Thread Subject: Re: biometrics continued

Return to this mailing list's archives

From: Hoffman, Allen
Date: Wed, Jul 18 2007 12:45 PM
Subject: Re: biometrics continued

Current language:



When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people

can use the biometric device.



Suggested update:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must
provide an alternate means of access for anyone who can not use the
provided biometrics-based form of identification, control or activation.







Explanatory note:



Until nonbiometric forms of identification, control or activation have
been integrated into security best practices, such biometric-based
systems must be developed to allow multiple biometrics to be used. For
example, fingerprints and retina patterns are just two examples. It is
less likely for people to have both missing fingerprints and retinas
than either stand-alone. Even if multiple biometrics are available,
when people can not use those, alternate means of access must be
provided in policy and implementation for those affected. For example,
for someone who has no retinas or fingers, another procedure, which
could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to
identify nonbiometrics forms of identification, control or activation to
be integrated in to security best practices and standards in the near
future.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Dibner, Eric
Date: Wed, Jul 18 2007 12:50 PM
Subject: Re: biometrics continued

I like the suggested update language. Very clear.

Eric

-----Original Message-----
From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ]On Behalf Of Hoffman,
Allen
Sent: Wednesday, July 18, 2007 2:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued



Current language:



When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people

can use the biometric device.



Suggested update:






When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must
provide an alternate means of access for anyone who can not use the
provided biometrics-based form of identification, control or activation.







Explanatory note:



Until nonbiometric forms of identification, control or activation have
been integrated into security best practices, such biometric-based
systems must be developed to allow multiple biometrics to be used. For
example, fingerprints and retina patterns are just two examples. It is
less likely for people to have both missing fingerprints and retinas
than either stand-alone. Even if multiple biometrics are available,
when people can not use those, alternate means of access must be
provided in policy and implementation for those affected. For example,
for someone who has no retinas or fingers, another procedure, which
could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to
identify nonbiometrics forms of identification, control or activation to
be integrated in to security best practices and standards in the near
future.
















Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Walser, Kate
Date: Wed, Jul 18 2007 1:30 PM
Subject: Re: biometrics continued

I like Allen's suggestion about research to identify non-biometric forms
of identification, control, or activation. I imagine that we could
identify and invite individuals well-versed in biometrics and security
to the discussion ourselves. From what I recall from biometrics research
some years ago, when you introduce alternative biometric forms, the
assets becomes only as secured as your least reliable biometric
technology. So for example, if an agency used iris scanning (highly
secure) and then used face recognition (less secure even with more
recent improvements) as an alternative, you drop security to the level
of face recognition.

I worry that without appropriate guidance, we risk spending much effort
drafting a provision that would not work or make it through to the final
round.

Am happy to "scare up" some security folks I know if it's helpful who
are knowledgeable both of the objectives of Section 508 and biometrics.

Thanks,
Kate

Kate Walser
Director, Usability Center of Excellence
SRA International, Inc.
4300 Fair Lakes Court
Fairfax, VA 22033
(703) 502-1170

From: Gregg Vanderheiden
Date: Wed, Jul 18 2007 2:10 PM
Subject: Re: biometrics continued

At the last TEITAC meeting we were specifically asked to create a provision
that allowed a single biometric device to be used if the biometric was
something that everyone had. Like a biometric system based on a persons
circulatory system. You language would seem to prevent that. So we
would have to go against the TEITAC directive.



Other than that they look much the same.

What did you see that the working group language allowed that it shouldn't
(and your's prevented) or that the working group language
prevented/required that it shouldn't and yours allowed.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 1:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Current language:



When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people

can use the biometric device.



Suggested update:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide an
alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.







Explanatory note:



Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must
be developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated in to security best practices and standards in the near future.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Hoffman, Allen
Date: Wed, Jul 18 2007 2:20 PM
Subject: Re: biometrics continued

Specific items:

1. language says when identification or control, and then identification
or activation, reconcile this.
2. The language on "all people" while potentially functionally
equivalent, may not read as precisely.
3. There isn't the "unique characteristic" language anymore and that is
key to the biometrics usage.


original:
When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people




Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Gregg Vanderheiden
Date: Thu, Jul 19 2007 7:20 AM
Subject: Re: biometrics continued

Thanks Allen,



- first - thanks for catching the "control" part. That was supposed to be
removed. It should be identification only. The word control confuses
biometric issue with the biologically activated controls issue. We
decided to make this biometrics only - but forgot the edit. (done in
conjunction with hardware)



- on your point 2 - please say more. I don't quite understand.
Those are the words that allow the type of solution we were instructed to
include. Your proposed language is easier to understand or read but does
not include the option we were instructed to include.



- on your point 3 regarding 'unique characteristic' - that should
be covered by the word 'biometric' - but perhaps it would be good to spell
it out a bit since there was already confusion with biologic controls.



How about



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




This language does NOT allow for a double biometric approach. Do we think
two biometric is OK? Which two? What about employees who lose two?
Should there always be another option - so they are not barred?



Remember that if there was an "iris or passcode", only the person without
an iris would need to be able to use the passcode. Not everyone.



Thoughts?



There was a suggestion to bring in some people with security background.
Does someone know some people we could invite?



Thanks




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 3:14 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Specific items:



1. language says when identification or control, and then identification or
activation, reconcile this.

2. The language on "all people" while potentially functionally equivalent,
may not read as precisely.

3. There isn't the "unique characteristic" language anymore and that is key
to the biometrics usage.





original:

When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people







Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Wednesday, July 18, 2007 4:08 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

At the last TEITAC meeting we were specifically asked to create a provision
that allowed a single biometric device to be used if the biometric was
something that everyone had. Like a biometric system based on a persons
circulatory system. You language would seem to prevent that. So we
would have to go against the TEITAC directive.



Other than that they look much the same.

What did you see that the working group language allowed that it shouldn't
(and your's prevented) or that the working group language
prevented/required that it shouldn't and yours allowed.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 1:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Current language:



When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people

can use the biometric device.



Suggested update:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide an
alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.







Explanatory note:



Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must
be developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated in to security best practices and standards in the near future.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Walser, Kate
Date: Thu, Jul 19 2007 7:45 AM
Subject: Re: biometrics continued

Gregg wrote:
"There was a suggestion to bring in some people with security background.    Does someone know some people we could invite?"

Kate replies:
I do and will see if I can pull them into the discussion either via mailing list or standing weekly meeting.

Best regards,
Kate

From: Hoffman, Allen
Date: Thu, Jul 19 2007 9:00 AM
Subject: Re: biometrics continued

I think our practical experience in dealing with this at the present
time is that adding at least one additional biometric as an alternative
will address the vast majority of people affected, e.g. the same
approach of "lets deal with the things we can first", as we are doing in
lots of 508 now.

Your suggested language:

"When biometric forms of user identification are used, an alternative
form of identification must also be provided unless the biometric
measure is not affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and
voice.



Is not operationally much different than what we have now, and doesn't
provide steps to solutions we can move towards to the final aspirational
solution.



I don't think this is clear that adding alternate biometrics is
accepted. My experience with security requirements is that they are
very specific, so our requirements must be as precisely defined as we
can make them to leave little room for unclarity. I believe the
Access-Board was looking for some expertise that could identify
acceptable alternatives to biometric usage. I don't think we have done
that yet, so we need to encode the practical acceptable "real world"
approach first, as long as the aspirational solution is not prohibited.



So my previous suggestion was:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic,
an alternative form of identification or control or activation must also
be provided which uses alternate biometric unique characteristics, or
does not
rely upon biometrics. Agencies must provide an alternate means of
access for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:

Until nonbiometric forms of identification, control or activation have
been integrated into security best practices, such biometric-based
systems must be
developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less
likely for people
to have both missing fingerprints and retinas than either stand-alone.
Even if multiple biometrics are available, when people can not use
those, alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers,
another procedure,
which could involve physical assistance may be needed to provide
comparable access.



It is strongly recommended that the Access-Board direct research to
identify nonbiometrics forms of identification, control or activation to
be integrated
in to security best practices and standards in the near future.



I think this can be strengthened to include the aspirational more
clearly to reconcile both.



Revision:

When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic,
an alternative form of identification or control or activation must also
be provided which uses alternate biometric unique characteristics,
relies upon a biometric characteristic that all people have, or does not
rely upon biometrics. Agencies must provide an alternate means of
access for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:



People who do not have fingers, eyes, etc are not able to make use of
biometrics-based E&IT simply because currently these solutions rely upon
only one unique biometric measurement, such as a fingerprint. Allowing
such solutions to accept alternative biometrics will decrease the number
of people who are unable to use such biometrics solutions greatly, since
people with multiple disabilities of this type are a smaller portion of
the population. This, however, is only an interim step until biometric
or nonbiometric alternatives are identified and integrated into security
best practices that "all people" regardless of disability are able to
use the procedure. For example, one potential solution may rely upon
circulation only, and it may be true that no people are missing
circulation, so this would be an accessible biometric.





Until nonbiometric forms of identification, control or activation have
been integrated into security best practices, such biometric-based
systems must be
developed to allow multiple biometrics to be used. Alternatively, until
a biometric solution is identified that all people can use, biometrics
systems that use multiple biometrics or nonbiometrics must be employed.
For example, fingerprints and retina patterns are just two examples. It
is less likely for people
to have both missing fingerprints and retinas than either stand-alone.
Even if multiple biometrics are available, when people can not use
those, alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers,
another procedure,
which could involve physical assistance may be needed to provide
comparable access.



It is strongly recommended that the Access-Board direct research to
identify nonbiometrics forms of identification, control or activation,
or biometric alternatives that all people can make use of, to be
integrated
in to security best practices and standards in the near future.











Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Gregg Vanderheiden
Date: Thu, Jul 19 2007 12:35 PM
Subject: Re: biometrics continued

Oh you are correct. The new language does not allow two biometrics.
But that was because I was told that was not acceptable. I was told it
only reduced the problem but still barred the rest from access.



So the wording covered that. If covering that vast majority is good enough
- then we can look at two biometrics. I was just trying to go with the
constraints laid down.



Lets take this up and discuss it again. We certainly need to determine what
we are TRYING to say -before we can figure out the words.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 9:51 AM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

I think our practical experience in dealing with this at the present time
is that adding at least one additional biometric as an alternative will
address the vast majority of people affected, e.g. the same approach of
"lets deal with the things we can first", as we are doing in lots of 508
now.



Your suggested language:



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




Is not operationally much different than what we have now, and doesn't
provide steps to solutions we can move towards to the final aspirational
solution.



I don't think this is clear that adding alternate biometrics is accepted. My
experience with security requirements is that they are very specific, so our
requirements must be as precisely defined as we can make them to leave
little room for unclarity. I believe the Access-Board was looking for some
expertise that could identify acceptable alternatives to biometric usage. I
don't think we have done that yet, so we need to encode the practical
acceptable "real world" approach first, as long as the aspirational solution
is not prohibited.



So my previous suggestion was:



When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:

Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated
in to security best practices and standards in the near future.



I think this can be strengthened to include the aspirational more clearly to
reconcile both.



Revision:



When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, relies upon
a biometric characteristic that all people have, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:



People who do not have fingers, eyes, etc are not able to make use of
biometrics-based E&IT simply because currently these solutions rely upon
only one unique biometric measurement, such as a fingerprint. Allowing such
solutions to accept alternative biometrics will decrease the number of
people who are unable to use such biometrics solutions greatly, since people
with multiple disabilities of this type are a smaller portion of the
population. This, however, is only an interim step until biometric or
nonbiometric alternatives are identified and integrated into security best
practices that "all people" regardless of disability are able to use the
procedure. For example, one potential solution may rely upon circulation
only, and it may be true that no people are missing circulation, so this
would be an accessible biometric.





Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. Alternatively, until a
biometric solution is identified that all people can use, biometrics systems
that use multiple biometrics or nonbiometrics must be employed. For
example, fingerprints and retina patterns are just two examples. It is less
likely for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation, or biometric
alternatives that all people can make use of, to be integrated
in to security best practices and standards in the near future.











Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 9:14 AM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Thanks Allen,



- first - thanks for catching the "control" part. That was supposed to be
removed. It should be identification only. The word control confuses
biometric issue with the biologically activated controls issue. We
decided to make this biometrics only - but forgot the edit. (done in
conjunction with hardware)



- on your point 2 - please say more. I don't quite understand.
Those are the words that allow the type of solution we were instructed to
include. Your proposed language is easier to understand or read but does
not include the option we were instructed to include.



- on your point 3 regarding 'unique characteristic' - that should
be covered by the word 'biometric' - but perhaps it would be good to spell
it out a bit since there was already confusion with biologic controls.



How about



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




This language does NOT allow for a double biometric approach. Do we think
two biometric is OK? Which two? What about employees who lose two?
Should there always be another option - so they are not barred?



Remember that if there was an "iris or passcode", only the person without
an iris would need to be able to use the passcode. Not everyone.



Thoughts?



There was a suggestion to bring in some people with security background.
Does someone know some people we could invite?



Thanks




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 3:14 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Specific items:



1. language says when identification or control, and then identification or
activation, reconcile this.

2. The language on "all people" while potentially functionally equivalent,
may not read as precisely.

3. There isn't the "unique characteristic" language anymore and that is key
to the biometrics usage.





original:

When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people







Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Wednesday, July 18, 2007 4:08 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

At the last TEITAC meeting we were specifically asked to create a provision
that allowed a single biometric device to be used if the biometric was
something that everyone had. Like a biometric system based on a persons
circulatory system. You language would seem to prevent that. So we
would have to go against the TEITAC directive.



Other than that they look much the same.

What did you see that the working group language allowed that it shouldn't
(and your's prevented) or that the working group language
prevented/required that it shouldn't and yours allowed.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 1:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Current language:



When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people

can use the biometric device.



Suggested update:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide an
alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.







Explanatory note:



Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must
be developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated in to security best practices and standards in the near future.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Hoffman, Allen
Date: Thu, Jul 19 2007 12:40 PM
Subject: Re: biometrics continued

I'll raise this with the Access Board.
thanks.



Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Gregg Vanderheiden
Date: Thu, Jul 19 2007 12:45 PM
Subject: Re: biometrics continued

Ok



Not sure it is an AB issue is it?

I think they will tell us it is our decision.



Oh - when I said I was told "two biometrics wasn't acceptable" - it wasn't
by the Access Board. It was on one of our calls (or one of the calls. I
can't remember if it was in general or another group)




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 1:34 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

I'll raise this with the Access Board.

thanks.





Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:33 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Oh you are correct. The new language does not allow two biometrics.
But that was because I was told that was not acceptable. I was told it
only reduced the problem but still barred the rest from access.



So the wording covered that. If covering that vast majority is good enough
- then we can look at two biometrics. I was just trying to go with the
constraints laid down.



Lets take this up and discuss it again. We certainly need to determine what
we are TRYING to say -before we can figure out the words.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 9:51 AM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

I think our practical experience in dealing with this at the present time
is that adding at least one additional biometric as an alternative will
address the vast majority of people affected, e.g. the same approach of
"lets deal with the things we can first", as we are doing in lots of 508
now.



Your suggested language:



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




Is not operationally much different than what we have now, and doesn't
provide steps to solutions we can move towards to the final aspirational
solution.



I don't think this is clear that adding alternate biometrics is accepted. My
experience with security requirements is that they are very specific, so our
requirements must be as precisely defined as we can make them to leave
little room for unclarity. I believe the Access-Board was looking for some
expertise that could identify acceptable alternatives to biometric usage. I
don't think we have done that yet, so we need to encode the practical
acceptable "real world" approach first, as long as the aspirational solution
is not prohibited.



So my previous suggestion was:



When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:

Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated
in to security best practices and standards in the near future.



I think this can be strengthened to include the aspirational more clearly to
reconcile both.



Revision:



When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, relies upon
a biometric characteristic that all people have, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:



People who do not have fingers, eyes, etc are not able to make use of
biometrics-based E&IT simply because currently these solutions rely upon
only one unique biometric measurement, such as a fingerprint. Allowing such
solutions to accept alternative biometrics will decrease the number of
people who are unable to use such biometrics solutions greatly, since people
with multiple disabilities of this type are a smaller portion of the
population. This, however, is only an interim step until biometric or
nonbiometric alternatives are identified and integrated into security best
practices that "all people" regardless of disability are able to use the
procedure. For example, one potential solution may rely upon circulation
only, and it may be true that no people are missing circulation, so this
would be an accessible biometric.





Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. Alternatively, until a
biometric solution is identified that all people can use, biometrics systems
that use multiple biometrics or nonbiometrics must be employed. For
example, fingerprints and retina patterns are just two examples. It is less
likely for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation, or biometric
alternatives that all people can make use of, to be integrated
in to security best practices and standards in the near future.











Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 9:14 AM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Thanks Allen,



- first - thanks for catching the "control" part. That was supposed to be
removed. It should be identification only. The word control confuses
biometric issue with the biologically activated controls issue. We
decided to make this biometrics only - but forgot the edit. (done in
conjunction with hardware)



- on your point 2 - please say more. I don't quite understand.
Those are the words that allow the type of solution we were instructed to
include. Your proposed language is easier to understand or read but does
not include the option we were instructed to include.



- on your point 3 regarding 'unique characteristic' - that should
be covered by the word 'biometric' - but perhaps it would be good to spell
it out a bit since there was already confusion with biologic controls.



How about



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




This language does NOT allow for a double biometric approach. Do we think
two biometric is OK? Which two? What about employees who lose two?
Should there always be another option - so they are not barred?



Remember that if there was an "iris or passcode", only the person without
an iris would need to be able to use the passcode. Not everyone.



Thoughts?



There was a suggestion to bring in some people with security background.
Does someone know some people we could invite?



Thanks




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 3:14 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Specific items:



1. language says when identification or control, and then identification or
activation, reconcile this.

2. The language on "all people" while potentially functionally equivalent,
may not read as precisely.

3. There isn't the "unique characteristic" language anymore and that is key
to the biometrics usage.





original:

When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people







Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Wednesday, July 18, 2007 4:08 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

At the last TEITAC meeting we were specifically asked to create a provision
that allowed a single biometric device to be used if the biometric was
something that everyone had. Like a biometric system based on a persons
circulatory system. You language would seem to prevent that. So we
would have to go against the TEITAC directive.



Other than that they look much the same.

What did you see that the working group language allowed that it shouldn't
(and your's prevented) or that the working group language
prevented/required that it shouldn't and yours allowed.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 1:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Current language:



When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people

can use the biometric device.



Suggested update:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide an
alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.







Explanatory note:



Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must
be developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated in to security best practices and standards in the near future.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Hoffman, Allen
Date: Thu, Jul 19 2007 12:50 PM
Subject: Re: biometrics continued

Gregg:

Do you have any philosophical problem with this approach? I think this
path may get us moving toward more accessible biometrics, or alternates
more quickly than basically just leaving the full or nothing on the
table only. I'm saying this from some direct experiences here at DHS
where this is indeed an active continuous challenge. If, AB indeed did
say that path is not what they want, then we can certainly consider
offering our experiences up for consideration as supplemental
information. To be honest what is needed is hard research on
identifying the accessible biometric or alternative that is accepted by
the security community as real.







Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Katie Haritos-Shea
Date: Thu, Jul 19 2007 1:05 PM
Subject: Re: biometrics continued

<HEAD>
<STYLE>body{font-family: Geneva,Arial,Helvetica,sans-serif;font-size:9pt;background-color: #ffffff;color: black;}</STYLE>

<META content="MSHTML 6.00.2900.3059" name=GENERATOR></HEAD>
<BODY id=compText>
<P>Folks,</P>
<P>I don't work at DHS, and I know we sorely need expertise in this area.</P>
<P>But, at each organization that I have spelled-out the existing 508 biometrics requirements for, for both existing and systems under development, I have not met with any resistance from the InfoSec folks. I advocated for an alternative (second) biometric ID. Compared to many other 508&nbsp;requirements, alternative methods of biometric authentication appear to be do-able. My 2 cents of experience.</P>
<P>Katie<BR><BR><BR></P>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 0px; BORDER-LEFT: #0000ff 2px solid">-----Original Message----- <BR>From: "Hoffman, Allen" < = EMAIL ADDRESS REMOVED = ><BR>Sent: Jul 19, 2007 2:46 PM <BR>To: TEITAC General Interface Accessibility Subcommittee < = EMAIL ADDRESS REMOVED = ><BR>Subject: Re: [teitac-general] biometrics continued <BR><BR><ZZZHTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns:v="urn:schemas-microsoft-com:vml"><ZZZHEAD><ZZZMETA content="text/html; charset=us-ascii" http-equiv="Content-Type"><ZZZMETA content="MSHTML 6.00.2900.3132" name="GENERATOR"><ZZZ!--[IF !mso]>
<STYLE>v:* {
BEHAVIOR: url(#default#VML)
}
o:* {
BEHAVIOR: url(#default#VML)
}
w:* {
BEHAVIOR: url(#default#VML)
}
.shape {
BEHAVIOR: url(#default#VML)
}
</STYLE>
<ZZZ![ENDIF]--><?xml:namespace prefix = o /><o:SmartTagType name="PersonName" namespaceuri="urn:schemas-microsoft-com:office:smarttags"></o:SmartTagType><ZZZ!--[IF !mso]>
<STYLE>st1:* {
BEHAVIOR: url(#default#ieooui)
}
</STYLE>
<ZZZ![ENDIF]-->
<STYLE>@font-face {
font-family: Wingdings;
}
@font-face {
font-family: Batang;
}
@font-face {
font-family: Kartika;
}
@font-face {
font-family: Tahoma;
}
@font-face {
font-family: Coronet;
}
@font-face {
font-family: Monotype Corsiva;
}
@font-face {
font-family: @Batang;
}
@page Section1 {size: 8.5in 11.0in; margin: 1.0in 1.25in 1.0in 1.25in; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; COLOR: black; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; COLOR: black; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; COLOR: black; FONT-FAMILY: "Times New Roman"
}
H1 {
FONT-WEIGHT: bold; FONT-SIZE: 16pt; MARGIN: 12pt 0in 3pt; COLOR: windowtext; FONT-FAMILY: Arial
}
H2 {
FONT-WEIGHT: bold; FONT-SIZE: 14pt; MARGIN: 12pt 0in 3pt; COLOR: windowtext; FONT-STYLE: italic; FONT-FAMILY: Arial
}
H3 {
FONT-WEIGHT: bold; FONT-SIZE: 13pt; MARGIN: 12pt 0in 3pt; COLOR: windowtext; FONT-FAMILY: Arial
}
H4 {
FONT-WEIGHT: bold; FONT-SIZE: 14pt; MARGIN: 12pt 0in 3pt; COLOR: windowtext; FONT-FAMILY: "Times New Roman"
}
P.MsoFooter {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; COLOR: windowtext; FONT-FAMILY: "Times New Roman"
}
LI.MsoFooter {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; COLOR: windowtext; FONT-FAMILY: "Times New Roman"
}
DIV.MsoFooter {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt; COLOR: windowtext; FONT-FAMILY: "Times New Roman"
}
P.MsoListBullet3 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 6pt 0.75in; COLOR: windowtext; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l8 level1 lfo3
}
LI.MsoListBullet3 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 6pt 0.75in; COLOR: windowtext; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l8 level1 lfo3
}
DIV.MsoListBullet3 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 6pt 0.75in; COLOR: windowtext; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l8 level1 lfo3
}
P.MsoListNumber2 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 6pt; COLOR: windowtext; TEXT-INDENT: 0in; FONT-FAMILY: "Times New Roman"; mso-list: l0 level1 lfo4
}
LI.MsoListNumber2 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 6pt; COLOR: windowtext; TEXT-INDENT: 0in; FONT-FAMILY: "Times New Roman"; mso-list: l0 level1 lfo4
}
DIV.MsoListNumber2 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 6pt; COLOR: windowtext; TEXT-INDENT: 0in; FONT-FAMILY: "Times New Roman"; mso-list: l0 level1 lfo4
}
P.MsoTitle {
FONT-WEIGHT: bold; FONT-SIZE: 16pt; MARGIN: 0in 0in 0pt; COLOR: windowtext; FONT-FAMILY: "Times New Roman"; TEXT-ALIGN: center
}
LI.MsoTitle {
FONT-WEIGHT: bold; FONT-SIZE: 16pt; MARGIN: 0in 0in 0pt; COLOR: windowtext; FONT-FAMILY: "Times New Roman"; TEXT-ALIGN: center
}
DIV.MsoTitle {
FONT-WEIGHT: bold; FONT-SIZE: 16pt; MARGIN: 0in 0in 0pt; COLOR: windowtext; FONT-FAMILY: "Times New Roman"; TEXT-ALIGN: center
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
P.MsoDocumentMap {
FONT-SIZE: 10pt; BACKGROUND: navy; MARGIN: 0in 0in 0pt; COLOR: black; FONT-FAMILY: Tahoma
}
LI.MsoDocumentMap {
FONT-SIZE: 10pt; BACKGROUND: navy; MARGIN: 0in 0in 0pt; COLOR: black; FONT-FAMILY: Tahoma
}
DIV.MsoDocumentMap {
FONT-SIZE: 10pt; BACKGROUND: navy; MARGIN: 0in 0in 0pt; COLOR: black; FONT-FAMILY: Tahoma
}
P {
FONT-SIZE: 12pt; MARGIN-LEFT: 0in; COLOR: black; MARGIN-RIGHT: 0in; FONT-FAMILY: "Times New Roman"; mso-margin-top-alt: auto; mso-margin-bottom-alt: auto
}
P.AbstractBullets {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l3 level1 lfo1
}
LI.AbstractBullets {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l3 level1 lfo1
}
DIV.AbstractBullets {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l3 level1 lfo1
}
P.SingleSpaceListing {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l2 level2 lfo2
}
LI.SingleSpaceListing {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l2 level2 lfo2
}
DIV.SingleSpaceListing {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l2 level2 lfo2
}
P.abstractbullets0 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l9 level1 lfo5
}
LI.abstractbullets0 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l9 level1 lfo5
}
DIV.abstractbullets0 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l9 level1 lfo5
}
P.singlespacelisting0 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l5 level2 lfo6
}
LI.singlespacelisting0 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l5 level2 lfo6
}
DIV.singlespacelisting0 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l5 level2 lfo6
}
P.abstractbullets00 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l7 level1 lfo7
}
LI.abstractbullets00 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l7 level1 lfo7
}
DIV.abstractbullets00 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l7 level1 lfo7
}
P.singlespacelisting00 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l6 level2 lfo8
}
LI.singlespacelisting00 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l6 level2 lfo8
}
DIV.singlespacelisting00 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l6 level2 lfo8
}
P.abstractbullets000 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l1 level1 lfo9
}
LI.abstractbullets000 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l1 level1 lfo9
}
DIV.abstractbullets000 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 0pt 0.75in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l1 level1 lfo9
}
P.singlespacelisting000 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l4 level2 lfo10
}
LI.singlespacelisting000 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l4 level2 lfo10
}
DIV.singlespacelisting000 {
FONT-SIZE: 12pt; MARGIN: 0in 0in 3pt 1in; COLOR: black; TEXT-INDENT: -0.25in; FONT-FAMILY: "Times New Roman"; mso-list: l4 level2 lfo10
}
SPAN.EmailStyle32 {
FONT-FAMILY: "Times New Roman"; mso-style-type: personal-compose
}
DIV.Section1 {
page: Section1
}
OL {
MARGIN-BOTTOM: 0in
}
UL {
MARGIN-BOTTOM: 0in
}
</STYLE>
<ZZZ!--[IF 9] mso gte><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><ZZZ![ENDIF]--><ZZZ!--[IF 9] mso gte><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><ZZZ![ENDIF]--></ZZZHEAD><ZZZBODY lang=EN-US bgColor="white" link="blue" vLink="purple">
<DIV dir=ltr align=left><SPAN class=094014318-19072007><FONT face=Arial color=#0000ff size=2>Gregg:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=094014318-19072007><FONT face=Arial color=#0000ff size=2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=ltr align=left><SPAN class=094014318-19072007><FONT face=Arial color=#0000ff size=2>Do you have any philosophical problem with this approach?&nbsp; I think this path may get us moving toward more accessible biometrics, or alternates more quickly than basically just leaving the full or nothing on the table only.&nbsp; I'm saying this from some direct experiences here at DHS where this is indeed an active continuous challenge.&nbsp; If, AB indeed did say that path is not what they want, then we can certainly consider offering our experiences up for consideration as supplemental information.&nbsp; To be honest what is needed is hard research on identifying the accessible biometric or alternative that is accepted by the security community as real.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=094014318-19072007><FONT face=Arial color=#0000ff size=2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=ltr align=left><SPAN class=094014318-19072007><FONT face=Arial color=#0000ff size=2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=ltr align=left><SPAN class=094014318-19072007><FONT face=Arial color=#0000ff size=2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=ltr align=left><SPAN class=094014318-19072007><FONT face=Arial color=#0000ff size=2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=ltr align=left><SPAN class=094014318-19072007><FONT face=Arial color=#0000ff size=2></FONT></SPAN>&nbsp;</DIV>
<DIV>&nbsp;</DIV><ZZZ!-- -- text format rtf from Converted>
<P><SPAN lang=en-us><FONT face=Arial size=2>Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303</FONT></SPAN> </P>
<DIV>&nbsp;</DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] <B>On Behalf Of </B>Gregg Vanderheiden<BR><B>Sent:</B> Thursday, July 19, 2007 2:42 PM<BR><B>To:</B> 'TEITAC General Interface Accessibility Subcommittee'<BR><B>Subject:</B> Re: [teitac-general] biometrics continued<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV class=Section1>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">Ok<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">Not sure it is an AB issue is it?&nbsp;&nbsp; <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">I think they will tell us it is our decision.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">Oh � when I said I was told �two biometrics wasn�t acceptable� � it wasn�t by the Access Board.&nbsp; It was on one of our calls (or one of the calls. I can't remember if it was in general or another group)<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"></SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><BR></SPAN></FONT><FONT face="Monotype Corsiva" color=black size=4><SPAN style="FONT-SIZE: 13.5pt; COLOR: windowtext; FONT-FAMILY: 'Monotype Corsiva'">Gregg</SPAN></FONT><FONT face=Coronet color=black size=4><SPAN style="FONT-SIZE: 13.5pt; COLOR: windowtext; FONT-FAMILY: Coronet"><BR></SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial">&nbsp;</SPAN></FONT><FONT face=Arial color=black size=2><SPAN lang=SV style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Arial">-- ------------------------------</SPAN></FONT><FONT color=black><SPAN lang=SV style="COLOR: windowtext"> <BR></SPAN></FONT><FONT face=Arial color=black size=2><SPAN lang=SV style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Arial">Gregg C Vanderheiden Ph.D.</SPAN></FONT><FONT color=black><SPAN lang=SV style="COLOR: windowtext"> <o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<BLOCKQUOTE style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: black 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><FONT face=Tahoma color=black size=2><SPAN style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma color=black size=2><SPAN style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma"> = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] <B><SPAN style="FONT-WEIGHT: bold">On Behalf Of </SPAN></B>Hoffman, Allen<BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Thursday, July 19, 2007 1:34 PM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> <?xml:namespace prefix = st1 /><st1:PersonName w:st="on">TEITAC General Interface Accessibility Subcommittee</st1:PersonName><BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [teitac-general] biometrics continued</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">I'll raise this with the Access Board.</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">thanks.</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV><ZZZ!-- -- text format rtf from Converted>
<P><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303</SPAN></FONT> <o:p></o:p></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><FONT face=Tahoma color=black size=2><SPAN style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma color=black size=2><SPAN style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma"> = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] <B><SPAN style="FONT-WEIGHT: bold">On Behalf Of </SPAN></B>Gregg Vanderheiden<BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Thursday, July 19, 2007 2:33 PM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> '<st1:PersonName w:st="on">TEITAC General Interface Accessibility Subcommittee</st1:PersonName>'<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [teitac-general] biometrics continued</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">Oh you are correct.&nbsp;&nbsp; The new language does not &nbsp;allow two biometrics.&nbsp;&nbsp;&nbsp; But that was because I was told that was not acceptable. &nbsp;&nbsp;I was told it only reduced the problem but still barred the rest from access.&nbsp;&nbsp;&nbsp; <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">So the wording covered that.&nbsp;&nbsp; If covering that vast majority is good enough � then we can look at two biometrics.&nbsp;&nbsp;&nbsp; I was just trying to go with the constraints laid down. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">Lets take this up and discuss it again.&nbsp; We certainly need to determine what we are TRYING to say �before we can figure out the words. &nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial"><BR></SPAN></FONT><FONT face="Monotype Corsiva" color=black size=4><SPAN style="FONT-SIZE: 13.5pt; COLOR: windowtext; FONT-FAMILY: 'Monotype Corsiva'">Gregg</SPAN></FONT><FONT face=Coronet color=black size=4><SPAN style="FONT-SIZE: 13.5pt; COLOR: windowtext; FONT-FAMILY: Coronet"><BR></SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial">&nbsp;</SPAN></FONT><FONT face=Arial color=black size=2><SPAN lang=SV style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Arial">-- ------------------------------</SPAN></FONT><FONT color=black><SPAN lang=SV style="COLOR: windowtext"> <BR></SPAN></FONT><FONT face=Arial color=black size=2><SPAN lang=SV style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Arial">Gregg C Vanderheiden Ph.D.</SPAN></FONT><FONT color=black><SPAN lang=SV style="COLOR: windowtext"> <o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<BLOCKQUOTE style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: black 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><FONT face=Tahoma color=black size=2><SPAN style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma color=black size=2><SPAN style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma"> = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] <B><SPAN style="FONT-WEIGHT: bold">On Behalf Of </SPAN></B>Hoffman, Allen<BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Thursday, July 19, 2007 9:51 AM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> <st1:PersonName w:st="on">TEITAC General Interface Accessibility Subcommittee</st1:PersonName><BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [teitac-general] biometrics continued</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">I&nbsp; think our practical experience in dealing with this at the present time is that adding at least one additional biometric as an alternative will address the vast majority of people affected, e.g. the same approach of "lets deal with the things we can first", as we are doing in lots of 508 now.&nbsp; &nbsp; </SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Your suggested language:</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">�When biometric forms of user identification are used, an alternative form of identification must also be provided unless the biometric measure is not affected by any disability.� <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.&nbsp; <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">Is not operationally much different than what we have now, and doesn't provide steps to solutions we can move towards to the final aspirational solution.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">I don't think this is clear that adding alternate biometrics is accepted. My experience with security requirements is that they are very specific, so our&nbsp;requirements&nbsp;must be as&nbsp;precisely defined as we can make them to leave little room&nbsp;for unclarity.&nbsp; I believe the Access-Board was looking for some expertise that could identify acceptable alternatives to biometric usage.&nbsp; I don't think we have done that yet, so we need to encode the practical acceptable "real world" approach first, as long as the aspirational solution is not prohibited.</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">So my previous suggestion was:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">When biometric forms of user identification or controlor activation are used which rely&nbsp;upon a person possessing one unique biological characteristic,<BR>an alternative form of identification or&nbsp;control or activation must also be provided which uses alternate biometric unique characteristics, or does not<BR>rely&nbsp;upon biometrics.&nbsp; Agencies must provide an alternate means of access for anyone who can not use the provided biometrics-based form of identification,<BR>control or activation.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">Explanatory note:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">Until nonbiometric forms of identification, control or activation have been integrated into security best practices, such biometric-based systemsmust be<BR>developed to allow multiple biometrics to be used.&nbsp; For example, fingerprints and retina&nbsp;patterns are just two examples.&nbsp; It is less likely for&nbsp;people<BR>to have both missing fingerprints and retinas than either stand-alone.&nbsp; Even if multiple biometrics are available, when people can not use those, alternate<BR>means of access must be provided in policy and implementation for those affected.&nbsp; For example, for someone who has no retinas or fingers, another procedure,<BR>which could involve physical assistance may be needed to provide comparable access.&nbsp;&nbsp;&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">It is strongly recommended that the Access-Board direct research to identify nonbiometrics forms of identification, control or activation to be integrated<BR>in to security best practices and standards in the near future.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">I think this can be strengthened to include the aspirational more clearly to reconcile both.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">Revision:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">When biometric forms of user identification or controlor activation are used which rely&nbsp;upon a person possessing one unique biological characteristic,<BR>an alternative form of identification or&nbsp;control or activation must also be provided which uses alternate biometric unique characteristics, relies upon a biometric characteristic that all people have, or does not<BR>rely&nbsp;upon biometrics.&nbsp; Agencies must provide an alternate means of access for anyone who can not use the provided biometrics-based form of identification,<BR>control or activation.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">Explanatory note:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">People who do not have fingers, eyes, etc are not able to make use of biometrics-based E&amp;IT simply because currently these solutions rely upon only one unique biometric measurement, such as a fingerprint. Allowing such solutions to accept alternative biometrics will decrease the number of people who are unable to use such biometrics solutions greatly, since people with multiple disabilities of this type are a smaller portion of the population.&nbsp; This, however, is only an interim step until biometric or nonbiometric alternatives are identified and integrated into security best practices that "all people" regardless of disability are able to use the procedure.&nbsp; For example, one potential solution may rely upon circulation only, and it may be true that no people are missing circulation, so this would be an accessible biometric.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">Until nonbiometric forms of identification, control or activation have been integrated into security best practices, such biometric-based systemsmust be<BR>developed to allow multiple biometrics to be used.&nbsp; Alternatively, until a biometric solution is identified that all people can use, biometrics systems that use multiple biometrics or nonbiometrics must be employed.&nbsp; For example, fingerprints and retina&nbsp;patterns are just two examples.&nbsp; It is less likely for&nbsp;people<BR>to have both missing fingerprints and retinas than either stand-alone.&nbsp; Even if multiple biometrics are available, when people can not use those, alternate<BR>means of access must be provided in policy and implementation for those affected.&nbsp; For example, for someone who has no retinas or fingers, another procedure,<BR>which could involve physical assistance may be needed to provide comparable access.&nbsp;&nbsp;&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial">It is strongly recommended that the Access-Board direct research to identify nonbiometrics forms of identification, control or activation, or biometric alternatives that all people can make use of, to be integrated<BR>in to security best practices and standards in the near future.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;</SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P></DIV><ZZZ!-- -- text format rtf from Converted>
<P><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303</SPAN></FONT> <o:p></o:p></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><FONT face=Tahoma color=black size=2><SPAN style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma color=black size=2><SPAN style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma"> = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] <B><SPAN style="FONT-WEIGHT: bold">On Behalf Of </SPAN></B>Gregg Vanderheiden<BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Thursday, July 19, 2007 9:14 AM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> '<st1:PersonName w:st="on">TEITAC General Interface Accessibility Subcommittee</st1:PersonName>'<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [teitac-general] biometrics continued</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">Thanks Allen,<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal style="TEXT-INDENT: 6pt"><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">- first � thanks for catching the �control� part.&nbsp;&nbsp; That was supposed to be removed.&nbsp; It should be identification only.&nbsp; The word control confuses biometric issue with the biologically activated controls issue.&nbsp;&nbsp; &nbsp;&nbsp;We decided to make this biometrics only � but forgot the edit.&nbsp;&nbsp; (done in conjunction with hardware)&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal style="TEXT-INDENT: 6pt"><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 24pt; TEXT-INDENT: -0.25in"><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">-</SPAN></FONT><FONT color=black size=1><SPAN style="FONT-SIZE: 7pt; COLOR: windowtext">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext">on your point 2 � please say more. I don't quite understand.&nbsp;&nbsp; Those are the words that allow the type of solution we were instructed to include.&nbsp; Your proposed language is easier to understand or read but does&nbsp; not include the option we were instructed to include. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal style="MARGIN-LEFT: 24pt; TEXT-INDENT: -0.25in"><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">-</SPAN></FONT><FONT color=black size=1><SPAN style="FONT-SIZE: 7pt; COLOR: windowtext">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext">on your point 3&nbsp; regarding �unique characteristic� � that should be covered by the word �biometric� � but perhaps it would be good to spell it out a bit since there was already confusion with biologic controls.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">How about<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">�When biometric forms of user identification are used, an alternative form of identification must also be provided unless the biometric measure is not affected by any disability.� <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.&nbsp; <o:p></o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">This language does NOT allow for a double biometric approach.&nbsp;&nbsp; Do we think two biometric is OK?&nbsp; Which two?&nbsp;&nbsp; What about employees who lose two?&nbsp;&nbsp;&nbsp; Should there always be another option � so they are not barred? <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">Remember that if there was an �iris or passcode�,&nbsp; only the person without an iris would need to be able to use the passcode. &nbsp;&nbsp;Not everyone. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">Thoughts?&nbsp;&nbsp;&nbsp; <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">There was a suggestion to bring in some people with security background.&nbsp;&nbsp;&nbsp; Does someone know some people we could invite? <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">Thanks <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext; FONT-FAMILY: Arial"><BR></SPAN></FONT><FONT face="Monotype Corsiva" color=black size=4><SPAN style="FONT-SIZE: 13.5pt; COLOR: windowtext; FONT-FAMILY: 'Monotype Corsiva'">Gregg</SPAN></FONT><FONT face=Coronet color=black size=4><SPAN style="FONT-SIZE: 13.5pt; COLOR: windowtext; FONT-FAMILY: Coronet"><BR></SPAN></FONT><FONT face=Arial color=black><SPAN style="COLOR: windowtext; FONT-FAMILY: Arial">&nbsp;</SPAN></FONT><FONT face=Arial color=black size=2><SPAN lang=SV style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Arial">-- ------------------------------</SPAN></FONT><FONT color=black><SPAN lang=SV style="COLOR: windowtext"> <BR></SPAN></FONT><FONT face=Arial color=black size=2><SPAN lang=SV style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Arial">Gregg C Vanderheiden Ph.D.</SPAN></FONT><FONT color=black><SPAN lang=SV style="COLOR: windowtext"> <o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<BLOCKQUOTE style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: black 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><FONT face=Tahoma color=black size=2><SPAN style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma color=black size=2><SPAN style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma"> = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] <B><SPAN style="FONT-WEIGHT: bold">On Behalf Of </SPAN></B>Hoffman, Allen<BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Wednesday, July 18, 2007 3:14 PM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> <st1:PersonName w:st="on">TEITAC General Interface Accessibility Subcommittee</st1:PersonName><BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [teitac-general] biometrics continued</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Specific items:</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">1. language says when identification or control, and then identification or activation, reconcile this.</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">2.&nbsp;&nbsp;The language on "all people" while potentially functionally equivalent, may not read as precisely.</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">3.&nbsp; There isn't the "unique characteristic" language anymore and that is key to the biometrics usage.</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">&nbsp; </SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">original:</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">When biometric forms of user identification or control are used, an alternative form of identification or activation must also be provided unless all people</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV><ZZZ!-- -- text format rtf from Converted>
<P><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303</SPAN></FONT> <o:p></o:p></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt; COLOR: windowtext">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><FONT face=Tahoma color=black size=2><SPAN style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma color=black size=2><SPAN style="FONT-SIZE: 10pt; COLOR: windowtext; FONT-FAMILY: Tahoma"> = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] <B><SPAN style="FONT-WEIGHT: bold">On Behalf Of </SPAN></B><st1:PersonName w:st="on">Gregg Vanderheiden</st1:PersonName><BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Wednesday, July 18, 2007 4:08 PM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> '<st1:PersonName w:st="on">TEITAC General Interface Accessibility Subcommittee</st1:PersonName>'<BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [teitac-general] biometrics continued</SPAN></FONT><FONT color=black><SPAN style="COLOR: windowtext"><o:p></o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">At the last TEITAC meeting we were specifically asked to create a provision that allowed a single biometric device to be used if the biometric was something that everyone had.&nbsp; Like a biometric system based on a persons circulatory system.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; You language would seem to prevent that.&nbsp; &nbsp;So we would have to go against the TEITAC directive. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">Other than that they look much the same.&nbsp; <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">What did you see that the working group language allowed that it shouldn�t (and your�s prevented)&nbsp; &nbsp;or that the working group language prevented/required that it shouldn�t and yours allowed. &nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face=Arial color=black size=3><SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: Arial"><BR></SPAN></FONT><FONT face="Monotype Corsiva" size=4><SPAN style="FONT-SIZE: 13.5pt; FONT-FAMILY: 'Monotype Corsiva'">Gregg</SPAN></FONT><FONT face=Coronet size=4><SPAN style="FONT-SIZE: 13.5pt; FONT-FAMILY: Coronet"><BR></SPAN></FONT><FONT face=Arial><SPAN style="FONT-FAMILY: Arial">&nbsp;</SPAN></FONT><FONT face=Arial size=2><SPAN lang=SV style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">-- ------------------------------</SPAN></FONT><SPAN lang=SV> <BR></SPAN><FONT face=Arial size=2><SPAN lang=SV style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Gregg C Vanderheiden Ph.D.</SPAN></FONT><SPAN lang=SV> <o:p></o:p></SPAN></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<BLOCKQUOTE style="BORDER-RIGHT: medium none; PADDING-RIGHT: 0in; BORDER-TOP: medium none; PADDING-LEFT: 4pt; PADDING-BOTTOM: 0in; MARGIN: 5pt 0in 5pt 3.75pt; BORDER-LEFT: black 1.5pt solid; PADDING-TOP: 0in; BORDER-BOTTOM: medium none">
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<DIV class=MsoNormal style="TEXT-ALIGN: center" align=center><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">
<HR tabIndex=-1 align=center width="100%" SIZE=2>
</SPAN></FONT></DIV>
<P class=MsoNormal style="MARGIN-BOTTOM: 12pt"><B><FONT face=Tahoma color=black size=2><SPAN style="FONT-WEIGHT: bold; FONT-SIZE: 10pt; FONT-FAMILY: Tahoma">From:</SPAN></FONT></B><FONT face=Tahoma size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma"> = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] <B><SPAN style="FONT-WEIGHT: bold">On Behalf Of </SPAN></B>Hoffman, Allen<BR><B><SPAN style="FONT-WEIGHT: bold">Sent:</SPAN></B> Wednesday, July 18, 2007 1:38 PM<BR><B><SPAN style="FONT-WEIGHT: bold">To:</SPAN></B> <st1:PersonName w:st="on">TEITAC General Interface Accessibility Subcommittee</st1:PersonName><BR><B><SPAN style="FONT-WEIGHT: bold">Subject:</SPAN></B> Re: [teitac-general] biometrics continued</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Current language:</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">When biometric forms of user identification or control are used, an alternative form of identification or activation must also be provided unless all people<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">can use the biometric device. <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Suggested update:</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">When biometric forms of user identification or control&nbsp;or activation are used which rely&nbsp;upon a person possessing one unique biological characteristic, an alternative form of identification or&nbsp;control or activation must also be provided which uses alternate biometric unique characteristics, or does not rely&nbsp;upon biometrics.&nbsp; Agencies must provide an alternate means of access for anyone who can not use the provided biometrics-based form of identification, control or activation.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;&nbsp; <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">Explanatory note:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">Until nonbiometric forms of identification, control or activation have been integrated into security best practices, such biometric-based systems&nbsp;must be developed to allow multiple biometrics to be used.&nbsp; For example, fingerprints and retina&nbsp;patterns are just two examples.&nbsp; It is less likely for&nbsp;people to have both missing fingerprints and retinas than either stand-alone.&nbsp; Even if multiple biometrics are available, when people can not use those, alternate means of access must be provided in policy and implementation for those affected.&nbsp; For example, for someone who has no retinas or fingers, another procedure, which could involve physical assistance may be needed to provide comparable access.&nbsp; </SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">It is strongly recommended that the Access-Board direct research to identify nonbiometrics forms of identification, control or activation to be integrated in to security best practices and standards in the near future.</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial color=blue size=2><SPAN style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial">&nbsp;&nbsp;</SPAN></FONT><o:p></o:p></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;&nbsp;&nbsp;<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV><ZZZ!-- -- text format rtf from Converted>
<P><FONT face=Arial color=black size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303</SPAN></FONT> <o:p></o:p></P>
<DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P></DIV>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt"><o:p>&nbsp;</o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face="Times New Roman" color=black size=3><SPAN style="FONT-SIZE: 12pt">&nbsp;<o:p></o:p></SPAN></FONT></P></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></DIV></ZZZBODY></ZZZHTML></BLOCKQUOTE></BODY><PRE>

* katie *

Katie Haritos-Shea
Section 508 Technical Policy Analyst

703-371-5545

People may forget exactly what it was that you said or did,
but they will never forget how you made them feel.......</PRE>

From: Tom Brett
Date: Thu, Jul 19 2007 1:20 PM
Subject: Re: biometrics continued

In actuality Government Security Personnel need to weigh in on this. There
are competing Executive orders and laws on accessibility and security.
There needs to be a happy medium reached that will provide the best security
with the least amount of inaccessibility to people with disabilities.



Tom Brett



_____

From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Katie
Haritos-Shea
Sent: Thursday, July 19, 2007 3:03 PM
To: TEITAC General Interface Accessibility Subcommittee; TEITAC General
Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued



Folks,

I don't work at DHS, and I know we sorely need expertise in this area.

But, at each organization that I have spelled-out the existing 508
biometrics requirements for, for both existing and systems under
development, I have not met with any resistance from the InfoSec folks. I
advocated for an alternative (second) biometric ID. Compared to many other
508 requirements, alternative methods of biometric authentication appear to
be do-able. My 2 cents of experience.

Katie



-----Original Message-----
From: "Hoffman, Allen"
Sent: Jul 19, 2007 2:46 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued




Gregg:



Do you have any philosophical problem with this approach? I think this path
may get us moving toward more accessible biometrics, or alternates more
quickly than basically just leaving the full or nothing on the table only.
I'm saying this from some direct experiences here at DHS where this is
indeed an active continuous challenge. If, AB indeed did say that path is
not what they want, then we can certainly consider offering our experiences
up for consideration as supplemental information. To be honest what is
needed is hard research on identifying the accessible biometric or
alternative that is accepted by the security community as real.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:42 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Ok



Not sure it is an AB issue is it?

I think they will tell us it is our decision.



Oh - when I said I was told "two biometrics wasn't acceptable" - it wasn't
by the Access Board. It was on one of our calls (or one of the calls. I
can't remember if it was in general or another group)




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 1:34 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

I'll raise this with the Access Board.

thanks.





Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:33 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Oh you are correct. The new language does not allow two biometrics.
But that was because I was told that was not acceptable. I was told it
only reduced the problem but still barred the rest from access.



So the wording covered that. If covering that vast majority is good enough
- then we can look at two biometrics. I was just trying to go with the
constraints laid down.



Lets take this up and discuss it again. We certainly need to determine what
we are TRYING to say -before we can figure out the words.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 9:51 AM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

I think our practical experience in dealing with this at the present time
is that adding at least one additional biometric as an alternative will
address the vast majority of people affected, e.g. the same approach of
"lets deal with the things we can first", as we are doing in lots of 508
now.



Your suggested language:



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




Is not operationally much different than what we have now, and doesn't
provide steps to solutions we can move towards to the final aspirational
solution.



I don't think this is clear that adding alternate biometrics is accepted. My
experience with security requirements is that they are very specific, so our
requirements must be as precisely defined as we can make them to leave
little room for unclarity. I believe the Access-Board was looking for some
expertise that could identify acceptable alternatives to biometric usage. I
don't think we have done that yet, so we need to encode the practical
acceptable "real world" approach first, as long as the aspirational solution
is not prohibited.



So my previous suggestion was:



When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:

Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated
in to security best practices and standards in the near future.



I think this can be strengthened to include the aspirational more clearly to
reconcile both.



Revision:



When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, relies upon
a biometric characteristic that all people have, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:



People who do not have fingers, eyes, etc are not able to make use of
biometrics-based E&IT simply because currently these solutions rely upon
only one unique biometric measurement, such as a fingerprint. Allowing such
solutions to accept alternative biometrics will decrease the number of
people who are unable to use such biometrics solutions greatly, since people
with multiple disabilities of this type are a smaller portion of the
population. This, however, is only an interim step until biometric or
nonbiometric alternatives are identified and integrated into security best
practices that "all people" regardless of disability are able to use the
procedure. For example, one potential solution may rely upon circulation
only, and it may be true that no people are missing circulation, so this
would be an accessible biometric.





Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. Alternatively, until a
biometric solution is identified that all people can use, biometrics systems
that use multiple biometrics or nonbiometrics must be employed. For
example, fingerprints and retina patterns are just two examples. It is less
likely for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation, or biometric
alternatives that all people can make use of, to be integrated
in to security best practices and standards in the near future.











Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 9:14 AM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Thanks Allen,



- first - thanks for catching the "control" part. That was supposed to be
removed. It should be identification only. The word control confuses
biometric issue with the biologically activated controls issue. We
decided to make this biometrics only - but forgot the edit. (done in
conjunction with hardware)



- on your point 2 - please say more. I don't quite understand.
Those are the words that allow the type of solution we were instructed to
include. Your proposed language is easier to understand or read but does
not include the option we were instructed to include.



- on your point 3 regarding 'unique characteristic' - that should
be covered by the word 'biometric' - but perhaps it would be good to spell
it out a bit since there was already confusion with biologic controls.



How about



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




This language does NOT allow for a double biometric approach. Do we think
two biometric is OK? Which two? What about employees who lose two?
Should there always be another option - so they are not barred?



Remember that if there was an "iris or passcode", only the person without
an iris would need to be able to use the passcode. Not everyone.



Thoughts?



There was a suggestion to bring in some people with security background.
Does someone know some people we could invite?



Thanks




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 3:14 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Specific items:



1. language says when identification or control, and then identification or
activation, reconcile this.

2. The language on "all people" while potentially functionally equivalent,
may not read as precisely.

3. There isn't the "unique characteristic" language anymore and that is key
to the biometrics usage.





original:

When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people







Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Wednesday, July 18, 2007 4:08 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

At the last TEITAC meeting we were specifically asked to create a provision
that allowed a single biometric device to be used if the biometric was
something that everyone had. Like a biometric system based on a persons
circulatory system. You language would seem to prevent that. So we
would have to go against the TEITAC directive.



Other than that they look much the same.

What did you see that the working group language allowed that it shouldn't
(and your's prevented) or that the working group language
prevented/required that it shouldn't and yours allowed.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 1:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Current language:



When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people

can use the biometric device.



Suggested update:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide an
alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.







Explanatory note:



Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must
be developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated in to security best practices and standards in the near future.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303











* katie *



Katie Haritos-Shea

Section 508 Technical Policy Analyst



703-371-5545



People may forget exactly what it was that you said or did,

but they will never forget how you made them feel.......

From: Gregg Vanderheiden
Date: Thu, Jul 19 2007 1:50 PM
Subject: Re: biometrics continued

Me personally?



My approach is to start with the ideal, then explore all the approaches.
Then see what is possible and practical.



There are different environments here so I think I would look for



1) a general guideline that seeks what is needed

2) sub provisions that cover situations

a. e.g ir x is not possible then y.

b. if non-biometric is not possible then at least two (or finger and
hand) (or one not requiring vision or eyes) (o r something else ) OR the
biometric does not involve something that a person can lose (e.g. biometric
analysis of circulatory system).



So I don't start out with any preconceived limitations.



Will be great to hear from people who may know about security issues across
the gov - including high and low security use of biometrics.






Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 1:47 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Gregg:



Do you have any philosophical problem with this approach? I think this path
may get us moving toward more accessible biometrics, or alternates more
quickly than basically just leaving the full or nothing on the table only.
I'm saying this from some direct experiences here at DHS where this is
indeed an active continuous challenge. If, AB indeed did say that path is
not what they want, then we can certainly consider offering our experiences
up for consideration as supplemental information. To be honest what is
needed is hard research on identifying the accessible biometric or
alternative that is accepted by the security community as real.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:42 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Ok



Not sure it is an AB issue is it?

I think they will tell us it is our decision.



Oh - when I said I was told "two biometrics wasn't acceptable" - it wasn't
by the Access Board. It was on one of our calls (or one of the calls. I
can't remember if it was in general or another group)




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 1:34 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

I'll raise this with the Access Board.

thanks.





Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:33 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Oh you are correct. The new language does not allow two biometrics.
But that was because I was told that was not acceptable. I was told it
only reduced the problem but still barred the rest from access.



So the wording covered that. If covering that vast majority is good enough
- then we can look at two biometrics. I was just trying to go with the
constraints laid down.



Lets take this up and discuss it again. We certainly need to determine what
we are TRYING to say -before we can figure out the words.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 9:51 AM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

I think our practical experience in dealing with this at the present time
is that adding at least one additional biometric as an alternative will
address the vast majority of people affected, e.g. the same approach of
"lets deal with the things we can first", as we are doing in lots of 508
now.



Your suggested language:



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




Is not operationally much different than what we have now, and doesn't
provide steps to solutions we can move towards to the final aspirational
solution.



I don't think this is clear that adding alternate biometrics is accepted. My
experience with security requirements is that they are very specific, so our
requirements must be as precisely defined as we can make them to leave
little room for unclarity. I believe the Access-Board was looking for some
expertise that could identify acceptable alternatives to biometric usage. I
don't think we have done that yet, so we need to encode the practical
acceptable "real world" approach first, as long as the aspirational solution
is not prohibited.



So my previous suggestion was:



When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:

Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated
in to security best practices and standards in the near future.



I think this can be strengthened to include the aspirational more clearly to
reconcile both.



Revision:



When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, relies upon
a biometric characteristic that all people have, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.



Explanatory note:



People who do not have fingers, eyes, etc are not able to make use of
biometrics-based E&IT simply because currently these solutions rely upon
only one unique biometric measurement, such as a fingerprint. Allowing such
solutions to accept alternative biometrics will decrease the number of
people who are unable to use such biometrics solutions greatly, since people
with multiple disabilities of this type are a smaller portion of the
population. This, however, is only an interim step until biometric or
nonbiometric alternatives are identified and integrated into security best
practices that "all people" regardless of disability are able to use the
procedure. For example, one potential solution may rely upon circulation
only, and it may be true that no people are missing circulation, so this
would be an accessible biometric.





Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. Alternatively, until a
biometric solution is identified that all people can use, biometrics systems
that use multiple biometrics or nonbiometrics must be employed. For
example, fingerprints and retina patterns are just two examples. It is less
likely for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation, or biometric
alternatives that all people can make use of, to be integrated
in to security best practices and standards in the near future.











Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 9:14 AM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Thanks Allen,



- first - thanks for catching the "control" part. That was supposed to be
removed. It should be identification only. The word control confuses
biometric issue with the biologically activated controls issue. We
decided to make this biometrics only - but forgot the edit. (done in
conjunction with hardware)



- on your point 2 - please say more. I don't quite understand.
Those are the words that allow the type of solution we were instructed to
include. Your proposed language is easier to understand or read but does
not include the option we were instructed to include.



- on your point 3 regarding 'unique characteristic' - that should
be covered by the word 'biometric' - but perhaps it would be good to spell
it out a bit since there was already confusion with biologic controls.



How about



"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."

NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.




This language does NOT allow for a double biometric approach. Do we think
two biometric is OK? Which two? What about employees who lose two?
Should there always be another option - so they are not barred?



Remember that if there was an "iris or passcode", only the person without
an iris would need to be able to use the passcode. Not everyone.



Thoughts?



There was a suggestion to bring in some people with security background.
Does someone know some people we could invite?



Thanks




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 3:14 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Specific items:



1. language says when identification or control, and then identification or
activation, reconcile this.

2. The language on "all people" while potentially functionally equivalent,
may not read as precisely.

3. There isn't the "unique characteristic" language anymore and that is key
to the biometrics usage.





original:

When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people







Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Wednesday, July 18, 2007 4:08 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

At the last TEITAC meeting we were specifically asked to create a provision
that allowed a single biometric device to be used if the biometric was
something that everyone had. Like a biometric system based on a persons
circulatory system. You language would seem to prevent that. So we
would have to go against the TEITAC directive.



Other than that they look much the same.

What did you see that the working group language allowed that it shouldn't
(and your's prevented) or that the working group language
prevented/required that it shouldn't and yours allowed.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 1:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued

Current language:



When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people

can use the biometric device.



Suggested update:



When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide an
alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.







Explanatory note:



Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must
be developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.



It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated in to security best practices and standards in the near future.













Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Hoffman, Allen
Date: Thu, Jul 19 2007 2:45 PM
Subject: Re: biometrics continued

This sounds like you and I are thinking along similar lines.



Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: terry.weaver@gsa.gov
Date: Thu, Jul 19 2007 3:00 PM
Subject: Re: biometrics continued

This subject has also been raised with the Federal Identity Credential
Committee (FICC), who are working with GSA and NIST on ID standards for
all Federal employees. I have been speaking with Judy Spencer, who works
in another division in my office and we have met with the Access Board
regarding the standard that agencies need to follow in selecting, creating
and using Federal Identity cards.

I forwarded some of our emails and ask that she share the discussion
regarding the two forms of biometric identification (fingerprint and
retinal scan) with the members of the FICC and here is Judy's reply - "I
will share this. Currently, FIPS 201 does have an alternative - the
facial image. Since we all have faces (if you can show me someone without
a face, I'd be very interested) and facial recognition software is really
quite good (it deals well with changes in facial hair and glasses) and
getting better, I think this is the best and least invasive alternative.
Retinal scans require you to put your eye up to a sensor and hold
relatively still, someone with a palsy would have as much trouble, if not
more, with this alternative as with presenting a readable fingerprint."

I will be happy to forward responses to her.






"Hoffman, Allen" < = EMAIL ADDRESS REMOVED = >
Sent by: = EMAIL ADDRESS REMOVED =
07/19/2007 04:39 PM
Please respond to
"TEITAC General Interface Accessibility Subcommittee"
< = EMAIL ADDRESS REMOVED = >


To
"TEITAC General Interface Accessibility Subcommittee"
< = EMAIL ADDRESS REMOVED = >
cc

Subject
Re: [teitac-general] biometrics continued






This sounds like you and I are thinking along similar lines.


Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 3:44 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Me personally?

My approach is to start with the ideal, then explore all the
approaches. Then see what is possible and practical.

There are different environments here so I think I would look for

1) a general guideline that seeks what is needed
2) sub provisions that cover situations
a. e.g ir x is not possible then y.
b. if non-biometric is not possible then at least two (or finger and
hand) (or one not requiring vision or eyes) (o r something else ) OR
the biometric does not involve something that a person can lose (e.g.
biometric analysis of circulatory system).

So I don't start out with any preconceived limitations.

Will be great to hear from people who may know about security issues
across the gov - including high and low security use of biometrics.



Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman,
Allen
Sent: Thursday, July 19, 2007 1:47 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
Gregg:

Do you have any philosophical problem with this approach? I think this
path may get us moving toward more accessible biometrics, or alternates
more quickly than basically just leaving the full or nothing on the table
only. I'm saying this from some direct experiences here at DHS where this
is indeed an active continuous challenge. If, AB indeed did say that path
is not what they want, then we can certainly consider offering our
experiences up for consideration as supplemental information. To be
honest what is needed is hard research on identifying the accessible
biometric or alternative that is accepted by the security community as
real.






Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:42 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued
Ok

Not sure it is an AB issue is it?
I think they will tell us it is our decision.

Oh � when I said I was told �two biometrics wasn�t acceptable� � it wasn�t
by the Access Board. It was on one of our calls (or one of the calls. I
can't remember if it was in general or another group)


Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman,
Allen
Sent: Thursday, July 19, 2007 1:34 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
I'll raise this with the Access Board.
thanks.


Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:33 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued
Oh you are correct. The new language does not allow two biometrics. But
that was because I was told that was not acceptable. I was told it only
reduced the problem but still barred the rest from access.

So the wording covered that. If covering that vast majority is good
enough � then we can look at two biometrics. I was just trying to go
with the constraints laid down.

Lets take this up and discuss it again. We certainly need to determine
what we are TRYING to say �before we can figure out the words.


Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman,
Allen
Sent: Thursday, July 19, 2007 9:51 AM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
I think our practical experience in dealing with this at the present time
is that adding at least one additional biometric as an alternative will
address the vast majority of people affected, e.g. the same approach of
"lets deal with the things we can first", as we are doing in lots of 508
now.

Your suggested language:

�When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is
not affected by any disability.�
NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and
voice.

Is not operationally much different than what we have now, and doesn't
provide steps to solutions we can move towards to the final aspirational
solution.

I don't think this is clear that adding alternate biometrics is accepted.
My experience with security requirements is that they are very specific,
so our requirements must be as precisely defined as we can make them to
leave little room for unclarity. I believe the Access-Board was looking
for some expertise that could identify acceptable alternatives to
biometric usage. I don't think we have done that yet, so we need to
encode the practical acceptable "real world" approach first, as long as
the aspirational solution is not prohibited.

So my previous suggestion was:

When biometric forms of user identification or controlor activation are
used which rely upon a person possessing one unique biological
characteristic,
an alternative form of identification or control or activation must also
be provided which uses alternate biometric unique characteristics, or does
not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.

Explanatory note:
Until nonbiometric forms of identification, control or activation have
been integrated into security best practices, such biometric-based
systemsmust be
developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people
to have both missing fingerprints and retinas than either stand-alone.
Even if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide
comparable access.

It is strongly recommended that the Access-Board direct research to
identify nonbiometrics forms of identification, control or activation to
be integrated
in to security best practices and standards in the near future.

I think this can be strengthened to include the aspirational more clearly
to reconcile both.

Revision:

When biometric forms of user identification or controlor activation are
used which rely upon a person possessing one unique biological
characteristic,
an alternative form of identification or control or activation must also
be provided which uses alternate biometric unique characteristics, relies
upon a biometric characteristic that all people have, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.

Explanatory note:

People who do not have fingers, eyes, etc are not able to make use of
biometrics-based E&IT simply because currently these solutions rely upon
only one unique biometric measurement, such as a fingerprint. Allowing
such solutions to accept alternative biometrics will decrease the number
of people who are unable to use such biometrics solutions greatly, since
people with multiple disabilities of this type are a smaller portion of
the population. This, however, is only an interim step until biometric or
nonbiometric alternatives are identified and integrated into security best
practices that "all people" regardless of disability are able to use the
procedure. For example, one potential solution may rely upon circulation
only, and it may be true that no people are missing circulation, so this
would be an accessible biometric.


Until nonbiometric forms of identification, control or activation have
been integrated into security best practices, such biometric-based
systemsmust be
developed to allow multiple biometrics to be used. Alternatively, until a
biometric solution is identified that all people can use, biometrics
systems that use multiple biometrics or nonbiometrics must be employed.
For example, fingerprints and retina patterns are just two examples. It
is less likely for people
to have both missing fingerprints and retinas than either stand-alone.
Even if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide
comparable access.

It is strongly recommended that the Access-Board direct research to
identify nonbiometrics forms of identification, control or activation, or
biometric alternatives that all people can make use of, to be integrated
in to security best practices and standards in the near future.





Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 9:14 AM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued
Thanks Allen,

- first � thanks for catching the �control� part. That was supposed to
be removed. It should be identification only. The word control confuses
biometric issue with the biologically activated controls issue. We
decided to make this biometrics only � but forgot the edit. (done in
conjunction with hardware)

- on your point 2 � please say more. I don't quite understand.
Those are the words that allow the type of solution we were instructed to
include. Your proposed language is easier to understand or read but does
not include the option we were instructed to include.

- on your point 3 regarding �unique characteristic� � that
should be covered by the word �biometric� � but perhaps it would be good
to spell it out a bit since there was already confusion with biologic
controls.

How about

�When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is
not affected by any disability.�
NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and
voice.

This language does NOT allow for a double biometric approach. Do we
think two biometric is OK? Which two? What about employees who lose
two? Should there always be another option � so they are not barred?

Remember that if there was an �iris or passcode�, only the person without
an iris would need to be able to use the passcode. Not everyone.

Thoughts?

There was a suggestion to bring in some people with security background.
Does someone know some people we could invite?

Thanks


Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman,
Allen
Sent: Wednesday, July 18, 2007 3:14 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
Specific items:

1. language says when identification or control, and then identification
or activation, reconcile this.
2. The language on "all people" while potentially functionally
equivalent, may not read as precisely.
3. There isn't the "unique characteristic" language anymore and that is
key to the biometrics usage.


original:
When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people



Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Wednesday, July 18, 2007 4:08 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued
At the last TEITAC meeting we were specifically asked to create a
provision that allowed a single biometric device to be used if the
biometric was something that everyone had. Like a biometric system based
on a persons circulatory system. You language would seem to prevent
that. So we would have to go against the TEITAC directive.

Other than that they look much the same.
What did you see that the working group language allowed that it shouldn�t
(and your�s prevented) or that the working group language
prevented/required that it shouldn�t and yours allowed.


Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman,
Allen
Sent: Wednesday, July 18, 2007 1:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
Current language:

When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people
can use the biometric device.

Suggested update:

When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide
an alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.



Explanatory note:

Until nonbiometric forms of identification, control or activation have
been integrated into security best practices, such biometric-based systems
must be developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can
not use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.

It is strongly recommended that the Access-Board direct research to
identify nonbiometrics forms of identification, control or activation to
be integrated in to security best practices and standards in the near
future.






Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Hoffman, Allen
Date: Thu, Jul 19 2007 3:20 PM
Subject: Re: biometrics continued

Retinal scans were only inserted as "an example", not proposed as any
viable solution.
I would be interested eventually to know what is happening with
validation of claims made by some concerning facial scans that rely
primarily upon the circulation in the face, which is not dependent upon
age, make-up, or even cosmetic changes, but apparently is reputed to
remain consistently measurable over ones lifetime.

but, face recognition always has sounded like the way to go, but getting
there has been a real challenge.

I suspect there is a huge cost difference however, but that is another
whole topic.





Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Jared Smith
Date: Thu, Jul 19 2007 5:05 PM
Subject: Re: biometrics continued

Just a friendly reminder for folks to please trim your messages to the
relevant portions of the message you are quoting or replying to. In threads
that are sometimes 10's of messages deep, quoting the entirety of all the
messages ahead of yours is not necessary, requires a lot of bandwidth and
scrolling to read, and is making the list archives almost entirely unusable.
The 18 messages in this thread alone requires 97 printed pages on my
computer, with about 93 of those pages being quoted messages -
http://teitac.org/mailarchives/mail_thread.php?thread=1343

Thanks!

Jared Smith

From: Gregg Vanderheiden
Date: Fri, Jul 20 2007 12:05 PM
Subject: Re: biometrics continued

Thanks Terry,

That is exactly the kind of thing that I think Jim had in mind and that we
don't want to exclude as OK.



Please do.




Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of
= EMAIL ADDRESS REMOVED =
Sent: Thursday, July 19, 2007 3:55 PM
To: TEITAC General Interface Accessibility Subcommittee
Cc: TEITAC General Interface Accessibility Subcommittee;
= EMAIL ADDRESS REMOVED =
Subject: Re: [teitac-general] biometrics continued


This subject has also been raised with the Federal Identity Credential
Committee (FICC), who are working with GSA and NIST on ID standards for all
Federal employees. I have been speaking with Judy Spencer, who works in
another division in my office and we have met with the Access Board
regarding the standard that agencies need to follow in selecting, creating
and using Federal Identity cards.

I forwarded some of our emails and ask that she share the discussion
regarding the two forms of biometric identification (fingerprint and retinal
scan) with the members of the FICC and here is Judy's reply - "I will share
this. Currently, FIPS 201 does have an alternative - the facial image.
Since we all have faces (if you can show me someone without a face, I'd be
very interested) and facial recognition software is really quite good (it
deals well with changes in facial hair and glasses) and getting better, I
think this is the best and least invasive alternative. Retinal scans
require you to put your eye up to a sensor and hold relatively still,
someone with a palsy would have as much trouble, if not more, with this
alternative as with presenting a readable fingerprint."

I will be happy to forward responses to her.







"Hoffman, Allen" < = EMAIL ADDRESS REMOVED = >
Sent by: = EMAIL ADDRESS REMOVED =

07/19/2007 04:39 PM


Please respond to
"TEITAC General Interface Accessibility Subcommittee"
< = EMAIL ADDRESS REMOVED = >


To

"TEITAC General Interface Accessibility Subcommittee"
< = EMAIL ADDRESS REMOVED = >


cc




Subject

Re: [teitac-general] biometrics continued











This sounds like you and I are thinking along similar lines.



Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303




_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 3:44 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued

Me personally?

My approach is to start with the ideal, then explore all the approaches.
Then see what is possible and practical.

There are different environments here so I think I would look for

1) a general guideline that seeks what is needed
2) sub provisions that cover situations
a. e.g ir x is not possible then y.
b. if non-biometric is not possible then at least two (or finger and
hand) (or one not requiring vision or eyes) (o r something else ) OR the
biometric does not involve something that a person can lose (e.g. biometric
analysis of circulatory system).

So I don't start out with any preconceived limitations.

Will be great to hear from people who may know about security issues across
the gov - including high and low security use of biometrics.



Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 1:47 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
Gregg:

Do you have any philosophical problem with this approach? I think this path
may get us moving toward more accessible biometrics, or alternates more
quickly than basically just leaving the full or nothing on the table only.
I'm saying this from some direct experiences here at DHS where this is
indeed an active continuous challenge. If, AB indeed did say that path is
not what they want, then we can certainly consider offering our experiences
up for consideration as supplemental information. To be honest what is
needed is hard research on identifying the accessible biometric or
alternative that is accepted by the security community as real.







Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:42 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued
Ok

Not sure it is an AB issue is it?
I think they will tell us it is our decision.

Oh - when I said I was told "two biometrics wasn't acceptable" - it wasn't
by the Access Board. It was on one of our calls (or one of the calls. I
can't remember if it was in general or another group)


Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 1:34 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
I'll raise this with the Access Board.
thanks.



Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 2:33 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued
Oh you are correct. The new language does not allow two biometrics.
But that was because I was told that was not acceptable. I was told it
only reduced the problem but still barred the rest from access.

So the wording covered that. If covering that vast majority is good enough
- then we can look at two biometrics. I was just trying to go with the
constraints laid down.

Lets take this up and discuss it again. We certainly need to determine what
we are TRYING to say -before we can figure out the words.


Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Thursday, July 19, 2007 9:51 AM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
I think our practical experience in dealing with this at the present time
is that adding at least one additional biometric as an alternative will
address the vast majority of people affected, e.g. the same approach of
"lets deal with the things we can first", as we are doing in lots of 508
now.

Your suggested language:

"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."
NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.


Is not operationally much different than what we have now, and doesn't
provide steps to solutions we can move towards to the final aspirational
solution.

I don't think this is clear that adding alternate biometrics is accepted. My
experience with security requirements is that they are very specific, so our
requirements must be as precisely defined as we can make them to leave
little room for unclarity. I believe the Access-Board was looking for some
expertise that could identify acceptable alternatives to biometric usage. I
don't think we have done that yet, so we need to encode the practical
acceptable "real world" approach first, as long as the aspirational solution
is not prohibited.

So my previous suggestion was:

When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.

Explanatory note:
Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.

It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated
in to security best practices and standards in the near future.

I think this can be strengthened to include the aspirational more clearly to
reconcile both.

Revision:

When biometric forms of user identification or controlor activation are used
which rely upon a person possessing one unique biological characteristic,
an alternative form of identification or control or activation must also be
provided which uses alternate biometric unique characteristics, relies upon
a biometric characteristic that all people have, or does not
rely upon biometrics. Agencies must provide an alternate means of access
for anyone who can not use the provided biometrics-based form of
identification,
control or activation.

Explanatory note:

People who do not have fingers, eyes, etc are not able to make use of
biometrics-based E&IT simply because currently these solutions rely upon
only one unique biometric measurement, such as a fingerprint. Allowing such
solutions to accept alternative biometrics will decrease the number of
people who are unable to use such biometrics solutions greatly, since people
with multiple disabilities of this type are a smaller portion of the
population. This, however, is only an interim step until biometric or
nonbiometric alternatives are identified and integrated into security best
practices that "all people" regardless of disability are able to use the
procedure. For example, one potential solution may rely upon circulation
only, and it may be true that no people are missing circulation, so this
would be an accessible biometric.


Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systemsmust be
developed to allow multiple biometrics to be used. Alternatively, until a
biometric solution is identified that all people can use, biometrics systems
that use multiple biometrics or nonbiometrics must be employed. For
example, fingerprints and retina patterns are just two examples. It is less
likely for people
to have both missing fingerprints and retinas than either stand-alone. Even
if multiple biometrics are available, when people can not use those,
alternate
means of access must be provided in policy and implementation for those
affected. For example, for someone who has no retinas or fingers, another
procedure,
which could involve physical assistance may be needed to provide comparable
access.

It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation, or biometric
alternatives that all people can make use of, to be integrated
in to security best practices and standards in the near future.






Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Thursday, July 19, 2007 9:14 AM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued
Thanks Allen,

- first - thanks for catching the "control" part. That was supposed to be
removed. It should be identification only. The word control confuses
biometric issue with the biologically activated controls issue. We
decided to make this biometrics only - but forgot the edit. (done in
conjunction with hardware)

- on your point 2 - please say more. I don't quite understand.
Those are the words that allow the type of solution we were instructed to
include. Your proposed language is easier to understand or read but does
not include the option we were instructed to include.

- on your point 3 regarding 'unique characteristic' - that should
be covered by the word 'biometric' - but perhaps it would be good to spell
it out a bit since there was already confusion with biologic controls.

How about

"When biometric forms of user identification are used, an alternative form
of identification must also be provided unless the biometric measure is not
affected by any disability."
NOTE: Disabilities routinely involve loss of hands, eyes, limbs, and voice.


This language does NOT allow for a double biometric approach. Do we think
two biometric is OK? Which two? What about employees who lose two?
Should there always be another option - so they are not barred?

Remember that if there was an "iris or passcode", only the person without
an iris would need to be able to use the passcode. Not everyone.

Thoughts?

There was a suggestion to bring in some people with security background.
Does someone know some people we could invite?

Thanks


Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 3:14 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
Specific items:

1. language says when identification or control, and then identification or
activation, reconcile this.
2. The language on "all people" while potentially functionally equivalent,
may not read as precisely.
3. There isn't the "unique characteristic" language anymore and that is key
to the biometrics usage.


original:
When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people




Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303






_____



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Gregg
Vanderheiden
Sent: Wednesday, July 18, 2007 4:08 PM
To: 'TEITAC General Interface Accessibility Subcommittee'
Subject: Re: [teitac-general] biometrics continued
At the last TEITAC meeting we were specifically asked to create a provision
that allowed a single biometric device to be used if the biometric was
something that everyone had. Like a biometric system based on a persons
circulatory system. You language would seem to prevent that. So we
would have to go against the TEITAC directive.

Other than that they look much the same.
What did you see that the working group language allowed that it shouldn't
(and your's prevented) or that the working group language
prevented/required that it shouldn't and yours allowed.


Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.






_____



From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Hoffman, Allen
Sent: Wednesday, July 18, 2007 1:38 PM
To: TEITAC General Interface Accessibility Subcommittee
Subject: Re: [teitac-general] biometrics continued
Current language:

When biometric forms of user identification or control are used, an
alternative form of identification or activation must also be provided
unless all people
can use the biometric device.

Suggested update:

When biometric forms of user identification or control or activation are
used which rely upon a person possessing one unique biological
characteristic, an alternative form of identification or control or
activation must also be provided which uses alternate biometric unique
characteristics, or does not rely upon biometrics. Agencies must provide an
alternate means of access for anyone who can not use the provided
biometrics-based form of identification, control or activation.



Explanatory note:

Until nonbiometric forms of identification, control or activation have been
integrated into security best practices, such biometric-based systems must
be developed to allow multiple biometrics to be used. For example,
fingerprints and retina patterns are just two examples. It is less likely
for people to have both missing fingerprints and retinas than either
stand-alone. Even if multiple biometrics are available, when people can not
use those, alternate means of access must be provided in policy and
implementation for those affected. For example, for someone who has no
retinas or fingers, another procedure, which could involve physical
assistance may be needed to provide comparable access.

It is strongly recommended that the Access-Board direct research to identify
nonbiometrics forms of identification, control or activation to be
integrated in to security best practices and standards in the near future.







Allen Hoffman -- = EMAIL ADDRESS REMOVED = ; v: 202-447-0303

From: Schomburg, Paul
Date: Mon, Jul 30 2007 10:10 AM
Subject: Re: biometrics continued

Folks: I would like to give some input regarding the biometrics
discussion from the week before last.

FIPS 201 requires every agency to use the interoperable fingerprint
biometric. This is the only interoperable biometric required by FIPS
201. However, each agency also has the discretion to use any additional
biometric it prefers for agency-specific needs. Under the FIPS 201-1
standard for the PIV card for federal employees and contractors, it is
also mandatory to store the facial image data object on the PIV smart
card. However, this facial image is intended only to be used in
generating a printed image and to augment authentication of the card
holder. Although NIST Special Publication (SP) 800-76-1 requires the
data format of the image to conform to the INCITS 385-2004 biometric
data interchange format standard, there is no requirement that the
facial image be used for automated biometric matching. Section 2.1 of
SP800-76-1 allows agencies to select other biometrics to meet specific
operational needs, but does not require the second biometric to be
interoperable across agencies.

Since biometric technologies are just starting to be deployed in the
Federal government, I would be careful in giving a preference or
requirement to support a specific technology such as "facial
recognition" as a second biometric identifier. For example, Iris
recognition is also a strong biometric identifier that can be used even
with an individual with no sight (but of course with an eye), and can be
accomplished without the requirement to sit perfectly still while
scanned. Iris recognition involves no lasers, bright lights, or any
invasive technology at all, making it as safe to use as a video camera.
For a more detailed overview of iris recognition see:
http://www.ibia.org/membersadmin/whitepapers/pdf/14/irisrecog.pdf. For
an overview of other biometric technologies see:
http://www.ibia.org/biometrics/technologies.asp

I would suggest that if TEITAC requires a second biometric identifier it
should leave the choice up to each agency (or a future government-wide
process) to determine what is both most secure and accessible to people
with disabilities. Panasonic works with the International Biometrics
Industry Association (www.ibia.org) and would be happy to facilitate
further discussion on this topic with IBIA.

Thanks, Paul

_____


From: = EMAIL ADDRESS REMOVED =
[mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of
= EMAIL ADDRESS REMOVED =
Sent: Thursday, July 19, 2007 3:55 PM
To: TEITAC General Interface Accessibility Subcommittee
Cc: TEITAC General Interface Accessibility Subcommittee;
= EMAIL ADDRESS REMOVED =
Subject: Re: [teitac-general] biometrics continued


This subject has also been raised with the Federal Identity Credential
Committee (FICC), who are working with GSA and NIST on ID standards for
all
Federal employees. I have been speaking with Judy Spencer, who works in
another division in my office and we have met with the Access Board
regarding the standard that agencies need to follow in selecting,
creating
and using Federal Identity cards.

I forwarded some of our emails and ask that she share the discussion
regarding the two forms of biometric identification (fingerprint and
retinal
scan) with the members of the FICC and here is Judy's reply - "I will
share
this. Currently, FIPS 201 does have an alternative - the facial image.
Since we all have faces (if you can show me someone without a face, I'd
be
very interested) and facial recognition software is really quite good
(it
deals well with changes in facial hair and glasses) and getting better,
I
think this is the best and least invasive alternative. Retinal scans
require you to put your eye up to a sensor and hold relatively still,
someone with a palsy would have as much trouble, if not more, with this
alternative as with presenting a readable fingerprint."

I will be happy to forward responses to her.

From: Gregg Vanderheiden
Date: Thu, Aug 02 2007 10:55 PM
Subject: Re: biometrics continued

Thanks Paul

You said that agencies were free to use a second biometric. Do you mean an
alternative biometric?

The provision we have been discussing is


"When biometric forms of user identification or control are used, an
alternative form of identification or activation shall also be provided
unless all people can use the biometric device."

This would seem to meet your recommendation that a specific form not be
required. Does it?

Do you have any recommendationed changes to this?


Gregg
-- ------------------------------
Gregg C Vanderheiden Ph.D.



> -----Original Message-----
> From: = EMAIL ADDRESS REMOVED =
> [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of
> Schomburg, Paul
> Sent: Monday, July 30, 2007 11:07 AM
> To: = EMAIL ADDRESS REMOVED =
> Cc: Schomburg, Paul
> Subject: Re: [teitac-general] biometrics continued
>
> Folks: I would like to give some input regarding the
> biometrics discussion from the week before last.
>
> FIPS 201 requires every agency to use the interoperable
> fingerprint biometric. This is the only interoperable
> biometric required by FIPS 201. However, each agency also
> has the discretion to use any additional biometric it prefers
> for agency-specific needs. Under the FIPS 201-1 standard for
> the PIV card for federal employees and contractors, it is
> also mandatory to store the facial image data object on the
> PIV smart card. However, this facial image is intended only
> to be used in generating a printed image and to augment
> authentication of the card holder. Although NIST Special
> Publication (SP) 800-76-1 requires the data format of the
> image to conform to the INCITS 385-2004 biometric data
> interchange format standard, there is no requirement that the
> facial image be used for automated biometric matching. Section 2.1 of
> SP800-76-1 allows agencies to select other biometrics to meet
> specific operational needs, but does not require the second
> biometric to be interoperable across agencies.
>
> Since biometric technologies are just starting to be deployed
> in the Federal government, I would be careful in giving a
> preference or requirement to support a specific technology
> such as "facial recognition" as a second biometric
> identifier. For example, Iris recognition is also a strong
> biometric identifier that can be used even with an individual
> with no sight (but of course with an eye), and can be
> accomplished without the requirement to sit perfectly still
> while scanned. Iris recognition involves no lasers, bright
> lights, or any invasive technology at all, making it as safe
> to use as a video camera.
> For a more detailed overview of iris recognition see:
> http://www.ibia.org/membersadmin/whitepapers/pdf/14/irisrecog.
> pdf. For an overview of other biometric technologies see:
> http://www.ibia.org/biometrics/technologies.asp
>
> I would suggest that if TEITAC requires a second biometric
> identifier it should leave the choice up to each agency (or a
> future government-wide
> process) to determine what is both most secure and accessible
> to people with disabilities. Panasonic works with the
> International Biometrics Industry Association (www.ibia.org)
> and would be happy to facilitate further discussion on this
> topic with IBIA.
>
> Thanks, Paul
>
> _____
>
>
> From: = EMAIL ADDRESS REMOVED =
> [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of
> = EMAIL ADDRESS REMOVED =
> Sent: Thursday, July 19, 2007 3:55 PM
> To: TEITAC General Interface Accessibility Subcommittee
> Cc: TEITAC General Interface Accessibility Subcommittee;
> = EMAIL ADDRESS REMOVED =
> Subject: Re: [teitac-general] biometrics continued
>
>
> This subject has also been raised with the Federal Identity
> Credential Committee (FICC), who are working with GSA and
> NIST on ID standards for all Federal employees. I have been
> speaking with Judy Spencer, who works in another division in
> my office and we have met with the Access Board regarding the
> standard that agencies need to follow in selecting, creating
> and using Federal Identity cards.
>
> I forwarded some of our emails and ask that she share the
> discussion regarding the two forms of biometric
> identification (fingerprint and retinal
> scan) with the members of the FICC and here is Judy's reply -
> "I will share this. Currently, FIPS 201 does have an
> alternative - the facial image.
> Since we all have faces (if you can show me someone without a
> face, I'd be very interested) and facial recognition software
> is really quite good (it deals well with changes in facial
> hair and glasses) and getting better, I think this is the
> best and least invasive alternative. Retinal scans require
> you to put your eye up to a sensor and hold relatively still,
> someone with a palsy would have as much trouble, if not more,
> with this alternative as with presenting a readable fingerprint."
>
> I will be happy to forward responses to her.
>
>
>