Thread Subject: Re: biometrics continued

Note

This archival content is maintained by WebAIM and NCDAE on behalf of TEITAC and the U.S. Access Board. Additional details on the updates to section 508 and section 255 can be found at the Access Board web site.

From: Gregg Vanderheiden
Date: Thu, Jul 19 2007 12:45 PM


Ok



Not sure it is an AB issue, is it?

I think they will tell us it is our decision.



Oh - when I said I was told "two biometrics wasn't acceptable" - it wasn't
by the Access Board. It was on one of our calls (or one of the calls. I
can't remember if it was in general or another group).




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 1:34 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

I'll raise this with the Access Board.

thanks.





Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:33 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Oh you are correct. The new language does not allow two biometrics.
But that was because I was told that was not acceptable. I was told it
only reduced the problem but still barred the rest from access.



So the wording covered that. If covering that vast majority is good enough
- then we can look at two biometrics. I was just trying to go with the
constraints laid down.



Let's take this up and discuss it again. We certainly need to determine what
we are TRYING to say - before we can figure out the words.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 9:51 AM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

I think our practical experience in dealing with this at the present time
is that adding at least one additional biometric as an alternative will
address the vast majority of people affected, e.g. the same approach of
"let's deal with the things we can first", as we are doing in lots of 508
now.



Your suggested language:



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




Is not operationally much different than what we have now, and doesn't
provide steps to solutions we can move towards to the final aspirational
solution.



I don't think this is clear that adding alternate biometrics is accepted. My
experience with security requirements is that they are very specific, so our
requirements must be as precisely defined as we can make them to leave
little room for unclarity. I believe the Access-Board was looking for some
expertise that could identify acceptable alternatives to biometric usage. I
don't think we have done that yet, so we need to encode the practical
acceptable "real world" approach first, as long as the aspirational solution
is not prohibited.



So my previous suggestion was:



When biometric forms of user identification or control or activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification, control or activation.



Explanatory note:

Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must be
developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated into security best practices and standards in the near future.



I think this can be strengthened to include the aspirational more clearly to
reconcile both.



Revision:



When biometric forms of user identification or control or activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, relies upon
a biometric characteristic that all people have, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification, control or activation.



Explanatory note:



People who do not have fingers, eyes, etc. are not able to make use of
biometrics-based E&IT simply because currently these solutions rely upon
only one unique biometric measurement, such as a fingerprint. Allowing such
solutions to accept alternative biometrics will decrease the number of
people who are unable to use such biometrics solutions greatly, since people
with multiple disabilities of this type are a smaller portion of the
population. This, however, is only an interim step until biometric or
nonbiometric alternatives are identified and integrated into security best
practices that "all people" regardless of disability are able to use the
procedure. For example, one potential solution may rely upon circulation
only, and it may be true that no people are missing circulation, so this
would be an accessible biometric.





Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must be
developed to allow multiple biometrics to be used. Alternatively, until a
biometric solution is identified that all people can use, biometrics systems
that use multiple biometrics or nonbiometrics must be employed. For
example, fingerprints and retina patterns are just two examples. It is less
likely for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation, or biometric
alternatives that all people can make use of, to be integrated
into security best practices and standards in the near future.











Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 9:14 AM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Thanks Allen,



- first - thanks for catching the "control" part. That was supposed to be
removed. It should be identification only. The word control confuses
the biometric issue with the biologically activated controls issue. We
decided to make this biometrics only - but forgot the edit. (done in
conjunction with hardware)



- on your point 2 - please say more. I don't quite understand.
Those are the words that allow the type of solution we were instructed to
include. Your proposed language is easier to understand or read but does
not include the option we were instructed to include.



- on your point 3 regarding 'unique characteristic' - that should
be covered by the word 'biometric' - but perhaps it would be good to spell
it out a bit since there was already confusion with biologic controls.



How about



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




This language does NOT allow for a double biometric approach. Do we think
two biometric is OK? Which two? What about employees who lose two?
Should there always be another option - so they are not barred?



Remember that if there was an "iris or passcode", only the person without
an iris would need to be able to use the passcode. Not everyone.



Thoughts?



There was a suggestion to bring in some people with security background.
Does someone know some people we could invite?



Thanks




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 3:14 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Specific items:



1. language says when identification or control, and then identification or
activation, reconcile this.

2. The language on "all people" while potentially functionally equivalent,
may not read as precisely.

3. There isn't the "unique characteristic" language anymore and that is key
to the biometrics usage.





original:

When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people







Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Wednesday, July 18, 2007 4:08 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

At the last TEITAC meeting we were specifically asked to create a provision
that allowed a single biometric device to be used if the biometric was
something that everyone had. Like a biometric system based on a person's
circulatory system. Your language would seem to prevent that. So we
would have to go against the TEITAC directive.



Other than that they look much the same.

What did you see that the working group language allowed that it shouldn't
(and yours prevented) or that the working group language
prevented/required that it shouldn't and yours allowed?




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 1:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Current language:



When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people

can use the biometric device.



Suggested update:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide an
alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.







Explanatory note:



Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must
be developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated into security best practices and standards in the near future.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

