CLIENT STORY
The Federal Identity, Credential, and Access Management (FICAM) testing program – also known as the Federal Information Processing Standard 201 (FIPS 201) Evaluation Program – tests commercial products used in Personal Identity Verification (PIV) credentialing systems, physical access control systems (PACS), and public key infrastructures (PKIs). Electrosoft tests many of these products in the PACS lab under contract to the federal agency charged with delivering effective and efficient government services. Product testing and approval enable a product to be added to the Approved Products List (APL), ensuring that federal agencies purchase compliant, interoperable products that provide value. Electrosoft evaluates both PIV card bodies (PIV cards) and PACS for APL placement.
PROBLEM
PIV systems use identity credentials issued by the federal government to authenticate the identity of employees and contractors seeking access to federally controlled facilities, information systems, and applications. FIPS 201 specifies identity authentication methodologies that include combinations of presenting the PIV card, entering the Personal Identification Number (PIN) associated with the PIV card, and comparing biometric data stored on the card with biometrics collected at the time of screening. Acceptable biometric data include fingerprints, electronic facial images, and electronic iris images.
Fingerprint use can be complicated. While a Federal Bureau of Investigation standard, template, and algorithm exist, the precise finger(s) used in PIV card creation are unknown to the cardholder. Matching the fingerprint(s) read at the point of access to the fingerprint(s) stored on the PIV card can take an inordinate amount of time when seeking access to federal facilities and systems.
A contractor approached the PACS lab requesting that a facial reader, which could be used alone or in combination with the firm’s PACS solutions, be approved for federal use. As electronic facial authentication via a facial reader is a new technology, no established method for evaluating PIV facial authentication readers existed.
Electrosoft would have to determine and document the device requirements needed to approve the reader as FIPS 201 compliant. Further, Electrosoft would have to create new test cases (both positive and negative) to evaluate the device as part of its Functional Requirements and Test Cases (FRTC) approach. It was not clear what certifications the reader would need for the matching algorithm. While generic biometric test cases existed, no specific ones were available for facial authentication.
SOLUTION
Electrosoft researched and documented the facial reader authentication requirements and identified a matching algorithm success requirement based on National Institute of Standards and Technology (NIST) results compiled in “Face Recognition Technology Evaluation (FRTE) 1:1 Verification.”
Electrosoft developed new test cases to evaluate the solution thoroughly, then subjected the facial reader to PACS lab testing using the established standards and test cases. The reader passed all requirements.
Electrosoft also wrote a PACS Demo Guide to demonstrate this new technology to any government lab visitors interested in seeing the facial reader in action.
RESULTS/BENEFITS
The PACS lab approved the first facial authentication reader for federal government procurement and added it to the APL. Electrosoft drafted a new set of functional requirements and test cases to separate biometric test cases into three distinct biometrics: fingerprint, facial, and iris. As other federal contractors develop their own facial authentication readers, the PACS lab will be prepared to evaluate their compliance with federal standards and approve or disapprove them for agency use.
Facial recognition presents its own challenges, including one-to-many matching and potential biases. The facial authentication reader matches the facial image presented at the point of access to the one stored on the PIV card, providing a new form of identity verification. It also overcomes the difficulties associated with fingerprint use and gives agencies an extra option for controlling both initial access and subsequent access to areas with higher security levels.