Electronic access control, investigating the new frontier


Innovative technologies and techniques in the field of identity management are enabling change in the world of traditional security and facilitating the migration from physical credentials (access control proximity cards and smart cards) to digital, electronic ones. Threats unlike any previously imagined have become real and commonplace, from cloned credentials to compromises of the underlying communications between traditional security components. To meet these threats, the user must have the ability to secure and confirm his or her identity for authorisation of access rights. In addition, the user must be able to transmit that identity securely and quickly, all the while ensuring privacy and trust. Innovators are creating new business opportunities along with new technical and ethical challenges while strengthening the traditional modes of security. System architects require an even greater knowledge of information systems on top of a foundation in physical security to deploy trustworthy software and hardware components.

Security managers are looking to improve security and increase convenience. They are seeking ways to grow employee satisfaction by transforming the process of entry into a frictionless experience, while asserting stronger authentication to prevent identity misuse. With regulations tightening for data centres, bank vaults and other high value areas, biometrics are becoming a must for two- and three-factor authentication scenarios. While the traditional card and PIN are widely used, the risk of these authenticators being passed to an unauthorised individual, or duplicated for use by one, outweighs their low cost. Card and PIN do not hold up to the security requirements of today’s customer.

Physical security is becoming not only a general facilities concern, but more fundamentally an Information Technology (IT) concern. Protection of company assets is impossible without considering their value in an IT infrastructure, beyond the level of network security provided by firewalls and anti-virus applications. Preventing access to physical machines and networking through the use of biometric credentials is in keeping with a broader industry trend to phase out easily compromised techniques such as passwords and PINs. Traditional access control systems permit physical access to premises based on the receipt of a recognised card number and allow logical access to a network or application based on the receipt of a recognised user name and password. The person is not identified; rather, the card, user name and password are recognised. Adding biometric identification gives security managers certainty that the individual is physically present and that the credential cannot be shared or cloned.

Security no longer involves simply physical access; it now must embrace digital access and the authorisation to execute transactions and services using personal devices. Examples include leveraging biometrics built into mobile devices such as mobile phones and electronic wearables to provide real-time requests for authorisation to complete transactions, access systems or move data. Electronic objects and networks which may be connected and accessed using personal electronics include:

  • The onboard computer system in vehicles, such as automobiles and scooters
  • Medical devices, both external and inside the body
  • Financial accounts, payment systems and healthcare systems
  • Entertainment platforms, such as video games and television
  • Exercise equipment
  • Luggage tracking
  • Home appliances and HVAC systems
  • Access control door readers with Bluetooth technology

In the world of digital security these are all considered “connected objects.” Biometric solutions play a mission-critical role in the new world of “connected objects” to provide verification and trust (certainty) of an individual’s identity for frictionless, secure physical and digital access. Biometrics provides assurance that only an authorised individual is able to access their “connected objects.” This provides peace of mind, guaranteeing that a bad actor can’t take control of a vehicle’s onboard computer or a loved one’s medical device, or gain access to a secure area or network in the workplace.

Biometrics defined

Biometric technology is the use of one’s own unique physical or behavioural characteristics for identification and authentication. Where you go, your biometric goes. Biometric technology includes a capture device, whether it be a camera, an optical sensor (contact or contactless), a keyboard or a microphone, to acquire an individual’s raw physical characteristic (raw data). This data is then converted into a reference template, a digital representation typically produced using mathematical algorithms that are patented and proprietary. Biometric characteristics include face, iris, palm, fingerprint, finger vein, voice, gait and keystroke patterns. Unlike passwords, biometrics are the only method that establishes a definitive link between our physical and digital identities. The biometric identifier, the reference template, may be a string of numbers or a random number. Biometrics verify and identify a person so that the access control system can determine the rights or privileges (access, services, etc.) assigned to that individual.

Biometrics used in advanced access control systems

We need our biometric identity to travel with us seamlessly in the physical and digital world; we require our identity to be protected, secured and available when and where we need it. Critical to the protection and securitisation of one’s biometric identity is the assurance that it cannot be stolen, cloned or corrupted, and that it remains under one’s control. The biometric identity owner determines when, where and how it may be used. An interesting way to accomplish this is using innovative technology that employs one biometric technology, such as facial recognition on a personal device, to decrypt an electronic container and release a second stored biometric, such as iris or fingerprint, for live matching to the biometric owner.

Critical to providing security is a public key infrastructure (PKI). PKI technology provides the mechanisms for mutual authentication between “connected objects,” such as personal digital devices, the onboard computer of your car, etc. PKI technology also provides the ability to encrypt the communication channel between digital objects, an internal network and access to cloud technologies.

Authorisation for access must include biometric authentication of the individual initiating the request for access (the digital transaction). PKI only provides half the security needed to protect the IT infrastructure. It provides securitisation of the communication channel and mutual authentication between digital objects or networks. But PKI is unable to authenticate the individual human initiating the connection to the digital device or “connected object.” This could provide the means for an unauthorised individual to gain access into the digital or virtual workplace.

Critically important to system integrators who specialise in the installation and maintenance of access control systems is educating their personnel in how to properly implement existing security features to secure the access control system itself and its network communication. This includes, but is not limited to:

  • Working with the customer’s IT department to assign certificates (PKI) for mutual authentication between the host of the access control software and the access control panels that manage the door.
  • Configuring the biometric devices and all other elements of the system that communicate on the network to connect to the backend software, wirelessly or over a wired network, using TLS 1.2.
  • Enforcing password rules and role assignments to prevent unauthorised access to the access control management software.
  • Disabling any existing default user name and password accounts once the system has been tested and accepted.
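As an added illustration of the checklist above (example code, not from the article or Idemia), the following Python shows the host-side TLS settings that enforce a TLS 1.2 floor with mutual certificate authentication, and a small audit over a constructed device inventory that flags weak TLS, missing mutual authentication and default accounts left enabled. The `Device` fields and the default account names are assumptions, not a vendor or PSIA schema.

```python
import ssl
from dataclasses import dataclass, field

# Hypothetical inventory record for one networked access control component
# (host, door panel or biometric reader); field names are assumptions, not
# a vendor or PSIA schema.
@dataclass
class Device:
    name: str
    tls_min_version: str                          # e.g. "TLS1.2"
    mutual_auth: bool                             # presents and verifies PKI certs
    accounts: dict = field(default_factory=dict)  # username -> still enabled?

# Constructed sample of factory account names that must be disabled.
DEFAULT_ACCOUNTS = {"admin", "installer", "service"}

def hardened_context(ca_file=None, cert_file=None, key_file=None):
    """Host-side TLS settings for a host<->panel link: TLS 1.2 floor and a
    certificate required from the panel (mutual authentication). Paths are
    optional only so the settings can be inspected without certificate files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED              # panel must present a cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)    # customer's PKI root
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)     # host's own certificate
    return ctx

def audit(devices):
    """Return (device, finding) pairs for each checklist item a device fails."""
    findings = []
    for d in devices:
        if d.tls_min_version not in {"TLS1.2", "TLS1.3"}:
            findings.append((d.name, f"weak TLS minimum: {d.tls_min_version}"))
        if not d.mutual_auth:
            findings.append((d.name, "no mutual PKI authentication"))
        for user, enabled in d.accounts.items():
            if enabled and user in DEFAULT_ACCOUNTS:
                findings.append((d.name, f"default account still enabled: {user}"))
    return findings

# Constructed inventory: compliant host, weak lobby panel, reader with a
# leftover default account.
SAMPLE_DEVICES = [
    Device("host-acs", "TLS1.2", True, {"admin": False, "secmgr": True}),
    Device("panel-lobby", "TLS1.0", False, {"installer": True}),
    Device("bio-reader-dc", "TLS1.2", True, {"admin": True, "ops": True}),
]
```

Running `audit(SAMPLE_DEVICES)` yields three findings for the lobby panel and one for the reader, and none for the compliant host.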

Managing complex security environments

Security professionals are often challenged trying to effectively manage security operations where there are multiple physical access control systems, different biometrics systems and multiple trusted sources. Reconciling these issues in order to have a robust security ecosystem is becoming easier with standards from organisations like the Physical Security Interoperability Alliance (PSIA).

In a typical enterprise organisation, when an employee is on-boarded, the identity documents required for employment eligibility are stored electronically and may be associated with some form of biometrics. This is normally managed by a human resource system or identity management system. As part of the on-boarding process the employee is enrolled in a local access control system and a logical access system such as Active Directory, and assigned access rights and privileges to buildings, networks and applications. When mergers and acquisitions take place, large companies must manage multiple access control systems. As employees travel to different office locations, redundant data entry (enrollment) into the local access control system and/or logical access system takes place. This can result in a second credential, based on a different card technology, and possibly a different domain and user name for the physical and network access issued to the employee.

The PSIA has defined its Physical Logical Access Interoperability (PLAI) specification, which addresses this problem by normalising identity data and allowing the transfer of an individual’s assigned credentials across disparate access control platforms. There are two components to PLAI, an Agent and an Adapter. The PLAI Agent interfaces with the HR system or Identity Management System where the employee was first on-boarded and assigned an identity in the Active Directory and a membership in a network domain. The second component is the PLAI Adapter, which interfaces with the Agent and a specific access control system or biometrics system. For example, if a large enterprise organisation has four different physical access control systems (PACS), each would have a PLAI Adapter, which would normalise the identity data. It would then send it to the Agent, allowing it to be shared across the security ecosystem. A single trusted source for identity data is an important feature, allowing a much more robust security infrastructure.
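The Agent/Adapter pattern described above, as an added Python model that is not the PSIA's PLAI schema or any vendor's code: two adapters normalise constructed exports from two PACS with different field names, and the agent keys every credential to the identity held by the trusted HR source. Credentials that map to no HR identity are returned as orphans, which is exactly the redundant or stale enrollment the single trusted source is meant to expose; all record layouts and sample values are constructed.

```python
from dataclasses import dataclass, field

# Canonical identity held by the (hypothetical) Agent. The HR / identity
# management system is its single trusted source. Field names are an
# illustration, not the PLAI schema.
@dataclass
class Identity:
    employee_id: str
    name: str
    domain_user: str
    credentials: dict = field(default_factory=dict)   # PACS name -> credential

# Constructed HR feed: note that E1003 has no HR record (e.g. a departed contractor).
HR_RECORDS = [
    Identity("E1001", "Ana Rivera", "CORP\\arivera"),
    Identity("E1002", "Bo Chen", "CORP\\bchen"),
]

# Constructed exports from two PACS with vendor-specific field names.
PACS_A_EXPORT = [
    {"EmpNo": "E1001", "Cardholder": "A. Rivera", "CardNo": "0x1F3C", "Tech": "prox"},
    {"EmpNo": "E1002", "Cardholder": "B. Chen", "CardNo": "0x2A77", "Tech": "prox"},
]
PACS_B_EXPORT = [
    {"person_id": "E1001", "full_name": "Ana Rivera", "badge": "7781", "badge_type": "smart"},
    {"person_id": "E1003", "full_name": "C. Okafor", "badge": "7790", "badge_type": "smart"},
]

# Adapters: each knows one PACS format and maps a row to (employee_id, credential).
def adapter_a(row):
    return row["EmpNo"], ("pacs_a", f'{row["Tech"]}:{row["CardNo"]}')

def adapter_b(row):
    return row["person_id"], ("pacs_b", f'{row["badge_type"]}:{row["badge"]}')

def agent_reconcile(hr_records, sources):
    """Attach every PACS credential to the HR identity it belongs to.
    Credentials with no HR identity are orphans: live access for someone the
    trusted source no longer knows, which security should review."""
    identities = {i.employee_id: Identity(i.employee_id, i.name, i.domain_user)
                  for i in hr_records}
    orphans = []
    for adapter, rows in sources:
        for row in rows:
            emp_id, (system, cred) = adapter(row)
            if emp_id in identities:
                identities[emp_id].credentials[system] = cred
            else:
                orphans.append((system, emp_id, cred))
    return identities, orphans
```

Calling `agent_reconcile(HR_RECORDS, [(adapter_a, PACS_A_EXPORT), (adapter_b, PACS_B_EXPORT)])` shows Ana Rivera holding one credential in each PACS under one identity, while the badge for E1003 in PACS B is reported as an orphan.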

Mobile credentials

With all employees now carrying cell phones, large organisations are looking to associate a mobile credential with the card credential, allowing employees to present their cell phone to door readers and/or biometric readers with Bluetooth technology. The biometric template could be distributed across locations using the PLAI Agent and PLAI Adapter. This eliminates the need for re-enrollment, allowing the existing biometric template to be disseminated to local devices at locations A and B.

Alternatively, the biometric templates may be associated with an assigned mobile credential loaded onto an employee’s personal phone or a company-provided cell phone. The camera on the cell phone captures the person’s face or iris, or the touch pad captures the fingerprint, and the live biometric is matched against the stored template written to the phone’s embedded SIM card.

In summary, biometrics represent an important component in effective security environments. The technologies to transition from physical credentials, which can be lost, stolen or given to an unauthorised individual, to digital virtual credentials, which can be protected by biometrics and PKI, exist today. It is incumbent on the developers of “connected objects,” the suppliers of wireless, cellular and wired networks, and the integrators that install the digital ecosystems to include technologies which assure privacy, secure the communication and verify the identity of the consumers who work, play and operate in this new digital world.

Consuelo Bangs is Senior Program Manager at Idemia Identity & Security USA LLC
