Choosing the right biometric technology in the new normal

Access & Identity Management Handbook 2021 Access Control & Identity Management

Nowadays, positively identifying an individual requires more than a badge or a PIN. Biometrics, widely acknowledged as the most accurate form of identification, is increasingly incorporated into the security protocols across industries. We explore the various biometric modalities available and review how the market has been impacted by the current pandemic. Furthermore, we share recommendations for successful biometric deployments in this very special context.

When what you have and what you know … are not enough

Multi-factor authentication is very famous in the security industry. It consists of increasing the security level by requiring something you have (a token such as a badge or a card), something you know (a PIN code or password) and/or something you are (your physical attributes like biometrics).

Tokens and PIN codes can be stolen, shared or broken. This is not the case with biometrics. Biometrics are the only means of authentication today which can ensure that, for instance, the person passing through a gate is a genuine employee with actual access rights. Coupled with the right biometric access control technology, all business rules and regulations can be enforced specifically for the person trying to gain access, and depending on the use case: compliance for mining, health check, sobriety check, etc.

Long gone is the time when biometrics were reserved for government agencies. Today, it can benefit everybody, from companies to gated communities.

Which biometrics?

Biometric data are extracted from a human body part (a face, a finger or an iris) through the isolation of multiple reference points converted via an algorithm into a digital record (‘template’). This template is stored in the biometric device or on a server, and used as the reference for comparison with data extracted by the device each time an individual requests access. Once the two data sets match, the individual gains access.

So, how do we select the appropriate biometrics to meet our needs?

Adoption/acceptance: The chosen type of biometric modality (facial, iris, fingerprints) depends on the use case’s security requirements and preferences, but can also be influenced by cultural habits, beliefs, or others.

Accuracy: With biometrics, trust is paramount. Users must trust and be confident that the system can positively identify them every time, all the time. It must be true whether one person or 10 000 people use the system, but it must also be true if using the system for verification (1:1) or for identification (1:n). The difference between verification and identification is simple but the complexity is exponential.

Verification happens when someone presents a token (card or badge) which is associated to a biometric template. In this case, the system will test the biometric data presented against the biometric template linked to the token number. With identification, no token is involved. The algorithm must determine if the person in front of the reader is indeed allowed or not. Identification is much more complicated and requires some specific expertise.

Anti-spoofing: Biometric equipment installed to provide a high level of access security must not be easily manipulated. It must therefore use efficient anti-spoofing hardware and software mechanisms, like false finger detection for a fingerprint reader and 3D/infrared cameras and image processing for facial recognition devices.

Algorithms: Together with hardware components like the sensor for a fingerprint device or cameras for facial recognition, algorithms provide the processing power and speed. We recommend selecting products from vendors that develop their own algorithms and that rank high in the very stringent NIS[1] evaluations.

Speed: High-speed processing is key for efficient operations, from an office building to a residential estate. The appropriate systems must offer throughput of at least 30 users per minute per device to provide fluidity and avoid queues. It is paramount when a large number of people need to get access or leave a site as quickly as possible (whether it be a 1000-person shift or resident(s) entering a community by car).

End-user convenience: This is key for user adoption. If users have trouble using a system or struggle to be identified first time, they will resist its use. This also includes changing conditions throughout the day. When a system functions identically with various light conditions, it saves much frustration for users.

Enrolment: This is a key process whereby user biometric features are first captured for subsequent authentications. This needs to be secure and frictionless.

Deployment: The bulk of the cost of deployment usually comes from integration with your existing PACS (physical access control systems) and doors, turnstiles, speed gates, etc. Therefore, to reduce deployment hazards leading to increased project complexity and costs, it is advisable to select vendors integrated with mainstream PACS and hardware providers and with a proven record of successful implementation.

OPEX: As with other systems, the TCO (total cost of ownership) and ROI (return on investment) have to be considered rather than the initial capital investment only. The TCO is impacted by criteria such as quality and reliability. Selecting vendors with field-proven experience and a strong support, maintenance and repair network is paramount for efficient support when needed.

Biometrics and the #newnormal

With concerns surrounding contamination from surfaces, contactless biometrics have gained traction in the #newnormal.

Facial recognition is a natural alternative that comes to mind, but the emergence of facial mask requirements, which cover part of the nose and the entire mouth and chin areas, poses a new challenge for facial recognition devices. Technology companies are currently re-training algorithms to take this new constraint into account and improve performances.

Iris capture devices that by definition only scan the users’ irises are not impacted by this constraint, but they have other drawbacks in terms of speed and throughput capabilities, as well as a less favourable user perception, that limits them to specific use cases (for instance surgery rooms or laboratories).

Contactless fingerprint capture devices are a very efficient alternative. There are various options on the market, with the IDEMIA MorphoWave Compact being one. 3D images of four fingerprints are captured in a quick and fully touchless hand movement above the sensor. This innovative technology is already widespread, as it can provide high throughput, is very accurate and enables immediate user adoption. It is currently the preferred solution for real estate complexes in South Africa.

With COVID-19, we experienced a notable demand increase for contactless biometric readers like MorphoWave that scans and verifies four fingerprints in less than a second through a fully touchless hand movement, and VisionPass, the 2020 SIA Award-winning facial recognition device, designed with clients and users and that features a 2D+3D+infrared camera set and advanced anti-spoofing mechanisms.

[1]National Institute of Standards and Technology


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Suprema ranks first in survey
Issue 2 2021, Suprema, neaMetrics , News, Access Control & Identity Management
In a recent survey conducted in Korea, Suprema was chosen as the top brand for access control management software and mobile access solutions.

Suprema integrated with Nedap
Issue 2 2021, Suprema , Access Control & Identity Management, News
Suprema recently announced that it has integrated its latest facial recognition devices into Nedap's access control system, AEOS, to enable organisations to manage their access control by making use of Suprema’s latest facial recognition technology.

Single bollard stops and destroys simulated bomb truck
Issue 2 2021 , Access Control & Identity Management
Delta Scientific announced the successful testing of its Model DSC635, a single shallow foundation bollard design that stops and destroys a 6804 kg test truck with less than 0.6 m of static penetration and 1.87 m of dynamic penetration.

Size of OSDP-verified list is underappreciated
Issue 2 2021 , Access Control & Identity Management
Farpointe Data announced that, at first glance, it appears that there are just 25 devices from seven different vendors listed as OSDP Verified. Although that doesn't seem like a lot, it really is.

Mail.Ru selects HID Global
Issue 2 2021, HID Global , Access Control & Identity Management
HID Global announced that Mail.Ru has chosen its HID Mobile Access solution for secure and convenient access control using smartphones and other mobile devices.

Honeywell and IDEMIA announce strategic alliance
Issue 2 2021, IDEMIA , Editor's Choice
The alliance will integrate Honeywell’s security and building management systems with IDEMIA’s biometric-based access control systems to create frictionless, safer and more efficient buildings of the future.

Paxton hires top talent in South Africa
Issue 1 2021, Paxton , News, Access Control & Identity Management
The international access control and video surveillance manufacturer, Paxton, announced it will continue to invest in new talent to accelerate expansion into the South African market.

Gallagher achieves UK cybersecurity standard
Issue 1 2021, Gallagher , Access Control & Identity Management, Cyber Security, Government and Parastatal (Industry)
The Gallagher UK CPNI CAPSS High Security System features compliances to the Cyber Assurance for Physical Security Systems (CAPSS) standard, and the Centre for the Protection of National Infrastructure (CPNI) Readers and Tokens standards.

OSDP verified readers/credentials preferred
Issue 1 2021 , Access Control & Identity Management, News
Farpointe is among the first three manufacturers to have earned the SIA’s new OSDP Verified mark on its mobile, contactless smartcard and proximity solutions, while simultaneously finding that OSDP is specified more than ever before.

Three key areas for zero-trust access
Issue 1 2021, Cyber Security South Africa , Editor's Choice, Access Control & Identity Management, Cyber Security
Protecting the network with this zero-trust access (ZTA) approach means that all users, all devices and all web applications from the cloud must be trusted, authenticated, and have the correct amount of access privilege (and no more).