Integrating Smart Cards with Biometrics

Strategies for high-security authentication


When creating an access control system, it is important to remember that there is no single, correct solution — there are combinations of solutions. However, when it comes to security, there is no question that smart cards and/or biometrics provide higher security than the commonly used proximity card. Today, the trend is not to use one or the other, but to use both smart cards and biometrics.

Unlike proximity cards, smart cards using MIFARE DESFire EV1 technology offer several different layers of security, including mutual authentication, which ensures that the reader and the card are allowed to talk with each other before any information is exchanged. They also provide AES 128-bit encryption, a key encryption technique that helps protect sensitive information. They additionally supply diversified keys, which virtually ensure no one can read or access the holder’s credential information without authorization. A message authentication code (MAC) further protects each transaction between the credential and the reader, ensuring complete and unmodified transfer of information, which helps to protect data integrity and prevent outside attacks.

Thus, smart cards provide organizations with a way to increase the security of their access control solution today while providing a pathway to other smart credential applications — ranging from company cafeteria charges to checking out equipment. For that reason, although organizations might be currently using proximity, they are quickly migrating to smart credentials because they can incorporate a multitude of applications on a smart card more easily.

Biometric technologies, such as hand geometry, enable a facility manager to ensure that only verified users have access to a facility at authorized times. Biometrics provide the highest level of assurance that the actual authorized individual — rather than just the authorized key, card, or code — has access to a secure facility.

In some cases, the smart card is used by itself. For example, to get into the employee door of a hospital, the smart card is typically enough. Perhaps, to get into the operating room, you need to use a biometric. And, lastly, to access the pharmacy, you must undertake a two-step verification, putting your smart card into a slot on the side of a hand geometry reader and then having your hand geometry read.

Storing the Biometric Template

Again, security professionals have a choice. The biometric template can be stored on the smart card or within the network; there are pros and cons to each.

A single smart card can store both the user’s ID number and biometric template. Because of this, there is no need to distribute hand templates across a network of readers or require the access control system to manage biometric templates. This means integration to any existing access control application is greatly simplified, eliminating extra network infrastructure costs. If the card is lost, there is no way for anyone to access the room protected by the biometric. Because the template only resides on the card, the solution also eases individual privacy concerns.

Combining the best of smart cards and biometrics, the solution provides dual authentication by requiring both the right card and the right person. A smart card reader is attached to or embedded into the biometric reader. A plastic cardholder is affixed to the side of the unit, and the verification process takes approximately one second.

With the hand reader, the hand template requires only 9 bytes to define the hand, the smallest in the biometric industry. This ensures that response times are fast and that the smart card can maximize its benefits by offering users increased room for other applications. In addition, the implementation supports multiple secure applications on the smart cards.

There are two main negatives to keeping the template on the smart card: First, the administrator cannot update all doors in the system quickly — each has to wait for the cardholder to drop by; and second, if a card is lost, that person needs to be re-enrolled.
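The template-on-card check described above, combined with the diversified keys and MAC mentioned earlier, can be sketched as follows. This is an added example, not code from the article or from any card or reader vendor. Assumptions: HMAC-SHA256 stands in for the card's AES-based key diversification and MAC, and the master key, record layout, tag length, threshold and distance-based match are all constructed for illustration.

```python
import hashlib
import hmac

MASTER_KEY = bytes(range(16))  # constructed demo value, not a real site key
TEMPLATE_LEN = 9               # hand template size given in the article
TAG_LEN = 8                    # assumed truncated MAC length
MATCH_THRESHOLD = 12           # hypothetical reject threshold for the distance score


def _mac(key: bytes, data: bytes, n: int) -> bytes:
    # HMAC-SHA256 stand-in for the card's AES-based MAC (assumption, see lead-in)
    return hmac.new(key, data, hashlib.sha256).digest()[:n]


def diversify(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key: extracting one card's key reveals no other card's key."""
    return _mac(master_key, b"card-key" + uid, 16)


def personalize(master_key: bytes, uid: bytes, user_id: int, template: bytes) -> bytes:
    """Enrollment: build the record written to the card, bound to this card's UID."""
    if len(template) != TEMPLATE_LEN:
        raise ValueError("hand template must be 9 bytes")
    payload = user_id.to_bytes(4, "big") + template
    return payload + _mac(diversify(master_key, uid), uid + payload, TAG_LEN)


def verify_at_door(master_key: bytes, uid: bytes, record: bytes, live: bytes):
    """Return the user ID if the record is authentic and the live hand matches, else None."""
    if len(record) != 4 + TEMPLATE_LEN + TAG_LEN or len(live) != TEMPLATE_LEN:
        return None
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = _mac(diversify(master_key, uid), uid + payload, TAG_LEN)
    if not hmac.compare_digest(tag, expected):  # altered record, or record copied to another card
        return None
    distance = sum(abs(a - b) for a, b in zip(payload[4:], live))
    return int.from_bytes(payload[:4], "big") if distance <= MATCH_THRESHOLD else None


# Constructed sample data: a 7-byte card UID and an enrolled 9-byte hand template
UID = bytes.fromhex("04a1b2c3d4e5f6")
ENROLLED = bytes([120, 88, 97, 101, 64, 72, 55, 140, 33])
RECORD = personalize(MASTER_KEY, UID, 4711, ENROLLED)
```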
