From the Product Manager's POV
- By Security Products Staff
- Aug 02, 2007
Hirsch Electronics is no stranger to introducing new products or winning accolades among its peers. At ISC West in Las Vegas, Hirsch won a Special Achievement Award in the Security Industry Association's New Product Showcase. We thought readers should know more about the RUU-201 Verification Station, so we talked to Scott Howell of Hirsch Electronics.
Q. The RUU-201 received the industry's special achievement award. What makes the verification station so special?
A. The judging committee said the Special Achievement award is given "in recognition of outstanding accomplishment in technical innovation." The verification station is unique, highly secure and it can be used in a variety of applications. I like to describe it as a 4x4: four factors and four applications. It is one of the first four-factor authentication devices available on the market—card, code, fingerprint and PKI certificate check—so that delivers the high-security assurance. And, it can be used in four ways: at card issuance to verify the card recipient's identity before card handover, as a door/gate controller, as an enrollment device to populate a physical access control system with card data and as a standalone or networked verification station to verify identities anytime, anywhere.
Q. The verification station must be compatible with a variety of applications. What are the most popular uses of the product?
A. Many customers use the verification station strictly as an identity verification device, before handing over a card or at a manned ID checking station. Most customers that use the verification station as a door reader configure it for identity authentication and then forward the verified identity to the access control panel for authorization (lock release), to control who goes where when. Assuming the access control database is kept up to date (ideally, via a real-time link from the HR/personnel system), even a recently terminated employee will be denied entry, even if their identity was verified by their PIN and fingerprint.
Q. Today, security technology is on the cutting edge. What technologies does the verification station incorporate?
A. The verification station is a convergence device. It integrates several technologies, including a privacy-sensitive scrambling keypad, contact and contactless smart card readers, biometric fingerprint reader and a six-line LCD display. The unit is IP-addressable, and it includes ports for a door or other relay, Ethernet, Wiegand, RS-485 and RS-232.
Q. Identity verification is important in many industries. For what market was the verification station created?
A. It was originally designed to help federal government facilities comply with HSPD-12 and the standards published by NIST as FIPS 201. However, the unit is really taking off in non-government, non-FIPS 201 applications, as well. Hirsch is seeing strong sales of the unit into non-FIPS 201 applications. It can be used with non-PIV smart cards, such as MIFARE and DESFire. Prisons, hospitals, universities, as well as state governments and first responders are the early adopters so far.
Q. How does the verification station help a federal agency comply with FIPS 201?
A. An agency would be hard-pressed to comply with the standard without some type of full-featured identity and card verification device. Let's say a sponsor requests a card for an employee, then the registrar does the background check, and the signatory approves the issuance. Finally, the issuer prints and encodes the card, and the applicant is ready to pick it up. But how can the issuer be sure the card works and that they are giving it to the right person? That card must be tested right in front of the issuer, using some type of verification station to check the card's readability, the PIN code acceptance and fingerprint match. That is just one example—card issuance, where the verification station helps agencies comply with FIPS 201. It closes the loop on the process and confirms interoperability before the card is ever used for logical or physical access.
There are many other ways the verification station can help agencies comply with FIPS 201 because of its ability to read a PIV card's expiration date and Federal Agency Smart Credential Number from the Cardholder Unique Identity container in the smart card's processor.
Q. I understand the Verification Station uses a fingerprint and PIN differently than is historically done with physical access applications. How so?
A. Most fingerprint readers require that users be pre-enrolled in the reader or access control system. That pre-enrollment requirement is a real problem for those traveling to multiple locations, and it means the organization does not have card or identity interoperability between sites.
In compliance with FIPS 201, the Hirsch verification station uses a more interoperable and user-friendly model whereby the encoded fingerprint data is locked inside the smart card and is unlocked and passed to the reader only after a valid PIN entry. The verification station then performs a one-to-one match of the live finger's print to the card's print. In the FIPS 201 model, the PIN is not issued by the local access control system administrator to be used by the access control system as a second factor of authentication, as was historically done. Rather, the PIN is issued by the central card issuer and used to ensure privacy of the personal identity information stored on the card.
The key here is that government users don't have to be pre-enrolled. Any PIV cardholder can go to any agency at any site in the world and have their identity verified using the verification station—now, that's interoperability. Once identity is authenticated, local authorities or the access control system can determine the appropriate authorization to doors, areas and computers. The process of identity verification (authentication) is separated and administered discretely from the process of granting access (authorization). This idea of using the PIN to unlock the biometric template stored on the card was brought to the forefront by the government's IT-centric FIPS 201 standards, and it is a useful model for ensuring privacy both in the public and private sectors.
Q. Of course, security is of the utmost importance. How does it secure the PIN code?
A. The verification station incorporates a Hirsch ScramblePad, a unique, time-tested, high-security digital keypad. Using the ScramblePad, the PIN cannot be accidentally shared with, or stolen by, onlookers. Each numeral is randomly scrambled to a new position every time the "start" button is pressed, so a bystander cannot ascertain the finger pattern or telltale wear marks. Also, the ScramblePad's internal viewing restrictors allow only the person directly in front of the keypad to see the numbers.
Q. What are the benefits of verification station-assisted enrollment into the physical access control system?
A. Speed, accuracy and consistency. For example, authorized employees visiting from another site can have their identities verified quickly, and then the appropriate data on the card can be instantly imported into the local site's access control system, without a keystroke and without having to go to the personnel or security office. Typos and other data entry errors are avoided. And Thomas is consistently entered as Thomas, rather than Tom. That leaves only the step of assigning authorization privileges to the cardholder, which can be further simplified using role-based access control.
Q. Along the lines of being a "converged" solution, how does the verification station use the IP network?
A. The verification station is Ethernet-ready and IP addressable, and it plugs right into the local site's TCP/IP network infrastructure, if desired. One can use the network to access and configure the RUU-201. And, the RUU-201 can use the network to communicate to a card management system, identity management system or physical access control system. Additionally, the RUU-201 can use a network to do a real-time PKI certificate check with an internal or third-party certificate authority over the LAN/WAN or Internet to ensure the card has not been revoked by the original issuer.
Q. What is the PKI certificate check all about, and what is its value?
A. Public key infrastructure is a security tool that has become popular with IT departments to verify the identity of a person logging onto the network, to electronically sign e-mail and to verify the authenticity of a document. The verification station can validate a PKI certificate stored on the card. It works like this: After the card, PIN and fingerprint are read, the verification station (if configured for PKI-check mode) obtains the certificate from the card. The verification station sends the certificate out its Ethernet port and across the LAN/WAN/Internet network, via a secured connection, to a certificate authority, such as an online credential status provider or credential revocation list. The card's certificate is checked by the OCSP or CRL, and a result (e.g., certificate "valid" or "revoked") is returned to the verification station for appropriate action.
Thus, in the case of a recently terminated employee, even though the cardholder's PIN, unique number (e.g., FASC-N) and fingerprint may be valid, the verification station will reveal the card's certificate to be invalid. This extra step—the PKI certificate check—is important for many applications. However, the local site or physical access control system must establish communication to the card issuer's infrastructure and use an OCSP or a CRL to use this feature.
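The two mechanisms described above, the PIN that unlocks the fingerprint template stored on the card followed by a one-to-one match, and the certificate status check that catches a revoked card even when PIN and fingerprint are valid, can be modelled end to end in a few dozen lines. The following Python is an added example written for this page; it is not Hirsch code and does not represent the RUU-201's internals. Every card, PIN, minutiae set, certificate serial and revocation list in it is constructed, the template format and the PBKDF2-based sealing are stand-ins for what a real card does on-chip, and the retry counter, the expiry check and the fail-closed handling of a stale revocation list are the caveats a defender would expect such a flow to carry. Authentication (`verify_identity`) and authorization (`authorize`) are deliberately separate functions, mirroring the split the interview describes.

```python
# Added example, not Hirsch code: a minimal model of the verification flow the
# interview describes. Card, PIN, fingerprint and certificate data are constructed.
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac

PBKDF2_ROUNDS = 50_000   # toy parameter
MATCH_THRESHOLD = 0.8    # fraction of template minutiae that must match (toy value)
TOLERANCE = 2            # positional tolerance for a minutia match (toy value)


def _pin_key(pin, salt, purpose, length):
    # Purpose-bound derivation so the PIN check value is not also the sealing key.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + purpose, PBKDF2_ROUNDS, dklen=length)


@dataclass
class Card:  # constructed stand-in for a PIV-style smart card
    fasc_n: str              # credential number read from the CHUID
    expires: date
    cert_serial: str         # serial of the card's authentication certificate
    salt: bytes
    pin_check: bytes         # PBKDF2(pin, "check"), compared on PIN entry
    sealed_template: bytes   # fingerprint template XORed with PBKDF2(pin, "seal")
    retries_left: int = 3

    @classmethod
    def issue(cls, fasc_n, expires, cert_serial, pin, template, salt):
        seal = _pin_key(pin, salt, b"seal", len(template))
        sealed = bytes(a ^ b for a, b in zip(template, seal))
        return cls(fasc_n, expires, cert_serial, salt, _pin_key(pin, salt, b"check", 32), sealed)

    def unlock_template(self, pin):
        """Release the template only after a valid PIN; a wrong PIN burns a retry."""
        if self.retries_left == 0:
            return None
        if not hmac.compare_digest(_pin_key(pin, self.salt, b"check", 32), self.pin_check):
            self.retries_left -= 1
            return None
        self.retries_left = 3
        seal = _pin_key(pin, self.salt, b"seal", len(self.sealed_template))
        return bytes(a ^ b for a, b in zip(self.sealed_template, seal))


# Toy template format: a flat byte string of (x, y) minutia coordinates.
def encode_minutiae(points):
    return bytes(c for p in points for c in p)


def decode_minutiae(blob):
    return [(blob[i], blob[i + 1]) for i in range(0, len(blob), 2)]


def match_score(live, template):
    """1:1 match: fraction of template minutiae with a live minutia within TOLERANCE."""
    hits = sum(1 for tx, ty in template if any(
        abs(tx - lx) <= TOLERANCE and abs(ty - ly) <= TOLERANCE for lx, ly in live))
    return hits / len(template)


@dataclass
class RevocationList:  # constructed CRL stand-in with its validity window
    revoked: set
    next_update: date

    def status(self, serial, today):
        if today > self.next_update:
            return "unknown"   # stale list: fail closed instead of trusting it
        return "revoked" if serial in self.revoked else "valid"


def verify_identity(card, pin, live_minutiae, crl, today):
    """Authentication only: card, PIN, fingerprint, certificate. Returns (ok, reason)."""
    if today > card.expires:
        return False, "card expired"
    template = card.unlock_template(pin)
    if template is None:
        return False, "PIN rejected"
    score = match_score(live_minutiae, decode_minutiae(template))
    if score < MATCH_THRESHOLD:
        return False, f"fingerprint mismatch ({score:.2f})"
    status = crl.status(card.cert_serial, today)
    if status != "valid":
        return False, f"certificate {status}"
    return True, "authenticated"


def authorize(fasc_n, door, access_db):
    """Authorization is a separate, local decision keyed on the verified FASC-N."""
    return door in access_db.get(fasc_n, set())


# --- constructed sample data ---
SALT = b"constructed-salt"
TEMPLATE_POINTS = [(10, 20), (35, 42), (50, 15), (72, 80), (90, 33)]
LIVE_PRINT = [(11, 21), (34, 43), (51, 14), (71, 81), (89, 34)]  # slightly shifted capture
TODAY = date(2007, 8, 2)
STALE_DAY = date(2007, 9, 1)                                      # after the CRL's next_update
CRL = RevocationList(revoked={"DEADBEEF"}, next_update=date(2007, 8, 3))
ACCESS_DB = {"7000-0001": {"lobby", "lab-2"}}                      # local site's authorizations


def make_card(fasc_n="7000-0001", cert_serial="0A1B2C"):
    return Card.issue(fasc_n, date(2012, 12, 31), cert_serial, "4812",
                      encode_minutiae(TEMPLATE_POINTS), SALT)
```

Running `verify_identity(make_card(), "4812", LIVE_PRINT, CRL, TODAY)` authenticates the constructed cardholder, and `authorize(..., "lab-2", ACCESS_DB)` then grants the door from the local table; a second card issued with the revoked serial `DEADBEEF` fails with `certificate revoked` despite the same PIN and print, and evaluating against `STALE_DAY` returns `certificate unknown` because the list is past its `next_update`, which the model treats as a denial rather than a pass.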
Q. So this is an "edge reader" then, distributing intelligence to the edge of the IT network?
A. Right. In fact, it is one of the first true edge readers on the market. In comparison to the other products we've seen on the market, the Hirsch verification station is the most sophisticated, integrated and secure edge reader available. It's more than a reader though, because it can communicate with the identity management system, card management system and physical access control system. And it can serve as a four-factor, high-security identity verification unit and as a standalone door controller.
Q. Is the verification station integrated with solutions from other companies?
A. Yes. The verification station is part of an integrated, end-to-end solution for FIPS 201 compliance offered by Hirsch and its partners. Hirsch's partners include the leading players in the IDMS, CMS and enterprise database solution sectors. The verification station also can be used with Hirsch's Velocity Security Management System, and it can be used as a door reader attached to nearly any brand of access control system.
Scott Howell is the manager of worldwide marketing for Hirsch Electronics.