I wanted to write a list of the biometric modalities for which I provide experience.
So I started my usual list from memory: fingerprint, face, iris, voice, and DNA.
Then I stopped myself.
My experience with skin goes way beyond fingerprints, since I’ve spent over two decades working with palm prints.
(Can you say “Cambridgeshire method”? I knew you could. It was a 1990s method to use the 10 standard rolled fingerprint boxes to input palm prints into an automated fingerprint identification system. Because Cambridgeshire had a bias to action and didn’t want to wait for the standards folks to figure out how to enter palm prints. But I digress.)
So instead of saying fingerprints, I thought about saying friction ridges.
But there are two problems with this.
First, many people don’t know what “friction ridges” are. They’re the ridges that form on a person’s fingers, palms, toes, and feet, all of which can conceivably identify individuals.
But there’s a second problem. The word “friction” has two meanings: the one mentioned above, and a meaning that describes how biometric data is captured.
No, there is not a friction method to capture faces. Squishing
If you have to do something to provide your biometric data, such as press your fingers against a platen, that’s friction.
If you don’t have to do anything other than wave your fingers, hold your fingers in the air, or show your face as you stand near or walk by a camera, that’s frictionless.
More and more people capture friction ridges with frictionless methods. I did this years ago using MorphoWAVE at MorphoTrak facilities, and I did it today at Whole Foods Market.
So I could list my biometric modalities as friction ridge (fingerprint and palm print via both friction and frictionless capture methods), face, iris, voice, and DNA.
But I won’t.
Anyway, if you need content, proposal, or analysis assistance with any of these modalities, Bredemarket can help you. Book a meeting at https://bredemarket.com/cpa/
“Apple Inc. may have ceased production of its first-generation Vision Pro headset after the product, which came to market in 2024, turned out to be a massive flop for the company.”
I recently read a web page (I won’t name the site) that included the following text:
…fingerprints, palm prints, latents, faces, and irises at 500 or 1000 ppi.
Which is partially correct.
Yes, fingerprints, palm prints, and latent prints are measured in pixels per inch (ppi), with older systems capturing 500 ppi images, some newer images capturing 1,000 ppi images, and other systems capturing 2,000 ppi or larger images. 2,000 ppi resolution is used in some images in NIST Special Database 300 because why not?
I don’t know of any latent fingerprint examiner who is capturing 4,000 ppi friction ridge prints, but I bet that someone out there is doing it.
But faces and irises are not measured in pixels per inch.
Why not?
Because, at least until recently, friction ridge impressions were captured differently than faces and irises.
Since the 19th century, we’ve naturally assumed that friction ridges are captured via a contact method, whether by inking the fingers and palms and pressing against a paper card, pressing the fingers and palms against a livescan platen, or pressing a finger on a designated spot on a smartphone.
You don’t press your face or iris against a camera. Yes, you often have to place your iris very close to a camera, but it’s still a contactless method.
Obviously things have changed in the friction ridge world over the last decade, as more companies support contactless methods of fingerprint capture, either through dedicated devices or standard smartphone cameras.
And that has caused issues for organizations such as the U.S. Federal Bureau of Investigation, who have very deep concerns about how contactless fingerprints will function in their current contact-based systems.
For example, how will Electronic Biometric Transmission Specification Appendix F (version 11.2 here) compliance work in the world where the friction ridges are NOT pressed against a surface?
As further proof that I am celebrating, rather than hiding, my “seasoned” experience—and you know what the code word “seasoned” means—I am entitling this blog post “Take Me to the Pilot.”
Although I’m thinking about a different type of “pilot”—a pilot to establish that Login.gov can satisfy Identity Assurance Level 2 (IAL2).
The link in that sentence directs the kind reader to a post I wrote in November 2023, detailing that fact that the GSA Inspector General criticized…the GSA…for implying that Login.gov was IAL2-compliant when it was not. The November post references a GSA-authored August blog post which reads in part (in bold):
Login.gov is on a path to providing an IAL2-compliant identity verification service to its customers in a responsible, equitable way.
Specifically, over the next few months, Login.gov will:
Pilot facial matching technology consistent with the National Institute of Standards and Technology’s Digital Identity Guidelines (800-63-3) to achieve evidence-based remote identity verification at the IAL2 level….
Using proven facial matching technology, Login.gov’s pilot will allow users to match a live selfie with the photo on a self-supplied form of photo ID, such as a driver’s license. Login.gov will not allow these images to be used for any purpose other than verifying identity, an approach which reflects Login.gov’s longstanding commitment to ensuring the privacy of its users. This pilot is slated to start in May with a handful of existing agency-partners who have expressed interest, with the pilot expanding to additional partners over the summer. GSA will simultaneously seek an independent third party assessment (Kantara) of IAL2 compliance, which GSA expects will be completed later this year.
In short, GSA’s April 11 press release about the Login.gov pilot says that it expects to complete IAL2 compliance later this year. So it’s going to take more than a year for the GSA to repair the gap that its Inspector General identified.
My seasoned response
Once I saw Steve’s update this morning, I felt it sufficiently important to share the news among Bredemarket’s various social channels.
With a picture.
B-side of Elton John “Your Song” single issued 1970.
For those of you who are not as “seasoned” as I am, the picture depicts the B-side of a 1970 vinyl 7″ single (not a compact disc) from Elton John, taken from the album that broke Elton in the United States. (Not literally; that would come a few years later.)
By the way, while the original orchestrated studio version is great, the November 1970 live version with just the Elton John – Dee Murray – Nigel Olsson trio is OUTSTANDING.
Back to Bredemarket social media. If you go to my Instagram post on this topic, I was able to incorporate an audio snippet from “Take Me to the Pilot” (studio version) into the post. (You may have to go to the Instagram post to actually hear the audio.)
Not that the song has anything to do with identity verification using government ID documents paired with facial recognition. Or maybe it does; Elton John doesn’t know what the song means, and even lyricist Bernie Taupin doesn’t know what the song means.
So from now on I’m going to say that “Take Me to the Pilot” documents future efforts toward IAL2 compliance. Although frankly the lyrics sound like they describe a successful iris spoofing attempt.
Through a glass eye, your throne Is the one danger zone
One advantage of an open source project is that there are far fewer secrets to hide. If a commercial firm develops biometric products, it has a responsibility to its investors to not release sensitive information.
Although findings…describe potential attack surfaces and are of high or medium severity, (Trail of Bits’) analysis did not uncover vulnerabilities in the Orb’s code…
If you want to learn WHY I regard these four events as revolutionary, and why I DON’T regard the introduction of the Apple Vision Pro as revolutionary, see my June 2023 post.
As identity/biometric professionals well know, there are five authentication factors that you can use to gain access to a person’s account. (You can also use these factors for identity verification to establish the person’s account in the first place.)
Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
As I mentioned in August, there are a number of biometric modalities, including face, fingerprint, iris, hand geometry, palm print, signature, voice, gait, and many more.
If your firm offers an identity solution that partially depends upon “something you are,” then you need to create content (blog, case study, social media, white paper, etc.) that converts prospects for your identity/biometric product/service and drives content results.
If you listen closely, you can hear about all sorts of wonderful biometric identifiers. They range from the common (such as fingerprint ridges and detail) to the esoteric (my favorite was the 2013 story about Japanese car seats that captured butt prints).
Forget about fingerprints and faces and irises and DNA and gait recognition and butt prints. Tongue prints are the answer!
Benefits of tongue print biometrics
To its credit, the article does point out two benefits of using tongue prints as a biometric identifier.
Consent and privacy. Unlike fingerprints and irises (and faces) which are always exposed and can conceivably be captured without the person’s knowledge, the subject has to provide consent before a tongue image is captured. For the most part, tongues are privacy-perfect.
Liveness. The article claims that “sticking out one’s tongue is an undeniable ‘proof of life.'” Perhaps that’s an exaggeration, but it is admittedly much harder to fake a tongue than it is to fake a finger or a face.
Are tongues unique?
But the article also makes these claims.
Two main attributes are measured for a tongue print. First is the tongue shape, as the shape of the tongue is unique to everyone.
The other notable feature is the texture of the tongue. Tongues consist of a number of ridges, wrinkles, seams and marks that are unique to every individual.
There is serious doubt (if not outright denial) that everyone has a unique face (although NIST is investigating this via the FRTE Twins Demonstration).
But at least these modalities are under study. Has anyone conducted a rigorous study to prove or disprove the uniqueness of tongues? By “rigorous,” I mean a study that has evaluated millions of tongues in the same way that NIST has evaluated millions of fingerprints, faces, and irises?
I did find this 2017 tongue identification pilot study but it only included a whopping 20 participants. And the study authors (who are always seeking funding anyway) admitted that “large-scale studies are required to validate the results.”
Conclusion
So if a police officer tells you to stick out your tongue for identification purposes, think twice.
Bredemarket 