A Perfect Match
Consider multiple options for deployment of biometric authentication
- By Damon Dageenakis
- Sep 01, 2008
As more organizations implement biometrics, it
is not uncommon to see an iris reader used to
control access to an IT server room, a fingerprint
sensor integrated into a laptop computer for desktop
logon or a facial recognition system used to clock in
on a factory floor. Although these are excellent examples
of the use of biometrics, for many organizations the
question remains, “Should we be using a biometric, and
if so, what type?”
Whether the application is used for physical access
control to a building, logical access control to a PC or
time and attendance functions, biometric verification
offers a number of benefits over traditional methods of
authentication. Biometric verification is more productive
and convenient than traditional methods and eliminates
the need to remember multiple PINs or passwords.
Additionally, each biometric is unique to a person, thus
ensuring high-accuracy authentication for access control.
Which Solution is Right?
While there are no hard and fast answers regarding which
biometric method works best for an organization, there
are several issues, including regulatory compliance and/or
government standards, that compel companies to consider
deploying specific types of biometric installations.
The intense pressure for governance and compliance
impacts organizations by amplifying the focus on security
policies, controls, auditability and identity assurance.
With increased regulatory considerations, including
accounting and insurance security audits, these regulations
and programs drive the need for multifactor
authentication, especially where unsecured access to
sensitive locations or information can lead to dire consequences.
For instance, the government’s TWIC program
requires that a biometric be enrolled on a smart card to
access facilities, protecting U.S. ports from potential terrorist
While most biometric solution providers offer both
server and smart card-based methods of template storage
and distribution, a smart card-based method enhances the
privacy of biometric templates while reducing system
installation costs and complexity. The result is an
increased return on investment for the organization.
Overall, the right biometric system will reduce costs
and/or improve productivity such that it will pay for itself
in a reasonable period of time, so long as the secondary
authentication is protecting something of high value.
Deployment Within a Network
If an organization is looking to increase security within
a facility, biometrics easily can be integrated into existing
access control systems. Most biometric devices are
equipped to support traditional Wiegand output, as well
as bidirectional serial communication. Implementing
biometrics can be as simple as adding a standard keypad
or card reader. In this case, the question of where to
install biometrics within the existing access control
framework often arises.
Every organization’s needs are different, which often
results in a tailored biometric installation. Organizations
must weigh their need for increased security against
cost, as well as increased throughput time and environmental
considerations. For instance, organizations with
larger physical spaces and security-sensitive locations,
such as an airport, tend to install more biometrics to protect
these locations, such as data centers and sterile
areas. In contrast, organizations with few employees and
less sensitive locations install biometric access on a
smaller portion of physical access points like IT server
rooms while using a biometric time and attendance system
to ensure proper employee clock-in and clock-out.
For biometric installations at perimeter locations, an
organization should consider that throughput time will
increase. To prevent bottlenecks at main entrances,
enough entry points should be available for employees.
This is especially important for employees who use a
biometric time and attendance application that requires
them to clock in for their workday. For biometrics that
will be installed on outdoor perimeters, consider a biometric
that can perform and is rated for your climate.
Additionally, it is important to work with a large portfolio
of biometric products that can provide a variety of
options, ensuring that the installation is tailored to meet
the organization’s needs.
Application of Biometrics
Beyond standard access control, biometrics can be leveraged
for other applications, including providing business
efficiencies in the areas of time and attendance and logical
access. Within the time and attendance space, biometrics
can be used to confidentially support self-management
at a PC terminal.
For instance, when an employee uses a biometric system
to request time off or a shift change, the system is
assured that the employee is the one who made the
request. This helps to minimize the overhead of human
verification and improves the ROI within an organization.
There are additional benefits of using a biometric.
Once it can be positively confirmed who executed a transaction at a PC terminal using a biometric,
more sensitive data can be
shared, enabling employees to check
their vacation time status, request time
off and view short but important messages.
The biometric adds non-repudiation,
which is important when dealing
with personnel issues.
What Should be Used?
Once the decision is made to deploy biometrics,
the next question is usually,
“What type of biometric should be
used?” While there is no standard
answer, there are several considerations
for choosing which type of system to
Privacy. During enrollment, users
often ask, “Is my biometric securely
stored or will this be shared with any government
agency?” Although biometrics
are typically not shared, users often do
not accept the argument and remain concerned
with letting their information be
stored on a server. In these cases, a better
approach is to store the biometric on the
user’s smart card and nowhere else. The
template is read during the verification
process and then discarded by the reader.
Cost. The key is to focus on the total
cost of deployment and ongoing use,
including the direct cost of the biometric
equipment, as well as the cost associated
with training users and maintaining
Ease-of-use/traffic. For very hightraffic
areas, such as the entrance to a
large building, it may be necessary to use
multiple readers to not delay employees
during peak traffic times.
Installation environment. For environments
where hands are used a lot for other
tasks, the condition of the fingers may
reduce the effectiveness of fingerprints.
Even the best sensors have a difficult time
reading wet and dirty fingers. In that type
of environment, an iris-based biometric
may be an effective solution, since no
direct physical contact is required. Facial
recognition—which performs best when
the lighting at authentication is similar to
when the user was enrolled—may require
the biometric to be used in the same location
every time, which can be impractical
or problematic for portable use.
Form factor. This is a more sensitive
topic when looking at the logical access
arena. As travel restrictions become more
prevalent and limitations are placed on
carry-on luggage, it can be cumbersome
to carry an extra peripheral for authentication
when conducting PC log-on and
single sign-on. This is where built-in biometrics
is extremely beneficial.
Accuracy. The degree of accuracy
desired must be balanced against speed
and ease-of-use. For larger organizations
with a biometric database that may have
up to 100,000 records, it is not realistic to
expect to identify a person in one second
solely from a fingerprint presented at a
door. Iris and retinal scans, while generally
considered to be more accurate, are
more time intensive.
Smart cards minimize the overhead when
dealing with biometric template management
and distribution. Rather than storing
biometrics on a server and distributing
them over a wired network, a smart cardbased
system allows biometric templates to be carried by the card holder. By using
smart cards, biometric templates are
mobile and easily can transact with the
biometric reader in the field, eliminating
the need for the templates to be added,
stored or purged on back-end systems.
With smart cards, security is often
enhanced and privacy concerns are
addressed with biometric template storage
only residing on a secure card. Also,
coupling a smart card with biometrics for
some logical access applications can
advance security, improve convenience
for the end user and minimize help-desk
calls for forgotten passwords in single
System administration also is made
easy with smart cards, as there is no need
to download templates to biometric readers
or worry about template capacity within
the reader. Smart cards deliver template
storage to an unlimited number of users.
Additionally, the investment in smart cards
returns an incremental benefit when
adding more applications to the card.
The Algorithm Factor
Smart card-based systems also address
privacy concerns by employing mutual
authentication and encryption to protect
the biometric template on the card.
Algorithm choice also is something to
consider when selecting a biometric system.
There are two primary algorithms: a
one-to-one and a one-to-many algorithm.
A one-to-one algorithm verifies the end
user’s real-time data—fingerprint image or
iris image—against his or her template.
This algorithm requires that both a credential
and real-time biometric data be supplied
to initiate verification. A credential
provides a unique identifier for the end
user and/or the biometric template(s).
Examples of credentials include iCLASS®
and MIFARE contactless smart cards,
magnetic stripe cards and keypad entry.
A one-to-many algorithm attempts to
locate or identify an end user’s biometric
information from a database of templates.
The end user is only required to provide
his or her real-time biometric data to the
device; no card or PIN is required to initiate
Although each algorithm has its advantages
and ideal installation scenarios, a
one-to-one algorithm is generally considered
more secure and accurate. For a oneto-
one biometric device, the end user must
always supply at least two factors of
authentication: the credential—what you
have—and the candidate data—who you
are. One-to-many algorithms attempt to
match the candidate data to a potentially
large database of templates. A one-to-one
algorithm is only comparing candidate data
against the template(s). These basic factors
lower the probability for a false acceptance
to occur within a one-to-one device. This
system also addresses broader privacy concerns,
as there is no database of biometric
templates that can be hacked. Additional
security can be achieved when factoring in
the use of smart cards, which creates
another layer of security via a diversified
unique key specific to the site.