Biometrics 101: A Primer for Physical Access Control
By Debra Spitler
The world of physical access control was altered by the events of September 11, 2001, as veterans of this industry will attest. Prior to that time, physical access control systems relied upon technologies such as barium ferrite, magnetic stripe, Wiegand, and proximity to provide an appropriate level of security.
Biometric technology was rarely considered for use in a physical access control system. The need for high security translated into the requirement to provide a proximity reader and card as opposed to a magnetic stripe reader and card. Further, the concept of identity verification did not enter the picture.
Times have changed. U.S. government agencies such as the Transportation Security Administration and the Federal Aviation Administration, as well as private industry, are seriously considering the benefits of a second level of physical security that incorporates biometric technology. As a result, biometric technology providers are seeking ways to transfer their knowledge to the physical access control marketplace. Likewise, access control system manufacturers and large system integrators are beginning to take an active interest in learning about and supporting biometric technologies at the end-user level.
As new opportunities for growth in the access control arena emerge, it is important to remember that biometrics is a technology, not an industry, says John Hunepohl, president of Exact Identification Corporation. "Before applying any technology, first identify the problem. Second, define a solution. Third, see how your technology can become part or all of the solution."
What Are Biometrics?
Biometric systems use automated techniques that verify or identify people by their physical characteristics. Various technologies are currently available for biometric authentication.
The role of biometrics in physical access control is to provide security and convenience. "Given the new security-conscious climate and the reduction in cost for biometric devices, there is an increasing adoption based on security requirements," says Frances Zelazny, director of corporate communications for Identix Inc. Physical access control is one of the most demanding applications of biometrics.
Initial biometric systems stood alone; they did not integrate with existing access control systems. However, most companies now provide systems that integrate quite easily with legacy hardware by means of Wiegand data. To work within the legacy market, Exact Identification Corporation designed its biometric offering with the following three objectives:
1) The end user will not have to add additional wire or cable. The unit will connect using the existing access control reader cable.
2) The end user will not have to re-badge employees or contractors.
3) Most important, the biometric reader installation will have no impact on the management of the access control system software. It will not be necessary to retrain any access control operator.
Hunepohl said, "The biometric reader, like a proximity reader, becomes just another component of the access control system."
When biometric systems integrate with existing systems through Wiegand data, the biometric reader looks to the door controller just like a normal card reader. This typically requires that the biometric data be handled separately from the user data managed by the access control system. Biometric data is handled by software provided by the vendor. One way biometric vendors have maneuvered around this drawback is by offering products that utilize smart card technology. Contactless read/write smart card technology operating at the 13.56 MHz frequency will play a strong supporting role in the adoption of biometric technology. By offering end users the ability to store the biometric template on a contactless smart card, manufacturers offer end users the convenience and read range of proximity, enhanced by the data storage and processing capability of a smart card. When biometric templates are stored on the card, there is no need to distribute the biometric data to the various readers in a facility. The access control system still manages access rights by means of the ID number sent from the biometric reader to the door controller.
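The division of labor described above, as an added example that is not from the original article or any vendor: the reader matches the live scan against the template read from the card and, on success, hands the door controller an ID number in a Wiegand frame. The common 26-bit layout is an assumption (the article names no format), and `reader_verify_and_send`, `controller_decide`, `card_record` and `live_score` are hypothetical names.

```python
# Added example: the 26-bit Wiegand frame a biometric reader hands to the controller.
# Assumption: the common 26-bit layout (even parity bit, 8-bit facility code,
# 16-bit card number, odd parity bit); the article does not name a format.

def encode_wiegand26(facility, card):
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)      # first 13 bits get an even count of 1s
    odd = str(1 - data[12:].count("1") % 2)   # last 13 bits get an odd count of 1s
    return even + data + odd

def decode_wiegand26(bits):
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 bits")
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        raise ValueError("parity error")
    return int(bits[1:9], 2), int(bits[9:25], 2)

def reader_verify_and_send(card_record, live_score, threshold):
    """Reader side (hypothetical): the template comes from the card, the match
    happens in the reader, and only the ID leaves it. live_score is a
    constructed stand-in for the vendor matcher's output."""
    if live_score < threshold:
        return None                           # failed match: no frame is sent
    return encode_wiegand26(card_record["facility"], card_record["card"])

def controller_decide(frame, access_list):
    """Controller side (hypothetical): it sees an ID number only, exactly as
    it would from a proximity reader, and applies its own access rights."""
    if frame is None:
        return "no read"
    return "grant" if decode_wiegand26(frame) in access_list else "deny"

if __name__ == "__main__":
    record = {"facility": 42, "card": 12345}  # constructed sample credential
    frame = reader_verify_and_send(record, live_score=0.91, threshold=0.60)
    print(frame, controller_decide(frame, {(42, 12345)}))
```

Because the controller receives nothing but the ID, the match threshold and template handling stay entirely in the reader and the vendor's software.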
To help end users migrate to biometric technology, contactless smart card manufacturers have developed a "smart" tag. The tag adheres to any existing card or non-metallic device to easily and cost-effectively produce a contactless smart card. Alternatively, end users have the option to purchase multi-technology credentials that combine two or more technologies into one ISO standard thin card. No matter what technologies are needed, these types of options assist end users in leveraging their investment in existing systems while upgrading to new technologies and applications.
According to Webb, future systems will be even further integrated by changing the communication link between the door controller and the reader to RS-232 or RS-485. The access control system can be the central repository and manager of all data, including biometric information. Only the necessary data is transmitted to the biometric reader at the door. This also enables the physical access control system to manage logical access control through biometric PC log-on.
Successfully Deploying a Biometric Solution
To ensure a successful deployment of the chosen biometric solution, consider the following.
1) Choose a biometric sensor based on the application, and understand the system requirements.
2) The chosen solution must be robust and maintainable. Be especially sensitive to any environmental conditions (e.g., outdoor installations, dirty environments) that may affect the reliability of the solution.
3) Users must accept the solution. Train employees in the use of the new technology. This should result in employees perceiving the value of increased security. Address any employee issues associated with privacy. Increase throughput with a second factor, such as proximity, but be sure that the throughput rate does not diminish convenience.
4) Maximize flexibility in setting the threshold with an authentication mode.
5) Enrollment must be completed quickly and easily by trained, trusted administrators. Be ready to handle any limitations associated with enrolling users. According to the UK Biometrics Working Group, "You cannot expect to find a single biometric that will be accessible for all of your users, all of the time."
Error Rates
Most people considering biometric technology for their facilities have concerns about the accuracy and performance of biometrics. In general, technology experts agree that the accuracy and response time have improved. However, given the way data is reported, it is difficult to quantitatively estimate the level of improvement.
Within the world of biometrics, we hear about false acceptance rates (FAR) and false rejection rates (FRR). Most manufacturers of biometric products indicate that such errors typically result from improper use (improper positioning and recording of traits during the enrollment process), rather than inaccuracy of the technology.
According to Webb, modern biometric systems are very accurate and may have false acceptance rates of less than 1 in 10,000. When the system is tuned this way, the false rejection rates increase dramatically. Therefore, a way of looking at the systems on equal footing is the equal error rate, the level at which the false acceptance and false rejection rates are equal. Some of the best systems have an equal error rate of approximately 1 in 1,000. These numbers are generated based on large databases of collected templates.
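The trade-off described above, as an added example that is not from the original article: FAR and FRR are computed over two sets of match scores, the equal-error threshold is located, and the FRR is read off again after tightening the threshold to a FAR of 1 in 10,000. The scores are constructed (evenly spaced quantiles of two assumed normal distributions), not measurements from any product.

```python
# Added example: FAR/FRR trade-off and equal error rate on constructed scores.
from bisect import bisect_left
from statistics import NormalDist

def quantile_sample(mu, sigma, n):
    """Deterministic, constructed stand-in for n measured match scores."""
    dist = NormalDist(mu, sigma)
    return sorted(dist.inv_cdf((i + 0.5) / n) for i in range(n))

# Constructed data, higher score = closer match. Not from any real device.
IMPOSTOR = quantile_sample(0.30, 0.08, 50_000)   # different-person comparisons
GENUINE = quantile_sample(0.84, 0.10, 5_000)     # same-person comparisons

def far(threshold):
    """False acceptance rate: share of impostor scores at or above threshold."""
    return (len(IMPOSTOR) - bisect_left(IMPOSTOR, threshold)) / len(IMPOSTOR)

def frr(threshold):
    """False rejection rate: share of genuine scores below threshold."""
    return bisect_left(GENUINE, threshold) / len(GENUINE)

def equal_error_threshold(lo=0.0, hi=1.0, steps=40):
    """Bisect for the point where falling FAR meets rising FRR."""
    for _ in range(steps):
        mid = (lo + hi) / 2
        if far(mid) > frr(mid):
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def threshold_for_far(target, lo=0.0, hi=1.0, steps=40):
    """Lowest threshold whose FAR does not exceed target."""
    for _ in range(steps):
        mid = (lo + hi) / 2
        if far(mid) > target:
            lo = mid
        else:
            hi = mid
    return hi

def report():
    t_eer, t_strict = equal_error_threshold(), threshold_for_far(1 / 10_000)
    return {"eer_threshold": t_eer, "eer": (far(t_eer) + frr(t_eer)) / 2,
            "strict_threshold": t_strict, "strict_far": far(t_strict),
            "strict_frr": frr(t_strict)}

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.5f}")
```

On this constructed data the equal error rate is a little over 1 in 1,000, and holding FAR to 1 in 10,000 raises the false rejection rate several times over.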
Enrollment quality and operational use issues must also be considered. If someone does not provide the best input to the device, the false rejection rate will be high. Training is often the best solution. The installer or integrator should train the end user on how to properly enroll the biometric. This includes how to place the finger, the projected response time, and what to do in case of a negative response. A high-quality enrollment will go a long way in showing a system in its best light.
Privacy Concerns
One of the key items in a successful biometric solution deployment is gaining user acceptance. According to Cathy Schaub, vice president of marketing for Biocentric Solutions Inc., three privacy questions arise with biometric applications: (1) where the biometric templates are stored; (2) who has access to them; and (3) whether they can be duplicated.
Frances Zelazny notes that the biometric industry is responding to privacy concerns through the International Biometric Industry Association (IBIA). This trade association was founded to advance, advocate, defend and support the collective international interests of the biometric industry.
Privacy guidelines have been developed that govern the use of biometric technologies in both the private and public sector. These guidelines specify that in the private sector, biometric data can be used only for the purpose for which it was collected, and should not be sold or transferred to a third party without the individual's consent unless in response to proper law enforcement investigative procedures. In the public sector, the guidelines stipulate that the collection of the biometric be done in accordance with the law.
In addition to adhering to guidelines such as those outlined above, companies such as Biocentric Solutions Inc. consider privacy concerns a key component of product design. For example, biometric templates are not saved after enrollment and are not held in a database. Templates, which are encrypted, are stored on a card and held by the owner of that card. Bioscrypt's Webb explained, "Since the biometric data is stored on the card, and you have possession of the card, there is less worry of the information being used surreptitiously. Also, the smart card may encrypt your data for storage, further limiting the possibility that the data can be used inappropriately."
Hunepohl and Webb agree that privacy concerns are really an education issue. "Users need to understand biometrics applications are just a more secure form of identification," said Hunepohl. Webb added, "Although biometrics are a measurable characteristic of your body, they are used to protect, not incriminate." She noted the biometrics that cause the most concern over privacy are DNA and fingerprints (since fingerprints are often used in criminal investigations and stored by other government organizations).
However, Webb says these concerns may be unfounded, because DNA systems are not commercially available, and commercial fingerprint biometric systems do not record fingerprints like the government systems. Instead, they analyze fingerprints and extract pertinent information, which is stored as a mathematical model of the fingerprint: a template. It is not the fingerprint itself. The template is later used to compare against data extracted from a live scan of a fingerprint for purposes of identity verification.
Can a biometric template be used to recreate the image it represents? "The answer lies in the fact that biometric templates are mathematical representations of a physical or behavioral trait," said Zelazny. "As such, they cannot be reverse engineered. Tampering and altering possibilities are mostly an issue of data protection."
Schaub, whose company stores encrypted templates on a token, agrees. "It would take a lot of money, time, and tremendous determination to duplicate a fingerprint; even if successful, there are additional ways of preventing that card from ever being compromised to gain access or entry."
The Future of the Biometric Market
Fingerprint biometrics are by far the most widely used biometric today, particularly in the law enforcement arena, and will continue to be so for the physical access control market in the foreseeable future, according to industry experts. However, these same experts disagree about which other biometric technologies will become widely used over the next five years.
The three biggest markets for biometrics are physical access control, time and attendance tracking, and logical access. Physical access control is more amenable to various forms of biometrics. Although biometric systems are still more expensive than traditional card systems, the end user now has more options that can be implemented into the security plan.
Time-and-attendance systems are adopting biometrics at least as fast as physical access control. Fingerprint biometrics and hand geometry readers tend to be most suited for these applications due to the lower cost and small form factor. By reducing "buddy punching", the use of biometrics for time and attendance can provide a strong return on investment.
Although the market is being introduced to biometric readers used for PC secure log-on, logical access will probably be the last to fully adopt biometrics. Users in this market tend to be pragmatic and want to see an industry leader before they purchase.
Law enforcement and government are the main adopters of biometrics today. Identix's Zelazny believes the next wave of market adoption will come from the "regulated industries" (transportation and aviation, finance and healthcare), where there is a mission, a mandate, and funding. Hunepohl says the government will use biometrics for personal identification and fraud prevention, while the financial market will focus on personal identification and deterring identity theft.
Acceptance by End Users
Transaction-based (mass-consumer) use of biometrics will follow the regulated industries. However, Webb points out that transaction processing and point-of-sale will be slower to adopt biometrics due to the immense efforts required to develop the infrastructure to support biometric verification.
For biometrics to become widely used, acceptance of the technology must increase, driven by increased performance, ease of use, and assurance that the biometric will be used properly. Other factors such as system integration and system cost will be initial deployment factors, but may not be enough to win end users over.
Schaub indicates that there are two significant drivers to end users' acceptance of biometrics. First are the recent U.S. government mandates and funding for biometric security as part of its transportation and border security initiatives. Second is using biometric identification as an access or entry option on commercial products, such as laptops, cell phones, automobiles and doors.
The bottom line to end user acceptance, says Hunepohl, is that there must be some clear benefit to end users. For example, he cites the ability to be excluded from delays. "If I can go to the airport 30 minutes before my flight, and submit my biometric proof to speed me through the process, I, along with a few million other travelers, am willing to submit to the background check and submit biometric proof of identification."
Debra Spitler is vice president of marketing for the ASSA ABLOY Identification Technology Group (ITG).