A Perfect Match

Consider multiple options for deployment of biometric authentication

As more organizations implement biometrics, it is not uncommon to see an iris reader used to control access to an IT server room, a fingerprint sensor integrated into a laptop computer for desktop logon or a facial recognition system used to clock in on a factory floor. Although these are excellent examples of the use of biometrics, for many organizations the question remains, “Should we be using a biometric, and if so, what type?”

Whether the application is used for physical access control to a building, logical access control to a PC or time and attendance functions, biometric verification offers a number of benefits over traditional methods of authentication. Biometric verification is more productive and convenient than traditional methods and eliminates the need to remember multiple PINs or passwords. Additionally, each biometric is unique to a person, thus ensuring high-accuracy authentication for access control.

Which Solution is Right?
While there are no hard and fast answers regarding which biometric method works best for an organization, there are several issues, including regulatory compliance and/or government standards, that compel companies to consider deploying specific types of biometric installations.

The intense pressure for governance and compliance impacts organizations by amplifying the focus on security policies, controls, auditability and identity assurance. With increased regulatory considerations, including accounting and insurance security audits, these regulations and programs drive the need for multifactor authentication, especially where unsecured access to sensitive locations or information can lead to dire consequences. For instance, the government’s TWIC program requires that a biometric be enrolled on a smart card to access facilities, protecting U.S. ports from potential terrorist infiltration.

While most biometric solution providers offer both server and smart card-based methods of template storage and distribution, a smart card-based method enhances the privacy of biometric templates while reducing system installation costs and complexity. The result is an increased return on investment for the organization. Overall, the right biometric system will reduce costs and/or improve productivity such that it will pay for itself in a reasonable period of time, so long as the secondary authentication is protecting something of high value.

Deployment Within a Network
If an organization is looking to increase security within a facility, biometrics easily can be integrated into existing access control systems. Most biometric devices are equipped to support traditional Wiegand output, as well as bidirectional serial communication. Implementing biometrics can be as simple as adding a standard keypad or card reader. In this case, the question of where to install biometrics within the existing access control framework often arises.

Every organization’s needs are different, which often results in a tailored biometric installation. Organizations must weigh their need for increased security against cost, as well as increased throughput time and environmental considerations. For instance, organizations with larger physical spaces and security-sensitive locations, such as an airport, tend to install more biometrics to protect these locations, such as data centers and sterile areas. In contrast, organizations with few employees and less sensitive locations install biometric access on a smaller portion of physical access points like IT server rooms while using a biometric time and attendance system to ensure proper employee clock-in and clock-out.

For biometric installations at perimeter locations, an organization should consider that throughput time will increase. To prevent bottlenecks at main entrances, enough entry points should be available for employees. This is especially important for employees who use a biometric time and attendance application that requires them to clock in for their workday. For biometrics that will be installed on outdoor perimeters, consider a biometric that can perform and is rated for your climate. Additionally, it is important to work with a large portfolio of biometric products that can provide a variety of options, ensuring that the installation is tailored to meet the organization’s needs.

Application of Biometrics
Beyond standard access control, biometrics can be leveraged for other applications, including providing business efficiencies in the areas of time and attendance and logical access. Within the time and attendance space, biometrics can be used to confidentially support self-management at a PC terminal.

For instance, when an employee uses a biometric system to request time off or a shift change, the system is assured that the employee is the one who made the request. This helps to minimize the overhead of human verification and improves the ROI within an organization.

There are additional benefits of using a biometric. Once it can be positively confirmed who executed a transaction at a PC terminal using a biometric, more sensitive data can be shared, enabling employees to check their vacation time status, request time off and view short but important messages. The biometric adds non-repudiation, which is important when dealing with personnel issues.

What Should be Used?
Once the decision is made to deploy biometrics, the next question is usually, “What type of biometric should be used?” While there is no standard answer, there are several considerations for choosing which type of system to deploy, including:

Privacy. During enrollment, users often ask, “Is my biometric securely stored or will this be shared with any government agency?” Although biometrics are typically not shared, users often do not accept the argument and remain concerned with letting their information be stored on a server. In these cases, a better approach is to store the biometric on the user’s smart card and nowhere else. The template is read during the verification process and then discarded by the reader.

Cost. The key is to focus on the total cost of deployment and ongoing use, including the direct cost of the biometric equipment, as well as the cost associated with training users and maintaining the system.

Ease-of-use/traffic. For very high-traffic areas, such as the entrance to a large building, it may be necessary to use multiple readers to not delay employees during peak traffic times.

Installation environment. For environments where hands are used a lot for other tasks, the condition of the fingers may reduce the effectiveness of fingerprints. Even the best sensors have a difficult time reading wet and dirty fingers. In that type of environment, an iris-based biometric may be an effective solution, since no direct physical contact is required. Facial recognition—which performs best when the lighting at authentication is similar to when the user was enrolled—may require the biometric to be used in the same location every time, which can be impractical or problematic for portable use.

Form factor. This is a more sensitive topic when looking at the logical access arena. As travel restrictions become more prevalent and limitations are placed on carry-on luggage, it can be cumbersome to carry an extra peripheral for authentication when conducting PC log-on and single sign-on. This is where built-in biometrics is extremely beneficial.

Accuracy. The degree of accuracy desired must be balanced against speed and ease-of-use. For larger organizations with a biometric database that may have up to 100,000 records, it is not realistic to expect to identify a person in one second solely from a fingerprint presented at a door. Iris and retinal scans, while generally considered to be more accurate, are more time intensive.

Smart-Card Biometrics
Smart cards minimize the overhead when dealing with biometric template management and distribution. Rather than storing biometrics on a server and distributing them over a wired network, a smart card-based system allows biometric templates to be carried by the card holder. By using smart cards, biometric templates are mobile and easily can transact with the biometric reader in the field, eliminating the need for the templates to be added, stored or purged on back-end systems.

With smart cards, security is often enhanced and privacy concerns are addressed with biometric template storage only residing on a secure card. Also, coupling a smart card with biometrics for some logical access applications can advance security, improve convenience for the end user and minimize help-desk calls for forgotten passwords in single sign-on cases.

System administration also is made easy with smart cards, as there is no need to download templates to biometric readers or worry about template capacity within the reader. Smart cards deliver template storage to an unlimited number of users. Additionally, the investment in smart cards returns an incremental benefit when adding more applications to the card.

The Algorithm Factor
Smart card-based systems also address privacy concerns by employing mutual authentication and encryption to protect the biometric template on the card. Algorithm choice also is something to consider when selecting a biometric system. There are two primary algorithms: a one-to-one and a one-to-many algorithm.

A one-to-one algorithm verifies the end user’s real-time data—fingerprint image or iris image—against his or her template. This algorithm requires that both a credential and real-time biometric data be supplied to initiate verification. A credential provides a unique identifier for the end user and/or the biometric template(s). Examples of credentials include iCLASS® and MIFARE contactless smart cards, magnetic stripe cards and keypad entry.

A one-to-many algorithm attempts to locate or identify an end user’s biometric information from a database of templates. The end user is only required to provide his or her real-time biometric data to the device; no card or PIN is required to initiate the process.

Although each algorithm has its advantages and ideal installation scenarios, a one-to-one algorithm is generally considered more secure and accurate. For a one-to-one biometric device, the end user must always supply at least two factors of authentication: the credential—what you have—and the candidate data—who you are. One-to-many algorithms attempt to match the candidate data to a potentially large database of templates. A one-to-one algorithm is only comparing candidate data against the template(s). These basic factors lower the probability for a false acceptance to occur within a one-to-one device. This system also addresses broader privacy concerns, as there is no database of biometric templates that can be hacked. Additional security can be achieved when factoring in the use of smart cards, which creates another layer of security via a diversified unique key specific to the site.
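The difference in false-acceptance probability can be made concrete with a toy matcher. The following is an added example, not code from the article or from any vendor: it assumes 64-bit templates compared by Hamming distance with an acceptance threshold of 12 bits, treats comparisons against different templates as independent, and uses constructed user names and data. It reuses the 100,000-record database size mentioned under Accuracy.

```python
import math
import random

BITS = 64        # toy template size (constructed; real templates are larger)
THRESHOLD = 12   # assumed: accept when Hamming distance <= THRESHOLD

def hamming(a, b):
    return bin(a ^ b).count("1")

def far_one_to_one(bits=BITS, threshold=THRESHOLD):
    """Chance a random impostor sample matches ONE given template."""
    return sum(math.comb(bits, k) for k in range(threshold + 1)) / 2 ** bits

def far_one_to_many(n, p=None):
    """Chance a random impostor sample matches ANY of n enrolled templates."""
    p = far_one_to_one() if p is None else p
    return -math.expm1(n * math.log1p(-p))  # 1 - (1 - p)**n, numerically stable

def verify(db, credential_id, sample):
    """One-to-one: the presented credential selects the only template compared."""
    template = db.get(credential_id)
    return template is not None and hamming(template, sample) <= THRESHOLD

def identify(db, sample):
    """One-to-many: search the whole database; return the closest ID in range."""
    if not db:
        return None
    user, template = min(db.items(), key=lambda kv: hamming(kv[1], sample))
    return user if hamming(template, sample) <= THRESHOLD else None

def noisy(template, flips, rng):
    """Flip `flips` distinct bits to imitate sensor noise on a live sample."""
    for bit in rng.sample(range(BITS), flips):
        template ^= 1 << bit
    return template

def demo():
    rng = random.Random(2024)  # fixed seed: constructed, repeatable data
    db = {f"user{i}": rng.getrandbits(BITS) for i in range(1000)}
    lookalike = noisy(db["user42"], 10, rng)  # sample that resembles user42
    return {
        "claims_own_card_user7": verify(db, "user7", lookalike),
        "identified_as": identify(db, lookalike),
        "far_1_to_1": far_one_to_one(),
        "far_1_to_100000": far_one_to_many(100_000),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under these assumptions a single comparison falsely accepts about 2 in 10 million random samples, while a search across 100,000 templates falsely accepts roughly 2 in 100; the look-alike sample is rejected when checked only against the template tied to the presented credential, but is identified as another enrolled user by the database search.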
