Kicking It Up a Level
How new credentials and biometrics are helping protect people and property better
By Jennifer Toscano
Aug 01, 2011
An employee at a particular major teaching hospital carries a magnetic stripe card with two barcodes on the lanyard. In addition, the employee must remember two different PINs and carry a proximity card for the institution’s other facility. That doesn’t make sense.
A credential is what you use to identify
yourself to a system. Whether it’s
a key, a card or a biometric, your credential
can provide access to spaces or
services within your facility. For system
managers, card-based credentials offer
a solution that is easier to manage than
keys and harder to duplicate than PINs.
Managers can easily assign and revoke
access privileges, or alter a single user’s
access privileges without affecting the
entire population of users.
With card-based access, the threat
of unauthorized keys and shared PIN
codes is eliminated. In facilities that require
permission to multiple systems,
card-based credentials offer the potential
to consolidate technologies across
multiple systems, enabling users to
carry one credential to achieve multiple
activities.
However, today’s typical access control
system was, in all too many cases,
installed in stages. As a result, it is made
up of different brands and disparate
products that often do not integrate
into the same system or talk with one
another. Too many of today’s systems
require many separate databases and
a plethora of software interfaces that
create confusion, lower the level of security
within the facility, and decrease
staff productivity for the customer and
the installer.
Not only are such scenarios cumbersome
for the employees, they drive the
physical access control management
crazy. And on the horizon sits the IT
department, becoming more and more
prevalent in access control hardware
and software purchases. They shouldn’t
put up with it.
In addition, not all card technologies
are the same. Some card credentials
are a great deal more secure than
others. So, with this in mind, what’s the
outlook for the future in IDs, biometrics
and credentials?
Smart Cards Are the Future
We used to think that Homeland Security
Presidential Directive 12 (HSPD-12)
would fuel smart card use in the
government and accelerate adoption
by large enterprises because HSPD-12
seeks to establish secure and reliable
identification for all federal employees
and contractors. Because federal mandates
tend to have a cascading effect,
this directive would have a huge significance:
State and local governments, as
well as first responders, would become
major buyers of FIPS 201-compliant
smart cards as they follow the federal
initiatives. Private contractors would
have to follow.
But organizations have bigger and
more important reasons for choosing
smart credentials, and there is no reason
not to deploy smart cards immediately,
even if the only application is to
ensure physical access control. Organizations
need smart credentials that
work for them today and give them the
flexibility to add applications in the future.
After all, it is simply too easy for
unauthorized people to duplicate and
use another person’s proximity card.
Smart cards provide a higher level
of security, more convenience and far
greater functionality than proximity
cards do for a comparable price. In addition,
these smart cards have the ability
to manage access, payments and
many other functions.
Unlike proximity cards, smart cards
using MIFARE DESFire EV1 technology
offer several different layers of security,
including mutual authentication,
which ensures that the reader and the
card are allowed to talk with each other
before any information is exchanged.
They also provide AES 128-bit encryption,
a key encryption technique that
helps protect sensitive information.
They additionally supply diversified
keys, which virtually ensure no one can
read or access the holder’s credential
information without authorization. A
message authentication code further
protects each transaction between the
credential and the reader, ensuring complete
and unmodified transfer of information,
helping to protect data integrity
and prevent outside attacks.
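
The three protections just described (diversified keys, mutual authentication and a per-transaction message authentication code) can be seen working together in the following added example, which is not from the article or from any card vendor. It is a simplified model, not the MIFARE DESFire EV1 wire protocol: HMAC-SHA256 stands in for the card's AES-128 operations, and every name and sample value in it is hypothetical.

```python
import hashlib
import hmac
import os

def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Assumption: HMAC-SHA256 cut to 16 bytes stands in for the card's AES-128 operations.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]

def diversify(master_key: bytes, uid: bytes) -> bytes:
    # Diversified key: each card holds a key derived from its own UID, never the master key.
    return _prf(master_key, b"diversify", uid)

class Card:
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self.key = uid, key

    def hello(self):
        self.rnd = os.urandom(16)  # fresh card challenge for every session
        return self.uid, self.rnd

    def answer(self, rnd_reader: bytes, reader_proof: bytes):
        # The card checks the reader first and stays silent if the reader lacks the key.
        expected = _prf(self.key, b"reader", self.rnd, rnd_reader)
        if not hmac.compare_digest(expected, reader_proof):
            return None
        return _prf(self.key, b"card", rnd_reader, self.rnd)

def reader_authenticate(master_key: bytes, card: Card):
    """Return a session key when both sides prove the key, otherwise None."""
    uid, rnd_card = card.hello()
    key = diversify(master_key, uid)  # the reader re-derives this card's key
    rnd_reader = os.urandom(16)
    proof = card.answer(rnd_reader, _prf(key, b"reader", rnd_card, rnd_reader))
    if proof is None:
        return None
    if not hmac.compare_digest(proof, _prf(key, b"card", rnd_reader, rnd_card)):
        return None
    return _prf(key, b"session", rnd_card, rnd_reader)

def protect(session_key: bytes, message: bytes) -> bytes:
    return message + _prf(session_key, b"mac", message)  # append the MAC

def verify(session_key: bytes, frame: bytes):
    message, tag = frame[:-16], frame[-16:]
    ok = hmac.compare_digest(tag, _prf(session_key, b"mac", message))
    return message if ok else None  # altered frames are rejected

MASTER = bytes(range(16))  # constructed sample site key, not a real one
```

Because each card key is bound to its UID, a key copied from one card onto a card with a different UID fails authentication, and a reader without the site key gets no answer from the card at all.
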
Thus, smart cards provide groups
with a way to increase the security of
their access control solution today
while providing a pathway to other
smart credential applications. For that
reason, although organizations might
currently be using proximity, they are
quickly migrating to smart credentials
because they can incorporate a multitude
of applications on a smart card
more easily.
Besides access control, popular
smart credential applications include
identification, check-out verification,
company cafeteria charges, access to
recreational facilities, charge privileges
at various locations, admission
to events, transit passes, service access,
bankcard service and biometric template
holding.
The Bottom Line on Smart Cards
It is important that organizations be
prepared for smart credential deployment,
even if their facility wants to
install proximity, magnetic stripe or
keypad readers at present. Integrators
can help customers by proposing multitechnology
readers that combine the
ability to read both proximity cards
and smart cards. That way, when the
group switches over to smart cards, it
doesn’t have to tear out its old readers
to install smart card readers. During
the transition, the group can use both
its old proximity credential and the new
smart credential.
Also, ensure the new credential readers
are open-architecture. Save money
by using the existing access control system,
if at all possible. Open architecture
readers will let groups use both their
current software and panels with their
new credentials. If, down the road, the
group changes its software, it can still
use these readers.
Biometrics—Making Security Include Who You Are
Biometrics are automated methods
of recognizing an individual based on
unique physical characteristics. Biometric
technologies, like hand geometry
and fingerprinting, enable a facility
manager to ensure that only verified
users have access to a facility at authorized
times. Biometrics provide the
highest level of assurance that the actual
authorized individual, rather than
just the authorized key, card or code,
has access to a secure facility. Because
of the versatility of biometric technologies,
you will find them used in universities,
data centers, day care centers,
airports, healthcare facilities and government
buildings—any place where
resources, lives or sensitive information
require the highest levels of security.
If access control systems are to control
where people, not credentials, can
and cannot go, then only a biometric
device truly provides this capability.
Most people are familiar with the idea that biometrics are used in high-security venues such as data centers, nuclear
plants and laboratories. However, many find it surprising that their biggest deployments
are where they are chosen for convenience.
Biometrics are user-friendly. First of all, they can eliminate the need for keys or
cards. While keys themselves don’t cost much and dramatic price reductions have
lowered the capital cost of the cards in recent years, the true benefit of eliminating
them is realized through reduced administrative efforts. For instance, an administrator
must replace and reissue a lost card. Lost keys not only require replacement,
but they also create the need for replacing the cylinders for all the openings that the
lost key accessed. Thus, when taken together, the overall administration of a key
or card system is costly. Hands and fingers are not stolen or forgotten. They also
don’t wear out or need to be replaced.
“The number-one suggestion from our members was eliminating the need for
ID cards,” said Director of Campus Recreation Jill Schindele at the University of
California-Irvine. “We took [these] suggestions seriously and feel that hand geometry
is the fastest and most efficient alternative to identification cards.”
Secondly, biometrics are easy to administer, install and maintain. Replacing
card readers, in many cases, is simply an unplug-plug-and-play operation. Hand
geometry readers, especially, get people into buildings and rooms quickly. They
include a variety of options, such as letting an employee quickly check accrued
vacation time. Plus, it is easy to control threshold levels, allowing administrators to
implement tight access control in a nuclear power plant and loose access at a spa.
At the University of Georgia, biometric palm readers control access to campus
housing. “Housing basically has an electrified door system,” said Bill McGee,
formerly the manager of the Bulldog Bucks office blackboard transaction system
at University of Georgia card services. “Any door can be opened from the control
desk or remote desks around campus. We also have cameras on the doors. By adding
the [palm reader] HandKey, we go from an access control system to a security
access system. We feel that this is an important attribute. By simply putting one
HandKey at an entrance, an organization can turn that door into a security system
in its simplest form at a low cost.”
According to McGee, eliminating re-keying upon lost or stolen keys and students
or employees leaving the university is especially important for larger institutions.
With 800 people in a dormitory, re-keying would be both cost-prohibitive
and a logistical nightmare.
As a result of so many biometric implementations that took place on college
campuses during the last decade—in addition to the countless campuses that already
had been using biometrics for years—in the residence halls, dining halls, and
recreation centers, the industry has created thousands upon thousands of future
prospects that see biometrics as a tool to be trusted for its security and convenience
rather than equipment to be feared as “futuristic” or worrisome.
Tightening the ID Process Is Now a Two-Step Procedure
Most people will agree with Gary Conley, the University of Virginia’s facilities
and systems engineer for the office of business operations, that simply running a
magnetic stripe card or entering a PIN is not enough in today’s world. A lost card
or found PIN should not be the ticket for unauthorized users to enter places they
don’t belong.
That’s why two-step/multi-factor authentication is becoming more common.
Indeed, it has been a major selling point in the phenomenal growth of biometrics
over the past several years: a PIN or card is used to bring up the
biometric template that must be matched. Using smart cards in conjunction with
biometrics raises the security level.
That’s because a single smart card can store both the user’s ID number and
biometric template. Because of this, there is no need to distribute hand templates
across a network of readers or require the access control system to manage
biometric templates. This means integration to any existing access control
application is greatly simplified, eliminating extra network infrastructure
costs. Because the template resides only on the card, the solution also
eases individual privacy concerns.
Providing the best of smart cards
and biometrics, the solution provides
dual authentication by requesting both
the right card and the right person. A
smart card reader is attached to or embedded
into the biometric reader. A
plastic cardholder is affixed to the side
of the unit. The verification process
takes approximately one second.
With the hand reader, the hand template
requires only nine bytes to define
the hand, the smallest in the biometric
industry. This ensures fast response
times and that the smart card can
maximize its benefits by offering users
increased room for other applications.
In addition, the implementation supports
multiple secure applications on
the smart cards. Possible applications
include the storage of additional information
to allow for secure log on to a
PC or laptop and accessing the company’s
network.
Help That Hospital Employee
Today, it is much more efficient, economical
and secure to have the initially
mentioned teaching hospital’s employee
carry a smart card that provides
a variety of applications, including
a biometric template. It can provide
the employee with access to the areas
of the hospital to which the person is
authorized, including the biometrically
secured pharmacy and other similarly
secure locations, making the job easier,
adding to employee productivity and
helping the hospital become more
secure. The same would be true if the
employee were a student or staffer
on the campus proper, or if he or she
worked in an office building.
This article originally appeared in the August 2011 issue of Security Today.