The following article was provided by Debra Spitler, Vice President of Marketing, ASSA ABLOY Identification Technology Group (ITG). Ms. Spitler is a longtime leader in the physical access control industry and an active contributor to industry groups and conferences. Her role within HID and its parent company ASSA ABLOY has positioned her at the forefront of major technology revolutions impacting the security and access control markets. In this piece, part one of two, Ms. Spitler investigates the current revolution that is merging biometric technology with existing access control technologies.

The world of physical access control was altered by the events of September 11, 2001, as veterans of this industry will attest. Prior to this time, physical access control systems relied upon technologies such as barium ferrite, magnetic stripe, Wiegand, and proximity to provide an appropriate level of physical access control.

Biometric technology was rarely considered for use in a physical access control system. The need for “high security” translated into the requirement to provide a proximity reader and card as opposed to a magnetic stripe reader and card. Further, the concept of “identity verification” did not enter the picture.

Times have changed. U.S. government agencies such as the Transportation Security Administration (TSA) and the Federal Aviation Administration (FAA), as well as private industry, are seriously considering the benefits of a second level of physical security that incorporates the use of biometric technology. In addition, biometrics solutions eliminate the hassles of passwords and PINs. As a result, biometric technology providers are seeking ways to transfer their knowledge to the physical access control marketplace.

Likewise, access control system manufacturers and large system integrators are beginning to take an active interest in learning about and supporting biometric technologies at the end-user level.

As new opportunities for growth in the access control arena emerge, it is important to remember that biometrics is a technology, not an industry, says John Hunepohl, president of Exact Identification Corporation. “Before applying any technology, first identify the problem. Second, define a solution. Third, see how “your” technology can become part or all of the solution.”

What Are Biometrics?

Biometrics systems use automated techniques that verify or identify people by their physical characteristics. Various technologies are currently available for biometrics authentication:

• In terms of revenues, the fingerprint market leads the other biometric technologies. Supported by the largest number of vendors, it is an extremely dynamic market. Factors driving this market include the miniaturization of sensors, falling prices, and access control and network security applications. Manufacturers of electronic devices such as cell phones, PDAs and laptop computers are planning to add fingerprint biometric sensors to secure information and enable the devices for electronic commerce, according to Julia Webb, vice president of global marketing for Bioscrypt.
• A veteran in the biometric market, hand geometry is slowly losing market share to other emerging biometric technologies. Some key factors driving this market include small template size and the need for highly secured areas (such as server rooms, telecommunications’ areas, etc.) Hand geometry is well-suited for such applications as access control, time and attendance, airports and border crossings.
• A fast growing technology, iris recognition will be the second largest technology in terms of revenues by 2006. Factors driving this market include accuracy, the non-intrusive nature of the technology, financial applications network security, and the introduction of new price competitive products to the market.
• Currently in its infancy, voice verification will increase in use due to its advantage of incorporating existing infrastructure. It is the only biometrics technology that can be used over telecommunications’ networks. This market will expand due to the technology’s intuitive, user-friendly, unobtrusive, and cost-effective nature. Additional drivers include the existence of an infrastructure framework, high utility for wireless telephone users, and opportunities driven by voice-enabled commerce.
• A passive technology that requires no effort by the user, face recognition will grow rapidly due to surveillance and monitoring. It is also predicted to make a mark in the travel industry. The face recognition market will be driven by the fact that the technology is non-intrusive and passive, cost-effective, and is good for use in government, law enforcement and casino applications. The technology is recognized by the International Civil Aviation Organization (ICAO), which develops, adopts and amends international standards to increase the safety and security of international civil aviation.
• The area of signature verification is an emerging commercial market fueled by its application of paperless document management. Factors driving this market include electronic signature legislations, paperless document processing, social acceptance, cost-effectiveness, and wireless devices.
• Used mainly in high-security government and military locations, retina recognition is currently seen as a highly intrusive technology. Factors that will impact this market include the need for high security access control, small template size, and the price-competitive nature of the technology.

Level of Security

Voice and signature recognition techniques are generally considered to be appropriate for many non-PC access authorization uses, but in most cases are not good candidates for PC and network user authentication. Biometric techniques that identify physical features are more accurate; therefore, they offer a higher level of security.

Accuracy

Retinal scanning and iris identification are both highly accurate ways of identifying individuals; however, they are both expensive to implement and most organizations do not need this level of accuracy. Hand, face, and fingerprint authentication techniques offer good accuracy for a smaller investment in scanning hardware.

Physical changes such as cuts, scars, and aging can affect the accuracy of certain types of biometric authentication techniques; however, user identification databases can beupdated to overcome most of these problems.

Biometrics in Physical
Access Control

The role of biometrics in physical access control is to provide security and convenience. “Given the new security-conscious climate and the reduction in cost for biometric devices, there is an increasing adoption based on security requirements,” says Frances Zelazny, director of corporate communications for Identix Inc. “In cases where convenience is a main factor, the security aspect of the biometric is a foregone conclusion.”

In reality, the use of biometrics for physical access control is one of the most demanding applications. To be successful in today’s access control environment, basic principles must be adhered to.

1. The biometric template must be stored in the secure memory of a smart card, rather than in a database.
2. The comparison between the template in the card and the actual biometric template is made at the door in the reader. If there is a match, the reader sends a Wiegand code from the card to the system. The system recognizes the code and opens the door.
3. Use verification rather than identification. Verification means proving the card belongs to the cardholder. Identification means selecting the cardholder from a database of many card holders. This means that we refer to one to one versus one to many.

Initial biometric systems were standalone and did not integrate with existing access control systems. However, most companies now provide systems that integrate quite easily with legacy hardware by means of Wiegand data. In this case, the biometric reader looks to the door controller just like a normal card reader. This typically requires that the biometric data be handled separately from the user data managed by the access control system. Biometric data is handled by software provided by the vendor.

One way biometric vendors have maneuvered around this drawback is to offer products that utilize smart card technology. When biometric templates are stored on the card, there is no need to distribute the biometric data to the various readers in a facility. The access control system still manages access rights by means of the ID number sent from the biometric reader to the door controller.

One of the more interesting uses of biometrics involves combining biometrics with smart cards and public-key infrastructure (PKI). A major problem with biometrics is how and where to store the user’s template. Because the template represents the user’s personal characters, its storage introduces privacy concerns. Furthermore, storing the template in a centralized database leaves that template subject to attack and compromise. On the other hand, storing the template on a smart card enhances individual privacy and increases protection from attack, because individual users control their own templates.

Vendors enhance security by placing more biometric functions directly on the smart card. Some vendors have built a fingerprint sensor directly into the smart card reader, which in turn passes the biometric to the smart card for verification. At least one vendor, Biometric Associates, has designed a smart card that contains a fingerprint sensor directly on the card. This is a stronger secure architecture because cardholders must authenticate themselves directly to the card.