Innovative technologies and techniques in the field of identity management are enabling change in the world of traditional security and facilitating the migration from physical credentials (access control proximity cards and smart cards) to digital, electronic ones. Threats, unlike any previously imagined have become real and commonplace; from cloned credentials to compromises of underlying communications between traditional security components. To meet these threats requires the ability to secure and confirm one’s identity for authorization of access rights, to transmit that identity securely and quickly, all the while ensuring privacy and trust.
Innovators are creating new business opportunities along with new technical and ethical challenges while strengthening the traditional modes of security. System architects require an even greater knowledge of information systems on top of a foundation in physical security to deploy trustworthy software and hardware components.
Security managers are looking to improve security and increase convenience. They are seeking ways to grow employee satisfaction by transforming the process of entry into a frictionless experience, while asserting stronger authentication which prevents identity misuse. With regulations getting stricter for data centers, bank vaults, and other high value areas, biometrics are becoming a must for two-and three-factor authentication scenarios. In recognition of the low costs and risk of duplication, the traditional card and pin do not hold up for the security requirements needed by today’s customer.
Physical security is becoming not only a general facilities concern, but more fundamentally an Information Technology (IT) concern. Protection of company assets is impossible without considering their value in an IT infrastructure, beyond the level network security with firewalls and anti-virus applications. Preventing access to physical machines and networking using biometric credentials is in keeping with a broader industry trend to phase out easily compromised techniques such as passwords and pins. Traditional access control systems permit physical access to premises based on the receipt of a recognized card number and allow logical access to a network or application based on the receipt of a recognized username and password. The person is not identified, but rather the card, username, and password are recognized. Adding biometric identification gives security managers certainty that the individual is physically present and that the credential cannot be shared or cloned.
Security no longer involves simply physical access; it now must embrace digital access and the authorization to execute transactions and services using personal devices. Examples include leveraging biometrics built into mobile devices such as a mobile phones and electronic wearables to provide real-time requests for authorization to complete transactions, access systems, or to move data. Electronic objects and networks which may be connected and accessed using personal electronics include:
- The onboard computer system in vehicles, such as automobiles and scooters
- Medical devices, both external and inside the body
- Financial accounts, payment systems, and healthcare systems
- Entertainment platforms, such as video games and television
- Exercise equipment
- Luggage tracking
- Home appliances and HVAC Systems
- Access control door readers with Bluetooth technology
In the world of digital security these are all considered “connected objects.” Biometric solutions play a mission critical role in the new world of “connected objects” to provide verification and trust (certainty) of an individual’s identity for frictionless, secure physical and digital access. Biometrics provides assurance that only an authorized individual can access their “connected objects.” This provides peace of mind, guaranteeing that a bad actor can’t take control of a vehicle’s onboard computer, a loved one’s medical device, or access a secure area or network in the workplace.
Biometrics is the use of one’s own unique physical or behavioral characteristics for identification and authentication. Where you go, your biometrics goes. Biometric technology includes a capture device whether it be a camera, an optical sensor (contact or contactless), a keyboard or a microphone to acquire an individual’s raw physical characteristic (raw data). This data is then converted into a reference template, a digital representation typically using mathematical algorithms that are patented and proprietary.
Biometric characteristics include face, iris, palm, fingerprint, finger vein, voice, gait, and keystroke patterns. Unlike passwords, biometrics are the only method that establishes a definitive link between our physical and digital identities. The biometric identifier, the reference template, may be a string of numbers or a random number. Biometrics verify and identify a person for the access control system to determine the rights or privileges (access, services, etc.) assigned to that individual.
Biometrics Used in Advanced Access Control Systems
We need our biometric identity to travel with us seamlessly in the physical and digital world; we require our identity protected, secured and available when and where we need it. Critical to the protection and securitization of one’s biometric identity is the assurance that it cannot be stolen, cloned, corrupted and it remains under one’s control. The biometric identity owner determines when, where, and how it may be used. An interesting way to accomplish this is using innovative technology that employs one biometric technology, such as facial recognition on a personal device, to decrypt an electronic container to release a second stored biometric technology such as iris or fingerprint for live matching to the biometric owner.
Critical to providing security is a public key infrastructure (PKI). PKI technology provides the mechanisms for mutual authentication between “connected objects,” such as personal digital devices, the onboard computer of your car, etc. PKI technology also provides the ability to encrypt the communication channel between digital objects, an internal network and access to cloud technologies.
Authorization for access must include biometric authentication of the individual initiating the request for access, the digital transaction. PKI only provides half the security needed to protect the IT infrastructure. It provides securitization of the communication channel and mutual authentication between digital objects or networks. But PKI is unable to authenticate the individual human initiating the connection to the digital device or “connected object.” This could provide the means for an unauthorized individual to gain access into the digital or virtual workplace.
Critically important to system integrators who specialize in the installation and maintenance of access control systems is the understanding and education of their personnel in how to properly implement existing security features to secure the access control system itself and its network communication. This includes but is not limited to:
- Working with the customer’s IT department to assign certificates (PKI) for mutual authentication between the host of the access control software and the access control panels that manage the door.
- Configuring the biometric devices and all elements of the system that communicate on the network to connect to backend software wirelessly or using a wired network executing TLS 1.2 security.
- Enforcing password rules and role assignments to prevent unauthorized access to the access control management software.
- Disabling any existing default username and password accounts once the system had been tested and accepted.
Managing Complex Security Environments
Security professionals are often challenged trying to effectively manage security operations where there are multiple physical access control systems, different biometrics systems, and multiple trusted sources. Reconciling these issues in order to have a robust security ecosystem is becoming easier with standards by organizations like the Physical Security Interoperability Alliance (PSIA).
In a typical enterprise organization, an employee is on-boarded their identity documents required for employment eligibility are stored electronically and may be associated with some form of biometrics. This is normally managed by a human resource system or identity management system. As part of the on-boarding process the employee is enrolled in a local access control system, a logical access system such as Active Directory, and assigned access rights and privileges to buildings, networks, and applications. When mergers and acquisitions take place, large companies must manage multiple access control systems. As employees travel to different office locations, redundant data entry, enrollment, into the local access control system and/or logical access system takes place. This can result in a second credential based on different card technology which may be assigned a different domain and username to access the physical and network access issued to the employee.
The PSIA has defined its Physical Logical Access Interoperability (PLAI) specification which addresses this problem by normalizing identity data and allowing the transfer of an individual’s assigned credentials across disparate access control platforms. There are two components to PLAI, an Agent and an Adapter. The PLAI Agent interfaces with the HR system or Identity Management System where the employee was first on-boarded and assigned an identity in the Active Directory and a membership in a network domain.
The second component is the PLAI Adapter, which interfaces with the Agent and a specific access control system or biometrics system. For example, if a large enterprise organization has four different physical access control systems (PACS), each would have a PLAI Adapter, which would normalize the identity data. It would then send it to the Agent, allowing it to share across the security ecosystem. One trusted source to provide the identity data is an important feature, allowing a much more robust security infrastructure.
About the author: Consuelo Bangs, Senior Program Manager, IDEMIA Identity & Security USA, LLC. Consuelo Bangs brings over 40 years’ operational and management work experience: 20 years as a program manager, project manager, implementation specialist and business development specialist of biometric access control solutions; eleven years as project manager and consultant for process improvement and work re-design; and thirteen years in education. Currently she coordinates the requirements definition of IDEMIA access control products with engineering to meet commercial and government customer requirements, provides pre-sales and after sale support of customized projects. She holds a Bachelor of Science from the University of Virginia, a Master of Science Degree from The George Washington University and held an IEEE Certified Biometrics Professional certificate.