Fact, Fiction or Future Reality?

Oct. 1, 2012
A gaze into the access control crystal ball reveals we are closer to sci-fi reality than you think

Very early in my security career, in the late 1970s, there was a rumor that research was being done on use of alpha waves, emitted by the occipital lobe of the brain, as a unique identifier of a person. It was posited that alpha wave activity could be detected and measured using electroencephalography (EEG) or magnetoencephalography (MEG) as the person walked through a portal.

There are a few potential problems with such a system: alpha waves are most commonly present during relaxed wakefulness with eyes closed (rather than during alert physical activity such as walking) and their frequency is very low (about 10 waves per second) permitting only a small sample to be read as the person passed the sensor.

However, the concept behind the rumored research points to the pot of gold at the end of the personal authentication rainbow: the ability to positively and uniquely identify someone without them touching anything or requiring them to interrupt their activity — the goal as yet only seen in science fiction.

Here are the access control concepts, some of the new technology already on the market and a look at where these technological innovations may lead in the future.

Biometrics
Existing methods of identification — the first factor in positive access control — rely on some form of credential that is physical, e.g., a card (what you have); memorized, e.g., a password or PIN (what you know) or a measurable aspect (biometric) of the person, e.g., fingerprint or iris geometry (what you are).

Card systems are becoming more and more sophisticated in their capability for multiple uses, and also in their security, for example, HID Global’s Secure Identity Object (SIO) and Trusted Identity Platform (TIP) frameworks. However, on its own, verifying and validating an access card does not verify or validate the credential holder — only the credential.

Password systems, particularly as authentication for logical access, have evolved as our data has become more important and/or personal. Simple four-digit PINs have been replaced with passwords containing stronger mixes of alpha, numeric and special characters. Their limitations mostly relate to the frailty of the human memory that lead us to either select passwords that are easier to memorize — and, therefore, more easily guessed by an adversary — or to record them, which makes them more easily discoverable.

Biometric identification has been around for eons: we use many human characteristics to recognize those known to us, like face, voice and mannerisms, and those who may be discerned as friends rather than foes through language, behavior, accents, hairstyle, clothing style and even eye color. Fingerprint, hand geometry and signature dynamics were three early leaders in a field that has expanded to include computerized facial recognition, scanning of the eye’s iris, and blood vessel patterns in the retina of the eye, the wrist, the back of the hand and the palm.

To be a candidate for biometric identification the human characteristic under consideration must number a number of technical and operational criteria:

• The biometric characteristic must be measurable in real time – waiting an extended period of time at a door while a DNA sample is processed is far from acceptable to most business operations.

• The biometric measurement must be reducible to a template that can be recordable and searchable for comparison against the next time that the individual presents their biometric credential. Again, the processing time needs to be within fractions of a second to be acceptable to a user.

• The template for each individual must be sufficiently different to uniquely and repeatedly identify that person.

• The feature should be stable over time, although slow changes over a number of years can be accommodated by many systems.

• The biometric feature must be very difficult to falsify — for example, height and weight could easily be replicated, but blood vessel patterns seen under infrared lighting would require extraordinary measures to synthesize.

The system criteria described above lead to measurable performance parameters such as times for enrollment and access control operations and the following:

• Type 1 Errors – the probability that an authorized person is falsely rejected (should be low to ensure that the CEO is not rejected and throws out the security system)

• Type 2 Errors – the probability that an unauthorized person is falsely accepted (should be extremely low for obvious reasons)

A live biometric measurement never exactly matches the owner’s stored template, so some leeway is given to the acceptance/rejection threshold. On many biometric systems, these error rates are adjustable — in some cases on a per-person basis to accommodate special physical characteristics. Reducing the acceptance threshold reduces Type 1 errors but also increases Type 2. Examination of the point at which the errors are the same (the Crossover Point) allows useful comparison of different biometric systems.

We have seen numerous biometric systems based on our hands. The PalmEntry2 from Fujitsu adds to this field with authentication technology that uses near-infrared light to measure vascular patterns in the palm of the hand. The device requires the blood in the veins to be flowing so the dismembered hand of a once authentic individual is not a valid credential. Taking the biometric measurements does not require contact with the sensor — the palm is held about two inches above the reader — and is not affected by surface skin conditions on the palm. As with other biometric systems, it can include multi-factor authentication by adding PIN pad and/or various card technologies.

Iris scan is seeing new applications with readers integrated into turnstile pedestals. The LG IrisAccess systems still require the cooperation of the individual to pause and look at the iris camera, but it can capture images of both eyes in two seconds from feet away, rather than inches. The probability of the system developing the same two-eye templates from two different people is a staggering 1:1078.

These new biometric systems show great progress towards the goal of authenticating an individual in full stride without any input from them.

Carried Credentials
Much progress has been made in the area of security in reading and transmitting data from credentials that we carry — passive contact and contactless cards as well as active devices. The new Near Field Communications (NFC) technology is the target of a bundle of development money from companies that include such security industry heavy-hitters as Honeywell, Assa Abloy and HID Global. The goal is to add this technology to our smart phones and turn them into access credentials. In a college setting, students — who tend to be early adopters of new technology — may forget their access card, but they will very rarely forget to carry their cell phone.

The TSA has started a pilot program to test NFC-enabled phones for both passenger ID credentials as well as boarding passes. Other future uses of NFC in smart phones, in addition to access control, will be vending, cafeteria and other purchasing functions such as buses, trains, laundry or wherever your current credit card is accepted.

It is estimated that 46 percent of smart phones will be NFC-enabled by 2016. The only caveat is phone battery life — there will be a big backlash if you cannot get into your house, apartment or dorm at the end of the day!

Another technology whose time has come is the active RFID (Radio Frequency Identification) tag that can be detected through triangulation and can alert or alarm if an individual moves to an unauthorized area. Such devices have been used for infant monitoring in hospitals for years — Vizbee RFID Solutions promotes this technology for more than just access control and infant protection – it also lists asset (and people) tracking, warehouse management, chain-of-custody and retail applications.

The day may be coming where we will be wearing a subcutaneous active tag to achieve the authentication dream!

Locking Devices
Until a few years ago, locking devices have long been considered the low-tech components of access control. However, developments in offline card and PIN pad locking systems and their wireless online siblings have shown that locks have come of age.

One of the benefits of these locking systems is their low cost of installation with no cabling required. Battery-powered offline locks will support thousands of activations but the online types with wireless communications suffer from the need to skimp on data transmission to save battery power.

This limitation has now been blown away by Assa Abloy, which won one of ASIS’s 2012 Accolade Awards with its PowerJump inductive coupling power transfer (ICPT) device that can wirelessly transmit up to 6 watts of power (12 or 24 VDC) across the gap (up to ¼ inch wide) between the frame and the door. This is the same technology that Apple uses for contactless cell phone battery charging.

Assa Abloy’s next trick? They are researching the possibility of wireless data transmission using the same inductive coupling technology.

The company also won an ASIS accolade for its wireless, battery-powered cabinet lock with built-in contactless smart card reader. This provides a cost effective solution for access to individual racks in data centers and web hosting/IT hotel facilities.

The Future?
Regardless of the state of the economy, innovation is alive and kicking. We are seeing development of existing technology and new ideas pushing the access control industry to the ultimate goal of authentication and subsequent unimpeded access to authorized areas without the need for a pause or an overt action while, of course, denying access to unauthorized individuals.

New technologies will continue to surface; in fact, research is under way in Finland on the measurement and analysis of rapid involuntary eye movements called saccades. Patterns of these movements are as unique as fingerprints but preliminary test show a requirement of 30 seconds to measure enough saccades to yield a high enough degree of accuracy.

Facial recognition has been one of the most promising technologies for passive authentication — after all, it is the oldest form of personal identification. Perhaps the next few years will see the emergence of more solutions to the myriad challenges that the technology has faced.

Moore’s Law says technology will double every two years, so whatever the outcome, we are in for a thrilling ride!

David G Aggleton, CPP, CSC, has been developing security system design solutions for building managers and tenants in more than 150 commercial office buildings. He is a member of the International Association of Professional Security Consultants (www.IAPSC.org) and the ASIS Security Architecture & Engineering Council. He can be reached at [email protected].