From the Product Manager's POV

Hirsch Electronics is no stranger to introducing new products or winning accolades among its peers. At the ISC West competition, Hirsch won a special achievement award in the Security Industry Association's New Product Showcase in Las Vegas. We thought readers should know more about the RUU-201 Verification Station, so we talked to Scott Howell of Hirsch Electronics.

Q. The RUU-201 received the industry's special achievement award. What makes the verification station so special?
A.
The judging committee said the Special Achievement award is given "in recognition of outstanding accomplishment in technical innovation." The verification station is unique, highly secure and it can be used in a variety of applications. I like to describe it as a 4x4: four factors and four applications. It is one of the first four-factor authentication devices available on the market—card, code, fingerprint and PKI certificate check—so that delivers the high-security assurance. And, it can be used in four ways: at card issuance to verify the card recipient's identity before card handover, as a door/gate controller, as an enrollment device to populate a physical access control system with card data and as a standalone or networked verification station to verify identities anytime, anywhere.

Q. The verification station must be compatible with a variety of applications. What are the most popular uses of the product?
A.
Many customers use the verification station strictly as an identity verification device, before handing over a card or at a manned ID checking station. Most customers that use the verification station as a door reader configure it for identity authentication and then forward the verified identity to the access control panel for authorization (lock release), to control who goes where when. Assuming the access control database is kept up to date (ideally, via a real-time link from the HR/personnel system), even a recently terminated employee will be denied entry, even if their identity was verified by their PIN and fingerprint.

Q. Today, security technology is on the cutting edge. What technologies does the verification station incorporate?
A.
The verification station is a convergence device. It integrates several technologies, including a privacy-sensitive scrambling keypad, contact and contactless smart card readers, biometric fingerprint reader and a six-line LCD display. The unit is IP-addressable, and it includes ports for a door or other relay, Ethernet, Wiegand, RS-485 and RS-232.

Q. Identity verification is important in many industries. For what market was the verification station created?
A.
It was originally designed to help federal government facilities comply with HSPD-12 and the standards published by NIST as FIPS 201. However, the unit is really taking off in non-government, non-FIPS 201 applications, as well. Hirsch is seeing strong sales of the unit into non-FIPS 201 applications. It can be used with non-PIV smart cards, such as MIFARE and DESFire. Prisons, hospitals, universities, as well as state governments and first responders are the early adopters so far.

Q. How does the verification station help a federal agency comply with FIPS 201?
A.
An agency would be hard-pressed to comply with the standard without some type of full-featured identity and card verification device. Let's say a sponsor requests a card for an employee, then the registrar does the background check, and the signatory approves the issuance. Finally, the issuer prints and encodes the card, and the applicant is ready to pick it up. But how can the issuer be sure the card works and that they are giving it to the right person? That card must be tested right in front of the issuer, using some type of verification station to check the card's readability, the PIN code acceptance and fingerprint match. That is just one example—card issuance, where the verification station helps agencies comply with FIPS 201. It closes the loop on the process and confirms interoperability before the card is ever used for logical or physical access.

There are many other ways the verification station can help agencies comply with FIPS 201 because of its ability to read a PIV card's expiration date and Federal Agency Smart Credential-Number from the CardHolder Unique IDentity container in the smart card's processor.

Q. I understand the Verification Station uses a fingerprint and PIN differently than is historically done with physical access applications. How so?
A.
Most fingerprint readers require that users be pre-enrolled in the reader or access control system. That pre-enrollment requirement is a real problem for those traveling to multiple locations, and it means the organization does not have card or identity interoperability between sites.

In compliance with FIPS 201, the Hirsch verification station uses a more interoperable and user-friendly model whereby the encoded fingerprint data is locked inside the smart card and is unlocked and passed to the reader only after a valid PIN entry. The verification station then performs a one-to-one match of the live finger's print to the card's print. In the FIPS 201 model, the PIN is not issued by the local access control system administrator to be used by the access control system as a second factor of authentication, as was historically done. Rather, the PIN is issued by the central card issuer and used to ensure privacy of the personal identity information stored on the card.

The key here is that government users don't have to be pre-enrolled. Any PIV cardholder can go to any agency at any site in the world and have their identity verified using the verification station—now, that's interoperability. Once identity is authenticated, local authorities or the access control system can determine the appropriate authorization to doors, areas and computers. The process of identity verification (authentication) is separated and administered discretely from the process of granting access (authorization). This idea of using the PIN to unlock the biometric template stored on the card was brought to the forefront by the government's IT-centric FIPS 201 standards, and it is a useful model for ensuring privacy both in the public and private sectors.

Q. Of course, security is of the utmost importance. How does it secure the PIN code?
A.
The verification station incorporates a Hirsch ScramblePad, a unique, time-tested, high-security digital keypad. Using the ScramblePad, the PIN cannot be accidentally shared with, or stolen by, onlookers. Each numeral is randomly scrambled to a new position every time the "start" button is pressed, so a bystander cannot ascertain the finger pattern or telltale wear marks. Also, the ScramblePad's internal viewing restrictors allow only the person directly in front of the keypad to see the numbers.

Q. What are the benefits of verification station-assisted enrollment into the physical access control system?
A.
Speed, accuracy and consistency. For example, authorized employees visiting from another site can have their identities verified quickly, and then the appropriate data on the card can be instantly imported into the local site's access control system, without a keystroke and without having to go to the personnel or security office. Typos and other data entry errors are avoided. And Thomas is consistently entered as Thomas, rather than Tom. That leaves only the step of assigning authorization privileges to the cardholder, which can be further simplified using role-based access control.

Q. Along the lines of being a "converged" solution, how does the verification station use the IP network?
A.
The verification station is Ethernet-ready and IP addressable, and it plugs right into the local site's TCP/IP network infrastructure, if desired. One can use the network to access and configure the RUU-201. And, the RUU-201 can use the network to communicate to a card management system, identity management system or physical access control system. Additionally, the RUU-201 can use a network to do a real-time PKI certificate check with an internal or third-party certificate authority over the LAN/WAN or Internet to ensure the card has not been revoked by the original issuer.

Q. What is the PKI certificate check all about, and what is its value?
A.
Public key infrastructure is a security tool that has become popular with IT departments to verify the identity of a person logging onto the network, to electronically sign e-mail and to verify the authenticity of a document. The verification station can validate a PKI certificate stored on the card. It works like this: After the card, PIN and fingerprint are read, the verification station (if configured for PKI-check mode) obtains the certificate from the card. The verification station sends the certificate out its Ethernet port and across the LAN/WAN/Internet network, via a secured connection, to a certificate authority, such as an online credential status provider or credential revocation list. The card's certificate is checked by the OCSP or CRL, and a result (e.g., certificate "valid" or "revoked") is returned to the verification station for appropriate action.

Thus, in the case of a recently terminated employee, even though the cardholder's PIN, unique number (e.g., FASC-N) and fingerprint may be valid, the verification station will reveal the card's certificate to be invalid. This extra step—the PKI certificate check—is important for many applications. However, the local site or physical access control system must establish communication to the card issuer's infrastructure and use an OCSP or a CRL to use this feature.

Q. So this is an "edge reader" then, distributing intelligence to the edge of the IT network?
A.
Right. In fact, it is one of the first true edge readers on the market. In comparison to the other products we've seen on the market, the Hirsch verification station is the most sophisticated, integrated and secure edge reader available. It's more than a reader though, because it can communicate with the identity management system, card management system and physical access control system. And it can serve as a four-factor, high-security identity verification unit and as a standalone door controller.

Q. Is the verification station integrated with solutions from other companies?
A.
Yes. The verification station is part of an integrated, end-to-end solution for FIPS 201 compliance offered by Hirsch and its partners. Hirsch's partners include the leading players in the IDMS, CMS and enterprise database solution sectors. The verification station also can be used with Hirsch's Velocity Security Management System, and it can be used as a door reader attached to nearly any brand of access control system.

Scott Howell is the manager of worldwide marketing for Hirsch Electronics.
