Fact, Fiction or Future Reality?

In the late 1970s, there was a rumor that research was being done on using the brain’s alpha waves as a unique identifier of a person. It was posited that alpha wave activity could be measured using electroencephalography (EEG) or magnetoencephalography (MEG) as someone walks through a portal.

There are a few potential problems: alpha waves are most common during relaxed wakefulness with eyes closed (rather than during alert activity such as walking) and their frequency is very low (about 10 waves per second) permitting only a small sample to be read. However, the concept behind the rumor points to the pot of gold at the end of the authentication rainbow: the ability to positively identify someone without them touching anything or requiring them to interrupt their activity — the goal as yet only seen in science fiction.



The first factor in positive access control relies on a credential that is physical, e.g., a card (what you have); memorized, e.g., a password (what you know) or a measurable aspect (biometric) of the person, e.g., fingerprint (what you are).

Card systems are becoming more and more sophisticated in their capability for multiple uses and also in their security. For example, HID Global’s Secure Identity Object (SIO) and Trusted Identity Platform (TIP) frameworks; however, on its own, validating an access card does not verify or validate the person — only the credential.

Password systems have evolved as our data has become more important and/or personal. Simple four-digit PINs have been replaced with passwords containing stronger mixes of alpha, numeric and special characters. Their limitations mostly relate to the frailty of the human memory that lead us to either select passwords that are easier to memorize.

Biometric identification has been around for eons: we use many human characteristics to recognize people we know: like face, voice and mannerisms, language, behavior, accents, hairstyle, clothing style and even eye color. Fingerprint, hand geometry and signature dynamics were three early leaders in a field that has expanded to include facial recognition, scanning of the iris, and blood vessel patterns in the eye, wrist, back of the hand, and the palm.

To be a candidate for biometrics, the characteristic under consideration must meet a number of criteria:

• The biometric must be measurable in real time — waiting an extended period of time at a door while a DNA sample is processed is far from acceptable.

• The biometric must be reducible to a template that can be recordable and searchable for comparison. Again, the processing time needs to be within fractions of a second to be acceptable.

• The characteristic must be sufficiently different to uniquely and repeatedly identify that person; and it should be stable over time.

• The biometric feature must be very difficult to falsify — for example, height and weight could easily be replicated, but blood vessel patterns would require extraordinary measures to synthesize.

A live biometric measurement never exactly matches the owner’s stored template, so some leeway is given to the acceptance/rejection threshold. On many biometric systems, error rates are adjustable, in some cases on a per-person basis to accommodate special characteristics. Examination of the point where errors are the same — the “Crossover Point” — enables comparison of different biometric systems.

Many biometric systems are based on hands. The PalmEntry2 from Fujitsu uses near-infrared light to measure vascular patterns in the palm. The device requires the blood in the veins to be flowing so the dismembered hand of a once authentic individual is not a valid credential. Taking the biometric measurements does not require contact with the sensor — the palm is held about two inches above the reader — and is not affected by surface skin conditions on the palm. It can include multi-factor authentication by adding PIN and/or card technologies.

Iris scan is seeing new applications, with readers integrated into turnstiles. The IrisAccess system from Iris ID Systems still requires cooperation of the person to pause and look at the iris camera, but it can capture images of both eyes in two seconds from feet away, rather than inches.

Biometrics are clearly progressing to the goal of authenticating someone in full stride.


Carried Credentials

Much progress has been made in reading and transmitting data from credentials — passive contact and contactless cards as well as active devices. Near Field Communications (NFC) technology is the target of a bundle of development money from companies that include such heavy-hitters as Honeywell, Assa Abloy and HID Global. The goal is to add this technology to our smart phones and turn them into access credentials.

The TSA is piloting a program to test NFC-enabled phones for passenger ID credentials. In addition to access control, NFC-enabled phones can be useful for vending and other purchasing functions where your credit card is accepted.

It is estimated that 46 percent of smart phones will be NFC-enabled by 2016. The only caveat is battery life — there will be backlash if you cannot open your doors with a dead phone.

Another technology whose time has come is the active RFID (Radio Frequency Identification) tag. Detectable through triangulation, they can alert or alarm if an individual moves to an unauthorized area. Such devices have been used for infant monitoring in hospitals for years — Vizbee RFID Solutions promotes this technology for access control and infant protection, asset (and people) tracking, warehouse management, chain-of-custody and retail.

The day may be coming where a subcutaneous active tag will help achieve the authentication dream.


Locking Devices

Until recently, locking devices have long been considered low-tech components of access control; however, developments in offline and wireless card and PIN pad locking systems have shown that locks are coming of age.

One of the benefits of these locking systems is their low cost of installation with no cabling required. Battery-powered offline locks will support thousands of activations, while many online wireless locks need to skimp on data transmission to save battery power.

This limitation has been blown away by Assa Abloy, which won one of ASIS’s 2012 Accolade Awards with its Securitron PowerJump inductive coupling power transfer (ICPT) device, which wirelessly transmits up to 6 watts of power (12 or 24 VDC) across the gap (up to ¼ inch wide) between the frame and door. This is the same technology that Apple uses for contactless cell phone charging. Assa Abloy’s next trick? They are researching the possibility of wireless data transmission using the same inductive coupling technology.

The company also won an ASIS accolade for its wireless, battery-powered cabinet lock (from HES) with built-in contactless smart card reader. This provides a cost-effective solution for access to individual racks in data centers and web hosting/IT hotel facilities.


The Future?

Regardless of the state of the economy, innovation is alive and kicking. New technologies will continue to surface; in fact, research is under way in Finland on the measurement and analysis of rapid involuntary eye movements called saccades. Patterns of these movements are as unique as fingerprints but preliminary tests show a requirement of 30 seconds to measure enough saccades to yield a high degree of accuracy.

Moore’s Law says technology will double every two years, so whatever the outcome, we are in for a thrilling ride!


David G Aggleton, CPP, CSC, develops security system design solutions for managers and tenants in more than 150 commercial office buildings. He’s a member of the Intl. Association of Professional Security Consultants (IAPSC.org) and the ASIS Security Architecture & Engineering Council. Email him at: dave.aggleton@aggleton.com.