A close look at the emerging role of biometrics for identity management solutions
Increasing concern over identity fraud and national security has posed new challenges for those charged with the design, installation or management of access control systems. David Mackintosh, a past chairman of the International Association of Biometrics and Managing Director of OmniPerception, looks at the emerging role of biometrics in the search for effective identity management solutions.
By David Mackintosh
TWO OPPOSING TRENDS
Doors, especially in cooler climates, are useful to keep out the cold, but for that purpose alone they wouldn't need locks. Apart from in HM Prisons and other parts of the Criminal Justice System, where doors keep people in, doors are primarily there to keep them out.
This would be relatively easy were it not for the fact that entry systems are usually required to distinguish in some way between those who need to be let in and those who should be kept out. They need to open as well as close. This obvious and apparently simple task is in fact hugely complex and has become increasingly demanding as two twin tendencies of modern life bring themselves to bear.
First of all, modern mankind, whatever role he or she is playing at any given time, is more demanding than ever before in terms of the quality, speed and convenience of almost everything he or she consumes. Time is at a premium. Speed and efficiency are seen as vital and are increasingly taken for granted. Whereas previous generations, used to queuing, saw patience as a virtue -- "they also serve who only stand and wait" -- people today get anxious if their PC makes them wait for more than about 5 seconds. Patience is in short supply. So if someone needs to get into a place or a piece of equipment -- whether for work or for pleasure -- they expect to gain access fast and with a minimum of effort and fuss.
Secondly, with crimes of personal identity fraud growing and other concerns about identity in the context of national security also rising, attitudes, both public and private, are hardening in favor of "better safe than sorry". People want to be able to have confidence in the security systems that are there to protect them and their property.
These two opposing trends create a significant challenge for those charged with the design, installation or management of an access control system of any kind. Except where access is intended to be unlimited, all outside gates and doors (entry/exit points to/from the premises) and many internal ones (to secure areas, vaults, dark-rooms, etc.) need to be efficient and effective filtering solutions. They need to allow all the legitimate traffic to pass without let or hindrance but bar entry to anyone who isn't authorized.
MORE OF A FILTER THAN A BARRIER
So much is obvious. Until relatively recently the two main ways of achieving this apparently simple feat were:
a) A manned gate or door at which a trusted person or team of people either recognized the entrants personally or examined their credentials until they were satisfied with their bona fides; or
b) An unmanned locked door or gate, to which an appropriately authorized person would have his or her own key.
Whether manned or unmanned, an entry point that needs to be secure against unauthorized entry of course needs a good lock. Advances in the design, manufacture and installation of door and lock systems -- not to mention safes -- have placed hugely effective solutions in the hands of those who need to keep people out. Lock system technology has reached a point where activation and deactivation can be achieved by any one of a bewildering array of means -- physical, electrical, electronic, sonic, wired or wireless. Interoperability is not as universal as would be ideal and further future improvements in standardization will help, but essentially it is not the robustness of the barrier, nor the efficiency of the lock that is the problem. The key questions are -- who is and who is not authorized to enter and how are we to know the difference?
THE LEAST WORST SOLUTION
The 'modern' way of course is to have some kind of automatic system based on a PIN number or password, a swipe or smart card or an identifier based on RFID. In this way, authorized persons can be self-identified by what they know or what they carry, without the need for individual keys or personal face-to-face identification.
For manned entrances, this solution helps greatly with the problem of guards and receptionists often not being acquainted with all the people involved; while for unmanned entry points, it's clearly a much cheaper and safer solution than issuing keys to large numbers of people and then having to change all the locks when one of the keys goes missing or one of the people goes AWOL.
For a long time these 'modern' solutions were widely seen as perfectly adequate. Authorized persons carried with them, or committed to memory, an identification 'tag' of some kind that proved their authenticity and their authorization to pass through the 'filter'. Security experts have of course long known that PINs, passwords and plastic ID cards (whether RFID or not) are all fatally flawed solutions to the problem of effective and efficient secure entry because they're so vulnerable to compromise; but in the absence of a really pressing incentive to adopt a safer system, the PIN, password and card route has for many years seemed the 'least worst' solution.
As with so many aspects of security, the greatest vulnerability is from insiders who actually are authorized to enter, or from outside intruders who have found a way to pose as insiders. The more trusted the insiders are and the more confident the organization is in its standard method of self-identification, the more vulnerable the system will be to impersonation attacks. Cards found or stolen, passwords discovered or hacked, PIN numbers copied from convenient pieces of Post-it paper are all common ways in which members of the criminal or terrorist fraternities gain easy entry to places that would otherwise be all but impossible for them.
The realization of this, coupled with the cost of ID fraud and the serious security implications of easy unauthorized entry, have combined to generate an acute and growing interest in better ways to ensure positive identification of individuals; ways that are linked directly to the person and don't rely solely, or even principally, on the ownership of plastic cards or the knowledge of this week's password or PIN number.
A member of the construction staff identifying himself by looking into a camera lens (Photo by OmniPerception)
NO MORE IMITATION
The generic term for such systems of course is biometrics -- biological or physiological features of an individual that are measurable, distinctive and enduring. There is an increasing number of biometric measures being used or touted as reliable identifiers, but the ones being used most widely and with most success are facial biometrics, fingerprints, hand geometry, hand vein configuration and iris scans. Each one has advantages and disadvantages and in many cases one of these top biometrics will be more appropriate than the others. They have all come a very long way since the early days, more than a quarter of a century ago, when new biometrics like face and iris were first appearing to challenge the hundred-year-old supremacy of fingerprints. All now have a role to play in the design and delivery of modern identity management solutions.
Each biometric requires its own particular hardware, software and general solution infrastructure. What they have in common is that they all relate directly to the individual person we're dealing with -- giving positive personal ID -- and all can be used in automatic mode to activate door, gate and/or other secure access control mechanisms as well as to link individuals to their documents (e.g., passports, visas or national identity cards).
Like any other security system, biometric access control is at its most secure when the automatic element is backed up by invigilation, with well trained staff in attendance. However, where an automated system is required, the right biometric identifier, properly used, can add new levels of security and confidence.
Biometric identifiers bring to an end the lottery of hoping that cards are in the hands of the right people and that no outsider has acquired an insider's password. To 'imitate' an authorized person by using their card and/or PIN number is orders of magnitude easier than actually having to impersonate them, right down to faking their fingerprints -- or facial features or, in ultra-secure environments, both of these biometrics.
BIOMETRICALLY DETERMINED ACCESS
Biometrically determined secure access is now becoming an increasingly popular and well-recognized solution for previously intractable problems; but clearly any organization contemplating updating their system to biometrics needs to be sure that the benefits will pay for the change. A good example of the mechanics of this judgement can be found in the construction industry, where biometric systems for clocking on and off have been in extensive use for longer than in any other industry in the U.K. Three of the main concerns for a contractor setting up a building project on a large site relate to site access as follows:
- Making sure that the right employees get paid the right rate for genuine attendance, including overtime;
- Conducting and being seen to follow through on appropriate health and safety training and instruction, individual by individual, with accurate records kept; and
- Avoiding loss of or damage to property and equipment through theft or vandalism.
For all three of these areas of concern, accurate identification of individuals is a critical factor and biometric identification is by far the best way to achieve this. You may forget a PIN number or forget to bring your ID card, but if you've turned up for work at all you'll have brought your face and your fingers along. There's nothing to lose or forget.
Increasingly, large construction sites nowadays will have a well-protected perimeter with turnstile access control. Over 500 of these are now controlled by pulses from biometric identification systems, the vast majority being activated by facial biometrics. The picture above shows a typical installation of this kind (built and installed by Aurora Computer Services), with a member of the construction staff identifying himself by looking into a camera lens. The software behind the camera then processes the information gleaned from his facial features, verifies that his ID is correct and sends a 'yes' pulse to the turnstile (which, as can be seen in the second picture, is a full-height affair that prevents entry by jumping over).
Information is also sent simultaneously to the time and attendance system for incorporation in payroll and other relevant applications, so that everything relevant to that individual is directly connected to him via his own unique facial biometric ID.
The software behind the camera processes the information gleaned from his facial features, verifies that his ID is correct and sends a 'yes' pulse to the turnstile, which is a full-height affair that prevents entry by jumping over. (Photo by OmniPerception)
THE FACE FITS
As is increasingly the case, the system shown here uses face recognition rather than iris, finger or any other biometrics, because face is much more user-friendly than other modalities. In construction, where people are often wearing protective clothing and may also be in occupations that affect the usability of their fingerprint, the finger biometric is not ideal. Iris scanning can be a very accurate identifier but it requires a high accuracy of head placement and the maintenance of very little movement throughout the process; so much so that it is regarded as impracticable for everyday uses such as construction site staff clock-in. Until recently, identification at high levels of accuracy was hard to achieve with face recognition without very careful control of the lighting conditions used; but this has now been overcome by the use of new hardware and software combinations that fit very neatly into the clocking-in process and create fast and accurate throughput in full sunshine, pitch darkness and anything in between. All the employee has to do is look straight at the camera and the system does the rest.
With the success of such systems in widespread use across the construction industry, other organizations are now starting to adopt biometric identification for use in similar applications, some using the biometrically derived input to drive door locks directly and some to assist staff at manned entry points. From early adopter information it seems likely that the financial community will be in the forefront of this trend. Here, as in construction, the case in favor outweighs the costs.
As a serving member of an English police force remarked recently after extensive trials of facial biometrics in his area -- "Biometrics works and it's here to stay."
David B McIntosh is Chief Executive Officer of OmniPerception Limited (www.omniperception.com) and Chairman of the International Association for Biometrics.
©2007 www.SecurityWorldMag.com. All rights reserved.