Thread Subject: Re: biometrics continued

Note

This archival content is maintained by WebAIM and NCDAE on behalf of TEITAC and the U.S. Access Board. Additional details on the updates to section 508 and section 255 can be found at the Access Board web site.

From: Hoffman, Allen
Date: Thu, Jul 19 2007 9:00 AM


I think our practical experience in dealing with this at the present
time is that adding at least one additional biometric as an alternative
will address the vast majority of people affected, e.g. the same
approach of "let's deal with the things we can first", as we are doing in
lots of 508 now.

Your suggested language:

"When biometric forms of user identification are used, an alternative
form of identification must also be provided unless the biometric
measure is not affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and
voice.



Is not operationally much different than what we have now, and doesn't
provide steps to solutions we can move towards to the final aspirational
solution.



I don't think this is clear that adding alternate biometrics is
accepted. My experience with security requirements is that they are
very specific, so our requirements must be as precisely defined as we
can make them to leave little room for unclarity. I believe the
Access-Board was looking for some expertise that could identify
acceptable alternatives to biometric usage. I don't think we have done
that yet, so we need to encode the practical acceptable "real world"
approach first, as long as the aspirational solution is not prohibited.



So my previous suggestion was:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide
an alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.



Explanatory note:

Until nonbiometric forms of identification, control or activation have
been integrated into security best practices, such biometric-based
systems must be developed to allow multiple biometrics to be used. For
example, fingerprints and retina patterns are just two examples. It is
less likely for people to have both missing fingerprints and retinas
than either stand-alone. Even if multiple biometrics are available, when
people can not use those, alternate means of access must be provided in
policy and implementation for those affected. For example, for someone
who has no retinas or fingers, another procedure, which could involve
physical assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to
identify nonbiometrics forms of identification, control or activation to
be integrated into security best practices and standards in the near
future.



I think this can be strengthened to include the aspirational more
clearly to reconcile both.



Revision:

When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, relies upon a biometric characteristic that all people
have, or does not rely upon biometrics. Agencies must provide an
alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.



Explanatory note:



People who do not have fingers, eyes, etc. are not able to make use of
biometrics-based E&IT simply because currently these solutions rely upon
only one unique biometric measurement, such as a fingerprint. Allowing
such solutions to accept alternative biometrics will decrease the number
of people who are unable to use such biometrics solutions greatly, since
people with multiple disabilities of this type are a smaller portion of
the population. This, however, is only an interim step until biometric
or nonbiometric alternatives are identified and integrated into security
best practices that "all people" regardless of disability are able to
use the procedure. For example, one potential solution may rely upon
circulation only, and it may be true that no people are missing
circulation, so this would be an accessible biometric.





Until nonbiometric forms of identification, control or activation have
been integrated into security best practices, such biometric-based
systems must be developed to allow multiple biometrics to be used.
Alternatively, until a biometric solution is identified that all people
can use, biometrics systems that use multiple biometrics or
nonbiometrics must be employed. For example, fingerprints and retina
patterns are just two examples. It is less likely for people to have
both missing fingerprints and retinas than either stand-alone. Even if
multiple biometrics are available, when people can not use those,
alternate means of access must be provided in policy and implementation
for those affected. For example, for someone who has no retinas or
fingers, another procedure, which could involve physical assistance may
be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to
identify nonbiometrics forms of identification, control or activation,
or biometric alternatives that all people can make use of, to be
integrated into security best practices and standards in the near
future.











Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303


WebAIM is an initiative of:
Center for Persons with Disabilities (CPD) Utah State University