(Bredemarket Premium) The big biometric firms and the even bigger tech firms

When I was part of an industry in which the three major players were my employer IDEMIA and its competitors NEC and Thales, I was always aware of a potential threat to these three multi-billion dollar biometric companies. Specifically, there were much, much bigger technology companies (both inside and outside of Silicon Valley) with huge resources and extensive artificial intelligence experience. These firms could put the three biometric firms out of business at any time.

By Syassine – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=31368987

But is this threat a real threat? Or is it overstated?

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

Build your own automated fingerprint identification system…for FREE!

At Bredemarket, I work with a number of companies that provide biometric systems. And I’ve seen a lot of other systems over the years, including fingerprint, face, DNA, and other systems.

The components of a biometric system

While biometric systems may seem complex, the concept is simple. Years ago, I knew a guy who asserted that a biometric system only needs to contain two elements:

  • An algorithm that takes a biometric sample, such as a fingerprint image, and converts it into a biometric template.
  • An algorithm that can take these biometric templates and match them against each other.

If you have these two algorithms, my friend stated that you had everything you need for an biometric system.

Well, maybe not everything.

Today, I can think of a few other things that might be essential, or at least highly recommended. Here they are:

  • An algorithm that can measure the quality of a biometric sample. In some cases, the quality of the sample may be important in determining how reliable matching results may be.
  • For fingerprints, an algorithm that can classify the prints. Forensic examiners routinely classify prints as arches, whorls, loops, or variants of these three, and classifications can sometimes be helpful in the matching process.
  • For some biometric samples, utilities to manage the compression and decompression of the biometric images. Such images can be huge, and if they can be compressed by a reliable compression methodology, then processing and transmission speeds can be improved.
  • A utility to manage the way in which the biometric data is accessed. To ensure that biometric systems can talk to each other, there are a number of related interchange standards that govern how the biometric information can be read, written, edited, and manipulated.
  • For fingerprints, a utility to segment the fingerprints, in cases where multiple fingerprints can be found in the same image.

So based upon the two lists above, there are seven different algorithms/utilities that could be combined to form an automated fingerprint identification system, and I could probably come up with an eighth one if I really felt like it.

My friend knew about this stuff, because he had worked for several different firms that produced fingerprint identification systems. These firms spent a lot of money hiring many engineers and researchers to create all of these algorithms/utilities and sell them to customers.

How to get these biometric system components for free

But what if I told you that all of these firms were wasting their time?

And if I told you that since 2007, you could get source code for ALL of these algorithms and utilities for FREE?

Well, it’s true.

To further its testing work, the National Institute of Standards and Technology (NIST) created the NIST Biometric Image Software (NBIS), which currently has eight algorithms/utilities. (The eighth one, not mentioned above, is a spectral validation/verification metric for fingerprint images.) Some of these algorithms and utilities are available separately or in other utilities: anyone can (and is encouraged to) use the quality algorithm, called NFIQ, and the minutiae detector MINDTCT is used within the FBI’s Universal Latent Workstation (ULW).

If the FBI had just waited until 2007, it could have obtained the IAFIS software for free. FBI image taken from Chapter 6 of the Fingerprint Sourcebook, https://www.ojp.gov/pdffiles1/nij/225326.pdf.

As I write this, NBIS has not been updated in six years, when Release 5.0.0 came out.

Is anyone using this in a production system?

And no, I am unaware of any law enforcement agency or any other entity that has actually USED NBIS in a production system, outside of the testing realm, with the exception of limited use of selected utilities as noted above. Although Dev Technology Group has compiled NBIS on the Android platform as an exercise. (Would you like an AFIS on your Samsung phone?)

But it’s interesting to note that the capability is there, so the next time someone says, “Hey, let’s build our own AFIS!” you can direct them to https://www.nist.gov/itl/iad/image-group/products-and-services/image-group-open-source-server-nigos#Releases and let the person download the source code and build it.

Biometrics IS the financial sector

“Have to update my chart again.”

C. Maxine Most of Acuity Market Intelligence. From https://twitter.com/cmaxmost/status/1418306725510193152

Since I’m treading into financial territory here, I should disclose that Bredemarket has financial relationships with one or more of the companies mentioned in this post. This is not investment advice, do your own due diligence, bla bla bla.

I don’t monitor the market enough to know if this is part of an overall trend, but there has been a lot of biometric and digital identity investment recently. Both Biometric Update and FindBiometrics (and other publications such as FinLedger) have written about some of these recent investments, and IPVM has published its acquisition analysis (for subscribers only). Here’s a partial list of the biometric and/or digital identity companies who have received new funding (via investors, IPO, or acquisitions) recently:

I am not a financial expert (trust me on this), but I suspect that these companies are benefiting from two contradictory factors.

  • The apparent WANING of the COVID threat suggests better market performance in the future.
  • Some biometric and digital identity investments are very attractive precisely BECAUSE of the COVID threat, and the resulting attractiveness of remote and touchless technologies.

Of course, markets run in cycles, and it’s hard to predict if this is just the beginning of money flowing to biometrics/digital identity companies, or if all of this will suddenly come to a grinding halt. Remember how hot so-called “fever scanners” were a year ago, until their deficiencies were identified? And remember how Microsoft was prompted to divest from Anyvision not too long ago?

It’s possible that a number of external factors, such as an increase in government bans of facial recognition use, consumer resistance to digital identity, or the entry (or re-entry) of much larger players into the biometrics and/or digital identity markets, could dampen the revenue hopes for these funded companies.

Of course, investors are used to analyzing risk, and in many cases the investments with higher risk can yield the greater rewards.

It’s all just a game.

Biometric (and other) authentication CAN be spoofed…but it isn’t easy

A few days ago, Liam Tung of ZDNet wrote an article entitled “Windows 10 security: Here’s how researchers managed to fool Windows Hello.”

Those who read the title of the article may conclude that biometrics is a terrible authentication method because it can be spoofed.

Just a picture of candy. Nothing special. By Jebulon – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=27753729

Well, until they come to the third paragraph of the article.

The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.

Of course, if the target is a really important target such as a world leader, it might be worth it to go to all of that effort to execute the attack.

However, the difficult attack would be much more difficult to execute if the authentication system required multiple biometrics, rather than just one.

And the attack would be even more difficult still if the authentication system employed multiple authentication factors, rather than the single “something you are” factor. If you have to spoof the fingerprint AND the face AND the driver’s license AND the five digit PIN AND the geolocation, and you don’t know in advance WHICH factors will be requested, it’s still possible to gain access, but it’s not easy.

(Bredemarket Premium) My (biometric) baby is American made

When I first entered the biometric world, the portion of the world that directly interested me (the automated fingerprint identification system, or AFIS industry) had three major players and one emerging player. Of those four, two were privately held American companies, and the other two were U.S. subsidiaries of foreign companies (one French, one Japanese).

Today it’s different.

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

Even Apple is moving to a service model. Biometric identity vendors are moving also.

Remember when you bought a big old hunk of hardware…and you owned it?

With cloud computing, significant portions of hardware were no longer owned by companies and people, but were instead provided as a service. And the companies moved from getting revenue from selling physical items to getting revenue from selling services.

From Apple Computer to Apple

Apple is one of those companies, as its formal name change from “Apple Computer” signifies.

Then “Apple Computer” circa 1978. From https://www.macrumors.com/2020/03/23/apple-computer-retail-sign/. Fair use.

Yet even as iTunes and “the” App Store become more prominent, Apple still made a mint out of selling new smartphone hardware to users as frequently as possible.

But Apple is making a change later in 2021, and Adrian Kingsley-Hughes noted the significance of that change.

The change?

So, it turns out that come the release of iOS 15 (and iPadOS 15) later this year, users will get a choice.

Quite an important choice.

iPhone users can choose to hit the update button and go down the iOS 15 route, or play it safe and stick with iOS 14.

Why is Apple supporting older hardware?

So Apple is no longer encouraging users to dump their old phones to keep up with new operating systems like the forthcoming iOS 15?

There’s a reason.

By sticking with iOS 14, iPhone users will continue to get security updates, which keeps their devices safe, and Apple gets to keep those users in the ecosystem.

They can continue to buy content and apps and pay for services such as iCloud.

Although Kingsley-Hughes doesn’t explicitly say it, there is a real danger when you force users to abandon your current product and choose another. (Trust me; I know this can happen.)

In Apple’s case, the danger is that the users could instead adopt a SAMSUNG product.

And these days, that not only means that you lose the sale of the hardware, but you also lose the sale of the services.

It’s important for Apple to support old hardware and retain the service revenue, because not only is its services business growing, but services are more profitable than hardware.

In the fiscal year 2019, Apple’s services business posted gross margins of 63.7%, approaching double the 32.2% gross margin of the company’s product sector. 

If current trends continue, Apple’s services (iCloud, Apple Music, AppleCare, Apple Card, Apple TV+, etc.) will continue to become relatively more important to the company.

The biometric identity industry is moving to a service model also

Incidentally, we’re seeing this in other industries, for example as the biometric identity industry also moves from an on-premise model to a software as a service (SaaS) model. One benefit of cloud-based hosting of biometric identity services is that both software and the underlying hardware can be easily upgraded without having to go to a site, deploying a brand new set of hardware, transferring the data from one set of hardware to the other, and hauling away the old hardware. Instead, all of those activities take place at Amazon, Microsoft, or other data centers with little or no on-premise fuss.

(And, as an added benefit, it’s easier for biometric vendors to keep their current customers because obsolescence becomes less of an issue.)

Is your biometric identity company ready to sell SaaS solutions?

But perhaps your company is just beginning to navigate from on-premise to SaaS. I’ve been through that myself, and can contract with you to provide advice and content. I can wear my biometric content marketing expert hat, or my biometric proposal writing expert hat as needed.

The “T” stands for technology. Or something. By Elred at English Wikipedia – Transferred from en.wikipedia to Commons by Moe_Epsilon., Public Domain, https://commons.wikimedia.org/w/index.php?curid=3812206

Obviously this involves more than just saying “we’re cloud-ready.” Customers don’t care if you’re cloud-ready. Customers only care about the benefits that being cloud-ready provides. And I can help communicate those benefits.

If I can help you communicate the benefits of a cloud-ready biometric identity system, contact me (email, phone message, online form, appointment for a content needs assessment, even snail mail).

(Bredemarket Premium) The drawbacks of a FOCI-mitigated subsidiary

Those portions of the U.S. government that deal with critical infrastructure are naturally concerned about foreign encroachment into U.S. Government operations, even from “friendly” nations. Therefore, the U.S. Government takes steps to mitigate the effects of “Foreign Ownership, Control or Influence” (FOCI).

I’ve worked for two companies that needed to undertake FOCI mitigation, and I know of others that have also done this. And while FOCI mitigation offers benefits to the United States, there are also drawbacks of which everyone involved should be aware.

Subscribe to get access

Subscribe to Bredemarket Premium to access this premium content.

  • Subscriptions just $5 per month.
  • Access Bredemarket’s expertise without spending hundreds or thousands of dollars.

The Pandora’s Box of the “passwords are dead” movement

I’ve previously commented on the “passwords are dead” movement, and why I don’t agree that passwords are dead. But I recently realized that the “logic” behind the “passwords are dead” movement could endanger ALL forms of multi-factor authentication.

If I may summarize the argument, the “passwords are dead” movement is based upon the realization that passwords are an imperfect authentication method. People use obvious passwords, people re-use passwords, individuals don’t guard their passwords, and even companies don’t guard the passwords that they store. Because of these flaws, many passwords have been compromised over the years.

From this indisputable fact, the “passwords are dead” advocates have concluded that the best thing to do is to refrain from using passwords entirely, and to use some other authentication method instead (choosing from the five authentication factors).

In my spiral of people connections, the most frequently suggested replacement for passwords is biometrics. As a biometric content marketing expert and a biometric proposal writing expert, I’m certainly familiar with the arguments about the wonderfulness of biometric authentication.

But wait a minute. Isn’t it possible to spoof biometrics? And when a biometric is compromised, you can’t change your finger or your face like you can with a compromised password. And the Internet tells me that biometrics is racist anyway.

So I guess “biometrics are dead” too, using the “passwords are dead” rationale.

And we obviously can’t use secure documents or other “something you have” modalities either, because “something you have” is “something that can be stolen.” And you can’t vet the secure document with biometrics because we already know that biometrics are spoofable and racist and all that.

So I guess “secure documents are dead” too.

Somewhere you are? Yeah, right. There are entire legitimate industries based upon allowing someone to represent that they are in one place when in fact they are in another place.

So I guess “geolocation is dead” too.

You see where this leads.

NO authentication method is perfect.

But just because an authentication method has imperfections doesn’t mean that it should be banned entirely. If you open the Pandora’s Box of declaring imperfect authentication methods “dead,” there will be NO authentication methods left.

Epimetheus opening Pandora’s Box. By Giulio Bonasone – This file was donated to Wikimedia Commons as part of a project by the Metropolitan Museum of Art. See the Image and Data Resources Open Access Policy, CC0, https://commons.wikimedia.org/w/index.php?curid=60859836

And before talking about multi-factor authentication, remember that it isn’t perfect either. With enough effort, a criminal could spoof multiple factors to make it look like someone with a spoofed face and a spoofed driver’s license is physically present at a spoofed location. Of course it takes more effort to spoof multiple factors of authentication…

…which is exactly the point. As security professionals already know, something that is harder to hack is less likely to be hacked.

“I don’t want to say multi-factor is terrible. All things considered, it is generally better than single-factor and we should strive to use it wherever it makes sense and is possible. However, if someone tells you something is unhackable, they’re either lying to you or dumb.”

And heck, be wild and throw a strong password in as ONE of the factors. Even weak passwords of sufficient length can take a long time to crack, provided they haven’t been compromised elsewhere.

Feel free to share the images and interactive found on this page freely. When doing so, please attribute the authors by providing a link back to this page and Better Buys, so your readers can learn more about this project and the related research.

Luckily, my experience extends beyond biometrics to other authentication methods, most notably secure documents and digital identity. And I’m familiar with multi-factor authentication methods that employ…well, multiple factors of authentication in various ways. Including semi-random presentation of authentication factors; if you don’t know which authentication factors will be requested, it’s that much harder to hack the authentication process.

Do you want to know more? Do you need help in communicating the benefits of YOUR authentication mechanism? Contact me.

Something I wrote elsewhere about the biometric systems development lifecycle

One of my non-Bredemarket blogs is JEBredCal, and I recently wrote something on that blog entitled “The biometric systems development lifecycle.”

By Horst59 – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=64233808

The post describes several steps in the lifecycle, including:

  • Strategic/market assessment.
  • Product release definition and development.
  • Capture and proposal strategy.
  • Contract negotiation.
  • Business system requirements analysis.
  • Implementation.
  • Operation.
  • End of life.

At each stage, there are decisions that you need to make regarding whether you will pursue something, or instead choose NOT to pursue it.

  • Does it make sense to pursue this market? As Peter Kirkwood notes, sometimes you SHOULDN’T pursue a market.
  • Does it make sense to release this product? Again, maybe not.
  • Does it make sense to bid on this Request for Proposal? Again, maybe not. Especially if the opportunity cost of bidding on a low-PWin opportunity instead of another opportunity is high.

No, a “no” decision doesn’t mean that you stick a fork in it. The post implicitly refers to ANOTHER definition of a fork.

What is an “antimicrobial” contact fingerprint reader? And what is it NOT?

In the COVID and (soon) post-COVID area, people don’t want to touch things. That impacts how identity products are marketed, including biometric readers.

Why contactless biometrics are “better” than contact biometrics

In the biometric world, this reluctance to touch things has served to promote CONTACTLESS biometric technologies, such as facial recognition, other other technologies. The loser in this has been fingerprint-based technologies, as several facial and iris vendors have made the claim that face/iris biometrics are contactless, while fingerprint biometrics are NOT contactless.

Well, my friends at my former employer IDEMIA might take issue with that claim, since you literally do NOT touch the fingerprint reader in IDEMIA’s MorphoWave product. IDEMIA does not (to my knowledge) make any medical claims about MorphoWave, but the company does emphasize that its contactless fingerprint reader allows for fast capture of four-finger slaps.

To protect their premises, organizations need access control solutions that are efficient, fast, and convenient. A contactless fingerprint scanner provides an optimum answer high throughput workplaces. IDEMIA’s MorphoWave contactless fingerprint solution scans and verifies 4 fingerprints in less than 1 second, through a fully touchless hand wave gesture. Thanks to the simplicity of this gesture, the throughput can reach up to 50 people per minute.

An antimicrobial contact fingerprint reader?

But what if there were a CONTACT solution that allowed you to capture prints with a reduced fear of “bad things”?

That’s what Integrated Biometrics appears to be claiming.

Integrated Biometrics (IB), the world leader in mobile, FBI-certified biometric fingerprint scanners, and NBD Nanotechnologies (NBD Nano), the surface coating experts, today announced the inclusion of NBD’s RepelFlex MBED transparent coating on IB’s entire line of fingerprint scanners.

An ultra-thin, transparent coating, RepelFlex MBED is designed to provide outstanding antimicrobial, anti-scratch, and anti-stain protection to devices. Long-lasting and multi-functional, RepelFlex MBED is ideal for surfaces that must stand up to high throughput and harsh conditions without compromising accuracy.

So what exactly does “antimicrobial” mean?

cluster of Escherichia coli bacteria magnified 10,000 times. By Photo by Eric Erbe, digital colorization by Christopher Pooley, both of USDA, ARS, EMU. – This image was released by the Agricultural Research Service, the research agency of the United States Department of Agriculture, with the ID K11077-1 (next)., Public Domain, https://commons.wikimedia.org/w/index.php?curid=958857

Let’s see how NBD Nano describes it.

Preventing the presence and growth of microbials on surfaces is becoming increasingly important. Antimicrobial performance is especially critical on surfaces that are accessible to the public in order to prevent the spread of stain and odor causing bacteria and microbes.

And if you drill further down in NBD Nano’s website, you find this information in a technical data sheet (PDF).

Antimicrobial Performance: Japanese Industrial Standard (JIS) Z 2801 – PASS*
*as tested by Microchem Laboratory, Round Rock, TX

Now since I’m not up to date on my Japanese Industrial Standards, I had to rely on the good folks at the aforementioned Microchem Laboratory to explain what the standard actually means.

The JIS Z 2801 method tests the ability of plastics, metals, ceramics and other antimicrobial surfaces to inhibit the growth of microorganisms or kill them. The procedure is very sensitive to antimicrobial activity and has a number of real world applications anywhere from the hospital/clinical environment to a household consumer company concerned with the ability of a material they have to allow bacterial growth.

The JIS Z 2801 method is the most commonly chosen test and has become the industry standard for antimicrobial hard surface performance in the United States.

It may be antimicrobial, but what about preventing the “C” word?

Now you may have noticed that Microchem Laboratory, NBD Nano, and Integrated Biometrics did not make any medical claims regarding their products. None of them, for example, used the “C” word in any of their materials.

There’s a very, very good reason for that.

If any of these product providers were to make specific MEDICAL claims, then any sales in the United States would come under the purview of the U.S. Food and Drug Administration.

This is something that temperature scanner manufacturers learned the hard way.

Digression: if fever scanners are fever scanners, does that mean they are fever scanners?

Remember “fever scanners”? Those devices that were (and in some cases still are) pointed at your forehead as you enter a building or another secure area? I won’t get into the issues with these devices (what happens when the scanner is placed next to a building’s front entrance on a hot day?), but I will look at some of the claims about those scanners.

About a year ago, John Honovich of IPVM began asking some uncomfortable questions about the marketing of those devices, especially after the FDA clarified what thermal imaging systems could and could not do.

When used correctly, thermal imaging systems generally have been shown to accurately measure someone’s surface skin temperature without being physically close to the person being evaluated….

Thermal imaging systems have not been shown to be accurate when used to take the temperature of multiple people at the same time. The accuracy of these systems depends on careful set-up and operation, as well as proper preparation of the person being evaluated….

Room temperature should be 68-76 °F (20-24 °C) and relative humidity 10-50 percent….

The person handling the system should make sure the person being evaluated…(h)as waited at least 15 minutes in the measurement room or 30 minutes after exercising, strenuous physical activity, bathing, or using hot or cold compresses on the face.

Let’s stop right there. For any of you who have undergone a temperature scan in the last year: how many of you have waited in a measurement room for at least 15 minutes BEFORE your temperature was taken?

Last summer I had a dentist appointment. My dentist is in Ontario, California, where the summers can get kind of hot. The protocol at this dentist’s office was to have you call the office from your car when you arrived in the parking lot, then wait for someone from the office to come outside and take your temperature before you could enter the building.

I was no dummy. I left my car and its air conditioner running while waiting for my temperature to be taken. Otherwise, who knows what my temperature reading would have been? (I also chose NOT to walk to the dentist’s office that day for the same reason.)

Back to John Honovich. He had read the FDA advice on the medical nature of thermal imaging systems, and then noted that some of the manufacturers of said systems were sort of getting around this by stating that their devices were not medical devices.

Even though the manufacturers still referred to them as “fever cameras.”

For example, one vendor (who has since changed its advertising) declared at the time that “thermal temperature-monitoring technology assists in reducing the spread of viral diseases,” even though that vendor’s device “is not a medical device and is not designed or intended for diagnosis, prevention, or treatment of any disease or condition.”

Fever scanners, testosterone supplements…and fingerprint readers

Yes, that language is similar to the language used by providers of natural supplements that, according to anecdotal evidence, work wonders. The FDA really polices this stuff.

So you really don’t want to make medical claims about ANY product unless you can back them up with the FDA. You can say that a particular product passed a particular antimicrobial standard…but you’d better not say anything else.

In fact, Integrated Biometrics only mentions the “antimicrobial” claim in passing, but spends some time discussing other benefits of the NBD Nano technology:

The inclusion of RepelFlex MBED coatings enable IB’s scanners to deliver an even higher level of performance. Surfaces are tougher and more difficult to scratch or stain, increasing their longevity while maintaining print quality even when regular cleaning is not possible due to conditions or times of heavy use.

So the treated Integrated Biometrics products are tough…like those famous 1970s crime fighters Kojak, Columbo, and Danno and the other people from Five-O. (Not that Sherlock and Watson were slouches.)

Book ’em, Danno! By CBS Television – eBay item photo front photo back, Public Domain, https://commons.wikimedia.org/w/index.php?curid=19674714