Let The Finger Do The Talking

Retailers need to understand how access control can be integrated into identity management systems

Visualize this: You walk into a men’s store, approach the “personal shopper” stand and place your finger onto a designated spot. A personalized greeting appears on the monitor: “Good day, Mr. Brigham. The last time you visited, you bought a blue pinstripe suit. To thank you for your business, for any tie you buy today, pick another at the same price or less for free. Your discount will appear at checkout.” With a biometrically enabled loyalty system like that, past customers will want to return to the store over and over again.

Today, retail decision makers can be less concerned about whether technology works—with the introduction of multispectral imaging, even biometrics have become reliable—and more interested in how access control can be integrated into identity management systems for goals beyond the simple transaction of opening a door. Also today, they can use biometrics in “customer-facing” applications like loyalty programs. With the advent of the latest technologies, biometrics have been successfully deployed at major theme parks and ATMs. Why shouldn’t the retail industry take advantage of new biometrics technologies as well?

Can biometrics allow workflow to be streamlined by a single authentication solution across an organization? Can user authentication be tied into safety systems, as required by regulators or insurance providers? Can business patrons’ experiences be enhanced by expanding the touch points that know who they are? The answers to these questions are being asked today by retail CIOs who are demanding seamless and holistic solutions to IAM challenges that revolve around the question, “Who?”

The challenge has always been how to establish the “who” in transactions. Who is accessing the warehouse? Who is punching the time clock? Who is the customer standing in front of me? The question is always, “Who?”

Until now, the industry response to this question of “who” has been to use the best available tools to approximate identity. Thus, cutomers can present a credential— something they know like a password or something they have like a swipe card—to authenticate their identity. However, credentials alone simply cannot substantiate identity.

CIOs understand that others can know the password—it may have been shared, found or observed. Cards and tokens show what somebody has, but possession alone does not ensure identity; somebody else could have access to that card or token via sharing or theft. Thus, while access and authorization have always been granted to individuals, knowing a password or having a key is only superficially related to the authorized person, and neither can establish who. Only a biometric can do that.

Here’s an example of why it’s important to know who. Today, NFC-enabled smartphones are starting to get a lot of press. It is now possible to replace cards with virtual credentials on a smartphone. These credentials, when linked to one’s unique identity, provide an easier, simpler way to pay for merchandise. The customer just has to tap his or her smartphone to the cash register. NFC-enabled smartphones also could provide better access to buildings, data or devices.

Nonetheless, virtual credentials still verify only that somebody has the phone. Add a biometric to the phone and you know that the person using the phone is the person who is authorized to use it.

Instead of a smartphone, retailers could implement finger biometrics and actually understand who. After all, not all customers fit the phone-carrying demographic. And what about customers who forget to bring their cellphone? They didn’t leave their finger at home! Let’s look at some retail applications and how biometrics can help take retailers to the next level.

Eliminating the High Cost of Buddy Punching

Increasingly, retailers are discovering that time and attendance technologies, such as barcode ID cards, proximity cards, PINs and manual punch clocks, are inexpensive short-term fixes but, in the long run, they can be exploited and are susceptible to fraud, rendering them a poor long-term solution. Biometrics solves this problem by eliminating sharing, swapping, stealing and loss of PINs, passwords and ID cards. This is especially true for big-box environments.

Every retailer knows that it is working in a very small-margin industry. Although most employ some type of workforce management system, that initiative is really no better than the data entered into it. And, much of that data is bad because employees buddy-punch—clocking their friends in and out of work.

On average, 19 percent of employees admit that they have buddy-punched at least once in the past year, and 74 percent of all companies report that they have experienced a loss from buddy punching. It’s bad enough that the store misses out on the expected labor of the missing employee. In addition, according to the American Payroll Association, this practice costs companies between 5 to 7 percent in payroll expenditures.

Wouldn’t it be nice to verify employees with the touch of a finger? A biometric ensures that employees earn a day’s pay only when they are present to do a day’s work. However, a biometrically enabled terminal is more than a simple time clock. It transmits the employee’s in-and-out transactions to a company’s time/attendance/ payroll software. It also can display messages specific to an employee. Shift schedules can be communicated and vacation balances retrieved—all enhancing employee communication. Multiple units can be networked into a central time and attendance recordkeeping system, and interface software can be tailored to meet multiple recordkeeping needs, including programmable data management keys that collect specific data when employees are verified.

Simple single-clock or multiple-unit systems can be connected at a variety of sites over a full range of network topographies. Supervisors can enhance productivity by performing a variety of functions at the terminal. They might override user restrictions and input missed punches, planned vacations, sick time and other information. This biometrically protected supervisor mode lessens the need for computer edits, while audit trails for use of those functions ensure security. Even bell schedules can be programmed to signal shift starts and stops as well as breaks.

For small retailers, the time and attendance application is the main incentive for installing biometrics. But unlike the box store that might place biometric terminals at employee doors, how does the ice cream parlor collect this data?

Who Is Operating the POS Terminal?

Small retailers have their employees clock in and out at the cash register, or the POS terminal. How else could that biometric interface be used? What about opening the register? Using a finger is certainly faster than using a PIN.

Plus, as a byproduct of having employees use their fingers to open the register, the owner now has a record of exactly who was opening it during the window of time some money was found missing—not simply a record of what PIN was keyed in. The owner has irrefutable evidence of precisely which employees were in the drawer. As a result, the owner knows who to talk to when there is shrinkage. Those whose fingers were not used at that time won’t be bothered.

Of course, the same system can also be used in the big-box stores where transactions, returns and other potentials for shrinkage run in the hundreds to thousands of opportunities per day.

Who Did What?

In auto repair and servicing, it becomes important to discern who fixed the car to keep employees responsible for what they have done. That’s why such organizations, which are similar to retail, have work orders that detail what was done and by whom, which is typically noted into the system with a PIN. For instance, if Joe isn’t really feeling up to it that day, he just enters Charley’s PIN. And when Mrs. Jacobs’ car stalls on the freeway six miles from the shop, Joe doesn’t hear a word about it. If Joe had to sign on with a finger, he might be a little more careful.

Creating an Enterprise Single Sign-On (ESSO) System

After considering these examples, all of which are in use today, ask yourself: Would a retail organization like to have a system that offers authorized users quick, easy access to specific information or use of particular data sets and enforces document compliance with its policies and procedures? Of course, it would. But in today’s complex world, authorized users are sometimes forced to carry different forms of credentials for various applications and, at a minimum, remember multiple passwords.

An ESSO system, used in concert with the latest generation of biometric sensors, provides a better, more convenient and secure solution. Retailers realize that security is a must, but security solutions cannot interfere with employees doing their jobs effectively, efficiently and safely. With a biometrically enabled ESSO, one simple enrollment allows for multiple uses across the whole enterprise— from entering the employee-only area to going into the warehouse to using the POS system or entering time and attendance data. This holistic view of enterprise security is vital and provides an integrated identity management system that is much more reliable and cost-effective because it eliminates the problems of having multiple identities tracked over an ever-increasing number of disconnected access points.

A biometrically enabled ESSO eliminates end-user frustrations of keeping up with multiple passwords and lost tokens. Investing in an ESSO with a biometric completes a retailer’s enterprise security by merging all authentication needs to a single finger and providing an irrefutable audit trail.

Multispectral Imaging Assists Biometric Verification

For many years, retailers and other organizations did not realize the lower cost and smaller footprint of fingerprint biometrics because legitimate, authorized employees were rejected by the fingerprint scanning system. The optical and electronic technologies used by conventional fingerprint scanners had error rates from 5 to 20 percent, depending on the environment. With the number of people employed in retail chains, those error rates are just too high.

The core problem is that conventional technologies rely on unobstructed and complete contact between the fingerprint and the sensor. This contact is hard to achieve if the user’s hands are wet, dry or dirty.

To read a fingerprint, these units, whether optical or electrically based, need the employee to lay a fingertip directly on the platen, and they need the fingerprint ridges to make good electrical or optical contact with the device. In addition, they also need the valleys between the fingerprints to fill with air. Dirt, water or any other contaminant could fill those valleys or not allow the ridges to make good contact with the platen. The result was bad images that lead to bad reads.

Are your employees meticulously clean? Consider that dry fingertips are common— caused by anything from climate conditions and natural skin characteristics to frequent hand washing and air travel. For instance, a high desert climate, like Las Vegas, causes dry fingers. In a more humid environment, such as Miami, moisture creates problems.

Most optical sensors are configured to look for the presence or absence of total internal reflectance (TIR), which is the phenomenon in which the interface between glass and air acts as a mirror at certain angles. The contact between the skin and the platen defeats the TIR, allowing those points of contact between the finger and the sensor to be imaged. Thus, those points of contact must be complete and unobscured to enable the conventional sensor to collect a fingerprint image. Establishing firm and complete contact with the sensor is difficult with dry fingers because there is not enough moisture in the skin and the skin is not pliable enough to facilitate the contact necessary for TIR imaging.

A newer technology, based on using multiple wavelengths of light and advanced polarization techniques, can extract unique fingerprint characteristics from both the surface and subsurface of the skin. It unleashes the subsurface fingerprint to provide results that are more consistent, more inclusive and more tamper resistant. A dirty, calloused, wet or dry fingerprint is still readable with multispectral imaging because the subsurface fingerprint can still be read even if the outer fingerprint is unreadable.

Biometrics gives back what could possibly be the most important asset that an employee can offer in a retail environment—increased productivity. Productivity growth is important because it means that a retailer can meet its growing obligations and still stay competitive or even improve its competitiveness within its vertical market.

The Future of Biometric Deployments in Retail

Adopting biometric technology in a retail environment eliminates the need for log-on IDs and passwords. An employee can’t borrow a swipe card or a PIN to perform a transaction or override what is above his or her permission level because a manager must be physically present to offer biometric authentication for the authorization to be completed. That’s just the beginning.

There is a burgeoning desire by retailers to introduce the aforementioned “personal experience” to their customers. To launch a whole new mode of customer service, they want to deploy the “customer facing” technologies decribed in the men’s store example. What’s simpler than using a finger tap to access a customer’s loyalty account and provide payment?

Yes, installing and implementing biometrics in their businesses will give retailers added peace of mind—they will rest easier knowing that the data they depend on is safe and secure. As biometric technology has improved and more POS products have become available, biometrics have become affordable to retailers of all sizes.

This article originally appeared in the June 2012 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3