ISJ Exclusive: Biometrics for access control
Nicolas Raffin, VP Marketing, Biometric Devices at IDEMIA explores why biometrics technology is being increasingly utilised.
In this paper, we will first examine the reasons why a company would deploy biometrics while it very likely already uses various security technologies. We will then look at the various biometric modalities used for access control and the key selection criteria based on specific needs. Finally, we will review how the market has been impacted by COVID-19 and how it has reacted and we will provide recommendations for successful biometric deployments in this very special context.
Being relatively new to the security industry, I am often surprised by the technologies still used by many companies for the security of their premises and therefore assets and staff. The payment industry, where I come from, is also strongly impacted and framed by security specifications imposed by schemes like Visa or Mastercard, or national or supranational authorities, like the EU regulation that imposes two-factor authentication for online payments.
But in the security industry, such obligations do not exist. Having worked for twenty years on improving the level of security of payment cards, up to recently embedding a fingerprint sensor, I was astonished to discover in a recent study that a huge percentage of companies are still using access badges/cards that are either by nature not secure (barcode, magstripe) or using RFID technologies that have widely-known security vulnerabilities. Such cards can easily be cloned and used, even without the company’s or holder’s knowledge. As pointed out in this study, “there is no direct means of determining if a system has been compromised, essentially worsening matters by providing a false sense of security”. Quite scary, isn’t it?
But that is also true with more recent RFID technologies: they cannot be cloned, but can be stolen, or “borrowed”, thus leading to possible intrusions. The main issue with an access badge is therefore: who is holding it when it is granted access on a reader?
It’s the famous three authentication factors: something you have (a badge that can be stolen or cloned), something you know (like a PIN code that can also be stolen) or something you…are (your physical characteristics: biometrics).
Only biometrics can ensure that the person passing that door or gate is the genuine employee with actual access rights, because your biometric data cannot be stolen or copied, provided of course you use the right biometric technology and devices.
It is not only national security agencies or nuclear plants that are candidates for biometrics. In fact, all companies that want to protect their assets and employees, and consider that the security provided by a badge is not enough for the above reasons, should deploy biometrics.
As most readers here certainly know already, biometric data is extracted from a human body part (a face, a fingerprint or an iris) through the isolation of multiple reference points converted via an algorithm into a digital record (“template”). This template, which is stored in the biometric device or in a server after the enrolment process, is used as the reference for comparison with the data extracted by the device each time the enrolled employee requests access. If the two sets of data match, the employee is granted access.
Even at this very high level of explanation, a first set of key criteria emerges for selecting the right biometric technology for your needs.
Adoption/acceptance: The chosen type of biometric modality (facial, iris, fingerprints…) can be based on the company’s security team’s evaluation or preferences, but it can also be influenced by cultural habits, or even take into account employees’ own preferences.
Accuracy: As we saw, the way biometrics work is mainly a comparison between a stored reference and data that is extracted on the spot. So obviously, the algorithms used to convert data points on a face or a fingerprint into a template and then do the matching must be very powerful, to avoid false rejects (that is, rejecting someone who is a genuine enrolled employee, which leads to frustration and disorganisation if this happens too often) or worse, false acceptance (that is, accepting someone who is NOT a genuine enrolled employee, so an intruder spoofing the system). And the system has to be accurate and reliable enough, even with large numbers of employees, as a biometric extraction performed at one given reader will be matched in 1:n mode against n (possibly tens of thousands) enrolled employees.
Anti-spoofing: Obviously, biometric equipment installed to provide a high level of security must not be easily tricked. It must therefore use efficient anti-spoofing hardware and software mechanisms, like false finger detection for a fingerprint reader and 3D/infrared cameras and image processing for facial recognition devices.
Algorithms: As we have seen, together with some key hardware components like the sensor for a fingerprint device or cameras for facial recognition, algorithms are an essential component. We recommend selecting products from vendors that develop their own algorithms and that rank high in the very stringent NIST evaluations.
Speed: From the above, we deduce that this biometric verification has to be very fast, as employees cannot start queuing in front of gates or doors, leading to other security or safety risks and a disastrous user experience. The best systems must offer throughput of at least 30 users per minute per device to provide fluidity and avoid queues.
User convenience: This is key for user adoption and satisfaction, but also to contain process-avoidance strategies with employees trying to find “tricks” to avoid using the access control system. So how easy is it to use the device? Do you need to prepare complete training sessions or is usage intuitive? In the case of facial recognition devices, will users have to stop and stare at the device or will it adjust automatically whatever their size or face angle? If the device is used for night-shift workers, can it work efficiently in very low light conditions or even total darkness thanks to infrared cameras, or will it have to send a dazzling white LED flash into the eyes?
Enrolment: This is a key step because this is when the biometric data is originally captured for subsequent authentications. So this process must be very secure, but also quick and efficient.
Deployment: Part of the cost of deploying biometric devices will come from the devices themselves, but a good part of it will come from the integration with your existing PACS (physical access control systems) and doors, turnstiles, speedgates. So to reduce deployment hazards leading to increased project complexity and costs, it is recommended to select vendors that have experience with and are already supported by the main PACS and hardware providers.
Operating costs: As with other hardware, the TCO (total cost of ownership) should be considered rather than the initial face price. The TCO is influenced by criteria like quality and reliability, so our recommendation is to select vendors with field-proven experience and a robust maintenance and repair network to efficiently support you after the installation. A biometric device is not a piece of fast-moving consumer equipment like laptops or smartphones. When you install it, it is usually for a five-year cycle at least. So unless you do not really care about all the above criteria (but then why not keep the good old badge?), don’t be lured by extreme low cost equipment.
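The Accuracy criterion above, worked through as an added example (this is not IDEMIA's code or algorithm): it measures false rejects and false accepts at a match threshold, then shows how the false accept rate grows when one capture is matched in 1:n mode against n templates. The similarity scores are constructed for illustration, and the 1:n figures assume the n comparisons are independent.

```python
import math

# Constructed similarity scores in [0, 1]; not measurements from any device.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.93, 0.86, 0.97, 0.62, 0.90, 0.84]
IMPOSTOR = [0.12, 0.33, 0.25, 0.41, 0.18, 0.66, 0.29, 0.37, 0.22, 0.47]


def error_rates(genuine, impostor, threshold):
    """Return (false reject rate, false accept rate) for one 1:1 comparison."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def identification_far(far_single, n_enrolled):
    """Chance that a non-enrolled person matches at least one of n templates.

    Assumption: the n comparisons are independent, so the result is
    1 - (1 - far_single) ** n, computed with log1p/expm1 for tiny rates.
    """
    return -math.expm1(n_enrolled * math.log1p(-far_single))


def required_single_far(target_far, n_enrolled):
    """Per-comparison false accept rate that keeps the 1:n rate at target."""
    return -math.expm1(math.log1p(-target_far) / n_enrolled)


def sweep(thresholds, n_enrolled):
    """Tabulate (threshold, FRR, 1:1 FAR, 1:n FAR) for each threshold."""
    rows = []
    for t in thresholds:
        frr, far = error_rates(GENUINE, IMPOSTOR, t)
        rows.append((t, frr, far, identification_far(far, n_enrolled)))
    return rows


if __name__ == "__main__":
    for t, frr, far, far_n in sweep([0.50, 0.65, 0.80], n_enrolled=1000):
        print(f"threshold={t:.2f} FRR={frr:.2f} FAR(1:1)={far:.2f} FAR(1:n)={far_n:.3f}")
    # One-in-a-million per comparison is about 5% against 50,000 templates.
    print(f"{identification_far(1e-6, 50_000):.4f}")
    print(f"{required_single_far(0.001, 50_000):.2e}")
```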
Biometrics and COVID-19
When the first confinement measures appeared, so did some emotional initiatives consisting of disabling or, even worse, removing one-fingerprint touch readers to avoid finger contact. We think this is not a good approach. First of all, if a company decided to deploy biometrics, it was for good reasons that COVID-19 did not solve or remove. Indeed, in such confused periods risks are increased, so biometrics are needed, maybe more than ever. Secondly, common sense shows that companies cannot and will not remove all objects touched by multiple users, like door handles that are grabbed, buttons in the elevator, at the copy or coffee machines, chairs, etc. So why remove biometric readers? Finally, a fingerprint sensor is only softly touched by a small surface of one finger for less than one second. A gel or wipe dispenser can easily be installed next to the fingerprint reader so that employees clean their fingers/hands after scanning (and grabbing the door handle!).
So those one-finger touch terminals which are affordable (but remember our recommendations from the previous section) and widespread can definitely be compliant with COVID-19 measures.
However, it is fair to recognise that since the pandemic appeared, there was a strong surge in interest and requests for contactless biometrics, as they are perceived as the evident efficient solution for safe and secure employee verification for both access control and time attendance management.
Facial recognition naturally comes to mind as it is based on a non-contact body part, since a picture of the user’s face is shot by the device. But the emergence of requirements to wear health masks led to a new challenge for facial recognition devices, which capture far fewer data points from a face partly covered with a mask covering the nose and chin. Algorithms are thus being re-trained to take this new constraint into account and improve performance.
Iris devices, which by definition only scan the users’ eyes, are not impacted by this mask constraint. But they have other drawbacks in terms of speed and throughput capabilities, as well as a less favourable user perception, which limit them to specific use cases (for instance surgery rooms or laboratories).
But contactless fingerprint devices are also a very efficient option. Instead of being applied to a sensor surface, the fingers are waved in a quick and fully touchless hand movement above the sensor, which takes several 3D pictures of the four fingerprints. This technology is already widespread, as it can provide high throughput, is very accurate, enables immediate user adoption and works with health masks.
Where does IDEMIA fit into the equation?
IDEMIA, the result of the merger between Morpho and OT in 2017, is a French multinational group and the leader of biometrics for access control with 25 years of experience and a worldwide presence. We develop our own algorithms that regularly top the NIST performance and accuracy rankings. We also design and assemble our terminals in our own manufacturing plant, which enables us to provide an unmatched, field-proven quality and reliability. We have a unique track record of prestigious industry awards, in recognition of our product excellence.
With COVID-19, we experienced a notable demand increase for contactless biometric readers like MorphoWave, which scans and verifies four fingerprints in less than a second through a fully touchless hand movement, and VisionPass, the 2020 SIA Award-winning facial recognition device, designed with clients and users, which features a 2D+3D+infrared camera set and advanced anti-spoofing mechanisms.
For smoother deployments, all our devices are already supported by all major PACS vendors and integrated by the majority of speedgates and turnstiles suppliers.
This article was published in the October 2020 edition of International Security Journal.