ANSI - American National Standards Institute
 Print this article  Previous Next 

Pace Picks Up for Biometrics Standards Development

NIST, INCITS, ASC X9, OASIS Work in Tandem to Standardize Biometric Systems

New York, Apr 03, 2002

Validating the identity of an individual based simply on their driver's license photograph, password or handwritten signature will no longer be considered the securest method. With the advent of several new standards initiatives on Biometrics, authentication will be achieved through physiological or behavioral characteristics. Accelerated standards development in this critical area is being achieved through the collaborative efforts of formal standards groups, the federal government and consortia.

The federal government is by far the biggest user of biometric authentication systems. The U.S. Department of Defense, the National Security Agency, the Departments of State, Justice and Transportation (namely the Federal Aviation Administration) and the Federal Bureau of Investigation rely on biometric technologies for data protection, secure access and sign-on applications and more. Essentially, biometrics are automated methods of identifying a person or verifying the identity of a person based on a physiological or behavioral characteristic. Physiological characteristics include hand or finger images, facial characteristics, speaker verification and iris recognition. Behavioral characteristics are traits that are learned or acquired including dynamic signature verification and keystroke dynamics.[1] Simply stated, unlike conventional identification methods such as a driver's license or 'PIN' number that validate identity based on 'what you have or know,' biometrics validate identity based on 'who you are.' It's far easier to falsify an ID card or forge a handwritten signature than it is to alter a voice pattern or change the configuration of an iris.

Signed into law by President Bush on October 26, 2001, the Patriot Act (Public Law 107-56) requires the development of technology standards to confirm identity. Leading biometric standardization at the federal level is the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce and an ANSI member. NIST spearheaded the development of the Common Biometric Exchange File Format (CBEFF), which defines a common set of data elements necessary to support multiple biometric technologies. CBEFF also promotes interoperability of biometric-based application programs and systems by allowing for biometric data exchange.

The development of CBEFF in January 2001 was an outgrowth of the need for exchange and interoperability of biometric data based on the expected enormous growth of biometric-based systems and applications. NIST is currently augmenting the current version of CBEFF in response to requests from several countries for additional requirements. NIST anticipates that by the end of 2002 the new version will be submitted to the Joint Technical Committee 1 (JTC1) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as a suggested new work area for a JTC1 subcommittee on Biometrics. JTC1 would then take over maintenance of the standard and shepherd its submittal for acceptance as an international standard.

Established in November 2001, Technical Committee M1 on Biometrics of the InterNational Committee for Information Technology Standards (INCITS), an ANSI-accredited standards developer, has also responded to the federal government's call for interoperable biometrics technologies. INCITS recently announced that M1 has "fast tracked" a biometrics specification to have it become an American National Standard (ANS). Currently titled INCITS 358, the standard is based on the Biometric Application Programming Interface (BioAPI) that was developed by the BioAPI Consortium, composed of 80 organizations including NIST which is a member of its Steering Committee. BioAPI chairman, Cathy Tilton, indicated that the transition of BioAPI to a formal standards body was "always one of the Consortium's goals." INCITS 358 defines an open system standard application program interface that allows software applications to communicate with different biometric technologies in a common way. INCITS has also announced its intention to submit the standard to ISO for acceptance as an international standard.

Many in the biometrics industry believe that the financial community has the most to gain from biometric standardization. The newly approved Accredited Standards Committee (ASC) X9 document, X9.84 Biometric Information Management and Security, is geared to integrate biometric information, such as fingerprint, iris scan and voiceprint, for use in the financial services industry. ASC X9, the national standards-setting body for the financial services industry and an ANSI-accredited standards developer, is supported by the American Banker's Association which serves as the group's secretariat. The X9.84 standard defines requirements for managing and securing biometric information such as customer identification and employee verification and was developed in cooperation with two of the industry groups already mentioned in this article, including NIST and BioAPI Consortium, as well as others. According to NIST's Fernando Podio who is also co-chair of the Biometric Consortium and the CBEFF development group, "The approval of the ANS X9.84 standard is an important step for the biometrics industry. It will be extremely important in accelerating the utilization of highly secure biometric-based financial applications."

One of the latest groups to join the biometrics arena is the Organization for the Advancement of Structured Information Standards (OASIS), who has recently formed a Technical Committee (TC) to create an XML [2] Common Biometric Format (XCBF). "Existing biometric standards [such as CBEFF and X9.84]" explained Phillip H. Griffin of Griffin Consulting and chair of the XCBF TC, "use binary encoding formats, which severely limit their use in XML systems and applications. XCBF will provide a standard way for biometric functions to be done using XML." OASIS has indicated that XCBF will define a set of XML encodings for CBEFF in the form of universal type definitions that will allow biometric data to be validated and exchanged without ambiguity over the Web. In addition, XCBF will be harmonized with X9.84 schema and security mechanisms regarding the authenticity and integrity of biometric data.

As demonstrated in the biometrics industry, formal standards bodies, government agencies and consortia groups serve complimentary roles. When they work together successfully, building upon each other's work to serve a variety of sectors, U.S. interests are well served.


1. Source: Ferando L. Podio, NIST, "Biometrics-Technologies for Highly Secure Personal Authentication."

2. XML or Extensible Markup Language, is a widely used technology that facilitates data transfer and storage over the Internet.

ANSI Membership