A practical system for identity screening at US airports

Steve Kirsch
stk@propel.com
408-571-6317

Abstract
A practical system for identity checks at airports that increases security and passenger convenience while protecting privacy is described. The system is based upon proven technology and components available today and in commercial use. Although the combination of components is unique, because the system is built on standards, it could be implemented at very modest cost in short timeframes and can be rolled out one airport at a time. The recommended system involves a once-in-a-lifetime registration to receive an identity card with a unique serial number and a magnetic stripe on which the same ID number is coded (similar to a credit card). This card is then used in conjunction with an iris scan (or other suitably unique biometric) to authenticate identity and prevent fraud.

Key Objectives

  • Allow us to deny boarding to certain individuals on a "watch list" 
  • Allow us to run an instant background check on an individual to determine whether that person has a criminal record
  • Eliminate the possibility of a terrorist using phony credentials to evade detection
  • Increase passenger convenience
  • Enhance passenger security

The solution

  • Enrollment, which takes about 30 seconds, happens only once in a person's lifetime: Person walks up to enrollment machine located at any place that iris codes are used, e.g., airport lobby or foreign arrivals lobby. Enrollment machine takes 4 snapshots of each eye and, if the iris data is unique based on searching a centralized government database of iris codes, issues a OneID card 1 second later. This OneID card has a serial number printed on it, which is also encoded on a magnetic stripe on the card. The whole process is done completely anonymously since no ID needs to be presented and no picture is taken.
  • In order to check in and receive a boarding pass with seat info or enter through security, a person just swipes his card and he's instantly confirmed. No authentication is really needed at these points since they are not critical. In fact, with a OneID card, it's more secure than it is today since today I can pass through security with a phony itinerary that can be easily created. Automated check-in kiosks could be designed that would service all airlines. Since the boarding pass is useless without the proper iris, there is no chance of fraud. Only the OneID card is required at these checkpoints.
  • In order to board the plane, a person swipes his card, looks into the iris scanner, and one second later he's notified whether he is authenticated. So we really only need to take an iris scan once (and optionally once more when you check your bags to authenticate that it is really you).
  • If you lose your OneID card, just walk up to an enrollment machine and request a replacement. It will take a few images of one of your eyes and look up your iris code and re-issue your OneID. This process takes under a second, even with 100M+ irises in the database. 
  • If the FBI or police want to stop a subject, they look up the subject's OneID number in their database (they enrolled the subject upon original capture if he wasn't already enrolled). They log into the federal OneID system and type in the OneID number they wish to apprehend. The OneID system will notify the operator if a listed OneID attempts to pass through, and will also notify the agency who requested the "hold."

Features of the solution

  • Authenticates uniqueness: it is virtually impossible (less than 1 chance in a million) for a wanted person presenting or using phony ID to escape detection because of the biometric chosen
  • Authenticates identity: we know who is on the plane and can keep certain individuals off the plane
  • Fast: identity authentication in a fraction of a second. Once in a lifetime enrollment takes under 30 seconds. Eliminates manual error-prone check of itinerary at security and manual check of ID + ticket at gate.
  • Tamperproof: The OneID card is just a number that is machine readable. There are no smart cards. Although a card can easily be forged, a forged card is worthless.
  • Simple: The overall process is simple for a user and the architecture is a straightforward client-server design.
  • Secure: the system is designed so that it would be difficult for a hacker to break into, and in order to compromise security, multiple systems must be hacked. In general, a few centralized systems (our preferred architecture) are easier to secure than a distributed system (another possible architecture). You can't fool the iris recognition system with contact lenses or a photograph because of various security checks in the software and the unique properties of the iris. Only a live person with the same iris can create a match.
  • Flexible: the system can be configured in a variety of ways and still work, e.g., local or remote servers, etc.
  • Reliable: The system never goes down because there is no single point of failure and there are multiple redundant systems. The biometric that is used has few false positives and false negatives (crossover error rate is less than 1 in 1,000,000). System uses redundant servers and a local mirror of the "wanted" database is always available so that in the event the Internet is "down", passengers can still register and authenticate without chance of error or letting a wanted person slip through.
  • Private: Because the association of an iris code with a number is the only thing in the database, the database is completely useless to anyone if the database is compromised. No names are stored so it is completely anonymous.
  • Possible to implement immediately: All the components are readily commercially available, although some amount of work would need to be done to make iris scanners a bit more user friendly (a guide to where to place your eye), a new high speed iris match algorithm needs to be implemented before widespread adoption (the design exists but it hasn't been coded), etc.
  • Standards based: Internet for communication, HTML for user interface, etc.
  • Accurate: There has never been a false iris recognition.
  • Low cost: Iris scanners cost less than $200 in single quantities. The OneID card is no different than a credit card. The centralized or decentralized computing infrastructure to authenticate hundreds of people per second is under $10,000. In fact, a single desktop PC has sufficient power to serve the authentication needs of all US airports. The centralized computing infrastructure to authenticate new users is under $10M.
  • Allows a reliable mechanism for data sharing between federal agencies: Unlike today's fingerprint system, using a OneID as a foreign key guarantees that information on a given person can be retrieved from different databases without error.
  • Compliant with federal technical requirements: those of 403(c) of the USA Patriot Act and the Border Security bill.
  • Public: this database can be made publicly available since it requires the willing cooperation of the person to be useful. For example, by making the database publicly available, we can eliminate identity theft and credit card theft.
  • Tracking: the government can track the travel of everyone and look for suspicious travel patterns.
  • Unique: The OneID number is guaranteed to be a unique number for each person.
  • Permanent: Your OneID number, once issued, is permanent for life. If you lose your card, you'll get a replacement card with the same number.

Future applications

Making flight reservations over the phone
If you give your OneID in addition to your name, etc., then you can check in and pick up your boarding pass at an automated ticketing machine. Just present your OneID card. An iris scan is not required at these stations because the ticket is tied to your iris, so even if someone were to steal your OneID card, the ticket would be useless to them.

Membership cards
Use your OneID number to register for frequent flyer programs, hotel programs, rent a car programs, etc. Instead of having to carry around dozens of membership cards, you carry around a single card. Since anyone can get a OneID card, and the OneID number is guaranteed to be both unique and permanent, it's a perfect identifier.

Bag matching
To be very secure, the porter would have you authenticate. From that point on, this happens as it does today. Your bag tags have your name and flight machine coded on them already. 

Architecture

All components are connected into the Internet via wireless or LAN connection.

All GUI are done as HTML pages so we leverage web protocols.

Iris enrollment stations will capture the iris data for both eyes, then send this data to one of 3 national computers (triple redundancy to reduce the chance of failure) to be authenticated as unique. Using a special high speed Hamming comparison algorithm and 100 PCs in parallel, we can search over 200M iris codes to determine a unique match in a fraction of a second. If there is no match, a new OneID is generated. All three computers talk to each other and synchronize their databases. Enrollment stations all use high quality iris scanners.

Each iris authentication terminal is connected to the Internet. These stations consist of a PC, an inexpensive iris scanner, and a credit card magnetic stripe scanner or barcode scanner. The presented OneID number on the card is transmitted to one of 3 servers at the airport. Each lookup goes to a different server to eliminate the possibility of a single hacked system. If the server doesn't have the OneID in its disk cache, the cache machine asks one of 3 government servers for the iris code and caches it for future use. In the reply from the government server, any changes to the status of any iris code (e.g., put on or off the stop list) since the last version of the database are also transmitted so all local caches are up to date with the latest info.

An iris code is captured at the authentication scanner at the airport. By the time the iris code is captured, the 512 byte iris code has been returned from the central server (from the local airport cache which may have had to ask the central server). The Hamming comparison is done at the local computer for all normal rotation angles, and the return value (match or no match) is presented to the security operator within a fraction of a second after the iris is captured.  If the OneID is on a "stop list", the operator is notified. The Hamming threshold for matches can be set fairly loosely, e.g., 1 in 1 million chance so that the chance of a false negative (i.e., rejecting a legit passenger) is reduced.
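The gate check described above, sketched as an added example (not code from the original page or from any deployed system). The 0.32 threshold, the rotation range, the random stand-in iris codes and the OneID numbers are all assumptions constructed for illustration.

```python
import random

CODE_BITS = 512 * 8      # 512-byte iris code, as stated on the page
THRESHOLD = 0.32         # assumed fractional Hamming threshold (not from the page)
MAX_SHIFT = 2            # assumed rotation search range, in bytes either way
MASK = (1 << CODE_BITS) - 1

def rotate(code, nbytes):
    """Circularly shift a code to model a tilted head at capture time."""
    k = (nbytes * 8) % CODE_BITS
    return ((code << k) | (code >> (CODE_BITS - k))) & MASK

def best_distance(enrolled, live):
    """Smallest fraction of differing bits over the rotations searched."""
    return min(bin(enrolled ^ rotate(live, s)).count("1") / CODE_BITS
               for s in range(-MAX_SHIFT, MAX_SHIFT + 1))

def authenticate(one_id, live, cache, stop_list):
    """Return (status, hold): 1:1 check against the code cached for one_id."""
    enrolled = cache.get(one_id)
    if enrolled is None:
        return ("UNKNOWN_ID", False)
    status = "MATCH" if best_distance(enrolled, live) <= THRESHOLD else "NO_MATCH"
    return (status, one_id in stop_list)   # a listed OneID alerts either way

def noisy(code, flips, rng):
    """Constructed sensor noise: flip `flips` distinct bit positions."""
    for pos in rng.sample(range(CODE_BITS), flips):
        code ^= 1 << pos
    return code

def demo():
    rng = random.Random(7)   # constructed sample data; OneID numbers are made up
    alice, bob = rng.getrandbits(CODE_BITS), rng.getrandbits(CODE_BITS)
    cache = {"100001": alice, "100002": bob}
    stop_list = {"100002"}
    live_alice = rotate(noisy(alice, 400, rng), 1)   # about 10% noise, tilted
    live_bob = noisy(bob, 400, rng)
    return [
        authenticate("100001", live_alice, cache, stop_list),  # genuine holder
        authenticate("100001", live_bob, cache, stop_list),    # someone else's card
        authenticate("100002", live_bob, cache, stop_list),    # listed OneID
        authenticate("999999", live_alice, cache, stop_list),  # never issued
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Real iris codes have correlated bits, so unrelated eyes cluster less tightly around 50% disagreement than these random stand-ins do; the threshold has to be chosen from measured distributions.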

When you make your plane reservation, after the authentication terminal has verified your OneID, it then checks in via the Internet with the airline's computer and asks if the OneID has a ticket for today (security station computers) or a ticket for this flight (gate computers). That information can be pulled on demand or pushed, e.g., we could push the OneIDs of all people authorized to board a flight. Any OneID not on the pushed list could be checked against the central database for changes. Technically, it's easier to pull because you can account for last minute changes.

Choice of biometric 

We need a biometric that is "highly accurate to verify identity"  and can be used to authenticate uniqueness. A single biometric that does both can virtually eliminate the chance of fraud. For example, if you used iris to authenticate uniqueness and hand geometry to verify identity, you must have people watching the registration process and if those people are corrupt, they can register a volunteer's iris along with a terrorist's hand geometry biometric which would enable a terrorist to escape detection.

So ideally, you need a biometric with the following characteristics:

  • because there are billions of people on earth, the biometric must allow for at least the square of the population in unique values to avoid conflicts; it must allow for 2^64 different values, i.e., the biometric's value must be evenly distributed among at least an 8 byte range. This is so that the chance of two people having the same biometric is minimal. In fact, even with 64 degrees of freedom, the chance of two people having the same biometric is about 40%.
  • authentication must take less than one second to compute. 
  • uniqueness against a database of 1028 must be verifiable in less than .001 seconds using a modest amount of hardware
  • the biometric must remain invariant throughout life
  • it cannot be faked
  • it must have a crossover error rate of less than 1 in 10,000. 1 in 1,000,000 is ideal. This is required to authenticate uniqueness. Authenticating uniqueness requires that FAR and FRR both be as low as possible because we don't want to issue a card if the person is already in the database (we want a low FRR) and we don't want to issue the same OneID to two different people (we want a low FAR).
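
The "about 40%" figure in the first bullet follows from the birthday bound. The derivation below is added here and is not part of the original page; n (enrolled population) and N (number of equally likely biometric values) are symbols introduced for it.

\[
P(\text{collision}) \;\approx\; 1 - e^{-n^{2}/(2N)}
\]

Taking N equal to the square of the population, as the bullet proposes (for example n = 2^{32}, about 4.3 billion people, and N = 2^{64}):

\[
N = n^{2} \;\Rightarrow\; P \approx 1 - e^{-1/2} \approx 0.39
\]

so the square of the population is not a safe margin, whatever n is. For a small target collision probability p, the same bound gives

\[
N \;\gtrsim\; \frac{n^{2}}{2p}, \qquad n = 2^{32},\; p = 10^{-6} \;\Rightarrow\; N \approx 2^{64} \cdot 5 \times 10^{5} \approx 2^{83}.
\]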

Why iris codes are preferred:

  • Iris has approximately 240 degrees of freedom so that it is highly unlikely that two people will ever have the same iris code for eternity (the universe will end before two people have the same iris code).
  • An iris code can be matched against the value returned from the database in about 10 microseconds.
  • A high speed Hamming algorithm can be used to compare iris codes against huge databases in a fraction of a second.
  • Iris codes are stable for life after 1 year of age
  • Iris codes cannot be faked because they rely on the unique properties of a living eye that are impossible to fake
  • Iris codes have a crossover error rate of less than 1 in 1,000,000

Identity vs. Uniqueness and the fallacy of multiple biometrics

Hand geometry is accepted to be highly accurate to verify identity and used at airports today, but LOTS of people have the same hand geometry so hand geometry cannot be used to authenticate uniqueness. These are totally different concepts.

The specs are completely different for verifying identity vs. verifying uniqueness.

For verifying uniqueness, for example, you need to specify the population size you are concerned about because this determines the minimum acceptable number of degrees of freedom. When you verify uniqueness, you are also concerned about having very low crossover error rates (the error rate when the system thresholds are set so FAR=FRR), and thus the use of multiple biometrics is BAD because it increases the False Rejection Rate (FRR), which makes it EASIER for a terrorist to register again using forged credentials. For guaranteeing uniqueness, hand geometry (for example) is completely unacceptable. For example, see the last paragraph in http://www.hand-scan.com/strengths_and_weakness.htm

When you verify identity, you are mostly concerned with wanting very low false acceptance rates (FAR) and the use of multiple biometrics is GOOD. Hand geometry is perfectly acceptable and used at airports today. But that's a completely different application than what you need here. Here you need both to verify identity and uniqueness.

Other applications

Suppose the FBI has just determined that whoever presented a California driver's license with the name "Steven T Kirsch" on it 3 months ago at the San Jose airport is a terrorist. We want to stop this person from getting on another plane even if he presents a different phony ID next time. We can do that with 100% accuracy.

We want to ensure that anyone who has been convicted of a felony after Jan 1, 2003, can't work as a security officer in a US airport even if they change their name. We can do an instant check for this even though it takes as long as 6 months to get a fingerprint match back from the FBI.

A regular employer (including private security firms!) who wants to hire people they can trust can do a background check instantly. 

Implementation notes

  • ATM-style card readers where the card scanning is done under control of a machine are more reliable than "swiping".
  • Card has number recorded redundantly and there are check digits. In case of read error of any of the copies of the number, person is notified to "replace his card soon."
  • Paper or plastic cards can be used, e.g., Bart uses paper.
Presentation for San Jose blue ribbon committee 
powerpoint prezo of this web page. slightly different variation of this web page.

How to solve the INS problem of letting the wrong people into the US 
This is a slightly different variation
