Are Biometric Web Services a Reality?
A Best Practice Analysis for Telebiometric Deployment in Open Networks
Dustin van der Haar and Basie von Solms
Academy of Computer Science and Software Engineering, University of Johannesburg,
Cnr Kingsway and University Road, Auckland Park, Johannesburg, South Africa
Keywords:
Telebiometrics, Policy, Services, Distributed Access Control.
Abstract:
With the growth of biometric system complexity and the resources required for these systems, newer biometric
systems are increasingly becoming more distributed to deal with accessibility and computation demand. These
telebiometric systems introduce additional problems, which are outside of the scope of traditional biometric
standards. Best practices have been published that address problems in these distributed systems, by outlining
service-based approaches that provision typical biometric operations through the use of telecommunication
standards, such as SOAP. In this paper, 2 families of best practices for telebiometric-based systems (the ITU-T
X.1080 family of recommendations and the BIAS family of standards) are reviewed and assessed according
to their current deployment potential within an online context. Recommendations are then presented and a
verdict is given that shows current best practice provides adequate guidance for the building of large-scale
telebiometric systems that utilise web-based biometric services.
1 INTRODUCTION
As a human being we take many things for granted
such as walking, talking or breathing. In order to co-
ordinate these various activities, a multitude of phys-
ical systems all work together to accomplish the goal
at hand. Aside from enabling us to perform these and
many other tasks, the physical parts or attributes for
each human being are all unique. The measurements
derived from these physical or behavioural attributes,
which are used to achieve automated recognition, are
called biological metrics or biometrics. It is these
measurements that have helped us reach a form of
identifying and authenticating human beings, which
surpass conventional username-password and token
paradigms, with regards to convenience and security.
In the past, the lack of robust measuring tools or
sensors limited the use of certain biometrics to facial
attributes, fingerprints, hand geometry and other es-
tablished biometrics (Woodward et al., 2003), but as
technology improves, so does the rise of new and ever
improving biometrics used in society today, such as
(Sarkar et al., 2010; Shen et al., 2012). One domain
that has relatively less potential for using biometrics
(when compared to physical environments) is open
networks found in the public virtual domain or on-
line spaces, where various service providers, such as
social networks, online shopping and premium con-
tent providersreside. The problem with this domain is
that many biometrics measure physical presence, and
the virtual presence that exists in these open networks
lacks certain attributes that can be measured with lit-
tle effort and therein lies the root of the problem. Ef-
fective biometrics used in an online environment are
limited to biometric attributes that are carried over to
this virtual presence and in some cases, it is difficult to
identify and deploy biometrics that are cost effective
and compatible with modern public open networks.
In addition to identifying potential biometrics that
can be used in this environment, it is a difficult task to
choose the best biometric for a specific environment.
Although guidelines and best practices exist to facil-
itate authentication and interoperability for telebio-
metric systems (ITU-T, 2008a), these best practices
lack guidance for choosing good biometrics to deploy
in virtual or online spaces. Further guidelines that ad-
dress biometric choice in a domain should narrow the
decision-making process and mitigate problems that
could result in deployment failure, poor user accep-
tance and unnecessary costs.
The paper will begin with a brief background on
telebiometrics, along with how biometrics are eval-
uated to determine which biometric should be cho-
sen. Following that, a best practice analysis will be
494
van der Haar D. and von Solms B..
Are Biometric Web Services a Reality? - A Best Practice Analysis for Telebiometric Deployment in Open Networks.
DOI: 10.5220/0004521704940499
In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT-2013), pages 494-499
ISBN: 978-989-8565-73-0
Copyright
c
2013 SCITEPRESS (Science and Technology Publications, Lda.)
performed that addresses the potential deployment
of biometrics within a public open network context.
Recommendations then follow, which should help ad-
dress any issues identified and the paper is then con-
cluded.
2 PROBLEM BACKGROUND
Human beings have been identifying people with
physical or behavioural traits for many years rang-
ing from hand or finger impressions on artwork, to
even using an individual’s DNA to solve crimes. The
abundance of these unique characteristics that humans
exhibit, leave almost endless possibilities for identifi-
cation and provide a good means to determine if a
person is exactly who they say they are (authentica-
tion). These biometrics have especially been useful
to ensure the latter in many organisations to protect
physical environments, which contain valuable com-
pany assets, from unwanted individuals that may want
to steal or damage these assets. By applying biomet-
rics to telecommunication and changing how biomet-
ric sensing works with telecommunications, telebio-
metrics are formed.
2.1 Telebiometrics: Biometrics as
Online Authenticators
The protection of physical environments may be an
established field, but the application of these tech-
niques within an online context is lacking. Al-
though the amount of open networks and virtual as-
sets that need protection are growing, as seen in
open network services, the variety of online mecha-
nisms that protect these assets from unauthorised ac-
cess are not. The majority of the mechanisms that
limit access to these virtual environments, employ the
username-password paradigm. Just as limitations of
the username-password paradigm have been encoun-
tered in physical environments, so do many of these
problemscarry overinto an online context. Passwords
can be forgotten, stolen without the user’s knowledge
and can be derived should the password length be in-
adequate (O’Gorman, 2003). However,unlike tokens,
which have a limited amount of potential within the
online context, passwords can be easily used to pro-
tect access to open networks.
In a similar manner to token-based systems, bio-
metric systems typically measure attributes with sen-
sor equipment specialised for a specific biometric,
such as a fingerprint scanner, making a transition from
the physical environment to the online public domain
difficult. The additional costs the equipment intro-
duces to the end user, make it difficult to deploy and
gain user acceptance, especially if users need to pur-
chase the equipment themselves. However, not all
sensors for biometric systems need to be purchased
separately. There are certain sensors, such as cameras,
microphones, keyboards and mice, which all have the
potential to capture biometric attributes. By utilis-
ing these sensors that extend the reach of attributes
to a user’s virtual presence and keeping environmen-
tal constraints in mind, face recognition (Woodward
and Corporation., 2003), speaker verification (Kelly
et al., 2012), mouse dynamics (Shen et al., 2012) and
other biometric mechanisms, can be used to authenti-
cate users in open networks.
Although many other biometric systems can be
deployed in a public open network by simply modify-
ing the communication channel used between compo-
nents into a web service-based channel, factors exist
that differentiate it from the average physical deploy-
ment. If the communication channel is not protected
properly, it can be attacked to compromisethe system,
because communication occurs within a public do-
main (Buhan and Hartel, 2005; ITU-T, 2008b). Man-
aging the distributed system also becomes a more dif-
ficult task and the points of potential failure increases
due to the additional mechanisms included to facili-
tate telecommunication. In a public domain, users are
individuals that have subscribed for a service, such
as social networking or online media viewership, and
do not necessarily have certain biometric sensors at
their disposal, such as fingerprint scanners. Should
the biometric system require the user to purchase ad-
ditional equipment in order to be identified or authen-
ticated, unnecessary inconvenienceis incurred that di-
rectly affects the uptake of the system and potentially
the service.
2.2 Current Best Practice for
Telebimoetrics
Currently, standards in force that show promise to
address telebiometrics and their respective issues in-
clude, the International Telecommunication Union
X.1080 family of standards, the OASIS BIAS, BIAS
SOAP Profile and NIST 500-288 family of stan-
dards. These standards address conformance, config-
uration and to a larger extent, interoperability within
a telecommunications context. In the following seg-
ments, a brief overview of these standards are pro-
vided as a precursor to the best practice analysis in
the next section.
AreBiometricWebServicesaReality?-ABestPracticeAnalysisforTelebiometricDeploymentinOpenNetworks
495
2.2.1 ITU-T X.1080 family of Recommendations
One of the existing best practices providedfor telebio-
metrics, ITU-T X.1081 (ITU-T, 2011) and X.1084
(ITU-T, 2008a), addresses user interactions, measure-
ments, authentication and system configuration in
open network systems, by providing biometric au-
thentication protocols and profiles for telecommu-
nication systems. It dictates how unspecified end
users and service providers should communicate dur-
ing authentication, along with the roles the associ-
ated servers and clients play when facilitating au-
thentication. Nine authentication models and profiles
are introduced to accommodate different locations of
the biometric database and comparison components.
The authentication models namely, Local, Download,
Attached, Centre, Reference Management on TTP
for local, Reference Management on TTP for centre,
Comparison outsourcing by client, Comparison out-
sourcing server, Storage and comparison outsourcing
by client and server, are derived from existing poli-
cies. By drawing on existing standards in telecom-
munications (such as ITU-T X.509), the biometrics
domain (X9.84-CMS) and BioAPI (ANSI/INCITS,
2002) to interface with sensors and facilitate commu-
nications, a secure platform is formed that is reliable
and interoperable with current systems. Although re-
lated recommendations deal with important aspects
such as authentication infrastructure (ITU-T, 2008c)
and security countermeasures (ITU-T, 2008b), as we
will see in the review, the current ITU-T X.1080 fam-
ily of recommendations lack certain guidelines neces-
sary for effective telebiometric system deployments.
2.2.2 BIAS and NIST 500-288 Family of
Standards
Another newer set of standards that specifically tar-
get provisions required for telebiometrics is the ANSI
INCITS 442 BIAS standard (ANSI/INCITS, 2010)
and the OASIS BIAS SOAP Profile (OASIS, 2012).
The BIAS standard defines how identity assurance
can be provided with biometric services that work
over a service oriented architecture (SOA). It differ-
entiates between biometric operations and data ele-
ments, along with its associated requirements, such
as how to manage biometric data, along with bridg-
ing the gap between business operations and a dis-
tributed biometric system. The standard also speci-
fies modular operations and the inclusion of the CB-
EFF standard (ISO/IEC 19785 1:2006) for data rep-
resentation, as well as the established BioAPI stan-
dards ((ANSI/INCITS, 2002) and ISO/IEC 19784-1)
for added flexible interfacing and draws on existing
biometric expertise. The OASIS BIAS profile aims
to provide conformance with backend biometric ser-
vices (specified by BIAS) and adequate binding to tar-
get web environments, by outlining biometric meth-
ods that use SOA messaging formatted by the XML
defined in the BIAS standard (the data elements). The
profile also provides a comprehensive set of guide-
lines that addresses aggregate operations such as en-
roll, identify, verify and retrieve information, which
are required for tasks in a biometric system. Collec-
tively these standards provide an open framework that
can be used in public open networks.
The standard that accompanies the BIAS and the
BIAS SOAP Profile, the National Institute of Stan-
dards and Technology (NIST) 500-288: Specifica-
tion for Web Services for Biometric Devices (WS-
BD) (Micheals et al., 2012) provides a command
and control protocol for biometric devices in open
networks, thereby extending the acquisition process.
By focusing on an acquisition process that is de-
vice, operating system and channel independent, in-
teroperability is achieved with any component that
is REST (Representational State Transfer) compati-
ble. The components include a client, sensor and
sensor service, which facilitate acquisition requests,
capture biometric samples and provides middleware,
respectively, for the acquisition process. Service be-
haviour, message formats, configuration and opera-
tions are outlined with the aid of existing standards
published by the IETF, ISO and NIST itself. Oper-
ations such as registration, locking, information, ini-
tialisation, configuration, capture, download and can-
cellation all help to facilitate the extended acquisi-
tion process, required for this level of interoperability.
The standard also already has Java and .NET imple-
mentations (which can be found at (NIST, 2013)) that
make deployment easier. The combination of BIAS,
the BIAS SOAP Profile and the WS-BD specification
collectively provide a good platform to provide web
service-based telebiometric systems, which is readily
available to service providers. Although these stan-
dards address some of the issues the ITU-T X.1080
family experiences, they too lack certain guidelines
necessary for public open network deployment.
2.2.3 Best Practice Alternatives
The above best practice directly addresses telebiomet-
ric systems, or extend regular biometric systems to
telebiometrics systems. However, other technical in-
terface, data interchange, profile, testing and report-
ing standards can be modified or replaced to form
more customised guidelines, such as (Otero-Muras
et al., 2007). These customised guidelines should
work well in organisations that already have biomet-
ric guidelines in place, such as the US government,
SECRYPT2013-InternationalConferenceonSecurityandCryptography
496
Interpol and other law enforcement agencies. Adopt-
ing this approach though, will lower expected inter-
operability and conformance when integrating these
systems with other agencies.
3 BEST PRACTICE ANALYSIS
For years there was a gap in best practice on biometric
services and their application in open networks. From
the mid-2000s standards organisations have been try-
ing to address this gap and currently are moving to-
wards full implementations, making biometric ser-
vices a reality to distributed agencies that are in dire
need of telebiometric systems. In this section, each
of the previously identified telebiometric-based best
practice families are reviewed according to their cur-
rent deployment potential.
3.1 ITU-T X.1080 Family
The first family of best practice provides comprehen-
sive material on telebiometrics, by specifically outlin-
ing (in (ITU-T, 2011)) the type of basic interactions
or modalities that biometrics are derived from and
expected units of measure. By utilising the BioAPI
framework and coordinating it with X.1083 (ITU-T,
2007) and X.1084 (ITU-T, 2008a) a bridge is success-
fully formed between the biometric and the telecom-
munications domains. However, there is a lack of
conformance that still needs to be addressed for it to
fully comply with the BioAPI specification. Another
issue that may be a problem for open networks is that
only a local registration or enrolment has been out-
lined in X.1084. The lack of a remote registration
will cause inconvenience among users in public open
networks. Although this constraint is mainly there to
prevent fraudulent registration, more research should
be done to introduce a trusted registration process that
strikes a balance between security and convenience.
Another problem related to the registration process is
that there is a lack of explicit guidelines when deal-
ing with biometric revocation. There needs to be finer
guidelines that deal with partial revocation and full re-
vocation, instead of just specifying a template update
process.
3.2 BIAS and NIST 500-288 Family
The next family of best practices outlined, also lever-
ages a great deal of its specification on existing stan-
dards, which eliminate teething issues that sometimes
occur with new best practices. Its modular struc-
ture makes it flexible when addressing business pro-
cesses and makes it compatible with many existing
platforms. It even includes operations that are miss-
ing from the ITU-T X.1080 family of recommenda-
tions, such as a quality check, a conformance check
and enrolment that can potentially be used for remote
registration. However, it too suffers from a limited
amount of guidelines when dealing with biometric re-
vocation. One minor problem that the BIAS family of
standards exclusively experiences is a lack of service
guarantees, quality assurance or a way to measure ser-
vice workload so that the binding layer (in this case
the BIAS SOAP Profile) is appropriately informed.
3.3 Overall Analysis
Both best practice families outline the basic require-
ments and core elements required for telebiometrics,
such as how information should be presented and ex-
changed between entities. They both use the well-
established BioAPI framework, which already aids in
further interoperability. However, it is unclear how
these mechanisms will perform in very large scale ap-
plications. The authors have discovered (based on
(Jain and Kumar, 2010)) that it is difficult to address
large-scale application deployments, because biomet-
rics utilised on this scale must be able to deal with the
following requirements:
1. The system must maintain a high accuracy and
throughput under varying operating conditions
and user composition.
2. The deployment must maintain high sensor inter-
operability.
3. The system needs to be able to perform rapid col-
lection of biometric samples, even during harsh
operating environments.
4. The system must provide high levels of privacy
and template protection.
5. There must be secure support structures in place
for operations.
In typical biometric systems a compromise is usually
met that fulfills these requirements according to the
amount of resources available. Although certain as-
pects such as sensor interoperability, privacy and tem-
plate protection, are already addressed by current best
practice, it will be a difficult task to address these re-
quirements on a large-scale in public open networks.
Another consideration that warrants attention is
the deployment of biometrics to public open networks
and the constraints it introduces to the environment.
The larger realm of the Internet introduces many vari-
ables that may or may not affect the potential telebio-
metric system and identifying these variables and de-
AreBiometricWebServicesaReality?-ABestPracticeAnalysisforTelebiometricDeploymentinOpenNetworks
497
termining their resultant effect on the system is a task
that also needs to be addressed.
Although the BIAS standard briefly mentions ser-
vice level monitoring, in both standards there is a
lack of mechanisms for non-repudiation and an ap-
propriate audit trail that can be used to mitigate ser-
vice abuse and potential subversion attempts. The dis-
tributed nature of telebiometric systems, makes non-
repudiation necessary, because of the increased risk
introduced by extending the communication channel
to an open network.
4 PROPOSED
RECOMMENDATIONS
In this section, possible recommendations identified
by the authors are outlined that may improve current
specifications in the highlighted areas.
4.1 Evaluating Biometrics for
Deployment
Many of the problems related to deployment can be
mitigated if a more detailed investigation is pursued
while the deployment of the respective telebiomet-
ric system is considered. The problem, however, is
that many organisations do not have access to the re-
sources, such as skilled individuals or information, to
make better decisions on which biometric to deploy
and how the deployment should be done. The prob-
lem does not just stop there. Even with the resources,
every environment is unique and it may exhibit a new
set of constraints that other environments may not ex-
perience. Best practices can be integrated that outline
this investigative process in order to help with deter-
mining the best biometric fit for a specific environ-
ment. By identifying environmentalrequirements and
constraints, along with a biometric with the appropri-
ate level of usability, as guided by (NIST, 2008), a
better biometric system with fewer errors will be im-
plemented and deployment should be easier.
4.2 Open Enrolment
Another topic brought up in the review is that some
standards (namely the ITU-T X.1080 Family) only
have provisions for local or face-to-face enrolment,
thereby causing user inconvenience. This approach
may still have merit when users are within a reason-
able distance from an enrolment centre, because these
centres are trusted and will have less fraudulent enrol-
ments. However, when these centres become unrea-
sonably far from users and the biometric sensors are
readily available to them, a compromise may need to
be made to accommodate them. One approach is to
introduce a remote enrolment centre that establishes
trust between the user and the center, in a similar man-
ner to the approaches found in (Jsang et al., 2007).
After trust has been established, enrolment can com-
mence and when the acquisition process is followed,
a quality check can be performed on the received bio-
metric sample to gain a viable sample and to reduce
subsequenterrors in authentication. Depending on the
level of security required, the provisioningof this pro-
cess can be changed from completely omitting open
enrolment for high security environments, to provid-
ing open enrolment with limited authority rights.
4.3 Biometric Revocation
One area in the field of biometrics that receivesa great
deal of criticism is the revocation of biometrics. If a
user’s biometric has been compromised, the system
should revoke the biometric and every time that bio-
metric is presented, authentication should fail. How-
ever, if this biometric is used in other systems, revo-
cation presents a real problem. One approach is to use
multiple biometrics and upon revocation, the alterna-
tive biometric can be used. However, a more viable
approach is to use a cancelable biometric template
(Teoh et al., 2006) and should biometric revocation
occur, another template can be generated, using the
same biometric. Best practice can be introduced that
outlines this process, as well as its requirements.
4.4 Non-repudiation and Regulation
Another topic addressed in the review is the monitor-
ing and recording of user activities that occur in a sys-
tem. By including a lightweight non-repudiation pro-
tocol (Zhou and Gollman, 1996) within biometric ser-
vices, which can be reviewed by a trusted third party
or a quality assurance component, liability can be suc-
cessfully tied to component activity. This is especially
needed in distributed systems where activity can be
contested and abuse occurs. Should any component
facilitate biometric operations, that component will be
accountable for the resources used for that operation.
Services can be regulated based on the recordings, to
provide a fair service to other components that require
the service. Best practice can also be included to deal
with requirements for non-repudiation and regulation,
as well as outlining the role of the trusted third party.
SECRYPT2013-InternationalConferenceonSecurityandCryptography
498
5 CONCLUSIONS
Overall, current best practices in both families have
shown that biometric web services are a reality and
future implementations should benefit greatly from
them. Current developments, such as the imple-
mented fingerprint-based telebiometric system using
the WS-BD specification, updates to the BioAPI
framework and further standardisation of BIAS into
ISO/IEC 30108, further support this claim. However,
there are still adjustments that need to be made by the
ITU-T Study Group 17, INCITS M1 Technical Com-
mittee and other policy makers to reach large-scale
telebiometric systems of tomorrow.
REFERENCES
ANSI/INCITS (2002). Ansi/incits 358 - the bioapi specifi-
cation. Technical report, American National Standard
for Information Technology.
ANSI/INCITS (2010). Information technology - biometric
identity assurance services (bias). ANSI INCITS 442-
2010.
Buhan, I. and Hartel, P. (2005). The state of the art in abuse
of biometrics.
ITU-T (2007). Itu-t recommendation x.1083 : Information
technology - biometrics - bioapi internetworking pro-
tocol. Technical report, International Telecommunica-
tion Union.
ITU-T (2008a). Itu-t recommendation x.1084 : Telebio-
metrics system mechanism part 1: General biometric
authentication protocol and system model profiles for
telecommunications systems. Technical report, Inter-
national Telecommunication Union.
ITU-T (2008b). Itu-t recommendation x.1086 : Telebio-
metrics protection procedures - part 1: A guideline
to technical and managerial countermeasures for bio-
metric data security. Technical report, International
Telecommunication Union.
ITU-T (2008c). Itu-t recommendation x.1089 : Telebio-
metrics authentication infrastructure (tai). Technical
report, International Telecommunication Union.
ITU-T (2011). Itu-t recommendation x.1081 : The telebio-
metric multimodal model - a framework for the spec-
ification of security and safety aspects of telebiomet-
rics. Technical report, International Telecommunica-
tion Union.
Jain, A. and Kumar, A. (2010). Biometrics of Next Genera-
tion: An Overview. Springer.
Jsang, A., Ismail, R., and Boyd, C. (2007). A survey of trust
and reputation systems for online service provision.
Decision Support Systems, 43(2):618 – 644. Emerging
Issues in Collaborative Commerce.
Kelly, F., Drygajlo, A., and Harte, N. (2012).
Speaker verification with long-term ageing
data. In Biometrics (ICB), 2012 5th IAPR
International Conference on, pages 478 –483.
Micheals, R. J., Mangold, K. C., Aronoff, M. L., Kwong,
K., and Marshall, K. (2012). Specification for ws-
biometric devices (ws-bd). NIST SP - 500-288. http://
bws.nist.gov (Last Accessed 16/12/2012).
NIST (2008). Usability & biometrics - ensuring
successful biometric systems. Technical re-
port, National Institute of Standards and Technol-
ogy. http://zing.ncsl.nist.gov/biousa/ (Last Accessed
19/12/2012).
NIST (2013). Nist 500-288: Biometric web services. Na-
tional Insitute of Standards and Technology (NIST).
OASIS (2012). Biometric identity assurance ser-
vices (bias) soap profile version 1.0. OA-
SIS Standard. http://docs.oasis-open.org/bias/
soap-profile/v1.0/os/biasprofile-v1.0-os.html (Last
Accessed 18/12/2012).
O’Gorman, L. (2003). Comparing passwords, tokens, and
biometrics for user authentication. Proceedings of the
IEEE, 91(12):2021 – 2040.
Otero-Muras, E., Gonz´alez-Agulla, E., Alba-Castro, J.,
Garc´ıa-Mateo, C., and M
´
Arquez-Fl´orez, O. (2007).
An open framework for distributed biometric au-
thentication in a web environment. Annales Des
T´el´ecommunications, 62:177–192.
Sarkar, I., Alisherov, F., hoon Kim, T., and Bhattacharyya,
D. (2010). Palm vein authentication system: A re-
view. International Journal of Control and Automa-
tion, 3(1):27–34.
Shen, C., Cai, Z., Guan, X., and Wang, J. (2012). On
the effectiveness and applicability of mouse dynam-
ics biometric for static authentication: A benchmark
study. In Biometrics (ICB), 2012 5th IAPR Interna-
tional Conference on, pages 378 –383.
Teoh, A., Goh, A., and Ngo, D. (2006). Random multispace
quantization as an analytic mechanism for biohashing
of biometric and random identity inputs. Pattern Anal-
ysis and Machine Intelligence, IEEE Transactions on,
28(12):1892 –1901.
Woodward, J. and Corporation., R. (2003). Biometrics : A
Look at Facial Recognition. RAND, Santa Monica,
Calif.
Woodward, J., Orlans, N., and Higgins, P. (2003). Biomet-
rics. Rsa Press Series. McGraw-Hill/Osborne.
Zhou, J. and Gollman, D. (1996). A fair non-repudiation
protocol. In Security and Privacy, 1996. Proceedings.,
1996 IEEE Symposium on, pages 55 –61.
AreBiometricWebServicesaReality?-ABestPracticeAnalysisforTelebiometricDeploymentinOpenNetworks
499
