NIST touchless fingerprint biometrics guidance confirms interoperability
Veridium Chief Technical Officer John Callahan says the new National Institute of Standards and Technology (NIST) 500-334 is “Kind of the document we’ve been waiting for all these years,” to provide updated guidance to the market on touchless fingerprinting biometrics.
The company has been providing touchless fingerprint acquisition, such as through its patented 4 Fingers TouchlessID, to customers ranging from law enforcement in Germany to financial services in Latin America, for years. The technology was also integrated with Jumio’s technology earlier this year.
Now, the technology has been validated by NIST, with Special Publication 500-334, ‘Contactless Fingerprint Capture and Data Interchange Best Practice Recommendation’ providing guidance for customers to implement the technology. This represents a step in a process that has been ongoing for some time.
“They saw the writing the wall five years ago when they set up the CRADA,” Callahan says, referring to the Cooperative Research and Development Agreement formed by NIST and a handful of industry players, including Veridium.
A lot of work had to be done to produce the guidance, according to Callahan, including fundamental work on physics and optics of contactless fingerprint biometrics. The FBI’s Appendix F fingerprint specifications have been in use for decades, but many of the standards that go into them do not apply to contactless fingerprints.
The recommendations include how to encode the images captured in the NIST ITL container standard for biometrics. That is the set of standards that enables back-end systems to process images for matching, Callahan explains.
“If you think about back-end AFIS systems, they sell to large enterprises, governments and so forth, it has to be compatible with that. Meaning that the input files, the fingerprint standard, how you capture it, how you encode it, had to be compatible with existing AFIS systems. This is what this publication does. This publication is actually not a new standard, because that would have taken three more years basically.”
Instead, the best practice recommendation was produced to instead to deal with demand, providing new definitions in type 9, 14 and 20 within that container to fit within current practice.
What it means
The guidance validates the decision of Veridium’s contactless fingerprint technology customers, rewarding their investment and showing that “their bet was correct,” Callahan says.
Those customers in many cases had to get exceptions to use contactless fingerprinting, and Appendix F certification is often a requirement in RFPs. Certification for touchless fingerprint biometrics, however, remains a long way off.
“NIST only does the science, and comes up with the testing procedures,” Callahan points out. “The certification process based on those testing procedures is up to the agencies.”
NIST was busy with optical calibration and constructing test fingers, and had the additional challenge of getting live subjects to perform tests during the pandemic. “There’s a lot of science behind getting quality prints for matches to legacy fingerprint systems,” Callahan says, with images enrolled through the use of contact devices, or even ink.
There were a handful of other companies with contactless fingerprint technology that participated in the CRADA, but they were divided between those that require dedicated capture devices, and those that like Veridium, do not. They are anonymized in report, but Callahan says an interim report 2 years ago found Veridium has the best performing software for mobile phones.
The science behind the guidance is included in NISTIR 8307, which covers a much wider scope. The 500-334 document does not address data transmission from device to server, but only the biometric container and its standardization of the NIST ITL format, Callahan clarifies.
In practice, the data is transported on the customer’s existing transfer system, such as a closed VPN network, from the capture device to a secure back-end.
“Most of our customers take our SDK and then they built it into their own secure app,” Callahan says. “We are simply the acquisition of a quality fingerprint and encoding it in that interoperability format for going to the AFIS.”
Some customers have closed ecosystems, used only for authentication, not deduplication or identification, which do not interface with national systems, and therefore have very different requirements.
No NFIQ, but customers say it works
While the contactless fingerprint images collected are interoperable with biometric matching systems using traditional fingerprint images, they are not compatible with contact image assessment methodology.
“One of the things that they had to caution in these best practices was many of the existing AFIS systems, when imagery comes in, either on enrollment or doing a match check, often many times they will score the acquired images with a quality score,” Callahan explains. “The NIST 334 section 6, which is probably the most critical finding here besides the formats, ‘shall not be used on contactless collected imagery.’”
Veridium is on national science foundation (CITER) working group trying to find a way to quantify the image quality of contactless fingerprints.
Due to the realities of the market, NIST decided to put best practice out now without the quality score.
In the meantime, Veridium has active proof-of-concepts ready to go into production for financial inclusion with remote biometric enrollment, that he says were “basically awaiting reports like this, to get the confidence that it’s okay. But they wanted the technology to be in the pipeline to facilitate KYC for low-balance accounts; this is 90 percent of bank accounts that are opened, or more.”
Government awareness of the state of the art for contactless fingerprint technology is all over the map, according to Callahan, but interest has picked up since the report was published.
“Obviously it’s a challenge because we have to take them on this journey as the quality standards roll out,” he says.
New use cases
Ultimately, Callahan says, NIST’s guidance confirms that contactless fingerprint capture via a mobile phone fits with the long-established use of fingerprint in other areas. It avoids issues with face, image quality and demographic disparity, and “enables lots of new use cases,” he believes.
The technology reduced wait times for new bank accounts in Mexico from 2 weeks after branch visit, to under an hour from your own home. Governments all over the world are trying to get people banked, and even becoming authorized to practice as a doctor in some U.S. states requires fingerprint submission – currently in-person at a state-licensed facility.
Contactless fingerprint biometric capture does not require a high-end camera, either.
“Camera ability varies widely, but most cameras are able to operate for verification purposes at 5MP or better with a flash. For verification; for enrollment you need better quality on the device than that.”
Typically, Veridium has the customer run a trial with different devices from the region’s popular manufacturers, measure their performance with an in-house PoC, and then exclude non-performant devices. Those devices are usually not among the region’s top 10 phones, Callahan says.
Touchless fingerprints can also support applications requiring strong security. PAD testing addressed in the NIST document, and Veridium’s technology addresses level 1 and 2 spoof attacks, according to Callahan.
“For many of our customers that are already in production with our SDK, this confirms their investment,” he concludes. “Other customers can explore new use cases for remote contactless fingerprint with existing AFIS systems – or not – and be able to explore lots of use cases for identity verification, remote KYC, and authentication purposes.”
The technology is, however, still maturing. A lot of hard work remains for NIST and the FIDO Alliance, Callahan notes.