Fingerprint Images. Biometrics Engineering Research Center at Yonsei University., Korea Science and Engineering Foundation, Seoul, Korea.

Foresman, C. (2012, March 2). Innovation or hype? Ars examines Nokia's 41 megapixel smartphone camera. Retrieved March 5, 2012, from Ars Technica: http://arstechnica.com/gadgets/news/2012/03/innovation-or-hype-ars-examines-nokias-41-megapixel-smartphone-camerainnovation-or-hype-ars-examines-nokias-41-megapixel-smartphone-camera.ars?clicked=related_right