Subcommittee on Aviation
The Use Of Biometrics To Improve Aviation Security
TABLE OF CONTENTS(Click on Section)
The purpose of this hearing is to discuss the use of biometric
technologies to improve aviation security, including the status
of efforts to develop operational and technical standards for biometrics.
each airport is responsible for securing its perimeter against
access by unauthorized
persons and vehicles. In addition,
each airport must control access to both "sterile" areas and "Secure
Identification Display Area" (SIDA) areas within the airport. The
sterile areas are the areas of the terminal beyond the passenger
screening checkpoints where properly screened passengers and properly
credentialed employees are allowed to be. The SIDA area is primarily
the "airside" of the airport but also includes those areas of the
terminal where no passengers are allowed.
has a badging office that issues "sterile badges" to
personnel requiring access to the sterile areas (e.g., employees
of businesses located beyond the screening checkpoint) and SIDA
badges to personnel requiring access to the SIDA areas (e.g., airline
employees and employees of companies that service aircraft). Flight
crews typically carry multiple SIDA badges, one for each airport
in which they work.
Federal law requires a criminal history record check to be performed
before sterile or SIDA badges are issued to an individual. In addition,
there are Federal requirements that a security feature, such as
a hologram, be incorporated into the sterile and SIDA badges. Local
jurisdictions have in some cases chosen to adopt additional security
requirements. For example, at least one airport performs a name-to-social
security number check before issuing sterile or SIDA badges.
Aviation Administration's air traffic control facilities
are often located within the SIDA area. The FAA is responsible
for controlling access to those facilities, and issues an additional
badge to its employees to authorize access to the air traffic control
tower. Therefore, FAA employees need to carry both a SIDA badge
and an FAA badge.
SIDA and sterile badges are often used in conjunction with other
security features such as a pin number that must be entered before
a controlled access door will open, but typically are not used
in conjunction with biometrics.
Biometrics could be used to improve employee identity verification
and access authorization, passenger identity verification, and
flight crew identity verification. Adding biometrics to existing
access control systems and security procedures could potentially
protect against unauthorized access using lost, stolen, or forged
badges; a terrorist on watch list attempting to obtain a credential
using an assumed identity; and impersonation of a pilot, other
flight crew member, or air traffic controller, by a terrorist.
HOW BIOMETRIC SYSTEMS WORK
There are many different types of biometric systems, including
facial recognition, hand geometry, iris recognition, retina recognition,
and speaker recognition1. Each
of these systems involve similar processes that can be divided
into two stages: (1) enrollment and (2) verification or identification.
the person provides an identification document to prove his or
The biometric will be linked to the
identity specified on the identification document. Therefore, if
the identification document does not specify the individual's true
identity, the reference template will be linked to a false identity.
The quality of the identifier presented during the enrollment process
is key to the integrity of a biometrics system.
an identification document, the person then presents the biometric
(e.g., fingertips, hand, or iris) to an acquisition
device. One or more samples are acquired, encoded and stored as
a reference template for future comparisons. How biometric systems
encode and store information in the template is based on the system
vendor's proprietary algorithms. Templates can be stored remotely
in a central database, within a biometric reader device itself,
or on smart cards.
changes in positioning, distance, pressure, environment, and
influence the generation of a template, each
time an individual's biometric data are captured and a new template
is generated, that template is likely to be unique. Therefore,
a person may need to present biometric data several times in order
to enroll. The reference template may then represent an amalgam
of the captured data, or several enrollment templates may be stored.
In addition, because biometric features can change over time, people
may have to reenroll to update their reference template. Some technologies
can update the reference template during matching operations.
systems, the goal is to verify that a person is in fact who he
claims to be. After a person presents his
or her identification document and biometric, the system captures
the biometric data and generates a trial template. It then compares
the trial template with the person's reference template, which
was stored in the system during enrollment, to determine whether
or not there is a match.
is often referred to as "one-to-one" matching. Even
though the system's database may contain millions of reference
templates, only one needs to be compared to the trial template.
Nearly all verification systems can render a match/no-match decision
in less than a second.
systems, the goal is to identify who the person is. Unlike verification
systems, no identification document is
necessary. Instead of locating and comparing the person's reference
template against his or her presented biometric, the trial template
is compared against the stored reference templates of all individuals
enrolled in the system. For this reason, identification systems
are referred to as "one-to-many" matching.
There are two
types of identification systems - positive and negative.
Positive identification systems determine whether a person seeking
access can be identified as having been enrolled in the system.
Negative identification systems are designed to ensure that a person's
biometric information is not present in a database. For example,
a negative identification system may be designed to identify people
on a watch list.
ACCURACY OF BIOMETRIC SYSTEMS
Biometric systems cannot identify individuals with 100 percent
accuracy. No match is ever perfect in either a verification or
identification system, because every time a biometric is captured,
the template is likely to be unique. In addition, the longer the
period of time since the individual enrolled in the system, the
less accurate the system may be, since biometric features may change
The key performance metrics related to accuracy are false match
rate, false non-match rate, and failure to enroll rate.
A false match
occurs when a system incorrectly matches an identity. In verification
and positive identification systems, a false match
could result in unauthorized people being granted access they should
not be granted. In a negative identification system, a false match
could result in an authorized person being denied access that they
should be granted. False matches may occur because there is a high
degree of similarity between two individuals' characteristics.
A false non-match
occurs when a system rejects a valid identity. In verification
identification systems, a false non-match
could result in authorized people being denied access they should
be granted. In negative identification systems, a false non-match
could result in an unauthorized person being granted access that
should not be granted. False non-matches occur because there is
not a sufficiently strong similarity between an individual's enrollment
and trial templates, which could be caused by aging or injury.
Failure to Enroll
The failure to enroll rate (FTER) measures the probability that
a person will be unable to enroll in the system. Failure to enroll
may be due to an insufficiently distinctive biometric sample. For
example, the fingerprints of people who work extensively at manual
labor often are too worn to be captured. Alternatively, failure
to enroll may be due to a system design that makes it difficult
to provide consistent biometric data. For example, a high percentage
of people are unable to enroll in retina recognition systems because
of the precision such systems require. In addition, between one
and three percent of the general public does not have the body
part required for using any one biometric system.
Since biometric systems are not 100 percent accurate, they are
usually set to make a match or no-match decision based on a predefined
threshold that establishes the acceptable degree of similarity
between the trial template and the enrolled reference template.
After the comparison, a score representing the degree of similarity
is generated, and this score is compared to the threshold to make
a match or no-match decision. Depending on how low the threshold
is set, it is possible for several reference templates to be considered
matches to the trial template, with the better scores corresponding
to better matches.
A trade-off exists between the false match rate and the false
non-match rate, which translates into a trade-off between risk
and convenience. The greater the risk entailed by a false match,
the lower the tolerable FMR is, and the higher the threshold score
will be set. Systems that integrate two or more biometrics could
allow the false match rate to be lowered without increasing the
false non-match rate, and could also lower the number of individuals
who fail to enroll.
Procedures must be developed to handle situations in which there
is a failure to enroll, a false match, or a false non-match. Exception
processing that is not as good as biometric-based primary processing
could be exploited as a security hole.
STANDARDS FOR USE OF BIOMETRICS
To fully realize the benefits of biometric technologies, comprehensive
technical and operational standards are necessary to ensure that
the systems are interoperable, effective, reliable, and secure.
Progress in this area is being made, but more work remains to be
National Institute of Standards and Technology
Institute of Standards and Technology (NIST) played a significant
in the development of the BioAPI (Application
Programming Interface) specification and the approval of this specification
as a formal national standard. The development of the BioAPI standard
promotes interoperability among applications by defining a generic
way of interfacing to a broad range of biometric technologies.
In addition, NIST also led, in collaboration with the National
Security Agency, the development of a Common Biometric Exchange
File Format (CBEFF). The CBEFF is a "technology-blind" common biometric
format that facilitates the exchange and interoperability of biometric
data from all types of biometrics, independent of the particular
vender that generates the biometric data. The development of this
single approach for a biometric data structure assured biometrics
companies and their potential customers that different biometric
devices and applications could exchange information efficiently.
This specification is being incorporated into U.S. government and
international requirements, such as the technical specifications
drafted by ICAO.
International Civil Aviation Organization
Civil Aviation Organization (ICAO) has been working for several
to establish international biometric
standards for Machine Readable Travel Documents. A Machine Readable
Travel Document (MRTD) is an international travel document (e.g.,
passport or visa) containing eye- and machine-readable data. In
June 2002, ICAO's Technical Advisory Group on Machine Readable
Travel Documents endorsed the use of face recognition as the globally
interoperable biometric for machine assisted identity confirmation
with machine-readable travel documents. While digital facial image
was endorsed as the primary biometric, the Technical Advisory Group
stated that ICAO Member States may elect to use fingerprint and/or
iris recognition as additional biometric technologies in support
of machine assisted identity confirmation.
In March 2003,
the Technical Advisory Group provided three key clarifications
to the June
2002 resolution. First, digitally stored
images (rather than templates) will be used, and these will be "on-board," i.e.,
electronically stored in the travel document. Storage of the image,
rather than a template created from the biometric feature by a
proprietary algorithm, is important to ensure global interoperability.
Second, these images are to be standardized. For example, ICAO
has issued standards on the degree to which an image may be compressed
and/or cropped. Third, high capacity contactless integrated circuit
(IC) chips will be used to store identification information in
MRTDs. These chips will provide the additional data storage capacity
necessary to incorporate compressed images of one or more biometrics
US VISIT will utilize internationally recognized standards, such
as those developed by NIST and ICAO, as provided for in section
303 of the Enhanced Border Security and Visa Entry Reform Act of
2002 (P.L. 107-173).
FEDERAL USES OF BIOMETRICS TO IMPROVE SECURITY
are now being used more extensively for border control through
the United States
Visitor and Immigrant Status Indication
Technology (US-VISIT) Program, which is being implemented by the
Department of Homeland Security. The USA Patriot Act of 2001 required
the Attorney General and Secretary of State jointly, through NIST,
to develop a technology standard that can be used to verify the
identity of a person applying for a U.S. visa or seeking to enter
the U.S. pursuant to a visa. NIST subsequently recommended the
use of face and fingerprints, since they were the only biometrics
with available databases large enough for operational testing.
Specifically, NIST recommended the use of 10 fingerprints for "identification" functions
(e.g., initial background check and enrollment in the system),
and a combination of facial image and two fingerprints for "verification" functions.
Based on NIST's recommendations, US-VISIT is using a live-capture
digital photograph and fingerprints for identity enrollment and
verification. However, the exact number of prints required for
identity enrollment is still a subject of internal debate within
In addition, the Enhanced Border Security Act of 2002 requires
that, by October 26, 2004, the visas and other travel and entry
documents issued by the U.S. to aliens must be machine-readable
and tamper-resistant, and must use biometric identifiers. The Act
also requires each visa waiver country to certify, by October 26,
2004, that it has a program to issue to its nationals machine-readable
passports that are tamper-resistant and incorporate biometric and
document authentication identifiers that comply with ICAO standards.
In addition, equipment and software must be installed at all ports
of entry to allow the biometric comparison and authentication of
all U.S. visas and other travel and entry documents issued to aliens
and machine-readable passports. Secretary Ridge recently requested
an extension of the certification deadline for visa waiver countries
to November 30, 2006, not only to give such countries more time
to convert their new passports to ICAO biometric standards, but
also because the U.S. will not have the equipment deployed by October
2004 to read the new passports.
Transportation Worker Identification Credential (TWIC)
Security Administration (TSA) is developing a system-wide common
which will incorporate biometrics,
to be used across all transportation modes for personnel requiring
unescorted physical and/or logical (i.e., computer) access to secure
areas of the national transportation system, such as airports,
seaports, and railroad terminals. TWIC is an identity management
system, not an access control system. A TWIC card by itself will
not grant access to any secure area. The decision to grant or deny
access to a secure area would continue to be made by each transportation
facility. However, TWIC is a tool that could be used in conjunction
with a facility's existing access control system to improve security
by providing a uniform background check and a credential that is
difficult to forge. In addition, if the facility's access control
system incorporates biometric readers, TWIC could further improve
security by verifying that the individual seeking access is who
they claim to be.
TSA, adding biometric identity authentication to an existing
system is simple. A biometric reader
can be added to an existing airport access control system card
reader. When the person uses their finger, iris, or other selected
biometric technology for a match, the card reader is activated
and then used as normal to grant access. The door would not open
unless the biometric template on the card matched the biometric
presented by the cardholder and the user has been granted access
privileges in the airport's access control system.
On May 10, 2004, TSA issued a Request for Proposals to participate
in a seven-month prototype evaluation as part of Phase 3 of the
TWIC pilot program. Under this RFP, each prototype TWIC system
must capture at least fingerprint or iris scan biometric data,
and conform to technical standards developed by the National Institute
of Standards and Technology. TSA expects to award contracts in
July 2004, and conduct prototype operations from August through
December 2004. A report evaluating the prototypes will be issued
during the prototype phase, after which a decision would be made
regarding whether or not to proceed to implementation.
Registered Traveler Program
TSA is also
developing the Registered Traveler pilot program, which will
test the concept
of expediting airport security screening
of passengers who meet eligibility criteria and who volunteer to
undergo a security assessment, while at the same time maintaining
or improving overall system security. The program will use biometrics
(either fingerprints or iris scan) to authenticate each Registered
Traveler's identity at the screening checkpoint.
Registered Travelers would be eligible to use designated and/or
dedicated lanes at screening checkpoints, with the goal being expedited
through-put. Registered Travelers would not be subject to random
selection for secondary screening under CAPPS, although any alarms
of the magnetometer would still be resolved. TSA is also in the
early stages of working with airports and airlines to determine
what additional benefits might be offered to encourage travelers
to participate in the program, including frequent flier miles,
access to club lounges, and close-in parking.
Beginning at the end of June 2004, TSA will conduct pilots at
up to five airports, involving up to 10,000 travelers. The pilots
will run for 90 days. By October 2004, TSA will have data on the
extent to which the pilots were successful in expediting through-put
while maintaining or improving security.
TSA plans to
partner with the private sector for the Registered Traveler (RT)
Program and has issued the first of a two-part
Request for Proposals (RFP) to solicit proposals. The RT RFP focuses
on four elements of support: program management, biometrics, tactical
operations and systems integration. In addition, TSA is working
with air carriers to have them "market" the program by inviting
frequent travelers to participate in the pilot program.
Law Enforcement Officer Credentials
Part of the
Registered Traveler Pilot Program will focus on improving Law
Officer (LEO) credentials. Currently, Federal LEO's
can fly armed at any time, simply by presenting their agency's
credential. In addition, LEO's from 18,000 separate State and local
law enforcement agencies may fly armed if they present their agency's
credential and a letter on their agency's letterhead stating that
they have an official, work-related reason to fly armed. The use
of so many different types of law enforcement credentials increases
the risk that an unauthorized person could use a forged credential
to carry a gun on-board. Under the Registered Traveler Pilot Program,
LEO's who wish to fly armed at the five pilot airports will be
issued a biometric identification card by TSA, which will prove
that the individual seeking to carry a gun on-board is in fact
authorized to do so by the LEO's parent agency.
Airport Access Control Pilot Program
On April 29,
2004, TSA announced that eight airports have been selected to
in Phase I of TSA's Access Control Pilot
Program, which is being implemented pursuant to section 106 of
the Aviation and Transportation Security Act (ATSA). The pilot
program will evaluate various off-the-shelf biometric technologies
as well as Radio Frequency Identification (RFID) technology, Anti-Piggybacking
technology, and advanced video surveillance technology for providing
access control for secure areas of the airports. For example, Boise
Air Terminal/Gowen Field Airport will test a system that combines
fingerprint biometric and RFID technology to control vehicle access.
Newark International Airport will test a system that uses fingerprint
biometric technology to allow only authorized persons to enter
secure areas of the airport. T.F. Green State Airport in Providence,
Rhode Island, will control access to a secure area via an iris
biometric recognition system.
1. For more information on various biometric systems, see Attachment A.
VARIOUS BIOMETRIC TECHNOLOGIES
Facial Recognition - Facial
Recognition identifies people by analyzing features of the face not easily
altered, such as the upper outlines of the
eye sockets, the distance between the inner corners of the eyes, the areas
around the cheekbones, and the sides of the mouth. Because facial images can
be captured from video cameras, facial recognition is the only biometric that
can be used for surveillance purposes. For example, it is used by the gaming
industry at entrances to casinos in Las Vegas, Nevada.
Fingerprint Recognition - An
image of the fingerprint is captured by a scanner, enhanced, and converted
into a template.
Hand Geometry - Hand geometry technology takes 96 measurements of the
hand, including the width, height, and length of the fingers; distances between
joints; and shapes of the knuckles. Although the basic shape of an individual's
hand remains relatively stable over his or her lifetime, natural and environmental
factors can cause slight changes. Hand geometry is not highly distinctive and
cannot reliably pick out an individual from among many (i.e., one-to-many matching).
Therefore, it is most suitable for verification systems, not identification
Iris Recognition - The iris has approximately 266 distinctive characteristics,
including the trabecular meshwork, a tissue that gives the appearance of dividing
the iris radially, with striations, rings, furrows, and freckles. Iris recognition
technology uses about 173 of these distinctive characteristics. These characteristics
reportedly remain stable throughout a person's lifetime, except in cases of
Retina Recognition - Retina
recognition technology captures and analyzes the patterns of blood vessels
on the nerve on the back of the eyeball that
processes light entering through the pupil. Retinal patterns are highly distinctive;
even the eyes of identical twins are distinct. Although each pattern normally
remains stable over a lifetime, it can be affected by disease such as glaucoma,
diabetes, high blood pressure, and autoimmune deficiency syndrome. Because
the retina is small, internal, and difficult to measure, capturing its image
is more difficult than most other biometrics. An individual must position the
eye very close to the lens of the retina-scan device, gaze directly into the
lens, and remain perfectly still while focusing on a revolving light while
a camera scans the retina through the pupil. Any movement can interfere with
the process. Enrollment can easily take more than a minute.
Speaker Recognition - During enrollment, speaker recognition systems
capture samples of a person's speech by having him or her speak some predetermined
information into a microphone a number of times. This information is known
as a passphrase. This phrase is converted to digital format, the distinctive
vocal characteristics, such as pitch, cadence, and tone, are extracted, and
a speaker model is established. A template is then generated and stored for
The Honorable Stewart Verdery
Assistant Secretary for Policy
Border and Transportation Security Directorate
U.S. Department of Homeland Security
Mr. Keith A. Rhodes
Applied Research and Methods
U.S. General Accounting Office
Mr. Richard E. Norton
Executive Vice President
National Biometric Security Project
Mr. Martin Huddart
Chairman, Board of Directors
International Biometrics Industry Association