Biometrics In Access Control

Nov. 1, 2008
Authentication is the essential ingredient in all access control, determining if the individual is authorized to enter. The more authentication factors used, the more effective the access control.

Security awareness may be at the highest levels ever. Just about everyone shares concerns over national security, identity theft, school and public safety, protecting their property, or keeping their homes and workplaces safe.
Logical access control addresses the issues associated with protecting electronic assets such as data and networks from unauthorized use, disruption or theft.

Physical access control endeavors to control access into premises by requiring persons to pass through a physical barrier in order to enter. Once someone gets through the physical security layer, they very well may also have to then negotiate a logical security layer, for example when they attempt to log on to their computer.
Biometric access is a hot topic these days, and this technology is used for both physical and logical access control and for both authentication and identification.

Authentication is the essential ingredient in all access control, determining if the individual is authorized to enter.

Factors used to authenticate an individual are:

•           What you know (for example, a password)
•           What you have (for example a ‘valid’ credential)
•           Who you are (for example, your fingerprint, an example of Biometrics)

Electronic access control uses one of these factors for the purpose of identification of the person requesting access. For higher security, an additional factor is added to further authenticate the individual’s identity. The more authentication factors used, the more effective the access control.

Security started with a formidable physical barrier, which blocks entry until the person wishing to enter is visually identified. Once upon a time, the guards’ eyes did the authentication by recognizing the person. Maybe the guard would demand a document or a password as well.

In other cases a person needed a key to open a mechanical lock. Possession of the key was all that was required. Later mechanical keypad locks controlled access by requiring the entry of a pass code. All users were issued the same pass code.

Technology then began making quantum leaps. This is the time frame in which most Locksmith Ledger readers have been locksmiths. You probably participated in this era of technological transition in security.
So all our new technology is just a redeployment of traditional access control techniques, automating the processes and eliminating human intervention in the process.

THE DAWN OF BIOMETRICS
Biometrics are being used increasingly in access control for authentication (verification) or identification.
Biometric technologies make a template of some unchangeable characteristic of a person which can be used for a variety of purposes.

Biometric technologies can be used to authenticate that a credential is being used by the person to whom the credential was issued, or confirm that the biometric characteristic or trait (for example, a finger) being presented to the access control system matches the one stored in the system’s database.

Biometric Verification: When a biometric reader is used in conjunction with a smart card, the biometrics authenticates the identification of the cardholder by comparing the biometric characteristic presented to the reader with the template stored on the credential. By using the card with biometrics, you eliminate the possibility of a stolen credential.

Automated Positive Identification: When a standalone biometric reader is used without a credential containing a template, it is used for identification. The finger or hand is compared with database of enrolled templates. In some cases, the database is stored right in the door unit. Most systems of this type have a limit to how many templates they can store due to memory constraints. “On line” biometric readers, which are connected to a host computer database, compare the entrant’s biometric profile with those stored in the biometric database.

A number of biometric technologies and characteristics are in use. Which one is the best? This is the subject of much contention between not only vendors but also consortiums that make studies and comparisons.

There are number of human characteristics which have been studied and implemented into Biometrics.

•           finger print
•           hand scan
•           iris scan
•           retinal scan
•           hand vascular
•           facial recognition
•           Infrared imaging
•           voice, handwriting/keyboard dynamics and other behavioral pattern analysis

Biometrics can be further divided into the following three categories.

Behavioral Traits are activities which a person does in a regular, learned or otherwise consistent manner. Examples are handwriting, keyboard dynamics and voice verification.

Topological Traits are physiological characteristics which remain reasonably stable enough throughout an individual’s lifetime to serve as bioidentifiers. Examples are fingerprints, hand geometry and facial features.

Discrete Traits are neither behavioral nor topological. Discrete traits may not be acquired without the knowledge and consent of users nor be used to track persons. Retinal vasculature is an example of a discrete trait.

SELECTING BIOMETRIC TECHNOLOGY
The factors which the locksmith can take in to consideration when selecting or recommending biometrics include:

Risk Assessment: What budget amount can be justified based on the perceived level of threat to which the target is exposed?

Throughput Required: This means how many individuals the system will be required to screen, and how fast must this be accomplished without creating delays and user frustration.

Existing system capabilities: Many Biometric upgrades are possible without having to run cabling or changing system head-ends. Many Biometric deployments involve totally new installation, while others are standalones with minimal infrastructural requirements.

End-User Reaction: Some people don’t want to touch things Many view Biometrics and actually any form of security as an intrusion on their privacy and freedom, rather than systems intended to ensure their safety and security

Reliability, Efficiency and Ease of Use: Every person who will use the system will have to be ‘enrolled’. The identity of every person using the system must be verified. Misreads or malfunctions will cause big problems.

ERROR RATES
In a biometric device, the False Accept and False Reject Rates can be affected by increasing or decreasing the sensitivity of the device. The two rates are inversely proportional and can be likened to an alarm system. When your alarm is very sensitive, the probability of a success burglary (a false accept) is very low. Yet the chances of accidentally setting off the alarm (a false reject) are higher. Reduce the sensitivity and the number of false alarms will go down, but then you increase the chances of being robbed.

How much each error rate is affected by altering the sensitivity is a characteristic of each manufacturer’s device. A device may offer an extremely low False Accept Rate at a given sensitivity, but the corresponding False Reject Rate may be totally unacceptable. The balance of the two error rates for a given application is critical to the success of a biometric installation.

Equal Error Rate is the point where the two error rates equal one another. The corresponding sensitivity setting for the Equal Error Rate is found on the lower axis. The Equal Error Rate can be a good indication of the biometrics’ all around performance. The smaller the Equal Error Rate, the better.

Many physical security providers have missed the reported stampede towards some of the market leaders, as reported by some of the trades, and of course by the manufacturers of these products.

Our own company installed a Korean Biometric standalone lock a couple of years ago, and immediately began regretting it. The moral here is: pick hardware from a reputable manufacturer with warranty protection and technical expertise.

But then again, the head locksmith for one of our major accounts, (a state university) dropped by the shop recently and remarked to me that he was using those very same locks, and he was getting great pricing and support and dealing with the Korean company’s New Jersey headquarters direct.

TIME & ATTENDANCE
Physical and logical access control actually converge with a time and attendance system, because the same unit may be used to both control entry into a premises and also provide enter employee attendance data into the employer’s database.

As we remarked in a recent review of the CCTV Imports Time & Attendance Unit; biometrics can be used in these situations to reduce abuses which might occur if a non-authenticated credential or password is used with the system.
The trend is undeniably towards an increased deployment of Biometric-based access controls. This is fueled by federally propelled mandates, and the inescapable fact that biometrics works and it will continue to become more reliable and economical.

About the Author

Tim O'Leary

Tim O'Leary is a security consultant, trainer and technician who has also been writing articles on all areas of locksmithing & physical security for many years.