Biometric Recoverability: The Path to Identity Assurance

By Joseph Iseman, PhD, Andrew J. Polcha, Robert Schechter, and Brent M. Eastwood, PhD
Biometrics Watch, Spring 2007
The ability to perform secure financial transactions, control access to restricted areas, and protect
the dissemination of information are paramount concerns in the public and private sectors.
Biometrics have proven to be effective in reducing the time to verify and process identities:
authentication simply with the touch of a finger.
Unfortunately, many existing global biometric device vulnerabilities still put the world
biometric market at risk. This market is estimated to reach $3.01 billion by this year and may
grow to $7.4 billion by 2012.[1] Biometric device manufacturers and products have a common
validation process. Because this verification process is the same throughout the global device
market, they are all plagued with the same vulnerabilities to theft. This process naturally places
a market value on the biometric.
Since the majority of global biometric integration includes finger, facial, and iris scanning, the
following process using the finger and iris is a good example. The most basic system for
validation of these natural identifiers is as follows:

1. One or more physical characteristics is captured and stored (database).
2. The sample characteristic is compared: identification (database) or authentication (dongle/device).
3. Negative/positive confirmation is returned.

Although this validation scheme is very simple, the process is inherently universal to biometric
devices and it places a natural market value on the biometric component. If a biometric such as
a user's eye or fingerprint is ever stolen, how can the missing biometric be recovered? If
biometric input devices such as cameras and scanners substantiate identity, then a camera or a
scanner is required to steal an identity. Most trusted validation authorities such as government or
financial institutions leverage encryption to protect biometric images within a storage depository.
However, what can be encrypted can also be decrypted. Even the heaviest encryption applied to
a depository does not remove the value of the biometric.
Currently some device manufacturers claim to guard privacy by declaring that the image of the
biometric (finger/eye) is never stored within their product line. These types of validation
schemes are expanded at the registration point with complex algorithms that reduce the biometric
component to a mathematical expression. It is a better scheme than storing the image, but it is
still a repeatable representation of that specific user. If that number were ever stolen, the user's
identity is compromised at every access point where the manufacturer is integrated. If that
manufacturer had a sufficient market share, a theft of a biometric could pose a substantial threat
to security.
This type of public exposure to biometrics is a problem that currently cannot be solved. In order
for the biometrics market to expand, the owner of any biometric should be in control of its use.
Eliminating the market value of the stand-alone biometric identifier protects identity and
preserves privacy.
Based on patent-pending technology, one company is focusing on these types of
solutions. Personal Identity Solutions is an OEM solutions company that builds products that
eliminate biometrics as primary attributes of interest for theft. This is accomplished by
developing OEM/Bio-ID (BID) management products that interweave complex, non-linear
attributes with the biometric, producing recoverability and privacy. These solutions include stronger
authentication than stand-alone biometric identifiers. PISI's products target biometric input
device manufacturers by creating unique identifying attributes, Bio-IDs (BIDs), using a
combination of biometric(s) and one or more unique independent attributes. BIDs maintain the
same user specificity as biometrics alone, but natural identity attributes are composites with two
or more degrees of uniqueness.
To illustrate this concept, the following UML-based sequence diagram depicts PISI's
combinational protection scheme. This example illustrates a retinal enrollment, but the same
technology is applicable to many different biometric identifiers. The "Biometric" labeled in the
diagram is the physical characteristic native to the user. The biometric alone has no value to the
enrollment process or to the validation authority. PISI's OEM products, represented by a
lens ("Distortion Element"), create unique attribute(s) associated with the biometric. The
enrolled identity (or BID) is the combinational image seen through the other side of the lens. It is
this combined representation that is the user's identifier enrolled within the validation
authority.

[Figure: UML-based sequence diagram of a retinal enrollment. Label: PISI's OEM Products.]


If the biometric and/or lens is lost, then the user just needs to acquire a new lens and re-enroll
within the validation authority with the new distorted image. PISI's products and development
efforts are not disruptive to the universal validation process globally leveraged by biometric
devices. PISI's OEM-based products are designed to protect biometric data prior to transmission.
Nothing from the process of the capture, compare, and confirm scheme is removed. It is only
enhanced, making for easy integration and operability with trusted product lines and current
entrenched technologies.
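
A software analogue of the lens and re-enrollment described above, as an added example that is not PISI's product or method and not from the original article: a seeded random projection with sign quantization stands in for the physical distortion element. The feature vectors, lens secrets, `BITS` and `THRESHOLD` are constructed assumptions.

```python
import hashlib
import random

BITS = 128        # length of the enrolled composite (assumption)
THRESHOLD = 20    # max Hamming distance accepted as a match (assumption)

def bid_template(features, lens_secret):
    """Combine a biometric feature vector with an independent 'lens' secret.

    The lens seeds a random projection and only the sign of each projection
    is kept, so the enrolled value is a composite of biometric and lens.
    """
    seed = int.from_bytes(hashlib.sha256(lens_secret).digest(), "big")
    rng = random.Random(seed)
    bits = []
    for _ in range(BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        dot = sum(d * f for d, f in zip(direction, features))
        bits.append(1 if dot >= 0 else 0)
    return bits

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def matches(enrolled, features, lens_secret):
    """Capture, compare, confirm: unchanged except the lens sits in front."""
    return hamming(enrolled, bid_template(features, lens_secret)) <= THRESHOLD

def constructed_sample(seed, dim=32):
    """Constructed stand-in for an extracted biometric feature vector."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(dim)]

def recapture(features, seed, sigma=0.02):
    """Same biometric read again, with small sensor noise."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]

if __name__ == "__main__":
    finger = constructed_sample(1)
    old_lens, new_lens = b"lens-A (constructed)", b"lens-B (constructed)"
    enrolled = bid_template(finger, old_lens)
    print("same finger, same lens  :", matches(enrolled, recapture(finger, 2), old_lens))
    print("same finger, wrong lens :", matches(enrolled, finger, new_lens))
    enrolled = bid_template(finger, new_lens)   # lens lost: re-enroll with a new one
    print("old lens after re-enroll:", matches(enrolled, finger, old_lens))
```

Only the composite is enrolled, so issuing a new lens secret produces a template that neither the bare biometric nor the old lens satisfies.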
The above diagram illustrates a retinal enrollment. When the OEM application is positioned to
protect a fingerprint, PISI intends to manufacture low-cost, consumer-carried thin distortion
film/pieces of plastic that lie between a person's finger and the biometric scanner, carefully
cradled for enhancing biometric registration. Merely building a better reader or sensor is not
going to strengthen a device or its protocol vulnerabilities. It is necessary to change the
methodology of biometric deployment, amend public policies, even implement new marketing
procedures. The theory is that users will give up a little of the convenience factor to assure,
control, and maintain the control of their own identities.
In November 2006, Personal Identity Solutions also wrote an article for Biometric
Watch's (Volume 4, Issue 9 (#35)) reader base entitled "Expanding Privacy to Expand the
Biometrics Market."

[1] Biometrics Market and Industry Report 2007-2012. International Biometric Group.
Security World Magazine Online.