Evaluating Accuracy
- By Mark Clifton
- Aug 01, 2016
Installers and system integrators must consider a wide range of readers and
credential types in the evaluation process when designing an access control
system. Determining the appropriate solution for an application will depend
on a needs assessment conducted with the end user to define specific functionality,
compatibility and operational criteria for the new system. Among
the products that may be considered are legacy card readers, keypads, keycards,
integrated lock devices, proximity readers and biometric technologies—and all the
credentials each of these devices will require.
When it comes down to a final decision on access control technologies, one
key question is, which of these products and/or combination of devices delivers
the accuracy, security and cost-efficiency to best meet your defined system
criteria and budget?
Before exploring the answer to this question, it’s important to understand the
basic concept of identity, which affects nearly every aspect of security.
Identity is particularly vital with access control, where the decision to allow an
individual to enter any secured area depends on the ability to determine if he or
she is authorized to be there. Therefore, physical security depends on the ability to
connect authorities and permissions to the particular individuals who hold them.
This connection between identity and permission is critical for triggering actions,
including opening a particular door, admitting visitors, issuing keys, accessing sensitive
or valuable materials and more. This is why identity verification in security
systems—and particularly access control systems—is so important.
CONFIRMING IDENTITY
So, how can a person’s identity be confirmed? Generally speaking, the methods
used to confirm the authorization—and identity—of a person for security purposes
can be broken down into three categories: something you have, something
you know or something you are.
A card reader is an example of “something you have,” namely an access card.
For access control systems, other examples include a company badge, proximity
tokens and even garage door openers. Documents such as driver’s licenses and
passports may be used in staffed lobbies and security checkpoints. Whatever the physical “thing” may be the common
weakness is that it can be lost, stolen or
loaned to someone else.
One way to reduce the likelihood
of loss or theft is the “something you
know” approach to confirming identity
and authorization within a security
system. Most often these are passwords
or passcodes. In some cases, the
answer to security questions—such as
favorite food or first school—may also
be used. Unlike physical credentials,
these codes are harder to misplace in a
way that would allow them to be used
by imposters, but they can be vulnerable
to guessing or hacking using social
engineering techniques. They can also
be easy to forget, which is especially
true of strong passwords that contain
letters, numbers and symbols. Similar
to physical credentials, they are easy to
loan to another person simply by telling
them.
Commonly referred to as biometrics,
“something you are” is the third
of these approaches. Examples of these
credentials include fingerprints, palm
veins, facial features and one or both
irises. These offer two significant security
advantages over the first two approaches:
first, they offer higher identity
accuracy and therefore security, and
second, they are more difficult to lose,
steal or lend.
Many access control systems in
businesses use card readers for enabling
access. In these situations, an access
card is the sole means of confirming
the identity of the individual carrying
it, and the decision to authorize access
is made based on an individual presenting
a pre–programmed access card. The
card serves as confirmation of the person
carrying it. Obviously, this is the
lowest level of identity verification because
cards can be stolen, loaned, lost
or duplicated, making the link between
credential and identity tenuous and
vulnerable at best.
Without physical identity verification,
the reader cannot confirm that the
user is in fact the individual to whom a
card has been assigned. Two-factor authentication
(i.e., access card plus PIN
or password) is a security improvement,
but even that can be defeated with
skimmers and cameras that are readily
available. Organizations that use card
readers have determined that the low
level of security is sufficient for their
needs; the truth is that every member
of their staff is a potential weak point
or vulnerability that could allow criminals
or others with malicious intent to
gain entry.
It is clear that of the three main
methodologies, biometrics has the
strongest link to an individual’s identity,
making it best suited for ensuring
the security of an access control
system. Within this general category,
the main biometric identifiers used to
verify identity are fingerprints, facial
and iris recognition.
FINGERPRINTS
Fingerprints are thought to be unique to individuals,
and can therefore be used for biometric identity
confirmation. One positive aspect of this modality
is that most people don’t mind having their fingerprints
recorded. Fingerprint readers are easy to use
and require no special environmental conditions—
the messy ink of yesterday has been replaced with
digital scanners that take only a second or two to
capture the pattern.
As for drawbacks, fingerprints typically require
physical contact with something that’s been touched
by other people, which poses a hygiene issue, particularly
during the cold and flu season. Fingerprints also
change over time and as a consequence of activity—
for example, age, scarring, calluses and other factors
can change fingerprints enough to prevent matching.
FACIAL RECOGNITION
Faces contain features that can be used for individual
identification. These include the relative position, size
and shape of facial elements such as the distance from
forehead to chin and eye to ear, for example. Biometric
systems capture selected identifiers and turn them
into a unique code, which is stored in the reference database
and compared to other images to find a match.
One advantage of facial recognition is that it can
be performed using a simple image—for both enrollment
and identity verification. However, facial
characteristics can be easily modified with make-up,
hairstyle, facial hair, glasses and similar alterations
that could prevent a match. Plus, faces are naturally
unstable, with features changing over time—so people
must be regularly re-enrolled to maintain accuracy.
IRIS RECOGNITION
Excluding DNA, iris recognition is one of the most
accurate among current biometric modalities. Iris
identity authentication is also fast—it can take less
than a second and readings are non-contact and noninvasive.
In the past, iris recognition systems tended
to be more expensive than other methods, but new
models leverage technology advances in processing
power, cameras, and LED illumination, making them
available at surprisingly affordable costs. Fixed readers
are available, as well as high-throughput systems
that can perform iris-based recognition while users
walk by at normal speed.
There are still misconceptions in the market about
biometrics in general and iris readers in particular.
Some facts and an explanation of how iris reader
technology works might help to debunk some of these
mistaken beliefs. First, remember that reading an iris
is not a retina scan. The retina is a layer at the back
of the eye’s interior, and requires a relatively intrusive
scan to capture. The iris is the clearly visible colored
portion of the eye, and can be captured with a camera
in a process similar to taking a photo.
The iris pattern has desirable properties for verification
compared to other biometrics because of
its uniqueness, stability over time and relatively
easy accessibility. And iris recognition has high accuracy
among biometrics. According to Cambridge
biometric expert Dr. John Daugman, a typical iris
is extremely complex, with more than 200 degrees
of freedom that can be used for identification. This
complexity allows for the development of far more
accurate identification systems than could ever be
achieved with fingerprints (which have only about 35 degrees of freedom) or faces (which have about
20). Plus, an iris cannot be shared or lost, and iris
readers cannot be deceived by makeup, hair or clothing
changes. Some readers can capture an iris image
through eyeglasses, sunglasses and contact lenses,
even in outdoor environments.
GREATER VALUE AND ROI
Because of its non-contact nature, iris recognition
technology can be deployed in locations such as
pharmaceutical manufacturing where users may wear
gloves, at a construction site or port when hands may
be dirty or in environments where users wear protective
clothing.
As an identity management solution, iris readers
have been deployed in applications as diverse as
federal, state and local law enforcement, correctional
facilities, travel and border security, healthcare, financial
services and sports and entertainment venues, in
addition to mainstream security locations.
The accuracy of iris recognition systems for identity
authentication extends their potential use beyond
security to applications such as workforce management,
inventory control, logical access and more.
For example, consider the efficiency and productivity
gains that result from using iris recognition for time
and attendance, making “buddy punching” impossible.
By eliminating extra steps between punching
in, recording hours, processing payroll and performing
analytics, iris recognition is also more convenient.
These and other non-security applications increase
the value of iris recognition systems and deliver greater
return on investment for end users.
In general, a higher degree of accuracy translates
into a higher level of security, and vice versa. Card/
badge-based and PIN/password-based access control
systems cannot accurately determine whether the user
is who he or she claims to be. For this potentially difficult
task, biometrics is the only one of the three main
access control and credentialing methods that can do
the job most effectively.
Technology advances in processing power, cameras
and LEDs have made iris reader systems available
at much more competitive costs, and new form
factors are rapidly increasing their reach. Iris biometric-
embedded tablets, for instance, combine the
accuracy and convenience of iris recognition with
the functionality and customization of a mobile
computing platform for increased security levels.
Other new systems on the market offer high speed,
making it possible for users to simply walk through
a checkpoint without stopping.
Without question, biometrics is the most fool-proof
of the credentialing methods used to verify identity,
and today’s iris readers meet all three of the main
evaluation criteria for access control systems: accuracy,
security and cost-effectiveness. As more organizations
place greater emphasis on risk management,
iris readers are being deployed in growing numbers to
strengthen access control and identity management
systems that increase the level of security while delivering
numerous additional benefits. In any evaluation
of access control systems, biometrics—specifically iris
readers—should not only be part of
the conversation but should move to
the top of the list.
This article originally appeared in the August 2016 issue of Security Today.