A practical system for identity screening at US airports
A practical system for identity checks at airports that increases security and
passenger convenience while protecting privacy is described. The system is based
upon proven technology and components available today and in commercial use.
Although the combination of components is unique, because the system is built on
standards, it could be implemented at very modest cost in short timeframes and
can be rolled out one airport at a time. The recommend system involves a
once-in-a-lifetime registration to receive an identity card with a unique serial
number with a magnetic stripe on which the same ID number is coded (similar to a
credit card). This card is then used in conjunction with an iris scan (or other
suitably unique biometric) to authenticate identity and prevent fraud.
- Allow us to deny boarding to certain individuals on a "watch
- Allow us to run an instant background check on an individual to determine
whether that person has a criminal record
- Eliminate the possibility of a terrorist using phony credentials to evade
- Increase passenger convenience
- Enhance passenger security
- Enrollment, which takes about 30 seconds, happens only once in a
person's lifetime: Person walks up to enrollment machine located at any
place that iris codes are used, e.g., airport lobby or foreign arrivals
lobby. Enrollment machine takes 4
snapshots of each eye and, if the iris data is unique based on searching a
centralized government database of iris codes, issues a OneID card 1 second
later. This OneID card has a serial number printed on it, which is also
encoded on a magnetic stripe on the card. The whole process was done
completely anonymously since no ID needed to be presented and no picture was
- In order to check in and receive a boarding pass with seat info or enter
through security, a person just swipes his card and he's instantly
confirmed. No authentication is really needed at these points since they are
not critical. In fact, with a OneID card, it's more secure than it is today
since today I can pass through security with a phony itinerary that can be
easily created. Automated check-in kiosks could be designed that would
service all airlines. Since the boarding pass is useless without the proper
iris, there is no chance of fraud. Only the OneID card is required at these
- In order to board the plane, a person swipes his card, looks into
the iris scanner, and one second later he's notified whether he is
authenticated. So we really only need to take an iris scan once (an
optionally once when you check your bags to authenticate it is really you).
- If you lose your OneID card, just walk up to an enrollment machine and
request a replacement. It will take a few images of one of your eyes and
look up your iris code and re-issue your OneID. This process takes under a
second, even with 100M+ irises in the database.
- If the FBI or police want to stop a subject, they lookup the subject's
OneID number in their database (they enrolled the subject upon original
capture if he wasn't already enrolled). They log into the federal OneID
system and type in the OneID number they wish to apprehend. The OneID system
will notify the operator if a listed OneID attempts to pass through, and
will also notify the agency who requested the "hold."
Features of the solution
- Authenticates uniqueness: it is virtually impossible (less than 1 chance
in a million) for a wanted person presenting or using phony ID to escape
detection because of the biometric chosen
- Authenticates identity: we know who is on the plane and can keep certain
individuals off the plane
- Fast: identity authentication in a fraction of a second. Once in a
lifetime enrollment takes under 30 seconds. Eliminates manual error-prone
check of itinerary at security and manual check of ID + ticket at gate.
- Tamperproof: The OneID card is just a number that is machine readable.
There are no smart cards. Although a card can easily be forged, a forged
card is worthless.
- Simple: The overall process is simple for a user and the architecture is a
straight forward client server.
- Secure: the system is designed so that it would be difficult for a hacker
to break into and in order to compromise security, multiple system must be
hacked. In general, a few centralized systems (our preferred architecture)
are easier to secure than a distributed system (another possible
architecture). You can't fool the iris recognition system with contact
lenses or a photograph because of various security checks in the software
and the unique properties of the iris. Only a live person with the same iris
can create a match.
- Flexible: the system can be configured in a variety of ways and still
work, e.g., local or remote servers, etc.
- Reliable: The system never goes down because there is no single point of
failure and there is multiple redundant systems. Biometric that is used has few false positives and false negatives
(crossover error rate is less than 1 in 1,000,000). System uses redundant
servers and a local mirror of the "wanted" database is always
available so that in the event the Internet is "down", passengers
can still register and authenticate without chance of error or letting a
wanted person slip through.
- Private: Because the association of an iris code with a number is the only
thing in the database, the database is completely useless to anyone if the
database is compromised. No names are stored so it is completely anonymous.
- Possible to implement immediately: All the components are readily
commercially available, although some amount of work would need to be done
to make iris scanners a bit more user friendly (a guide to where to place
your eye), a new high speed iris match algorithm needs to be implemented
before widespread adoption (the design exists but it hasn't been coded),
- Standards based: Internet for communication, HTML for user
- Accurate: There has never been a false iris recognition.
- Low cost: Iris scanners cost less than $200 in single quantities. The
OneID card is no different than a credit card. The centralized or
decentralized computing infrastructure to authenticate hundreds of people
per second is under $10,000. In fact, a single desktop PC has sufficient
power to serve the authentication needs of all US airports. The centralized
computing infrastructure to authenticate new users is under $10M.
- Allows a reliable mechanism for data sharing between federal agencies:
Unlike today's fingerprint system, using a OneID as a foreign key.
guarantees that information on a given person can be retrieved from
different databases without error.
- Compliant with federal technical requirements: Of 403(c) of the USA Patriot Act
and the Border Security bill.
- Public: this database can be made publicly available since it requires the
willing cooperation of the person to be useful. For example, by making the
database publicly available, we can eliminate identity theft and credit card
- Tracking: the government can track the travel of everyone and look
for suspicious travel patterns.
- Unique: The OneID number is guanteed to be a unique number for each
- Permanent: Your OneID number, once issued, is permanent for life.
If you lose your card, you'll get a replacement card with the same number.
Making flight reservations over the phone
If you give your OneID in addition to your name, etc., then you can checkin
and pick up your boarding pass at an automated ticketing machine. Just present
your OneID card. An iris scan is not required at these stations because the
ticket is tied to your iris, so even if someone were to steal your OneID card,
the ticket would be useless to them.
Use your OneID number to register for frequent flyer programs, hotel
programs, rent a car programs, etc. Instead of having to carry around dozens of
membership cards, you carry around a single card. Since anyone can get a OneID
card, and the OneID number is guaranteed to be both unique and permanent, it's a
To be very secure, the porter would have you authenticate. From that point
on, this happens as it does today. Your bag tags have your name and flight
machine coded on them already.
All components are connected into the Internet via wireless or LAN
All GUI are done as HTML pages so we leverage web protocols.
Iris enrollment stations will capture the iris data for both eyes, then send
this data to one of 3 national computers (triple redundancy to reduce the chance
of failure) to be authenticated as unique. Using a special high speed Hamming
comparison algorithm and 100 PCs in parallel, we can search over 200M iris codes
to determine a unique match in a fraction of second. If there is no match, a new
OneID is generated. All three computers talk to each other and synchronize their
databases. Enrollement stations all use high quality iris scanners.
Each iris authentication terminal is connected to the Internet. These
stations consist of a PC and an inexpensive iris scanner and a credit card
magnetic stripe scanner or barcode scanner. The presented
OneID number on the card is transmitted to one of 3 servers at the airport.
Each lookup goes to a different server to eliminate the possibility of a single
hacked system. If there server doesn't have the OneID in its disk cache, the
cache machine asks one of
3 government servers for the iris code and caches it for future use. In the reply from
the government server, any changes to the status of any iriscode (e.g., put on
or off stoplist) since the last version of the database is also transmitted so all local caches are up to
date with the latest info.
An iris code is captured at the authentication scanner at the airport. By the time the iris code is
captured, the 512 byte iris code has been returned from the central server (from
the local airport cache which may have had to ask the central server). The
Hamming comparison is done at the local computer for all normal rotation angles,
and the return value (match or no match) is presented to the security operator within a fraction of
a second after the iris is captured. If the OneID is on a "stop list", the
operator is notified. The Hamming threshold for matches can be set fairly
loosely, e.g., 1 in 1 million chance so that the chance of a false negative
(i.e., rejecting a legit passenger) is reduced.
When you make your plane reservation, after the authentication terminal has
verified your OneID, it then check in via the Internet with the airline's
computer and asks if the OneID has a ticket for today (security station
computers) or a ticket for this flight (gate computers). That information can be
pulled on demand or pushed, e.g., we could push the OneIDs of all people
authorized to board a flight. Any OneID not on the pushed list could be checked
against the central database for changes. Technically, it's easier to pull
because you can account for last minute changes.
Choice of biometric
We need a biometric that is "highly accurate to verify
identity" and can be used to authenticate uniqueness. A single
biometric that does both can virtually eliminate the chance of fraud. For
example, if you used iris to authenticate uniqueness and hand geometry to verify
identity, you must have people watching the registration process and if those
people are corrupt, they can register a volunteer's iris along with a
terrorist's hand geometry biometric which would enable a terrorist to escape
So ideally, you need a biometric with the following characteristics:
- because there are billions of people on earth, the biometric must allow
for at least the square of the population in unique values to avoid
conflicts; it must allow for 264 different values, i.e., the biometric's
value must evenly distributed among at least a 8 byte range. This is so that
the chance of two people having the same biometric is minimal. In fact, even
with 64 degrees of freedom, the chance of two people having the same
biometric is about 40%.
- authentication must take less than one second to compute.
- uniqueness against a database of 1028 must be verifiable in
less than .001 seconds using a modest amount of hardware
- the biometric must remain invariant throughout life
- it cannot be faked
- it must have a crossover error rate of less than 1 in 10,000. 1 in
1,000,000 is ideal. this is required to authenticate uniqueness.
Authenticating uniqueness requires FAR and FRR are both as low as possible
because we don't want to issue a card if the person is already in the
database (we want a low FRR) and we don't want to issue the same OneID to
two different people (we want a low FAR).
Why iris codes are preferred:
- Iris has approximately 240 degrees of freedom so that it is highly
unlikely that two people will ever have the same iris code for eternity (the
universe will end before two people have the same iris code).
- An iris code can be matched against the value returned from the database
in about 10 microseconds.
- A high speed Hamming algorithm can be used to compare iris codes against
huge databases in a fraction of a second.
- Iris codes are stable for life after 1 years of age
- Iris codes cannot be faked because they rely on the unique properties of a
living eye that are impossible to fake
- Iris codes have a crossover error rate of less than 1 in 1,000,000
Identity vs. Uniqueness and the fallacy of multiple biometrics
Hand geometry is accepted to be highly accurate to verify identity and used at
airports today, but LOTS of people have the same hand geometry so hand geometry
cannot be used to authenticate uniqueness. These are totally different concepts.
The specs are completely different for verifying identity vs. verifying
For verifying uniqueness, for example, you need to specify the population
size you are concerned about because this determines the minimum acceptable
number of degrees of freedom. When you verify uniqueness, you are also concerned
about having very low crossover error rates (the error rate when the system
thresholds are set so FAR=FRR)and thus the use of multiple
biometrics are BAD because they increase the False Rejection Rate (FRR) which
makes it EASIER for a terrorist to register again using forged credentials. For guaranteeing uniqueness,
hand geometry (for examle) is completely unacceptable. For example, see the
last paragraph in http://www.hand-scan.com/strengths_and_weakness.htm
When you verify identity, you are mostly concerned with wanting very low
false acceptance rates (FAR) and the use of multiple biometrics are GOOD. Hand
geometry is perfectly acceptable and used at airports today. But that's a
completely different application than what you need here. Here you need both to
verify identity and uniqueness.
Suppose the FBI has just determined that whoever presented a California
driver's license with the name "Steven T Kirsch" on it 3 months ago
at the San Jose airport is a terrorist. We want to stop this person from
getting on another plane even if he presents a different phony ID next time.
We can do that
with 100% accuracy.
We want to ensure that from anyone who has been convicted a felony after
Jan 1, 2003, can't work as a security officer in a US airport even if they
change their name. We can do an instant check for this even though it takes as
long as 6 months to get a fingerprint match back from the FBI.
A regular employer (including private security firms!) who wants to hire people they can trust
can do a
background check instantly.
Presentation for San Jose blue ribbon committee
- ATM-style card readers where the card scanning is done under control of a
machine are more reliable than "swiping".
- Card has number recorded redundantly and there are check digits. In case
of read error of any of the copies of the number, person is notified to
"replace his card soon."
- Paper or plastic cards can be used, e.g., Bart uses paper.
powerpoint prezo of this web page. slightly different variation of this web
How to solve the INS problem of letting the wrong people into the US
This is a slightly different variation
Steve Kirsch Political Home Page