Designing Biometrics Into Access Control

Oct. 27, 2008
Before you buy that fingerprint scanner, think about the infrastructure and management needs of the system

[Note: This article is excerpted from NBSP’s Biometric Technology Application Manual, Vol.2, which is now in development. Publication is scheduled for mid to late Q1, 2007.]

A biometric device can be applied in virtually any application in which one might otherwise use keys, cards or passwords to control access to a physical facility, a virtual domain (information system) or a process. The deployment of biometric technologies is increasing over a wide array of industries as organizations and individuals look to increase security through enhanced identification technologies.

Access control applications include physical and logical access control. Physical access applications include national programs such as border control, campus-level applications for area control, facility or room access applications, container access and records access. The latter includes access to medical records, human resource and educational records.

Logical or virtual access control applications include access to distributed information systems, local area networks and stand-alone systems or computers.
At the simplest level one does not design a biometric security system; instead, one develops a security system with biometric components designed to improve access control by enhancing identity assurance. In some designs, the biometric device itself enables access, while in other designs the biometric device sends a captured biometric template image to a central processor. If the template matches that of an enrolled person, the central processor enables access.

Physical Access Systems
In physical access control systems, the biometric device typically replaces a non-biometric device controlling access to a campus, building or room. Architecturally, the primary security system design remains mostly unchanged. However, there are issues that need to be resolved before the design can be completed.

• Will the biometric device of choice operate in a stand-alone mode in which all users are enrolled at the device? In this instance:

- Does the device enable access or does it send a signal to a separate access control mechanism?
-Does the device record each entry for subsequent downloading?

• If enrollment is centralized and new enrollments are distributed through a network:

- Does the data flow into the primary security system or directly to a proprietary access control system?
- What are the power requirements and where are the power sources?
- What alarm reporting and response provisions does the system offer?

Logical Access Systems
The use of biometrics to control access to logical systems is not nearly as well matured as biometrics for physical access control. Most implementations are at the workstation level; the biometric control is integrated into the physical case and electronics of the desktop or laptop workstation. Other systems enable a biometric device, typically a fingerprint system, to be plugged into a USB port. Plug-in devices may not be able to satisfy the higher levels of secure government computing protocols.

In virtually all cases, the biometric device evaluates the presented biometric and, if identity is verified, enables operation of the workstation. The computing system and anyone at a remote terminal communicating with the secured workstation assumes (and this is a very profound assumption to be aware of) that the keystrokes or the file access requests following authentication are the actions of the authenticated person.

Some computing systems include a keystroke recognition sub-routine that continues to verify the user as he or she types. In principle, this approach would establish continuing authentication of the user, but keystroke dynamics are not an independently proven technology. Another approach would be to use a constant video assessment confirming one person at the keyboard and using facial or iris recognition to verify that person’s identity.

Facilities and Systems

Before you decide on a biometric implementation, consider the physical and virtual environment in which the biometric components will be expected to function. Will they be installed in a new or an existing security system?

• New System. If you’re installing biometrics in a new system, you have the advantage of being able to prepare a well-considered design using the most current and cost-effective components and procedures available. A potential downside to a new system installation is that there is no baseline of performance for comparison. New biometric systems (like most new technical systems) can sometimes require considerable troubleshooting before they fulfill operational expectations.
One way to avoid unnecessary problems is to minimize the level of innovation throughout the system, avoiding reliance on new and unproven equipment and technologies without a sound and rational reason to embrace them. In any event, introduce and fire up only one new piece of technology at a time. Ensure that the system is functioning properly before moving on to another system containing innovations.

• Legacy System. As often as not, the design of a new biometric component to an access control system will be integrated into a well-established legacy system. You must have a comprehensive understanding of the system into which the biometric will be introduced.
Underlying the decision to renovate a legacy security system with biometrics is an assumption that the biometric technology will afford a higher level of personal identification leading to a higher level of security. It helps in the assessment and validation of this assumption if there is a current or anticipated level of security compromise in the existing system that can be quantified. For example: “We currently experience a loss to pilferage from our storerooms greater than $10,000 per month as the result of the theft or misuse of keys issued certain employees. By installing some form of biometric identification, we can reduce this loss to nearly zero.”

Distributed vs. Centralized Processing
In any access system with a biometric component, the access decision can be made in one of three places: at the portal, at a central control point, or at some intermediate location.

In the first, stand-alone scenario, authorized personnel are enrolled at the portal. Some technologies offer a nominal database that records who has activated the device and at what time and date. These data are downloaded periodically by a wired or wireless link between the device and a portable data collection platform; however, in less expensive products, there is typically no enduring record of transactions.

In a central control process, enrollment information is collected and stored at a central location, where massive databases for the entire enterprise can be maintained. Biometric templates collected at portals are transmitted to this location for processing, image comparison and decision making. This mode offers improved security, significant system oversight and overall awareness of activity in the facility. System efficiency, however, depends upon sustained network communications. In the event of a power or communications failure, no portal activity can continue, effectively locking employees out of their offices or labs and, in applications requiring a biometric request to exit, locking these employees in their work space. In such applications a system override may be necessary.

These functional concerns led to the development of remote door control units (DCUs). DCUs function much the same as a central control in that they have capacity for a large number of enrolled templates, but they are not affected by loss of power at the central control. When a person is enrolled in the enterprise system, necessary template and administrative information is transmitted to each door in the enterprise through which that person is authorized to pass. The main design consideration is the location of the DCU so that it is protected from outside attack and tampering. For ease of installation, unfortunately, many DCUs are placed directly in the plenum just above the protected door. This can be and has been exploited by informed adversaries to bypass the system’s safeguards.

Expansion Requirements
The choice of technology for a security system is influenced in part by the population of authorized persons it has to monitor and accommodate. While the current population value must be known at the start of the design process, it is even more important to know what the projection is for future population expansion over the next five to six years. The resulting system design must account for this expansion to avoid costly retrofitting two to three years (or even three to four months in the case of rapidly growing offices) in the future.

Realistic Expectations
No control system solution achieves zero false accepts (false matches), false rejects (false non-matches), failures to enroll, and delays affecting throughput. All control systems have some degree of error. Further, the technologies are normally subject to adjustment so that false accepts and false rejects can be modified to force the system to adjust to your operational preferences.

The economic aspects of biometrics are and will be constantly changing; we cannot say definitively and forever that a given biometric technology is or is not cost-effectively suited for a particular application. The best we can do is outline an approach for evaluating the cost-effectiveness and investment returns as the result of adopting a biometric solution for access control.

Russ Ryan is a vice president of the National Biometric Security Project (NBSP). The company’s mission is to help government and private-sector organizations protect the civil infrastructure from terrorist attacks via the timely deployment of biometric technologies for authentication and identification. NBSP provides the government and private sectors with authoritative training, product and technology testing and research and acquisition support to aid in the evaluation, acquisition and deployment of biometric technology. Mr. Ryan is responsible for NBSP’s private-sector outreach along with the management of the company’s strategic and marketing communications programs.