The biometrics industry is wildly fascinating. Not because of the technology, but because of all the other factors that come into play when using biometrics. It is rare to find a technology where you get a more polarized discussion. And as one who likes debate, I can't help myself. On one side, you have advocates of technology. These tend to be manufacturers or service providers that see biometrics as the end-all-be-all solution to provide a truly protected, assured, and absolute secure posture both logically and physically. But, on the other hand, speaking primarily to the North American market, you have a group, mainly the mainstream market asking and then saying, "No, not worth the cost?"
The reality is somewhere in the middle. Somewhere between "the-end-all-be-all" and "no." We are just not there yet. Even with biometrics’ long history, a clear positive understanding of what it can do, and putting the negative aspects or bad actors to the side, biometrics is still an emerging technology. The biometrics industry needs much work to be seen as a mainstream market application. That work, though, is usually the soft side of things. But in this case, it's the hard part. I know what I wrote needs to be clarified. That is on purpose. I'll explain.
When I say, "biometrics needs much work," what type of work do you think I am referring to? Insert technical response from the biometrics industry. Unfortunately for our industry, a question like that triggers a technical answer. But we don't have a technical problem with biometrics. There is an ongoing need to advance the technology, but it boils down to more of an ethics, communication, and mainstream market value creation problem. We are not going to technical our way out of this one. I don't know. I will ask," are biometrics just not a product made for the mainstream market?" For whatever reason, that doesn't sit right with me. But once the biometrics industry comes together, has a good answer for ethical concerns, and can communicate a much larger market value creation story, it will continue to struggle.
That said, from all the experts I speak to, the market has a need. And from all the data I see, biometrics as a solution is growing. The adoption is especially true when you go to the enterprise vertical. And even more so when that vertical looks to incorporate biometrics with an integrated access control and video surveillance solution. Let's put aside the critical concerns I spoke of earlier (ethics, communication, and market value creation) that need to be addressed.
What emerging threats are prevalent that would cause an enterprise to adopt biometrics? And when adopted, what should the enterprise consider as best practices for mitigation in creating a biometric infrastructure?
Instead of pontificating, I spoke to industry experts to hear what they had to say from real-life applications. I asked them those two questions:
- From your perspective, what security challenges do enterprise organizations face that would lead them to consider advanced biometric solutions that integrate with access control and video surveillance?
- What are your thoughts on emerging threats, best practices for mitigation, and the creation of a biometric infrastructure?
Here is what they had to say:
Bobby Varma, CEO & President, Princeton Identity
Generally, we encourage our customers interested in biometrics to focus on access control integration and avoid integration with a VMS solution. This is because using biometrics as part of a surveillance system can open up legal and ethical issues related to user privacy and consent. However, certain security challenges merit extending the integration into a VMS platform.
Connecting facial recognition to surveillance systems allows companies to track behavior beyond locations where access control is deployed. In high-security environments, such as data centers, financial institutions, military bases, and critical infrastructure facilities, biometrics may be used in real-time to identify specific individuals' abnormal traffic patterns and behaviors. For example, it could flag a video of someone walking around an area at a time of day when they are typically elsewhere or not onsite. When using biometrics in this manner, management should explain to enrolled workers exactly how their data will be used and obtain their consent. By law, they're required to do so in Illinois, Texas, and Washington. Other states will soon enact similar legislation.
In less sensitive commercial spaces, biometrics are more likely used for forensic purposes only, like identifying individuals involved in a crime captured on video. Therefore, there is less concern about biometric identity solutions violating privacy when used solely in this manner, after the fact, instead of for real-time tracking.
On the physical security front, many companies are turning to autonomous technology – robots and intelligent monitoring solutions – in place of human security guards. These solutions have proven to perform well and be cost-effective, but to deliver real value, they must distinguish between authorized individuals and trespassers, most likely through facial recognition. This growing sector represents a lucrative opportunity for biometric solution manufacturers. However, companies overreaching in their use of the technology may result in legislation that throws the baby out with the bathwater. (For example, see the recent news on Madison Square Garden using facial recognition technology to ban patrons).
The main concern when it comes to biometric security solutions is that primarily, we are respecting people's right to privacy, and secondly that any solution we are involved with complies with privacy requirements such as the GDPR. When gathering biometric data, the people taking their biometrics must be made aware of how their data will be used and stored.
In terms of authentication, we're seeing an increase in the use of multi-factor authentication…However, biometrics can be easily simulated, so the effectiveness of the technology depends on the quality of the reader and liveness detection implemented by the manufacturer.
Using biometrics raises privacy concerns because biometric data is considered personally identifiable information (PII). There are several approaches to implementing biometric systems, each with varying levels of PII stored in business databases.
These approaches include using a chip that individuals carry with them, storing the biometric PII in a central database and using edge devices for authentication, and using edge-based access decisions with a small database.
Very shortly, we expect smart devices with high levels of security for biometric authenticators to be a common authentication method.
Rick Caruthers, CEO, Galaxy Control Systems
We see many organizations deploying biometrics to add multi-factor authentication at the entry level. We also see the desire to have the enrollment embedded into the access control software allowing users to capture and assign biometric templates in one U.I. The secret to successful use is to make it easy and seamless.
One area of improvement that is needed and not offered by most biometric companies is cloud/web-based enrollment… Cloud-based users do not want to install a thick-based enrollment which goes against the spirit of being cloud based.
Today's enterprises are vastly different, diverse and geographically spread out. Managing physical or mobile credentials to access the buildings for the whole workforce in other places is a big challenge due to its cost and administration challenges. Biometric access control systems eliminate this problem by making managing and distributing credentials easy, secure and convenient. Today's touchless biometric credentials like facial recognition and palm recognition offer the following advantages:
● Faster authentication
● Convenient to use
● Remarkably high accuracy
● Easy to scale
The user's identity in today's world has become a very important asset used for identification and verification in both the physical and digital worlds. In today's world, MFA and SSO are implemented in almost every mid-large enterprise, and using cards, tokens, or mobile credentials can be very inconvenient, expensive, and cumbersome. This can be avoided by using biometric credentials and many MFA and SSO solutions that can be easily integrated with their existing infrastructure. In the future, these platforms will be more secure and robust by implementing decentralized identity and storing the data on a blockchain-based ledger.
Janet Fenner, CMO, Sentry Enterprises
Attempts to steal data from businesses are becoming more sophisticated and organized. Protecting data from hackers is a never-ending arms race for which CISOs, with limited budgets, need to be equipped. The average data breach cost is over $100,000, with the main culprits coming from phishing attacks, stolen credentials/passwords, and vulnerable multi-factor tools. In addition, the loss of physical entry devices, access cards, key fobs, and keys goes beyond the obvious security risk of a lost proximity device falling into the wrong hands.
Therefore, managers must always keep a stock of cards, fobs, or keys. A false sense of security can also lead to the theft of assets, damage to property, and harm to people at the hands of disgruntled employees, criminals, those looking to make a statement, and even terrorism.
These security risks have one thing in common: identity stored in a central location is 100% vulnerable to a potential data breach. Whether a company relies on a password, PIN, a physical credential, a code on a smartphone or a computer, or a combination of these credentials (multi-factor authentication), the risk is still present. These credentials rely on information that an individual knows rather than on something that imparts an identity to an individual. Something you know can be shared – name, birthday, Social Security number, password; while something that defines your identity – fingerprint, unique facial traits, retina pattern – cannot be shared. Trust is ensured when identity is assured.
There are two main challenges today's enterprises are looking to tackle that are inherently addressed by the latest integrated biometric access and video security solutions:
1. The desire for frictionless, touchless authentication across enterprise touchpoints.
In our post-pandemic world, organizations and users increasingly want modern physical security solutions that are intuitive, reliable, highly performant, and accurate. Powered by remarkable advances in A.I., biometric solutions have come a long way. Just as FaceID changed how we use our phones, "face-as-ID" will streamline physical access while improving user experience. Biometric technologies are now truly mature, with dramatically enhanced Accuracy and usability. As a result, touchless solutions leveraging face recognition have become one of the more popular solutions on the market.
- The need to consolidate disparate systems into an overarching converged identity platform.
The second challenge relates to integrating legacy, disparate, federated systems that are often incompatible or disconnected. In the days of identity cards, access points, and security cameras that were not fully integrated, identity data such as face images or fingerprints were often stored in separated, disconnected databases. Today, newer technologies allow users to seamlessly tie together various types of physical and logical security technologies. This enables users to engage with their identity data without having multiple tokens or passwords for different doors or portals. We call this concept "converged identity." The future of this space will allow biometrics to be safely and securely shared and leveraged across badge readers, access points, video cameras, and even P.C. login or web SSO, all with integrated technologies, processes, and policies to support consented use and protect privacy.
Shiraz Kapadia, CEO & President, Invixium
Security challenges for enterprise organizations have always existed. But despite companies understanding that they need safety measures to keep bad people out of their buildings, many of the most popular solutions fail to be truly protective. Biometrics is the only way to be sure that people are who they say they are when they attempt to enter your property.
Despite the obvious benefits of biometrics, many companies were slow to adopt the technology due to a lack of understanding. Finally, Apple's fingerprint and Face ID tools on the iPhone pushed people to a place of comfort, and the pandemic came, forcing people to use biometrics in their everyday lives even more.
To rise above all the security challenges that the pandemic created and exacerbated, companies need to press the reset button and realize that security, especially the superior quality security provided by biometrics, is not discretionary but necessary. Investing in biometrics provides proof of presence, can consolidate multiple technologies, and be more convenient and secure for end users. Even for brands that don't have the budget for biometrics at every door, installing units at key points, like perimeter doors and private rooms, is more than worth the investment.
When Apple and Samsung deployed smartphone biometrics to the world, consumers were intrigued and recognized how easier verifying their identities was. They also perceived biometrics as more secure than a simple password or PIN.
Biometrics has been in the access control industry for a long time. Analysts predicted early on that biometrics would eventually go mainstream, but two factors prevented this from happening sooner: price and speed.
Other than at high-security government facilities, it wasn't ideal to wait at a door for three to five seconds for biometric verification to be authorized in a secure area. However, modern biometrics technology has rapidly advanced to the point where price has been drastically reduced, and speed is now almost as quick as with standard credentials.
Some factors influencing companies to consider biometric deployment in their businesses include the following:
- Prices are becoming more attractive.
- Speed—most modern biometric devices are fast.
- Contactless devices are in demand Post-COVID
- Superior technology allows for loss prevention.
- Ease of integration with existing access control infrastructure.
- Reduction of ongoing credential costs.
- Reduced threat of credentials being stolen or copied.
- The environment is protected through the reduction of plastic card waste.
- Your biometric signature is your password.
- Multi-factor authentication is made stronger with biometrics.
The rise of biometrics is happening and is being influenced by users who are much more educated in biometrics than in the past. Enterprise organizations face several security challenges that make integration with biometrics the single most beneficial access control solution today.
Closing
One last thing before we end. I want to address the biometrics industry directly with a call to action. It is simple: rally as a community. Rally together and start unifying your message, and your value creation story, and address the mainstream market's concerns. There is no better time than now.
How do we get there? Let me know what you think by emailing me at [email protected] and let’s start the conversation.
About the author: Lee Odess is a globally renowned access control influencer, thought leader, consultant, speaker, and author who has spent his career reimagining the role of access technology in modern connected living experiences. Lee is a big believer that security goes beyond your front door and that true access means the enablement of spaces. Throughout his career, he has leveraged a number of platforms to help owners and operators adopt the latest technology to provide safe access, deliver innovative resident experiences and future-proof buildings.
