(Bredemarket Premium) The big biometric firms and the even bigger tech firms

When I was part of an industry in which the three major players were my employer IDEMIA and its competitors NEC and Thales, I was always aware of a potential threat to these three multi-billion dollar biometric companies. Specifically, there were much, much bigger technology companies (both inside and outside of Silicon Valley) with huge resources and extensive artificial intelligence experience. These firms could put the three biometric firms out of business at any time.

By Syassine – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=31368987

But is this threat a real threat? Or is it overstated?

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

Build your own automated fingerprint identification system…for FREE!

At Bredemarket, I work with a number of companies that provide biometric systems. And I’ve seen a lot of other systems over the years, including fingerprint, face, DNA, and other systems.

The components of a biometric system

While biometric systems may seem complex, the concept is simple. Years ago, I knew a guy who asserted that a biometric system only needs to contain two elements:

  • An algorithm that takes a biometric sample, such as a fingerprint image, and converts it into a biometric template.
  • An algorithm that can take these biometric templates and match them against each other.

If you have these two algorithms, my friend stated that you had everything you need for an biometric system.

Well, maybe not everything.

Today, I can think of a few other things that might be essential, or at least highly recommended. Here they are:

  • An algorithm that can measure the quality of a biometric sample. In some cases, the quality of the sample may be important in determining how reliable matching results may be.
  • For fingerprints, an algorithm that can classify the prints. Forensic examiners routinely classify prints as arches, whorls, loops, or variants of these three, and classifications can sometimes be helpful in the matching process.
  • For some biometric samples, utilities to manage the compression and decompression of the biometric images. Such images can be huge, and if they can be compressed by a reliable compression methodology, then processing and transmission speeds can be improved.
  • A utility to manage the way in which the biometric data is accessed. To ensure that biometric systems can talk to each other, there are a number of related interchange standards that govern how the biometric information can be read, written, edited, and manipulated.
  • For fingerprints, a utility to segment the fingerprints, in cases where multiple fingerprints can be found in the same image.

So based upon the two lists above, there are seven different algorithms/utilities that could be combined to form an automated fingerprint identification system, and I could probably come up with an eighth one if I really felt like it.

My friend knew about this stuff, because he had worked for several different firms that produced fingerprint identification systems. These firms spent a lot of money hiring many engineers and researchers to create all of these algorithms/utilities and sell them to customers.

How to get these biometric system components for free

But what if I told you that all of these firms were wasting their time?

And if I told you that since 2007, you could get source code for ALL of these algorithms and utilities for FREE?

Well, it’s true.

To further its testing work, the National Institute of Standards and Technology (NIST) created the NIST Biometric Image Software (NBIS), which currently has eight algorithms/utilities. (The eighth one, not mentioned above, is a spectral validation/verification metric for fingerprint images.) Some of these algorithms and utilities are available separately or in other utilities: anyone can (and is encouraged to) use the quality algorithm, called NFIQ, and the minutiae detector MINDTCT is used within the FBI’s Universal Latent Workstation (ULW).

If the FBI had just waited until 2007, it could have obtained the IAFIS software for free. FBI image taken from Chapter 6 of the Fingerprint Sourcebook, https://www.ojp.gov/pdffiles1/nij/225326.pdf.

As I write this, NBIS has not been updated in six years, when Release 5.0.0 came out.

Is anyone using this in a production system?

And no, I am unaware of any law enforcement agency or any other entity that has actually USED NBIS in a production system, outside of the testing realm, with the exception of limited use of selected utilities as noted above. Although Dev Technology Group has compiled NBIS on the Android platform as an exercise. (Would you like an AFIS on your Samsung phone?)

But it’s interesting to note that the capability is there, so the next time someone says, “Hey, let’s build our own AFIS!” you can direct them to https://www.nist.gov/itl/iad/image-group/products-and-services/image-group-open-source-server-nigos#Releases and let the person download the source code and build it.

Biometrics IS the financial sector

“Have to update my chart again.”

C. Maxine Most of Acuity Market Intelligence. From https://twitter.com/cmaxmost/status/1418306725510193152

Since I’m treading into financial territory here, I should disclose that Bredemarket has financial relationships with one or more of the companies mentioned in this post. This is not investment advice, do your own due diligence, bla bla bla.

I don’t monitor the market enough to know if this is part of an overall trend, but there has been a lot of biometric and digital identity investment recently. Both Biometric Update and FindBiometrics (and other publications such as FinLedger) have written about some of these recent investments, and IPVM has published its acquisition analysis (for subscribers only). Here’s a partial list of the biometric and/or digital identity companies who have received new funding (via investors, IPO, or acquisitions) recently:

I am not a financial expert (trust me on this), but I suspect that these companies are benefiting from two contradictory factors.

  • The apparent WANING of the COVID threat suggests better market performance in the future.
  • Some biometric and digital identity investments are very attractive precisely BECAUSE of the COVID threat, and the resulting attractiveness of remote and touchless technologies.

Of course, markets run in cycles, and it’s hard to predict if this is just the beginning of money flowing to biometrics/digital identity companies, or if all of this will suddenly come to a grinding halt. Remember how hot so-called “fever scanners” were a year ago, until their deficiencies were identified? And remember how Microsoft was prompted to divest from Anyvision not too long ago?

It’s possible that a number of external factors, such as an increase in government bans of facial recognition use, consumer resistance to digital identity, or the entry (or re-entry) of much larger players into the biometrics and/or digital identity markets, could dampen the revenue hopes for these funded companies.

Of course, investors are used to analyzing risk, and in many cases the investments with higher risk can yield the greater rewards.

It’s all just a game.

Biometric (and other) authentication CAN be spoofed…but it isn’t easy

A few days ago, Liam Tung of ZDNet wrote an article entitled “Windows 10 security: Here’s how researchers managed to fool Windows Hello.”

Those who read the title of the article may conclude that biometrics is a terrible authentication method because it can be spoofed.

Just a picture of candy. Nothing special. By Jebulon – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=27753729

Well, until they come to the third paragraph of the article.

The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.

Of course, if the target is a really important target such as a world leader, it might be worth it to go to all of that effort to execute the attack.

However, the difficult attack would be much more difficult to execute if the authentication system required multiple biometrics, rather than just one.

And the attack would be even more difficult still if the authentication system employed multiple authentication factors, rather than the single “something you are” factor. If you have to spoof the fingerprint AND the face AND the driver’s license AND the five digit PIN AND the geolocation, and you don’t know in advance WHICH factors will be requested, it’s still possible to gain access, but it’s not easy.

Pangiam, CLEAR, and others make a “sporting” effort to deny (or allow) stadium access

Back when I initially entered the automated fingerprint identification systems industry in the last millennium, I primarily dealt with two markets: the law enforcement market that seeks to solve crimes and identify criminals, and the welfare benefits market that seeks to make sure that the right people receive benefits (and the wrong people don’t).

Other markets simply didn’t exist. If I pulled out my 1994-era mobile telephone and looked at it, nothing would happen. Today, I need to look at my 2020-era mobile telephone to obtain access to its features.

And there are other biometric markets also.

Pangiam and stadium bans

Back in 1994 I couldn’t envision a biometrics story in Sports Illustrated magazine. But SI just ran a story on how facial recognition can be used to keep fans out of stadiums who shouldn’t be there.

Some fans (“fanatics”) perform acts in stadiums that cause the sports teams and/or stadium authorities to officially ban them from the stadium, sometimes for life.

John Green is the man in the blue shirt and white baseball cap to Artest’s left. By Copyright 2004 National Basketball Association. – Television broadcast of the Pacers-Pistons brawl on ESPN., Fair use, https://en.wikipedia.org/w/index.php?curid=6824157

But in the past, these measures were ineffective.

For a long time, those “measures” were limited at best. Fans do not have to show ID upon entering arenas. Teams could run checks on all the credit cards to purchase tickets to see whether any belonged to banned fans, but those fans could easily have a friend buy the tickets. 

But there are other ways to enforce stadium bans, and Sports Illustrated quoted an expert on the matter.

“They’ve kicked the fan out; they’ve taken a picture—that fan they know,” says Shaun Moore, CEO of a facial-recognition company called Trueface. “The old way of doing things was, you give that picture to the security staff and say, ‘Don’t let this person back in.’ It’s not really realistic. So the new way of doing it is, if we do have entry-level cameras, we can run that person against everyone that’s coming in. And if there’s a hit, you know then; then there’s a notification to engage with that person.”

This, incidentally, is an example of a “deny list,” or the use of a security system to deny a person access. We’ll get to that later.

But did you notice the company that was mentioned in the last quote? I’ve mentioned that company before, because Trueface was the most recent acquisition by the company Pangiam, a company that has also acquired airport security technology.

But Pangiam/Trueface isn’t the only company serving stadium (and entertainment) venues.

CLEAR and stadium entry

Most of the time, sports stadiums aren’t concentrating on the practice of DENYING people entry to a stadium. They make a lot more money by ALLOWING people entry to a stadium…and allowing them to enter as quickly as possible so they can spend money on concessions.

One such company that supports this is CLEAR, which was recently in the news because of its Initial Public Offering. Coincidentally, CLEAR also provides airport security technology, but it has branched out from that core market and is also active in other areas.

For example, let’s say you’re a die-hard New York Mets fan, and you head to Citi Field to watch a game.

By Chris6d – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=101751795

The Mets don’t just let anyone into the stadium; you have to purchase a ticket. So you need to take your ticket out of your pocket and show it to the gate staff, or you need to take your smartphone out of your pocket and show your digital ticket to the gate staff.

What if you could get into the stadium without taking ANYTHING out of your pocket? Well, you can.

In the CLEAR Lane, your fingerprint is all you need to use tickets in your MLB Ballpark app – no need to pull out your phone or printed ticket as you enter the game.

Now that is really easy.

Pangiam and CLEAR aren’t the only companies in this space, as I well know. But there’s the possibility that biometrics will be used more often for access to sports games, concerts, and similar events.

(Bredemarket Premium) My (biometric) baby is American made

When I first entered the biometric world, the portion of the world that directly interested me (the automated fingerprint identification system, or AFIS industry) had three major players and one emerging player. Of those four, two were privately held American companies, and the other two were U.S. subsidiaries of foreign companies (one French, one Japanese).

Today it’s different.

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

Pangiam acquires something else (in this case TrueFace)

People have been coming here to find this news (thanks Google Search Console) so I figured I’d better share it here.

Remember Pangiam, the company that I talked about back in March when it acquired the veriScan product from the Metropolitan Washington Airports Authority? Well, last week Pangiam acquired another company.

TYSONS CORNER, Va., June 2, 2021 /PRNewswire/ — Pangiam, a technology-based security and travel services provider, announced today that it has acquired Trueface, a U.S.-based leader in computer vision focused on facial recognition, weapon detection and age verification technologies. Terms of the transaction were not disclosed….

Trueface, founded in 2013 by Shaun Moore and Nezare Chafni, provides industry leading computer vision solutions to customers in a wide range of industries. The company’s facial recognition technology recently achieved a top three ranking among western vendors in the National Institute of Standards and Technology (NIST) 1:N Face Recognition Vendor Test. 

(Just an aside here: companies can use NIST tests to extract all sorts of superlatives that can be applied to their products, once a bunch of qualifications are applied. Pay attention to the use of the phrase “among western vendors.” While there may be legitimate reasons to exclude non-western vendors from comparisons, make a mental note when such an exclusion is made.)

But what does this mean in terms of Pangiam’s existing product? The press release covers this also.

Trueface will add an additional capability to Pangiam’s existing technologies, creating a comprehensive and seamless solution to satisfy the needs of both federal and commercial enterprises.

And because Pangiam is not a publicly-traded company, it is not obliged to add a disclaimer to investors saying this integration might not happen bla bla bla. Publicly traded companies are obligated to do this so that investors are aware of the risks when a company speculates about its future plans. Pangiam is not publicly traded, and the owners are (presumably) well aware of the risks.

For example, a US government agency may prefer to do business with an eastern vendor. In fact, the US government does a lot of business with one eastern vendor (not Chinese or Russian).

But we’ll see what happens with any future veriTruefaceScan product.

What is an “antimicrobial” contact fingerprint reader? And what is it NOT?

In the COVID and (soon) post-COVID area, people don’t want to touch things. That impacts how identity products are marketed, including biometric readers.

Why contactless biometrics are “better” than contact biometrics

In the biometric world, this reluctance to touch things has served to promote CONTACTLESS biometric technologies, such as facial recognition, other other technologies. The loser in this has been fingerprint-based technologies, as several facial and iris vendors have made the claim that face/iris biometrics are contactless, while fingerprint biometrics are NOT contactless.

Well, my friends at my former employer IDEMIA might take issue with that claim, since you literally do NOT touch the fingerprint reader in IDEMIA’s MorphoWave product. IDEMIA does not (to my knowledge) make any medical claims about MorphoWave, but the company does emphasize that its contactless fingerprint reader allows for fast capture of four-finger slaps.

To protect their premises, organizations need access control solutions that are efficient, fast, and convenient. A contactless fingerprint scanner provides an optimum answer high throughput workplaces. IDEMIA’s MorphoWave contactless fingerprint solution scans and verifies 4 fingerprints in less than 1 second, through a fully touchless hand wave gesture. Thanks to the simplicity of this gesture, the throughput can reach up to 50 people per minute.

An antimicrobial contact fingerprint reader?

But what if there were a CONTACT solution that allowed you to capture prints with a reduced fear of “bad things”?

That’s what Integrated Biometrics appears to be claiming.

Integrated Biometrics (IB), the world leader in mobile, FBI-certified biometric fingerprint scanners, and NBD Nanotechnologies (NBD Nano), the surface coating experts, today announced the inclusion of NBD’s RepelFlex MBED transparent coating on IB’s entire line of fingerprint scanners.

An ultra-thin, transparent coating, RepelFlex MBED is designed to provide outstanding antimicrobial, anti-scratch, and anti-stain protection to devices. Long-lasting and multi-functional, RepelFlex MBED is ideal for surfaces that must stand up to high throughput and harsh conditions without compromising accuracy.

So what exactly does “antimicrobial” mean?

cluster of Escherichia coli bacteria magnified 10,000 times. By Photo by Eric Erbe, digital colorization by Christopher Pooley, both of USDA, ARS, EMU. – This image was released by the Agricultural Research Service, the research agency of the United States Department of Agriculture, with the ID K11077-1 (next)., Public Domain, https://commons.wikimedia.org/w/index.php?curid=958857

Let’s see how NBD Nano describes it.

Preventing the presence and growth of microbials on surfaces is becoming increasingly important. Antimicrobial performance is especially critical on surfaces that are accessible to the public in order to prevent the spread of stain and odor causing bacteria and microbes.

And if you drill further down in NBD Nano’s website, you find this information in a technical data sheet (PDF).

Antimicrobial Performance: Japanese Industrial Standard (JIS) Z 2801 – PASS*
*as tested by Microchem Laboratory, Round Rock, TX

Now since I’m not up to date on my Japanese Industrial Standards, I had to rely on the good folks at the aforementioned Microchem Laboratory to explain what the standard actually means.

The JIS Z 2801 method tests the ability of plastics, metals, ceramics and other antimicrobial surfaces to inhibit the growth of microorganisms or kill them. The procedure is very sensitive to antimicrobial activity and has a number of real world applications anywhere from the hospital/clinical environment to a household consumer company concerned with the ability of a material they have to allow bacterial growth.

The JIS Z 2801 method is the most commonly chosen test and has become the industry standard for antimicrobial hard surface performance in the United States.

It may be antimicrobial, but what about preventing the “C” word?

Now you may have noticed that Microchem Laboratory, NBD Nano, and Integrated Biometrics did not make any medical claims regarding their products. None of them, for example, used the “C” word in any of their materials.

There’s a very, very good reason for that.

If any of these product providers were to make specific MEDICAL claims, then any sales in the United States would come under the purview of the U.S. Food and Drug Administration.

This is something that temperature scanner manufacturers learned the hard way.

Digression: if fever scanners are fever scanners, does that mean they are fever scanners?

Remember “fever scanners”? Those devices that were (and in some cases still are) pointed at your forehead as you enter a building or another secure area? I won’t get into the issues with these devices (what happens when the scanner is placed next to a building’s front entrance on a hot day?), but I will look at some of the claims about those scanners.

About a year ago, John Honovich of IPVM began asking some uncomfortable questions about the marketing of those devices, especially after the FDA clarified what thermal imaging systems could and could not do.

When used correctly, thermal imaging systems generally have been shown to accurately measure someone’s surface skin temperature without being physically close to the person being evaluated….

Thermal imaging systems have not been shown to be accurate when used to take the temperature of multiple people at the same time. The accuracy of these systems depends on careful set-up and operation, as well as proper preparation of the person being evaluated….

Room temperature should be 68-76 °F (20-24 °C) and relative humidity 10-50 percent….

The person handling the system should make sure the person being evaluated…(h)as waited at least 15 minutes in the measurement room or 30 minutes after exercising, strenuous physical activity, bathing, or using hot or cold compresses on the face.

Let’s stop right there. For any of you who have undergone a temperature scan in the last year: how many of you have waited in a measurement room for at least 15 minutes BEFORE your temperature was taken?

Last summer I had a dentist appointment. My dentist is in Ontario, California, where the summers can get kind of hot. The protocol at this dentist’s office was to have you call the office from your car when you arrived in the parking lot, then wait for someone from the office to come outside and take your temperature before you could enter the building.

I was no dummy. I left my car and its air conditioner running while waiting for my temperature to be taken. Otherwise, who knows what my temperature reading would have been? (I also chose NOT to walk to the dentist’s office that day for the same reason.)

Back to John Honovich. He had read the FDA advice on the medical nature of thermal imaging systems, and then noted that some of the manufacturers of said systems were sort of getting around this by stating that their devices were not medical devices.

Even though the manufacturers still referred to them as “fever cameras.”

For example, one vendor (who has since changed its advertising) declared at the time that “thermal temperature-monitoring technology assists in reducing the spread of viral diseases,” even though that vendor’s device “is not a medical device and is not designed or intended for diagnosis, prevention, or treatment of any disease or condition.”

Fever scanners, testosterone supplements…and fingerprint readers

Yes, that language is similar to the language used by providers of natural supplements that, according to anecdotal evidence, work wonders. The FDA really polices this stuff.

So you really don’t want to make medical claims about ANY product unless you can back them up with the FDA. You can say that a particular product passed a particular antimicrobial standard…but you’d better not say anything else.

In fact, Integrated Biometrics only mentions the “antimicrobial” claim in passing, but spends some time discussing other benefits of the NBD Nano technology:

The inclusion of RepelFlex MBED coatings enable IB’s scanners to deliver an even higher level of performance. Surfaces are tougher and more difficult to scratch or stain, increasing their longevity while maintaining print quality even when regular cleaning is not possible due to conditions or times of heavy use.

So the treated Integrated Biometrics products are tough…like those famous 1970s crime fighters Kojak, Columbo, and Danno and the other people from Five-O. (Not that Sherlock and Watson were slouches.)

Book ’em, Danno! By CBS Television – eBay item photo front photo back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=19674714

Pangiam, a new/old player in biometric boarding

Make vs. buy.

Businesses are often faced with the question of whether to buy a product or service from a third party, or make the product or service itself.

And airports are no exception to this.

The Metropolitan Washington Airports Authority (MWAA), the entity that manages two of the airports in the Washington, DC area, needed a biometric boarding (biometric exit) solution. Such solutions allow passengers to skip the entire “pull out the paper ticket” process, or even the “pull out the smartphone airline app” process, and simply stand and let a camera capture a picture of the passenger’s face. While there are several companies that sell such solutions, MWAA decided to create its own solution, veriScan.

https://www.airportveriscan.com/

And once MWAA had implemented veriScan at its own airports, it started marketing the solution to other airports, and competing against other providers who were trying to sell their own solutions to airports.

Well, MWAA got out of the border product/service business last week when it participated in this announcement:

ALEXANDRIA, Va., March 19, 2021 /PRNewswire/ — Pangiam, a technology-based security and travel services provider, announced today that it has acquired veriScan, an integrated biometric facial recognition system for airports and airlines, from the Metropolitan Washington Airports Authority (“Airports Authority”). Terms of the transaction were not disclosed.

Pangiam is clearly the new kid on the block, since the company didn’t even exist in its current form a year ago. Late last year, AE Industrial Partners acquired and merged the decade-old Linkware and the newly-formed Pangian (PRE LLC) “to form a highly integrated travel solutions technology platform providing a more seamless and secure travel experience.”

But in a sense, Pangiam ISN’T new to the travel industry, once you read the biographies of many of the principals at the company.

  • “Most recently (Kevin McAleenan) served as Acting Secretary of the U.S. Department of Homeland Security (DHS)….”
  • “Prior to Pangiam, Patrick (Flanagan) held roles at U.S. Customs & Border Protection (CBP), the U.S. Navy, the National Security Staff, the Transportation Security Administration (TSA), and the Department of Homeland Security (DHS).”
  • “Dan (Tanciar) previously served as the Executive Director of Planning, Program Analysis, and Evaluation in the Office of Field Operations (OFO) at U.S. Customs and Border Protection (CBP).”
  • “Prior to Pangiam, Andrew (Meehan) served as the principal adviser to the Acting Secretary for external affairs at the Department of Homeland Security (DHS).”
  • “(Tom Plofchan) served as a National Security Advisor to the Department of Energy’s Pacific Northwest National Laboratory before entering government to serve as the Counterterrorism Advisor to the Commissioner, U.S. Customs and Border Protection, and as Counterterrorism Counselor to the Secretary, U.S. Department of Homeland Security.”

So if you thought that veriScan was well-connected because it was offered by an airport authority, consider how well-connected it appears now because it is offered by a company filled with ex-DHS people.

Which in and of itself doesn’t necessarily indicate that the products work, but it does indicate some level of domain knowledge.

But will airports choose to buy the Pangiam veriScan solution…or make their own?