Biometrics At The Tipping Point

June 18, 2014
Using biometrics in multiple-factor authentication provides a high level of security and fast throughput

Biometrics is not a new phenomenon.  Drawings made during the cave man era show a palm print identifier made by the artist.  Five hundred years ago the Chinese used palm and footprints as a means of child identity. Certain skull measurements and lengths of fingers were used to assist in identifying individual criminals during the 19th century.

A popular use for biometrics during the 20th century has been to maintain identities of criminals. Any other use for biometrics was seldom considered due to the extended amount of time it took to manually search fingerprint records in order to find a possible match. Today’s electronic systems can search through thousands of fingerprint files within seconds, and manufacturers have quickly found new ways to add biometric devices to the list of available access control credentials.

Credentials used for controlling access come in several forms. A long-standing credential has been a mechanical key. Electronic devices are taking an increasing share of the access control field and keypads were one of the first credentials to be used. Card access systems have an increasing role as an access control credential. Early cards contained bar codes. Bar code cards evolved into magnetic stripe cards.  Proximity card usage has become predominant over the last decade while smart proximity cards which contain additional security against cloning are slowly supplanting the original proximity card systems.  A current addition to the list of access control credentials is the smart phone.

Additional security can be gained by requiring dual credentials such as a keypad code and a card. But keys, keypads, cards and smart phones have one thing in common. A PIN or a physical object such as a key, card or phone can be transferred from one person to another. When a key, card or PIN number is used, there is no way to be certain that only the authorized person has used one of these transferrable credentials.

Biometric credentials are not transferrable. A biometric credential cannot be lost or stolen. Authorization for gaining access depends on 'who,' 'what' and 'why.' Biometrics is the only available credential today which can positively answer the 'who' question.

Biometric measurements are said to be different for each person in the world. Even a close similarity is estimated to only occur in one case out of 60 billion humans.  Repugnant ideas such as using a severed finger to operate a fingerprint reader have been counteracted by manufacturer reader options which can check for normal blood flow or body heat in the finger being used before someone can gain access. 

Biometrics can be used in two different ways. Police use biometrics for identification. Fingerprints taken from a criminal are compared to a huge database of fingerprints. If a match is found, that criminal can be positively identified. The same is true for DNA. But the high cost of equipment used for searching large databases and the time involved in conducting the search make biometrics identification an unwieldy system for building access control purposes.

Because the police use fingerprints for identification, some people have grown to believe that fingerprint readers could be an invasion of privacy. People may think that a fingerprint used by an access control system may somehow be added to a police identification program. Biometric Information contained in an access control system is saved as a mathematical formula, not as a real fingerprint picture. Information from a fingerprint or hand scan is changed to a similar mathematical formula and the mathematics are compared. Mathematical access control biometric readings are not usable by the police for identification purposes.

Biometrics can also be used for authentication. By developing a small list of biometric scans only for the group of people who are allowed to enter a given area, the authentication search through this short list can be completed in milliseconds. If two credentials are used, such as a proximity card and biometrics, a search is only required to cross-reference the card holder to the one biometrics listing for that individual and the search process can be accomplished even faster.

Fingerprint identification is the most widely recognized type of biometrics.  A simple finger touch on a small reader screen begins the authentication process. Security product manufacturers are also offering products for conducting hand geometry scans, facial geometry scans and iris scans. Some scanning systems only require a user to be in close proximity to the viewing screen. As example, a user might put his hand on a wire rack and the reader will take an image of the hand characteristics for authentication.  In the work-a-day world many people are not prepared to stand patiently in front of a facial viewer or spread their fingers as needed for a hand scan. Improvements in the usage comfort level of these products may be required before they gain wider acceptance.

Drawbacks to biometric authentication include limited amounts of individuals who can be enrolled in a access control system before the authentication process becomes too slow for normal usage. At one time a generally accepted figure was approximately a maximum of 200 users.  Maximum users allowed in an access control system have increased as the capability of computers has increased.  Access control systems on some college campuses now have biometric users ranging in the tens of thousands.

Accuracy in biometrics readings is measured by False Rejection Rate (FRR) or False Acceptance Rate (FAR). FRR is a measure of the percentage of authorized persons who are rejected by the system and cannot enter. FAR is a measure of the percentage of unauthorized persons who are wrongly allowed to enter. Manufacturers have developed several methods of using smaller or larger amounts of biometric information to determine authentication. When using more information, authentication may be more accurate but the process may be slowed. When using less information, authentication may be determined more quickly but the chances of a false reading may increase.

Modern fingerprint sensors use multiple spectrums of light to determine fingerprint characteristics from both the skin surface and below the skin surface. Moisture, dirt and blemishes can obscure readings on the skin surface but lower levels of the skin can provide added information to fill in any missing information before authentication. 

Past and present access control credentials have closely followed public demand.  Keys, keypads, cards and even cellphones are devices which can be touched and held.  As public awareness of the electronic evolution continues to grow, increased acceptance of new and different ways of personal identification will follow.  Use of biometrics in the access control field is a logical progression of events whose time has come.

Q & A: Zwipe’s Kim Humborstad

Zwipe is an example of how biometrics technology is being utilized in the access control field. Zwipe technology consists of a small fingerprint reader mounted into special cards. Zwipe cards can be configured to operate with an existing building card-based access control system. A card holder must touch the fingerprint reader on the card while using the Zwipe card.  Cards are activated and access is granted only if card-holder biometrics data matches the biometrics data pre-enrolled on the card.

Fingerprint data is captured by the on-card fingerprint scanner and is thereafter encrypted and stored only inside the card. No exchange of data is conducted with external systems. This provides secure template management since the fingerprint never leaves the card. It also eliminates user concerns with privacy issues. The card is unique to the user and only the authorized card holder can activate card communication with the reader. When a positive match occurs, the Zwipe biometric card will activate encrypted communication with the lock or reader in the same way as other ISO 14443 contactless smart cards.

Zwipe CEO Kim Humborstad answered our questions about Zwipe.

What technology is the Zwipe credential? It there proximity capability?

Zwipe is compatible with 125 khz Prox, 13.56Mhz Mifare Classic and 13.56 Mhz Mifare Desfire.

Where has this product been deployed?

It is deployed in commercial office buildings (banks, lawyer offices, etc) and universities (to protect labs).

What are the benefits for the user?

No PIN numbers to remember, no external databases (fingerprint data never leaves the card), easy to operate. 

What are the benefits for building management?

Lost or stolen cards no longer pose a security threat. Cards cannot be passed from person to person which creates an ironclad audit trail.  The system operates with existing contactless readers and is highly secure and trustworthy.

If the credential is stolen, what prevents the fingerprint template from being cloned?

It is impossible to get the fingerprint template.

How is a fingerprint enrolled?

It is similar to enrollment on an iPhone 5. Enrollment is directly on the card. The first time a person uses the card, he or she must touch the sensor on the card several times until a complete template is made.

What fingerscan algorithm is used and can its parameters be 'tuned'?

The algorithm is proprietary to Zwipe. It has been developed over a five-year period and is patent protected. Some of its features include ultra-low power consumption and a robust detection method. It will only detect live fingers.

How durable is the finger scanner?

It is tested mechanically with more than 10 million usages (in a machine).

Is special apparatus or software required to deploy or manage the credentials?

No special apparatus or software is required. However, we do offer a web-based tool to support the enrollment process. Standard access control equipment is used for implementing the card into the existing card access system.  

Do end-users enroll more than one finger (in case the primary finger is injured)?

Yes, it is possible to enroll all 10 fingers in our new card.

What is the advantage of offering this product to their access control customers?

You are now able to offer a biometric solution to customers who already have a card-based access control system and generate a new revenue stream.

Where can Zwipe products be purchased?

Zwipe: Cards are sold through the Farpointe channel in the United States. For more information, visit www.zwipe.com.