A Perfect Match

Consider multiple options for deployment of biometric authentication

As more organizations implement biometrics, it is not uncommon to see an iris reader used to control access to an IT server room, a fingerprint sensor integrated into a laptop computer for desktop logon or a facial recognition system used to clock in on a factory floor. Although these are excellent examples of the use of biometrics, for many organizations the question remains, “Should we be using a biometric, and if so, what type?”

Whether the application is used for physical access control to a building, logical access control to a PC or time and attendance functions, biometric verification offers a number of benefits over traditional methods of authentication. Biometric verification is more productive and convenient than traditional methods and eliminates the need to remember multiple PINs or passwords. Additionally, each biometric is unique to a person, thus ensuring high-accuracy authentication for access control.

Which Solution is Right?
While there are no hard and fast answers regarding which biometric method works best for an organization, there are several issues, including regulatory compliance and/or government standards, that compel companies to consider deploying specific types of biometric installations.

The intense pressure for governance and compliance impacts organizations by amplifying the focus on security policies, controls, auditability and identity assurance. With increased regulatory considerations, including accounting and insurance security audits, these regulations and programs drive the need for multifactor authentication, especially where unsecured access to sensitive locations or information can lead to dire consequences. For instance, the government’s TWIC program requires that a biometric be enrolled on a smart card to access facilities, protecting U.S. ports from potential terrorist infiltration.

While most biometric solution providers offer both server and smart card-based methods of template storage and distribution, a smart card-based method enhances the privacy of biometric templates while reducing system installation costs and complexity. The result is an increased return on investment for the organization. Overall, the right biometric system will reduce costs and/or improve productivity such that it will pay for itself in a reasonable period of time, so long as the secondary authentication is protecting something of high value.

Deployment Within a Network
If an organization is looking to increase security within a facility, biometrics easily can be integrated into existing access control systems. Most biometric devices are equipped to support traditional Wiegand output, as well as bidirectional serial communication. Implementing biometrics can be as simple as adding a standard keypad or card reader. In this case, the question of where to install biometrics within the existing access control framework often arises.

Every organization’s needs are different, which often results in a tailored biometric installation. Organizations must weigh their need for increased security against cost, as well as increased throughput time and environmental considerations. For instance, organizations with larger physical spaces and security-sensitive locations, such as an airport, tend to install more biometrics to protect these locations, such as data centers and sterile areas. In contrast, organizations with few employees and less sensitive locations install biometric access on a smaller portion of physical access points like IT server rooms while using a biometric time and attendance system to ensure proper employee clock-in and clock-out.

For biometric installations at perimeter locations, an organization should consider that throughput time will increase. To prevent bottlenecks at main entrances, enough entry points should be available for employees. This is especially important for employees who use a biometric time and attendance application that requires them to clock in for their workday. For biometrics that will be installed on outdoor perimeters, consider a biometric that can perform and is rated for your climate. Additionally, it is important to work with a large portfolio of biometric products that can provide a variety of options, ensuring that the installation is tailored to meet the organization’s needs.

Application of Biometrics
Beyond standard access control, biometrics can be leveraged for other applications, including providing business efficiencies in the areas of time and attendance and logical access. Within the time and attendance space, biometrics can be used to confidentially support self-management at a PC terminal.

For instance, when an employee uses a biometric system to request time off or a shift change, the system is assured that the employee is the one who made the request. This helps to minimize the overhead of human verification and improves the ROI within an organization.

There are additional benefits of using a biometric. Once it can be positively confirmed who executed a transaction at a PC terminal using a biometric, more sensitive data can be shared, enabling employees to check their vacation time status, request time off and view short but important messages. The biometric adds non-repudiation, which is important when dealing with personnel issues.

What Should be Used?
Once the decision is made to deploy biometrics, the next question is usually, “What type of biometric should be used?” While there is no standard answer, there are several considerations for choosing which type of system to deploy, including:

Privacy. During enrollment, users often ask, “Is my biometric securely stored or will this be shared with any government agency?” Although biometrics are typically not shared, users often do not accept the argument and remain concerned with letting their information be stored on a server. In these cases, a better approach is to store the biometric on the user’s smart card and nowhere else. The template is read during the verification process and then discarded by the reader.

Cost. The key is to focus on the total cost of deployment and ongoing use, including the direct cost of the biometric equipment, as well as the cost associated with training users and maintaining the system.

Ease-of-use/traffic. For very high-traffic areas, such as the entrance to a large building, it may be necessary to use multiple readers to avoid delaying employees during peak traffic times.

Installation environment. For environments where hands are used a lot for other tasks, the condition of the fingers may reduce the effectiveness of fingerprints. Even the best sensors have a difficult time reading wet and dirty fingers. In that type of environment, an iris-based biometric may be an effective solution, since no direct physical contact is required. Facial recognition—which performs best when the lighting at authentication is similar to when the user was enrolled—may require the biometric to be used in the same location every time, which can be impractical or problematic for portable use.

Form factor. This is a more sensitive topic when looking at the logical access arena. As travel restrictions become more prevalent and limitations are placed on carry-on luggage, it can be cumbersome to carry an extra peripheral for authentication when conducting PC log-on and single sign-on. This is where built-in biometrics is extremely beneficial.

Accuracy. The degree of accuracy desired must be balanced against speed and ease-of-use. For larger organizations with a biometric database that may have up to 100,000 records, it is not realistic to expect to identify a person in one second solely from a fingerprint presented at a door. Iris and retinal scans, while generally considered to be more accurate, are more time intensive.

Smart-Card Biometrics
Smart cards minimize the overhead when dealing with biometric template management and distribution. Rather than storing biometrics on a server and distributing them over a wired network, a smart card-based system allows biometric templates to be carried by the card holder. By using smart cards, biometric templates are mobile and easily can transact with the biometric reader in the field, eliminating the need for the templates to be added, stored or purged on back-end systems.

With smart cards, security is often enhanced and privacy concerns are addressed with biometric template storage only residing on a secure card. Also, coupling a smart card with biometrics for some logical access applications can advance security, improve convenience for the end user and minimize help-desk calls for forgotten passwords in single sign-on cases.

System administration also is made easy with smart cards, as there is no need to download templates to biometric readers or worry about template capacity within the reader. Smart cards deliver template storage to an unlimited number of users. Additionally, the investment in smart cards returns an incremental benefit when adding more applications to the card.

The Algorithm Factor
Smart card-based systems also address privacy concerns by employing mutual authentication and encryption to protect the biometric template on the card. Algorithm choice also is something to consider when selecting a biometric system. There are two primary algorithms: a one-to-one and a one-to-many algorithm.

A one-to-one algorithm verifies the end user’s real-time data—fingerprint image or iris image—against his or her template. This algorithm requires that both a credential and real-time biometric data be supplied to initiate verification. A credential provides a unique identifier for the end user and/or the biometric template(s). Examples of credentials include iCLASS® and MIFARE contactless smart cards, magnetic stripe cards and keypad entry.

A one-to-many algorithm attempts to locate or identify an end user’s biometric information from a database of templates. The end user is only required to provide his or her real-time biometric data to the device; no card or PIN is required to initiate the process.

Although each algorithm has its advantages and ideal installation scenarios, a one-to-one algorithm is generally considered more secure and accurate. For a one-to-one biometric device, the end user must always supply at least two factors of authentication: the credential—what you have—and the candidate data—who you are. One-to-many algorithms attempt to match the candidate data to a potentially large database of templates. A one-to-one algorithm is only comparing candidate data against the template(s). These basic factors lower the probability for a false acceptance to occur within a one-to-one device. This system also addresses broader privacy concerns, as there is no database of biometric templates that can be hacked. Additional security can be achieved when factoring in the use of smart cards, which creates another layer of security via a diversified unique key specific to the site.
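To make the false-acceptance argument above concrete, the following is an added example (not from the article or any vendor's product) that models both matching modes with a constructed toy matcher: templates are random 64-bit strings, a comparison "matches" when the Hamming distance is at or below an assumed threshold, and impostor attempts are scored in 1:1 mode (only the card-held template is compared) and in 1:N mode (every enrolled template is a chance to match).

```python
import random

BITS = 64
THRESHOLD = 20   # max Hamming distance counted as a match (assumed toy value)


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two 64-bit templates."""
    return bin(a ^ b).count("1")


def verify_one_to_one(card_template: int, live_sample: int) -> bool:
    """1:1: the credential (card) supplies exactly one template; the reader
    compares the live sample with it and keeps nothing afterwards."""
    return hamming(card_template, live_sample) <= THRESHOLD


def identify_one_to_many(database: list[int], live_sample: int) -> bool:
    """1:N: no credential; the live sample is searched against every
    enrolled template and any single hit counts as an acceptance."""
    return any(hamming(t, live_sample) <= THRESHOLD for t in database)


def one_to_many_far(per_comparison_far: float, n_templates: int) -> float:
    """Closed form: probability that at least one of N independent
    comparisons falsely accepts, given the single-comparison FAR."""
    return 1.0 - (1.0 - per_comparison_far) ** n_templates


def simulate_false_accepts(n_templates: int = 1000, trials: int = 500,
                           seed: int = 7) -> tuple[float, float]:
    """Run impostor attempts (samples unrelated to any enrolled template)
    and return (1:1 false-accept rate, 1:N false-accept rate)."""
    rng = random.Random(seed)
    database = [rng.getrandbits(BITS) for _ in range(n_templates)]   # constructed enrolment set
    fa_one_to_one = fa_one_to_many = 0
    for _ in range(trials):
        impostor = rng.getrandbits(BITS)   # constructed live sample of a non-enrolled person
        # 1:1: the impostor presents some enrolled user's card, so only that template is compared
        if verify_one_to_one(rng.choice(database), impostor):
            fa_one_to_one += 1
        # 1:N: the impostor presents only a live sample; every template is a chance to match
        if identify_one_to_many(database, impostor):
            fa_one_to_many += 1
    return fa_one_to_one / trials, fa_one_to_many / trials


if __name__ == "__main__":
    r11, r1n = simulate_false_accepts()
    print(f"1:1 false-accept rate: {r11:.4f}   1:N false-accept rate: {r1n:.4f}")
    print(f"closed form, per-comparison FAR 0.002, N=1000: {one_to_many_far(0.002, 1000):.4f}")
```

With the toy threshold the per-comparison false-accept probability is roughly 0.002, yet searching 1,000 templates pushes the system-level rate above 0.8, which is the effect the article's preference for 1:1 matching rests on.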
