Let The Finger Do The Talking
Retailers need to understand how access control can be integrated into identity management systems
- By Bill Spence
- Jun 01, 2012
Visualize this: You walk into a men’s store, approach the “personal
shopper” stand and place your finger onto a designated spot. A
personalized greeting appears on the monitor: “Good day, Mr.
Brigham. The last time you visited, you bought a blue pinstripe
suit. To thank you for your business, for any tie you buy today, pick
another at the same price or less for free. Your discount will appear at checkout.”
With a biometrically enabled loyalty system like that, past customers will want to
return to the store over and over again.
Today, retail decision makers can be less concerned about whether technology
works—with the introduction of multispectral imaging, even biometrics have become
reliable—and more interested in how access control can be integrated into
identity management systems for goals beyond the simple transaction of opening
a door. Also today, they can use biometrics in “customer-facing” applications like
loyalty programs. With the advent of the latest technologies, biometrics have been
successfully deployed at major theme parks and ATMs. Why shouldn’t the retail
industry take advantage of new biometrics technologies as well?
Can biometrics allow workflow to be streamlined by a single authentication
solution across an organization? Can user authentication be tied into safety systems,
as required by regulators or insurance providers? Can business patrons’ experiences
be enhanced by expanding the touch points that know who they are?
These questions are being asked today by retail CIOs who are demanding
seamless and holistic solutions to IAM challenges that revolve around
the question, “Who?”
The challenge has always been how to establish the “who” in transactions. Who
is accessing the warehouse? Who is punching the time clock? Who is the customer
standing in front of me? The question is always, “Who?”
Until now, the industry response to this question of “who” has been to use the
best available tools to approximate identity. Thus, customers can present a credential—
something they know like a password or something they have like a swipe
card—to authenticate their identity. However, credentials alone simply cannot
substantiate identity.
CIOs understand that others can know the password—it may have been shared,
found or observed. Cards and tokens show what somebody has, but possession
alone does not ensure identity; somebody else could have access to that card or
token via sharing or theft. Thus, while access and authorization have always been
granted to individuals, knowing a password or having a key is only superficially
related to the authorized person, and neither can establish who. Only a biometric
can do that.
Here’s an example of why it’s important to know who. Today, NFC-enabled
smartphones are starting to get a lot of press. It is now possible to replace cards
with virtual credentials on a smartphone. These credentials, when linked to one’s
unique identity, provide an easier, simpler way to pay for merchandise. The customer
just has to tap his or her smartphone to the cash register. NFC-enabled
smartphones also could provide better access to buildings, data or devices.
Nonetheless, virtual credentials still verify only that somebody has the phone.
Add a biometric to the phone and you know that the person using the phone is the
person who is authorized to use it.
Instead of a smartphone, retailers could implement finger biometrics and actually
understand who. After all, not all customers fit the phone-carrying demographic. And what about customers who forget to bring their cellphone? They
didn’t leave their finger at home! Let’s look at some retail applications and how
biometrics can help take retailers to the next level.
Eliminating the High Cost of Buddy Punching
Increasingly, retailers are discovering that time and attendance technologies, such
as barcode ID cards, proximity cards, PINs and manual punch clocks, are inexpensive
short-term fixes but, in the long run, they can be exploited and are susceptible
to fraud, rendering them a poor long-term solution. Biometrics solves this problem
by eliminating sharing, swapping, stealing and loss of PINs, passwords and ID
cards. This is especially true for big-box environments.
Every retailer knows that it is working in a very small-margin industry. Although
most employ some type of workforce management system, that initiative
is really no better than the data entered into it. And, much of that data is bad because
employees buddy-punch—clocking their friends in and out of work.
On average, 19 percent of employees admit that they have buddy-punched at
least once in the past year, and 74 percent of all companies report that they have
experienced a loss from buddy punching. It’s bad enough that the store misses
out on the expected labor of the missing employee. In addition, according to the
American Payroll Association, this practice costs companies between 5 and 7 percent
in payroll expenditures.
Wouldn’t it be nice to verify employees with the touch of a finger? A biometric
ensures that employees earn a day’s pay only when they are present to do a day’s
work. However, a biometrically enabled terminal is more than a simple time clock.
It transmits the employee’s in-and-out transactions to a company’s time/attendance/
payroll software. It also can display messages specific to an employee. Shift
schedules can be communicated and vacation balances retrieved—all enhancing
employee communication. Multiple units can be networked into a central time and
attendance recordkeeping system, and interface software can be tailored to meet
multiple recordkeeping needs, including programmable data management keys
that collect specific data when employees are verified.
Simple single-clock or multiple-unit systems can be connected at a variety of
sites over a full range of network topologies. Supervisors can enhance productivity
by performing a variety of functions at the terminal. They might override
user restrictions and input missed punches, planned vacations, sick time and other
information. This biometrically protected supervisor mode lessens the need for
computer edits, while audit trails for use of those functions ensure security. Even
bell schedules can be programmed to signal shift starts and stops as well as breaks.
For small retailers, the time and attendance application is the main incentive for
installing biometrics. But unlike the box store that might place biometric terminals
at employee doors, how does the ice cream parlor collect this data?
Who Is Operating the POS Terminal?
Small retailers have their employees clock in and out at the cash register, or the
POS terminal. How else could that biometric interface be used? What about opening
the register? Using a finger is certainly faster than using a PIN.
Plus, as a byproduct of having employees use their fingers to open the register,
the owner now has a record of exactly who was opening it during the window of
time some money was found missing—not simply a record of what PIN was keyed
in. The owner has irrefutable evidence of precisely which employees were in the
drawer. As a result, the owner knows who to talk to when there is shrinkage. Those
whose fingers were not used at that time won’t be bothered.
Of course, the same system can also be used in the big-box stores where transactions,
returns and other potentials for shrinkage run in the hundreds to thousands of opportunities per day.
Who Did What?
In auto repair and servicing, it becomes important to discern who fixed the car to
keep employees responsible for what they have done. That’s why such organizations,
which are similar to retail, have work orders that detail what was done and
by whom, which is typically entered into the system with a PIN. For instance, if Joe
isn’t really feeling up to it that day, he just enters Charley’s PIN. And when Mrs.
Jacobs’ car stalls on the freeway six miles from the shop, Joe doesn’t hear a word
about it. If Joe had to sign on with a finger, he might be a little more careful.
Creating an Enterprise Single Sign-On (ESSO) System
After considering these examples, all of which are in use today, ask yourself:
Would a retail organization like to have a system that offers authorized users
quick, easy access to specific information or use of particular data sets and enforces
document compliance with its policies and procedures? Of course, it would.
But in today’s complex world, authorized users are sometimes forced to carry different
forms of credentials for various applications and, at a minimum, remember
multiple passwords.
An ESSO system, used in concert with the latest generation of biometric sensors,
provides a better, more convenient and secure solution. Retailers realize
that security is a must, but security solutions cannot interfere with employees
doing their jobs effectively, efficiently and safely. With a biometrically enabled
ESSO, one simple enrollment allows for multiple uses across the whole enterprise—
from entering the employee-only area to going into the warehouse to using
the POS system or entering time and attendance data. This holistic view
of enterprise security is vital and provides an integrated identity management
system that is much more reliable and cost-effective because it eliminates the
problems of having multiple identities tracked over an ever-increasing number
of disconnected access points.
A biometrically enabled ESSO eliminates end-user frustrations of keeping up
with multiple passwords and lost tokens. Investing in an ESSO with a biometric
completes a retailer’s enterprise security by merging all authentication needs to a
single finger and providing an irrefutable audit trail.
Multispectral Imaging Assists Biometric Verification
For many years, retailers and other organizations did not realize the lower cost and
smaller footprint of fingerprint biometrics because legitimate, authorized employees
were rejected by the fingerprint scanning system. The optical and electronic
technologies used by conventional fingerprint scanners had error rates from 5 to
20 percent, depending on the environment. With the number of people employed
in retail chains, those error rates are just too high.
The core problem is that conventional technologies rely on unobstructed and
complete contact between the fingerprint and the sensor. This contact is hard to
achieve if the user’s hands are wet, dry or dirty.
To read a fingerprint, these units, whether optical or electrically based, need
the employee to lay a fingertip directly on the platen, and they need the fingerprint
ridges to make good electrical or optical contact with the device. In addition, they
also need the valleys between the fingerprint ridges to fill with air. Dirt, water or any
other contaminant could fill those valleys or prevent the ridges from making good
contact with the platen. The result is bad images that lead to bad reads.
Are your employees meticulously clean? Consider that dry fingertips are common—
caused by anything from climate conditions and natural skin characteristics
to frequent hand washing and air travel. For instance, a high desert climate, like Las Vegas, causes dry fingers. In a more
humid environment, such as Miami,
moisture creates problems.
Most optical sensors are configured
to look for the presence or absence of
total internal reflectance (TIR), which is
the phenomenon in which the interface
between glass and air acts as a mirror at
certain angles. The contact between the
skin and the platen defeats the TIR, allowing
those points of contact between
the finger and the sensor to be imaged.
Thus, those points of contact must be
complete and unobscured to enable
the conventional sensor to collect a fingerprint
image. Establishing firm and
complete contact with the sensor is difficult
with dry fingers because there is
not enough moisture in the skin and the
skin is not pliable enough to facilitate
the contact necessary for TIR imaging.
A newer technology, based on using
multiple wavelengths of light and advanced
polarization techniques, can extract
unique fingerprint characteristics
from both the surface and subsurface
of the skin. It unleashes the subsurface
fingerprint to provide results that are
more consistent, more inclusive and
more tamper resistant. A dirty, calloused,
wet or dry fingerprint is still
readable with multispectral imaging
because the subsurface fingerprint can
still be read even if the outer fingerprint
is unreadable.
Biometrics gives back what could
possibly be the most important asset
that an employee can offer in a retail
environment—increased productivity.
Productivity growth is important because
it means that a retailer can meet
its growing obligations and still stay
competitive or even improve its competitiveness
within its vertical market.
The Future of Biometric Deployments in Retail
Adopting biometric technology in a
retail environment eliminates the need
for log-on IDs and passwords. An employee
can’t borrow a swipe card or a
PIN to perform a transaction or override
what is above his or her permission
level because a manager must be physically
present to offer biometric authentication
for the authorization to be
completed. That’s just the beginning.
There is a burgeoning desire by retailers
to introduce the aforementioned
“personal experience” to their customers.
To launch a whole new mode of
customer service, they want to deploy
the “customer-facing” technologies
described in the men’s store example.
What’s simpler than using a finger tap
to access a customer’s loyalty account
and provide payment?
Yes, installing and implementing
biometrics in their businesses will give
retailers added peace of mind—they
will rest easier knowing that the data
they depend on is safe and secure. As
biometric technology has improved
and more POS products have become
available, biometrics have become affordable
to retailers of all sizes.
This article originally appeared in the June 2012 issue of Security Today.