Boosting Identity
Knowing who’s who is imperative when so much relies on it
- By Phil Scarfo
- Aug 01, 2012
Today, decision makers can raise the bar on enterprise security without
raising the complexity for their users. With the introduction of multispectral
imaging, biometrics has become reliable enough to deal with
the fundamental issue of knowing “who” with a much higher degree
of confidence. Knowing “who” makes it possible to design systems
that enable rather than block and creates a wide range of identity management
solutions, such as convenient theme park entry and secure ATM transactions.
Knowing “who” also can streamline access to buildings and data, support
enterprise single-sign-on solutions (ESSO) and ensure authorized use of assets,
equipment and machinery. In short, by making biometrics authentication a practical
reality, CIOs can lower risks, reduce costs and improve efficiencies. In fact, by
linking physical identity to myriad digital identities, identity and access management
(IAM) solutions become much more powerful.
There is no meaningful access management without first establishing the “who”
in transactions. Who is accessing my facility? Who is punching the time clock?
Who is withdrawing funds from that ATM? The question is always “Who?”
Cards, tokens, PINs and passwords are, at best, tools to provide an approximate
identity. Thus, users can present a credential—something they know like a password
or something they have like a swipe card—to “authenticate” their identity.
But these credentials alone simply cannot substantiate identity.
Thus, while access and authorization have always been granted to individuals,
knowing a password or having a key is only superficially related to the authorized
person, and neither can establish “who”; only a biometric can do that. Add to that
the domination of smart mobile devices, and people have more digital identities to
remember. Smart devices are being used to authenticate online transactions and
are the containers for our most secure credentials.
NFC-enabled smartphones are likely to make matters even worse. It is now
possible to replace cards with virtual credentials on a smartphone. These credentials,
when linked to one’s unique identity, provide an easier, simpler way to pay
for merchandise. The customer just taps his or her smartphone to a cash register.
NFC-enabled smartphones also could be provisioned to provide access to buildings,
data or devices.
The simple problem here is that virtual credentials still verify only that somebody
has the phone. Without a biometric, you can only hope that the person using
the phone is the person who is authorized to use it.
That again shows why user authentication, and specifically biometric identity
management, is becoming more and more important. Let’s look at some industries
and how they can take IAM to the next level.
A Cure for Healthcare IAM
Access to pharmaceuticals has become a real challenge in most hospital environments.
It is extremely important that only specifically authorized people, such as
pharmacists and certain nurses, have access to controlled substances in hospitals.
Verifying “who” is imperative—and something that cannot be determined by a card
or password alone. Today, if you extend biometric authentication of drug access
to other systems in a hospital—shared workstations, patient medical records, time clocks—the hospital can improve workflow
efficiency, save costs at help desks,
advance patient safety and privacy and
facilitate regulatory requirements. Time
and attendance is automated, and the
opportunities for buddy punching are
erased; compliance mandates are met,
both on the physical and logical access
control sides; and nobody checks in
with help desks because they have lost
their fingers.
Thus, biometrics becomes extremely
important in a hospital’s IAM scenario.
For example, administrators would
know exactly who handled patient
Jones’ Vicodin, when laundry room
associate Carter checked in for work
and when he left, if files coordinator
Smith went into the computer center
and when accounts payable clerk
Hernandez checked on patient Jones’
billing status. Officials have the assurance
of knowing who is who, not just
what is being carried at the time. Thus,
verifying “who” provides greater security
while simultaneously providing an
opportunity to streamline and improve
workflow and facilitate any number of
benefits throughout the hospital, ranging
from auto-filing a form in a way
that is most useful to that particular
user to enabling better provisioning
and rights management.
The electronic prescribing of medications
is an application that is increasingly
reliant on the “what you are” of
biometrics to satisfy regulatory requirements.
E-prescribing enables a physician
to transmit prescriptions electronically
to a pharmacy via a computer or
mobile device. These systems are typically
integrated with electronic medical
records and help prevent harmful
drug interactions and incorrect dosing.
There are rules and protocols in place
to ensure that only authorized medical
professionals can order prescriptions
electronically. One such rule, issued by
the Drug Enforcement Administration
(DEA), requires doctors and pharmacists
to use two-factor authentication
when electronically prescribing controlled
substances.
According to DEA, the doctor or
pharmacist creating the prescription
must authenticate with two of the following:
something you know (a knowledge
factor), something you have (a hard
token stored separately from the computer
being accessed) and something
you are (biometric information). The
state of Ohio paved the way for this two-factor
approach to e-prescribing; today,
biometrics is a common component of
effective and convenient two-factor e-prescribing
solutions in that state.
A hospital makes an easy case for
the use of biometrics in IAM systems.
Biometrics has long been used for access
control; taking biometrics beyond
this common application into the hospital
with its complex systems dealing
with scores of standards and regulations
just makes sense. But, does biometrics
in IAM play such an important
role in other settings?
Identity Fraud – Who is Who?
Several massive biometric banking
projects are being rolled out in markets
such as Latin America, South Africa
and India. As the world attempts to
cut back on the problems of ID theft
and reduce waste, fraud and abuse, the banking sector will be huge for IAM and biometric authorization. While the cost
of identity theft and fraudulent online transactions continues to grow, the industry
must, at some point, look for ways to ensure that these transactions and personal
identities are secured.
As face-to-face transactions become rare and online commerce continues to
grow, accurate authentication becomes more difficult to achieve. Current systems
that deploy multiple passwords, pass phrases and other knowledge-based identification
are better but not sufficient for ensuring that the right individual is at the
end of that transaction. Data losses and the growing number of system attacks
place any of these credentials at risk. Ultimately, biometrics raises the security
level and provides a better guarantee of user authentication.
Worldwide, different laws and sensibilities allow a diverse implementation of
biometrics in large-scale private and public projects. The coupling of government-issued
ID documents to private projects enables the intelligent use of biometrics
for customer identity verification at an ATM or service counter. The South Africa
Banking Risk Information Centre (SABRIC) asked banks to take active measures
to become “safe, secure and risk free.” As a result, several large regional banks in
the country began to plan and focus on measures to eliminate fraud and adopt
identity systems that would utilize biometrics as a means to achieve their goals. In
India, initiatives related to financial inclusion and public distribution systems also
turned to biometrics as a means of securing field transactions and ensuring that
the citizens were protected and that government services were being provided to
those who were authorized to receive those benefits.
Biometric ATMs are becoming common in many countries such as Brazil. A
simple two-factor approach has the banking customer using a card plus a biometric
to ensure that the user is authorized and legitimate. Oftentimes, the card
may include a biometrics template and the matching can be done either locally or
online. Another banking application is a portable, handheld device that can authenticate
both user and service provided to ensure proper delivery of the service
and provide a complete non-repudiated audit trail of those transactions.
Tracking Cargo, Verifying Fleet Maintenance Personnel
In transportation applications, the control of assets via RFID tagging coupled with biometrics allows carriers not only to track merchandise and goods but also
to maintain a proper chain of custody—identifying who is loading and unloading
containers and transporting the goods.
Even further, with the introduction of telematics, people are managing very
expensive assets remotely, and they want to know everything and anything about
these assets, including the last time the oil was changed and real-time information
about the RPM of a particular engine in a particular vehicle. What they don’t
know now is “who” is in control of the asset. They don’t know who is driving it or
who is servicing that particular piece of machinery. So, you can imagine the value
proposition of being able to add the “who” on top of all the other elements that
are known about these assets.
Who Are You?
Lastly, there is a burgeoning desire by the hospitality and retail markets to expand
the “personal experience” of their customers to a whole new level. They want to
launch a whole new mode of customer service that combines the use of biometrics
and RFID. For instance, when Joe arrives at a cruise ship (or men’s store, etc.), he
checks in with his fingerprint. An RFID bracelet—or his credit card—tracks where
he is. As he approaches a steward, the steward says, “Good afternoon, Mr. Jones.
Will you want to eat out on the deck again or inside today?” At the men’s store, the
sales clerk might ask, “Mr. Jones, would you be interested in our shirt sale? Many of
them would go great with the blue pinstripe suit you recently purchased.” And, of
course, payment is made with a finger tap. In this way, biometrics provides the “who”
that allows organizations to customize the whole customer experience.
A Sullied Past
For many years, the promise of biometrics has not been fully realized because
performance in the lab is not representative of performance in the field. The core
problem is that conventional biometric technologies rely on unobstructed and
complete contact between the fingerprint and the sensor, a condition that is elusive
in the real world—a world that is wet, dry and dirty.
However, that was then; this is now. Multispectral imaging is a sophisticated
technology designed to overcome the fingerprint-capture problems that conventional
imaging systems have in less-than-ideal conditions. This more-effective technology
is based on using multiple spectrums of light and advanced polarization
techniques to extract unique fingerprint characteristics from both the surface and
subsurface of the skin.
Interestingly, the fingerprint ridges seen on the surface of the finger have their
foundation beneath the surface of the skin, in the capillary beds and other subdermal
structures. The fingerprint ridges we see on our fingertips are merely an echo
of the foundational “inner fingerprint.”
Unlike surface fingerprint characteristics, which can be obscured by moisture,
dirt or wear, the “inner fingerprint” lies undisturbed and unaltered beneath the
surface. When surface fingerprint information is combined with subsurface fingerprint
information and reassembled in an intelligent and integrated manner, the
results are more consistent, more inclusive and more tamper-resistant.
Today, biometrics can be used in more places and more applications for sophisticated,
economical and convenient credential management. More than 40 million
people are already enrolled in multispectral imaging-based systems at locales ranging
from the classic door access control situation to the gates of the world’s largest
theme parks.
Organizations in many industries are searching for IAM solutions.
Today, biometrics that provide a clean read on the first try
are finally available to offer the needed mix of user convenience,
cost savings and unquestionable compliance.
This article originally appeared in the August 2012 issue of Security Today.