Biometric Systems: Can they be cheap and simple?
Thinking about installing or improving a biometric system for traveller identification? You may feel pressured to buy something that’s expensive, complex and large in scope. Based on Australia’s experience with issuing passports, you may not need a system like that. We’re sharing what we’ve learned in recent years about putting together simple, effective biometric controls that don’t break the national treasury.
Every identity authority’s circumstances are different. Nobody would want, or would be able to replicate our solution in full. But the principles behind our approach, and many specific elements, may give you something to think about. Though we deal with facial biometrics, the concepts apply equally to iris and fingerprints.
Our starting point
Every year, Australia’s Department of Foreign Affairs and Trade processes two million travel document applications. Slightly more than half come from the 14 million Australians who need to renew the passport they already have. We archive the biometric facial image from every application. Our image repository has 27 million biometric images, a figure that grows by more than 8,000 every business day.
We were one of the first passport authorities, and one of the first government agencies anywhere, to integrate biometrics into our identity management. That was in 2004. Back then, it wasn’t possible to purchase whole biometric systems, so we developed our own system in-house.
We built our biometric system into our passport processing software (called Delta), and coupled it to Delta’s workflow engine. It functioned very well. But because it was so deeply embedded in Delta, it was not adaptable.
When we recently developed completely new processing software (Atlas), we were unable to simply take Delta’s biometric system and transplant it.
We needed a new biometric system. And we needed it to not just process new passports, but to also verify existing passports for other agencies. This way we could participate in the nationwide biometric identity-matching arrangements that Australia’s federal, state and territory governments launched in 2017.
What we didn’t do
Hype about biometrics, and the fear of missing out on the benefits, can tempt senior managers into seeing biometric systems as a solution to all kinds of identity risks. This opens the door for vendors to oversell the capability of their biometric products, or to bundle them with business rules engines, identity repositories, middleware layers and other add-ons.
Bundling can leave organizations with opaque ‘black box’ systems they do not fully understand, that foster excessive dependence on the vendor, and that are more likely than simple systems to fail. While black boxes are good for vendors, they add complexity, cost and maintenance overheads that organizations don’t generally need. Often, black boxes don’t optimize the business value of the personal information the organizations have collected.
How we avoided this
We made decisions about our new biometric system with a hard-headed understanding of what we would not need it to do. It would not need to include an identity repository. Sitting behind our processing software, we already had a robust non-biometric database that linked identity elements (names, addresses and so on) to application form numbers and the passport numbers of completed travel documents. This ensured that every client only had a single identity record.
Our new biometric system would not need a business rules engine. Through Delta and Atlas, we already had, like most passport issuers around the world, an IT workflow that followed defined business rules for handling applications logically. Our Atlas software was going to have a thin-client interface that presented biographic and biometric information to passport processing officers on a single screen. Our new biometric system would need to service this interface but not integrate with it.
We boiled down what we would need to three core functions:
- 1:n (Identification) – comparing a supplied image to multiple images in our records to detect identity fraud and identify unknown persons for identity-matching purposes. Identification ansers the questions, ‘do we know this applicant under another identity’ and ‘do we know this person at all’?
- 1:1 (Verification) – comparing a single image in our records to the supplied image of someone who purports to be that person. Verification confirms that a renewal client is using the same identity as in previous applications or that a person interacting with government in other contexts is who they claim to be.
- QA (Image Quality Assurance) – determining whether a facial image is good enough to be used for Identification or Verification.
We did not build a single big application to perform these three functions. Instead, for simplicity and flexibility, we developed a set of three separate services.
We made decisions about our new biometric system with a hard-headed understanding of what we would not need it to do.
How it works
The Image Quality Assurance (QA) service accepts a single facial image and returns a list of quality attributes. Which internal system calls the service isn’t important, it could be our Delta or Atlas passport processing software, an identity-matching software or a future software not yet conceived. The service will return the same list regardless. The workflow engine in the software that calls the service decides whether the attributes in the list signify an image quality high enough to attempt a match using the other two services.
The Verification service takes two facial images as an input and returns a match score, a figure between 0 and 1 indicates the likelihood of a match between the two images. The workflow engine in the software that calls the service, decides whether the score constitutes a match, and what to do with it next.
The Identification service takes a single facial image and returns a list of the top 200 possible matches. The list includes only the identity record number and match score, for each result. The workflow engine in the software that calls the service decides what to do with the information.
This approach has a number of benefits:
- The services proved relatively simple and quick to build.
- Keeping them discrete from other software means we can make them highly available at a lower cost than what would otherwise be the case.
- The services can be called by any of our business processes, not just passport application processing software.
- Each service can be upgraded or replaced separately, with no impact on the other two services, and with no effect on business processes as long as the new service returns outputs within the same range.
- The outputs are simple and known, so developing new business processes that use them, is straight forward.
- New approaches to facial comparison, such as using multiple matching engines, can easily be implemented behind the service interface.
Bigger is not always better
With the new system came a new line of thinking about the identification service. Until recently, our policy had been to enrol every facial image in our archive into the database of our biometric system. This posed two challenges:
- 1:n Identification engines are expensive, and licencing is based on the number of templates enrolled.
- Extensive research has shown that as the size of the database increases, the matching effectiveness decreases.
We have therefore decided to rationalize the number of templates we enrol. Because facial images of young children and outdated images of adults are of little value for identification, in the future we will only enrol the images of children above a certain age, and the most recent image of other clients.
These policies will reduce the size of the database from 27 million to around 13 million. This will bring a significant saving in licence and maintenance fees, and a corresponding increase in matching effectiveness. Images not enrolled in the database will be retained in the archive, from where we will be able to access them manually if we need to.
The bottom line
The project took 12 months to complete at a cost of just AUD 2 million (USD1.477 million). This kind of inexpensive outcome is not typical, but then neither was our approach.
In deciding on a biometric system, the most important factor is a clear-eyed understanding of what you do and don’t need. Every biometric system uses commercial components, such as algorithms and service interfaces. The key is to buy only what you require, to make the technology work for you rather than the other way around, and to deal with vendors from a position where you, not they, are setting the agenda.
Stephen Gee is Australia’s Member in the ICAO Technical Advisory Group on the Traveller Identification Programme (TAG/TRIP). He is Assistant Secretary in the Department of Foreign Affairs and Trade of Australia. His team manages passport biometrics, standards, policy, communications and investigations.