Boosting Identity

Knowing who’s who is imperative when so much relies on it

Today, decision makers can raise the bar on enterprise security without raising the complexity for their users. With the introduction of multispectral imaging, biometrics has become reliable enough to deal with the fundamental issue of knowing “who” with a much higher degree of confidence. Knowing “who” makes it possible to design systems that enable rather than block and creates a wide range of identity management solutions, such as convenient theme park entry and secure ATM transactions.

Knowing “who” also can streamline access to buildings and data, support enterprise single-sign-on solutions (ESSO) and ensure authorized use of assets, equipment and machinery. In short, by making biometrics authentication a practical reality, CIOs can lower risks, reduce costs and improve efficiencies. In fact, by linking physical identity to myriad digital identities, identity and access management (IAM) solutions become much more powerful.

There is no meaningful access management without first establishing the “who” in transactions. Who is accessing my facility? Who is punching the time clock? Who is withdrawing funds from that ATM? The question is always “Who?”

Cards, tokens, PINs and passwords are, at best, tools to provide an approximate identity. Thus, users can present a credential—something they know like a password or something they have like a swipe card—to “authenticate” their identity. But these credentials alone simply cannot substantiate identity.

Thus, while access and authorization have always been granted to individuals, knowing a password or having a key is only superficially related to the authorized person, and neither can establish “who”; only a biometric can do that. Add to that the domination of smart mobile devices, and people have more digital identities to remember. Smart devices are being used to authenticate online transactions and are the containers for our most secure credentials.

NFC-enabled smartphones are likely to make matters even worse. It is now possible to replace cards with virtual credentials on a smartphone. These credentials, when linked to one’s unique identity, provide an easier, simpler way to pay for merchandise. The customer just taps his or her smartphone to a cash register. NFC-enabled smartphones also could be provisioned to provide access to buildings, data or devices.

The simple problem here is that virtual credentials still verify only that somebody has the phone. Without a biometric, you can only hope that the person using the phone is the person who is authorized to use it. That again shows why user authentication, and specifically biometric identity management, is becoming more and more important. Let’s look at some industries and how they can take IAM to the next level.

A Cure for Healthcare IAM

Access to pharmaceuticals has become a real challenge in most hospital environments. It is extremely important that only specifically authorized people, such as pharmacists and certain nurses, have access to controlled substances in hospitals. Verifying “who” is imperative—and something that cannot be determined by a card or password alone. Today, if you extend biometric authentication of drug access to other systems in a hospital—shared workstations, patient medical records, time clocks—the hospital can improve workflow efficiency, save costs at help desks, advance patient safety and privacy and facilitate regulatory requirements. Time and attendance is automated, and the opportunities for buddy punching are erased; compliance mandates are met, both on the physical and logical access control sides; and nobody checks in with help desks because they have lost their fingers.

Thus, biometrics becomes extremely important in a hospital’s IAM scenario.

For example, administrators would know exactly who handled patient Jones’ Vicodin, when laundry room associate Carter checked in for work and when he left, if files coordinator Smith went into the computer center and when accounts payable clerk Hernandez checked on patient Jones’ billing status. Officials have the assurance of knowing who is who, not just what is being carried at the time. Thus, verifying “who” provides greater security while simultaneously providing an opportunity to streamline and improve workflow and facilitate any number of benefits throughout the hospital, ranging from auto-filing a form in a way that is most useful to that particular user to enabling better provisioning and rights management.

The electronic prescribing of medications is an application that is increasingly reliant on the “what you are” of biometrics to satisfy regulatory requirements. E-prescribing enables a physician to transmit prescriptions electronically to a pharmacy via a computer or mobile device. These systems are typically integrated with electronic medical records and help prevent harmful drug interactions and incorrect dosing. There are rules and protocols in place to ensure that only authorized medical professionals can order prescriptions electronically. One such rule, issued by the Drug Enforcement Administration (DEA), requires doctors and pharmacists to use two-factor authentication when electronically prescribing controlled substances.

According to DEA, the doctor or pharmacist creating the prescription must authenticate with two of the following: something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed) and something you are (biometric information). The state of Ohio paved the way for this twofactor approach to e-prescribing; today, biometrics is a common component of effective and convenient two-factor eprescribing solutions in that state.

A hospital makes an easy case for the use of biometrics in IAM systems. Biometrics has long been used for access control; taking biometrics beyond this common application into the hospital with its complex systems dealing with scores of standards and regulations just makes sense. But, does biometrics in IAM play such an important role in other settings?

Identity Fraud – Who is Who?

Several massive biometric banking projects are being rolled out in markets such as Latin America, South Africa and India. As the world attempts to cut back on the problems of ID theft and reduce waste, fraud and abuse, the banking sector will be huge for IAM and biometric authorization. While the cost of identity theft and fraudulent online transactions continues to grow, the industry must, at some point, look for ways to ensure that these transactions and personal identities are secured.

As face-to-face transactions become rare and online commerce continues to grow, accurate authentication becomes more difficult to achieve. Current systems that deploy multiple passwords, pass phrases and other knowledge-based identification are better but not sufficient for ensuring that the right individual is at the end of that transaction. Data losses and the growing number of system attacks place any of these credentials at risk. Ultimately, biometrics raises the security level and provides a better guarantee of user authentication.

Worldwide, different laws and sensibilities allow a diverse implementation of biometrics in large-scale private and public projects. The coupling of governmentissued ID documents to private projects enables the intelligent use of biometrics for customer identity verification at an ATM or service counter. The South Africa Banking Risk Information Centre (SABRIC) asked banks to take active measures to become “safe, secure and risk free.” As a result, several large regional banks in the country began to plan and focus on measures to eliminate fraud and adopt identity systems that would utilize biometrics as a means to achieve their goals. In India, initiatives related to financial inclusion and public distribution systems also turned to biometrics as a means of securing field transactions and ensuring that the citizens were protected and that government services were being provided to those who were authorized to receive those benefits.

Biometric ATMs are becoming common in many countries such as Brazil. A simple two-factor approach has the banking customer using a card plus a biometric to ensure that the user is authorized and legitimate. Oftentimes, the card may include a biometrics template and the matching can be done either locally or online. Another banking application is a portable, handheld device that can authenticate both user and service provided to ensure proper delivery of the service and provide a complete non-repudiated audit trail of those transactions.

Tracking Cargo, Verifying Fleet Maintenance Personnel

In transportation applications, the control of assets via RFID tagging coupled with biometrics allows carriers not only to track merchandise and goods but also maintain a proper chain of custody—identifying who is loading and unloading containers and transporting the goods.

Even further, with the introduction of telematics, people are managing very expensive assets remotely, and they want to know everything and anything about these assets, including the last time the oil was changed and real-time information about the RPM and a particular engine in a particular vehicle. What they don’t know now is “who” is in control of the asset. They don’t know who is driving it or who is servicing that particular piece of machinery. So, you can imagine the value proposition of being able to add the “who” on top all of the other elements that are known about these assets.

Who Are You?

Lastly, there is a burgeoning desire by the hospitality and retail markets to expand the “personal experience” of their customers to a whole new level. They want to launch a whole new mode of customer service that combines the use of biometrics and RFID. For instance, when Joe arrives at a cruise ship (or men’s store, etc.), he checks in with his fingerprint. An RFID bracelet—or his credit card—tracks where he is. As he approaches a steward, the steward says, “Good afternoon, Mr. Jones. Will you want to eat out on the deck again or inside today?” At the men’s store, the sales clerk might ask, “Mr. Jones, would you be interested in our shirt sale? Many of them would go great with the blue pinstripe suit you recently purchased.” And, of course, payment is made with a finger tap. In this way, biometrics provides the “who” that allows organizations to customize the whole customer experience.

A Sullied Past

For many years, the promise of biometrics has not been fully realized because performance in the lab is not representative of performance in the field. The core problem is that conventional biometric technologies rely on unobstructed and complete contact between the fingerprint and the sensor, a condition that is elusive in the real world—a world that is wet, dry and dirty.

However, that was then; this is now. Multispectral imaging is a sophisticated technology designed to overcome the fingerprint-capture problems that conventional imaging systems have in less-than-ideal conditions. This more-effective technology is based on using multiple spectrums of light and advanced polarization techniques to extract unique fingerprint characteristics from both the surface and subsurface of the skin.

Interestingly, the fingerprint ridges seen on the surface of the finger have their foundation beneath the surface of the skin, in the capillary beds and other subdermal structures. The fingerprint ridges we see on our fingertips are merely an echo of the foundational “inner fingerprint.”

Unlike surface fingerprint characteristics, which can be obscured by moisture, dirt or wear, the “inner fingerprint” lies undisturbed and unaltered beneath the surface. When surface fingerprint information is combined with subsurface fingerprint information and reassembled in an intelligent and integrated manner, the results are more consistent, more inclusive and more tamper-resistant.

Today, biometrics can be used in more places and more applications for sophisticated, economical and convenient credential management. More than 40 million people are already enrolled in multispectral imaging-based systems at locales ranging from the classic door access control situation to the gates of the world’s largest theme parks.

Organizations in many industries are searching for IAM solutions. Today, biometrics that provide a clean read on the first try are finally available to offer the needed mix of user convenience, cost savings and unquestionable compliance.

This article originally appeared in the August 2012 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3