Standards Expand Biometrics in Logical/Physical Access Control

Technology crucial in establishing chain of trust in the issuance of a credential

The role of biometrics in logical and physical access control continues to grow, and end-users, solution providers and system integrators can look to current developments to help them understand the technology and its use. This is evident in the U.S. in the recent draft of Federal Information Processing Standard 201-2, dated March 2011. The draft is the latest version of the evolving standard for a single converged credential for logical and physical access control, together with its supporting technical standards, and is a great example of the role biometrics plays in access control. Biometrics are factors both in the credential issuance process and in the credential's use.

The FIPS 201 standard, titled "Personal Identity Verification (PIV)," makes it clear that biometrics are a crucial component in establishing the chain of trust in the issuance of a credential, as well as a requirement for binding an individual to that credential. Biometrics are gathered during identity registration, in combination with other supporting "breeder documents," and then used again at the time the credential is issued. In doing so, biometrics form a crucial link in the chain of trust in issuing secure identity credentials. The PIV standard has been expanded to include commercial enterprises in the PIV Interoperability (PIV-I) framework.

The PIV standard reinforces the fact that the highest level of identity assurance on which to base an access control decision can only be obtained by combining two factors: a credential that uses strong cryptographic techniques as the basis of 'something you have,' such as a digital certificate and the associated private/public (asymmetric) or shared (symmetric) cryptographic keys, and 'something you are' (biometrics). The standard includes provisions for the use of fingerprint and iris biometrics as well as a facial photograph. In fact, the use of standards-based fingerprint minutiae, which allows fingerprint readers from multiple vendors to be used, is an important development in the access control marketplace. For iris recognition, the standard makes use of standard iris and facial images that also help promote interoperability.

The standard makes the important point that biometric authentication factors must be protected by digital signatures to maintain their integrity. A digital signature ensures that the reference biometric has not been altered and comes from a trusted issuer. Digitally signed biometrics, in combination with mutual authentication between a reader and the credential (smart card), present a nearly unassailable method of doing access control. The standard also introduces on-card biometric comparison.
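The check described above, as an added example that is not taken from FIPS 201 or from any PIV implementation: a reader accepts a reference biometric only after verifying the issuer's signature over it, and only then compares it with the live sample. The record layout, the card identifiers, the exact-match comparison and the use of Ed25519 from the Python `cryptography` package (as a stand-in for the signature format the standard specifies) are all assumptions made for illustration.

```python
# Added illustration: record layout, names and the toy matcher are assumptions.
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def issue_record(issuer_key, card_id, minutiae):
    """Issuer: sign the reference template together with the card identifier."""
    body = json.dumps({"card_id": card_id, "minutiae": sorted(minutiae)}).encode()
    return {"body": body, "sig": issuer_key.sign(body)}

def verify_holder(issuer_pub, card_id, record, live_minutiae, threshold=0.8):
    """Reader: trust the reference template only after its signature checks out."""
    try:
        issuer_pub.verify(record["sig"], record["body"])
    except InvalidSignature:
        return "reject: signature invalid"
    ref = json.loads(record["body"])
    if ref["card_id"] != card_id:
        return "reject: record bound to another card"
    reference = {tuple(m) for m in ref["minutiae"]}
    # Toy comparison: fraction of exactly matching points. Real matchers
    # tolerate shifts in position and angle.
    score = len(reference & {tuple(m) for m in live_minutiae}) / max(len(reference), 1)
    return "accept" if score >= threshold else "reject: biometric mismatch"

# Constructed sample data: (x, y, angle) minutiae points.
HOLDER = [(10, 22, 90), (35, 40, 180), (52, 18, 45), (70, 66, 270), (81, 30, 135)]
OTHER = [(12, 25, 80), (33, 47, 10), (50, 11, 200), (77, 60, 300), (90, 35, 15)]

def demo():
    issuer = Ed25519PrivateKey.generate()
    pub = issuer.public_key()
    record = issue_record(issuer, "CARD-0001", HOLDER)
    live = HOLDER[:4] + [(5, 5, 5)]          # same finger, one point missed
    swapped = {"body": json.dumps({"card_id": "CARD-0001",
                                   "minutiae": sorted(OTHER)}).encode(),
               "sig": record["sig"]}         # template altered after issuance
    rogue = issue_record(Ed25519PrivateKey.generate(), "CARD-0001", OTHER)
    return {
        "genuine": verify_holder(pub, "CARD-0001", record, live),
        "wrong_finger": verify_holder(pub, "CARD-0001", record, OTHER),
        "altered_template": verify_holder(pub, "CARD-0001", swapped, OTHER),
        "untrusted_issuer": verify_holder(pub, "CARD-0001", rogue, OTHER),
        "copied_to_other_card": verify_holder(pub, "CARD-0002", record, live),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The altered and rogue-issuer records are rejected at the signature step even though the live sample matches their template exactly, which is why the signature check has to come before the comparison.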

"Biometrics are becoming increasingly important as an enabling technology for automated person identification in a variety of applications such as facility and information system access control. As the technology evolves, we are seeing increased performance while prices for biometric sensors continue to fall. Also, sensors for fingerprint, facial image and iris recognition are now so small and cost-effective, they can be embedded in smart mobile devices to enable an expanded range of financial transactions and other applications with high levels of security and privacy," according to Walter Hamilton, chairman of the International Biometric Industry Association.

The draft of FIPS 201-2 looks to take advantage of some of the latest developments in biometrics. One example is the inclusion of on-card biometric comparison, mentioned above. In this case, the actual matching of the fingerprint minutiae captured during enrollment and stored in a secure container on the smart card is performed on the smart card itself, using its processing capabilities. This has the advantage that an individual's biometric data never leaves the card, helping to address privacy concerns over the use of biometric information. It also helps to address the growing requirements around the handling of personally identifiable information.
