printer friendly version

Taking IAM to the next level

Phil Scarfo

Today, decision-makers can be less concerned about whether technology works and more interested in how access control can be integrated into identity management systems for goals beyond the simple transaction of opening a door. Now they can use biometrics in customer facing applications like loyalty programmes. With the advent of the latest technologies, biometrics have been successfully deployed at major theme parks and bank ATMs.

But, that is not all! Can workflow finally be streamlined by a single authentication solution across an organisation? Can user authentication be tied into safety systems, as required by regulators or insurance providers? Can business patrons’ experience be enhanced by expanding the touch points that know who they are? The answers to these questions are being asked today by CIOs who are demanding seamless and holistic solutions to IAM challenges that revolve around the question, “Who?”

For the challenge has always been how to establish the 'who' in transactions. Who is accessing the warehouse? Who is punching the time clock? Who is the customer standing in front of me? The question is always, "Who?"

Until now, our response has been to use the best available tools to approximate identity. Thus, a person can present a credential – something they know like a password or something they have like a swipe card – to authenticate their identity. However, credentials alone simply cannot substantiate identity.

CIOs understand that others can know the password – it may have been shared, found or observed. Cards and tokens show what somebody has, but possession alone does not ensure identity: somebody else could have that card or token, via sharing or theft. Thus, while access and authorisation has always been granted to individual people, knowing a password or having a key is only superficially related to the authorised person, and neither can establish who. Only a biometric can do that.

The importance of who

Here is an example of why it is important to know who. Today, NFC-enabled smartphones are starting to get a lot of press. It is now possible to replace cards with virtual credentials on a smartphone. These credentials, when linked to one’s unique identity, provide an easier, simpler way to pay for merchandise. The customer just taps her smartphone to the cash register. NFC-enabled smartphones could also provide better access to buildings, data or devices.

Nonetheless, virtual credentials still only verify that somebody has the phone. Add a biometric to the phone and you know that the person using the phone is the person who is authorised to use it. That shows again why user authentication, and specifically biometric identity management, is becoming more and more important. Let us look at some industries and how they can take IAM to the next level.

Take access to pharmaceuticals as an example. It is important that only authorised people, such as pharmacists and certain nurses, have access to controlled substances in hospitals. Verifying who is imperative – and something that cannot be determined in a non-repudiated way by a card or password alone. Now, if you extend biometric authentication of drug access to other systems in a hospital – shared workstations, patient medical records, time clocks – the hospital can improve workflow efficiency, save costs at help desks, advance patient safety and privacy, and facilitate regulatory requirements. The hospital is assured that only the correct people are handling narcotics. Time and attendance is automated and the opportunities for buddy punching are erased. Nobody checks in with help desks because they have lost their fingers and compliance mandates are met, both on the physical and logical access control sides.

Thus, biometrics becomes extremely important in a hospital’s IAM scenario. Administrators know exactly who handled patient Jones’ Vicodin, when laundry room associate Zack Carter checked in for work and when he left, and if files coordinator Mary Smith went into the computer centre and when accounts payable clerk Charlie Adams checked on patient Jones’ billing status. Officials have the assurance that who is who, not just something known or being carried at the time. Thus, verifying who provides greater security but identifying who also provides an opportunity to streamline and improve workflow and facilitate any number of benefits throughout the hospital, ranging from auto-filling a form in a way that is most useful to that particular user to enabling better provisioning and rights management.

A hospital makes an easy case for IAM. It is needed from the beginning, at the doors and at data entry. Taking it beyond these two common access control tasks makes sense and is quite easy to define in a setting dealing with scores of standards and regulations. But, does such IAM have such an important role to play elsewhere?

Identify fraud – who is who?

There are some massive banking projects that are presently being announced. As the world attempts to cut back on the problems of ID theft and reduce waste, fraud and abuse, the banking sector will be huge for IAM and biometric authorisation. While the cost of identity theft and fraudulent online transactions continues to grow, the industry must, at some point, look for ways to ensure that these transactions and personal identities are secured.

As face-to-face transactions are becoming rare and online commerce continues to grow, better measures need to be deployed to accurately authenticate users. Current systems that deploy multiple passwords, pass phrases, and knowledge based identification are better but not sufficient to ensure that the right individual is at the end of that transaction. Data losses and the growing number of system attacks place any of these credentials at risk. Ultimately, biometrics could raise the security level and provide a better guarantee of user authentication.

The coupling of government issued ID documents in countries like Chile and Brazil enable the intelligent use of biometrics for personal identity at a bank ATM or service counter. In South Africa, a banking risk information centre (SABRIC) required banks to take active measure to become “safe, secure and risk free". In 2003, several large regional banks began to plan and focus on measures to eliminate fraud and adopt identity systems that would utilise biometrics as a means to achieve their goals. In India, initiatives related to Financial Inclusion and Public Distribution systems also turned to biometrics as a means of security field transactions and ensuring that the citizens were protected and government services were being provided to those who were authorised to receive those benefits.

The two most common offerings today are akin to conventional ATM systems where one can use a card plus a biometric to ensure that the user is authorised and legitimate. Often the card may include a biometrics template and the matching can be done either locally or online. The other is in the form of a portable, handheld device that can authenticate both user and service provider to ensure proper delivery of service and provide a complete non-repudiated audit trail of those transactions.

Who verifies cargo tracking and fleet maintenance personnel

In transportation applications, the control of assets via RFID tagging coupled with biometrics allows carriers to not only track merchandise and goods but also maintain a proper chain of custody – who is loading/unloading containers, transporting these goods, etc.

With many telematics systems, people are managing very expensive assets and they want to know everything and anything about these assets, including the last time the oil was changed, real-time information about the RPM, and about a particular engine in a particular vehicle. What they do not know now is who is in control of the asset. They do not know who is driving it or who is servicing that particular piece of machinery. So, you can imagine the value proposition of being able to add the who on top of all of the other elements that are known about these assets.

Who are you?

Lastly, there is a burgeoning desire by the hospitality and retail markets to introduce the 'personal experience' to their customers. They want to launch a whole new mode of customer service which combines the use of biometrics and RFID. For instance, when Joe arrives at a cruise ship (or men’s store, etc), he checks in with his fingerprint. An RFID bracelet – or his credit card – tracks where he is. As he approaches a steward, the steward says, “Good afternoon, Mr. Jones, will you want to eat out on the deck again or inside today?” At the men’s store, the sales clerk might ask, “Mr. Jones, would you be interested in our shirt sale? Many of them would go handsomely with the blue pinstripe suit you recently purchased.” And, of course, payment is with a finger tap.

Organisations within these industries and others are searching for similar IAM solutions. Today, biometrics that provide a clean read on the first try are finally available to offer the mix of user convenience, cost and non-questioned compliance that has been needed.

Share this article:

Further reading: