Query the Access Control Expert: FIPS 201 Standards

Oct. 27, 2008
Confusion when Specifying Access Credentials

Q: What needs to be specified for biometrics when creating an access control front end for government installations?

Much of the confusion over biometrics standards has to do with the word “interoperability” and where that ends. In FIPS 201 parlance, the card and biometric standards primarily have to do with which card and biometrics technologies are used in authenticating the individual at the credentialing offices or visitor centers, not necessarily at the doors.

FIPS 201 only allows this “reference” template to be accessed through the contact part of the card. In fact, after the card is inserted into a contact reader, a PIN number must be entered to access the biometric information. This approach makes perfect sense for the initial authentication of a cardholder.

The FIPS 201 specification draws heavily on protecting access to an IT network infrastructure. That’s why FIPS 201 specifies using the contact portion of the smart card. This makes little practical sense for wide-scale deployment at doors in physical access control systems. The contactless portion of the smart card would be a far superior choice. And, indeed, FIPS 201 lets any government organization use whatever biometric they desire when using the contactless portion of the card.

By specifying the use of INCITS 378 standard fingerprints and a contact smart card in FIPS 201, the government makes the initial authentication for a cardholder at multiple sites easy and safe. It eliminates performing, over and over, the long and costly background checks that would need to be preformed without interoperable biometrics.

The typical process for being entered into a site’s access system is:
1. Submit fingerprint images on a standard 10-print card.
2. FBI background check is performed.
3. If passed, a scan is taken of two fingerprints from the 10-print card. This reference template is placed on the contact part of the employee’s smart card using the INCITS 378 fingerprint minutiae standard, the only format allowed within FIPS 201.
4. The cardholder-to-be reports to the credentialing office.
5. At the credentialing office, the cardholder-to-be has a finger scanned using a reader incorporating the 378 standard. Once matched to a reference template in the card, the cardholder-to-be becomes a cardholder.
6. The cardholder’s ID (CHUID) from the contactless side of the card along with additional info (name, photo, etc.) is entered into the local—or door—access system.
7. The cardholder is then enrolled in the department’s operational—or “door”—biometric device, which can be hand geometry, iris or fingerprint, among other biometrics.
8. The cardholder’s operational or “door” biometric templates are written to the contactless side of the card or stored in the access system and associated with the CHUID for that person.
9. Access rights are assigned.
The government saves money if or when the above cardholder needs to be authorized to enter another government agency’s facility. This cardholder can now skip Steps 1-3, eliminating constant repeats of the 10 print background check.

Bashar Masad is Senior Product Marketing Manager, Schlage Recognition Systems.