Biometrics advance is relentless

Access & Identity Management Handbook 2017 Editor's Choice, Access Control & Identity Management, Integrated Solutions

According to Radiant Insights, the financial value of the global biometrics market will reach $44.2 billion by 2021, primarily from four segments law enforcement, border control (which includes government identity systems), workplace access, and consumer identity.

Governments are a key driver in the rollout of biometrics with enormous projects underway in, among others, China and India. Another driver is expected to be the financial market which is finding more reliable ways of identifying people and combating fraud, both internally and externally.

It wasn’t too many years ago when South Africa was a primary driver in the biometrics market. The uptake of biometrics in the country was driven by the private sector, with government catching on before too long. Today, using biometrics is common for millions of South Africans at work, collecting pensions or getting a new passport. And that ignores the growth of smartphones and other devices that have biometrics embedded.

From a business perspective, both private and public, biometrics plays and will play, a significant role in various applications, from access control to time and attendance tracking, through to workforce management and financial authorisations. Hi-Tech Security Solutions asked the leading biometric suppliers in the region to tell us more about the market, as well as about reports claiming it is easy to fool biometric readers.

We received input from people from three respondents:

• Hendrik Combrinck from ZKTeco.

• Walter Rautenbach from neaMetrics, local Suprema distributor.

• Deon van Rensburg from ViRDI Distribution.

Hi-Tech Security Solutions: There are stories doing the rounds that criminals have ways of skimming your fingerprints at ATMs. Then there are the never-ending stories about the poor quality and reliability of biometric authentication systems? How would you respond to this?

Hendrik Combrinck: Through many years of research and working with the banking sector extensively, we have concluded that biometrics by itself will never be the silver bullet everyone was looking for in identification and authentication. Biometrics will always form part of the full solution where it will be used as one of the criteria in multifactor authentication. So the ATM user will still need to enter a PIN, account number or just insert the card, but with that a fingerprint, face, retina or iris will be compared to the system. The biometric systems the banking sector is looking for now are meant to strengthen their existing identification systems and not to replace them.

Walter Rautenbach: There is no such thing as perfect technology, and whilst flaws exist, and with financial gain as a motivator, there will always be enthusiasts willing to exploit these weaknesses.

As Albert Einstein said, “We cannot solve problems by using the same kind of thinking we used when we created them”. The same applies to biometrics. One must consider the progress security has made to ensure true identity through biometrics over the current flaws in identifying a person based on something they have (card, phone) or something they know (account number, PIN, passwords). There will still be many advancements in skimming of data, be it biometrics or not, and hence the need for continuous enhancements in technology.

Reliable, good quality biometric solutions have been in existence for many years, but their cost has not justified the cause. Complaints of poor quality and reliability arise more often than not as a result of cost winning the battle over quality, to the detriment of the technology as a whole.

The past decade has seen a general improvement in biometric technology, processing speed and accuracy, with the driving force being fierce competition between vendors and modalities in search of a positive authentication technology that delivers the most business value (cost versus effectiveness). Credit must be given to those that spend extensive time to ‘flaw’ systems because without that vendors would have no reason to innovate and improve.

Users also play a vital role by demanding technology that works and which overcomes the flaws that receive attention. International benchmarking of vendors and modalities across large databases, previously not available, also assist users in making educated decisions on viability and selection. Certain implementations might justify placing a finger three times for it to work or having a high false acceptance rate. The rest has a wealth of information and research readily available to ensure they make the right decisions.

The thought of a having one’s identity stolen is also a driver of technology improvement. Liveness detection was a good start, kerbing at least the motivation of someone to steal your finger. Protecting the data generated at the time of interaction to completion of the transaction, with the purpose of interjecting the same later to execute another transaction is another challenge. It is, however, a general problem with any data, and continuous improvements in protecting this are essential.

Statistics show that acceptance has increased, which my mind translates to decreasing scepticism. Competition is fierce and bad publicity hurts billion dollar enterprises. Technology is imperfect, but my answer is ‘Yes’, True Identity will improve our society and we can only solve the new problems we create with new thinking.

Deon van Rensburg: There is a misconception about fingerprint systems that is at the heart of these rumours. Major biometric vendors each have their own extraction and matching algorithms which converts the fingerprint into a mathematical string called a template. Good systems then encrypt these templates further to comply or exceed with ISO 27001:13. Extremely good systems also exceed the FBI iAFIS/NIST/MINEX standards.

Even if this template is stolen, it is virtually impossible to reconstruct a physical image of a fingerprint from these templates. Add to this live and fake fingerprint technologies or multispectral response imaging technologies (or in the case of ViRDI, a combination of both) and these stolen templates are virtually useless.

There have been numerous cases over the last few years where biometric data has been stolen. The US Office of Personnel Management hack or the Philippine Voter Registration Database hacks are the most prominent. With the OPM hack more than 6 million biometric data records were hacked and with the Philippine hack more than 15 million biometric fingerprint records were hacked. Yet, not once has there been any correlation between these hacks and any criminal activity where stolen biometric data has been used.

A major source of concern for the general public was the mobile phone manufacturers’ first forays into fingerprint biometrics. Both Apple and Samsung were ‘hacked’ i.e. spoofed within hours of their flagship phones featuring fingerprint technologies being released. What people tend to forget is it was a trial for these manufacturers. Just as with the first trials of other technologies (like Bluetooth), development was needed to make it better and more foolproof. The fingerprint scanning technologies they used were proven by the mainstream to be obsolete and not worth investing in.

Both Apple and Samsung (Huawei and Redmi as well) are currently developing new fingerprint scanning technologies for mobile use that is already far superior to anything they used previously. Even ViRDI’s sister company – Nurugo – is developing optical scanning technologies for mobile fingerprint scanning use that incorporates optical scanning with live and fake fingerprint detection. Taking the above into consideration, the chances that a fingerprint is skimmed and then becomes useless is negligible.

Hi-Tech Security Solutions: How do biometric systems, whether fingerprint, facial iris etc. detect that the subject is alive and that someone is not presenting a fake finger or image?

Hendrik Combrinck: Most manufacturers have their own methods of establishing if a biometric reading is from a live person or not. Most of the time it is done through a process where different coloured light is either absorbed or reflected by the object being read. This reading then forms part of the whole algorithm of each manufacturer.

Many questions come up as to the reliability of these processes, but no company has ever made any claims of being 100% foolproof. This brings us back to a multifactor authentication, and this can also now include multi-biometrics. People will still try extensively to fool a one factor biometric system, but with a multi-biometric system they will think twice.

Walter Rautenbach: Liveness detection has drastically improved over the past few years and many patents have been registered. Many of these utilise specialised algorithms that measure life through specific behaviour and pattern analysis. For example, the difference between a picture of a face and live feed of a portrait image is the variation of the facial pattern over several captures.

With facial recognition, some vendors will enhance this through specific on-demand requests such as smiling or closing a specific eye, although people prefer not to smile or blink at an ATM. With certain modalities, it progressed by introducing hardware components, such as infrared light for facial authentication, utilising 3-dimensional face modelling, or external specialised light emitters and sensors for fingerprints, which can detect a physical pulse. As with biometric technology in general, these protection methods have been under attack and have been improving drastically to compensate.

Suprema has, over the years, been developing and improving its liveness detection technology and developed its own algorithm. The new and advanced Live Finger Detection technology applies machine learning, which analyses and categorises image patterns according to optical characteristics. It further utilises a technology called Dual Light Source Imaging which applies infrared and white light to detect liveness instantly.

Deon van Rensburg: Different vendors each have their own version of live and fake biometric detection. This always consists of a range of different technologies working within a system and is rarely, if ever, a single technology. As with everything, there are constant evolutions and development within these technologies and the proof of the pudding lies in how vendors apply each of these technologies in a system to make their system spoof resistant.

Since I represent ViRDI, I will highlight how our systems operate. With fingerprint scanning we firstly measure capacitive discharge from a human fingerprint. Without capacitive discharge, the system remains in idle state. We then bombard the fingerprint with infrared and measure a very specific IR bounce back that is unique to human skin. As a third step, we use multispectral response imaging technology to scan the fingerprint, and lastly our algorithm looks for certain characteristics that are unique to human fingerprint and cannot be duplicated by means of composite materials such as rubber, paper or silicon.

For facial recognition we use 3D geography with isometrics, i.e. we specifically look for curvature and shapes of features. We also extract the image via infrared and not via colour. Iris scanning systems are the most challenging. I recently read a study where iris systems were successfully spoofed, but with the addition of EEG (Electroencephalogram) technologies, this spoofing was successfully thwarted.

Hi-Tech Security Solutions: How do biometrics work in terms of recording someone’s fingerprint (or other) details?

Hendrik Combrinck: Most manufacturers have their own methods, but most of the time it is certain points on the biometric object that are read and put through a proprietary algorithm that is then stored on a database on a server or on the device itself. In most cases, it is not dangerous to transmit this information because it is encrypted at all levels.

Walter Rautenbach: Encrypted transmission and storage are essential. With today’s hard-core processing power it is becoming easier to do brute force attacks on encrypted data by exploring as many encryption keys as possible to find the one that will open the data. To kerb this, it is essential to use session keys for data transmission, meaning unique session keys are negotiated between transmitter and receiver and are valid for a particular transmission only.

This means that if skimmers pick up transferred data packages and attempt brute force decryption on this, the specific security key found is long lost and not usable anymore. Still, if they found the key, it means they could open the transmitted package, and should it contain identity data then the identity data is in the open. This, as well as brute force attacks on data stores, are typically prevented through data fragmentation where the personal data and biometric data is separated, leading brute force attacks to find the biometric data, but not being able to link it to a person for exploration purposes.

The sophistication of this type of fragmentation varies from implementation to implementation and exponentially decreases the likelihood of opening up the identities for exploitation. Another element used to protect data even further is the utilisation of external tokens, such as smartcards and dongles, in the encryption process. The greatest weakness in these systems is knowing what methods are used to protect data. This saves hackers the effort to figure out what decryption to attempt and brings the focus merely to finding the right keys to open the data.

For this reason, system architects and owners obfuscate as much of this information and certify their security layers only through external organisations hired to try to break in. This in itself creates risks by providing hired hackers with great equipment and also relies on the success and skills of their tests over the particular test period. It is, therefore, imperative to find an identity partner that invests in data protection, who performs as many external security certifications as possible and who uses proper key sizes, upgrades encryption algorithms before they are compromised and implements a sophisticated data fragmentation that separates the biometric data from personal data.

Deon van Rensburg: Biometrics uses something called an algorithm, which in essence is a range of mathematical equations that performs a series of automated functions that includes a) quality assessment, b) enhancement, c) feature extraction, d) classification/indexing, e) matching and fusion, and f) compression to reduce storage space and bandwidth.

Once a fingerprint image has been extracted, the algorithm converts the image into a mathematical string called a template. Think of this as GPS coordinates that would indicate location on a map where the coordinates are features that can be used to indicate certain unique identifiable features to match to. This is why reverse engineering a full fingerprint image from a template is all but impossible – you have the coordinates, but you have no map to reference to.

The top biometric vendors – who developed their own internal algorithm – also encrypt this template to comply with or exceed ISO 27001:13 / NIST / MINEX/iAFIS. With ViRDI, this encryption exceeds military specification and the decryption key is our most highly guarded industrial secret. Because of this, the data traffic between device and database is secure. The protection of the network, however, is something that is out of the hands of the biometric vendors and, as with any other data, the level of network security is very important.

Hi-Tech Security Solutions: We know the security industry is price conscious. What advice would you offer to potential buyers/users to assist them in ensuring they obtain the appropriate technology that they can rely on?

Hendrik Combrinck: My best advice to the market will be to firstly choose the correct biometric technology for your company’s environment where the reading will take place and the application is going to be used. The correct installation partner must also form part of the decision, because sometimes technology is only as good as the installation.

Walter Rautenbach: The best advice is to find a knowledgeable partner that continuously invests in new technologies and which has a proven track record.

Deon van Rensburg: South Africa is historically a society that are slow adopters of new technology and when they do adopt, pricing is always an issue. This makes the adoption of biometrics quite surprising. South Africa was one of the first adopters of the technology outside of Asia and from the very beginning, pricing didn’t seem that big an issue.

There are applications where a high-end high security solution is not required and which is perfect for the more cost-effective solutions. Think of a small butchery with five employees that wants to keep T&A records by using biometrics. A high-end system is not the appropriate solution. However, there are spaces where extra security and functionality is required with large volumes of users. For these applications, the cost-effective biometric systems are totally inappropriate and the high-end systems come into their own.

It is up to the specifiers/installers/consulting engineer to recognise which system is appropriate and which are not. Let’s be honest, as with all electronic technologies, there are vendors out there that are dirt cheap and their product is an embarrassment to the industry, but in the biometric industry they have not had such a major impact as they did in the CCTV, intruder detection and access control market segments.

My advice to a potential user is this: how accurate must the system be, how secure must the system be, what speed of use is required for the volumes of traffic flowing through the system, how long do you want it to last, and what functionality is required by the application? Then choose your system accordingly.

Hi-Tech Security Solutions: What are the latest solutions your company has released to market and what are their distinguishing features?

Hendrik Combrinck: Our biggest launch this year was of our professional enterprise access control platform, ZKBioSecurity (see separate article in this issue). This platform competes against the regular names in the access control market, but at a much lower price point. Included in this platform is a full array of door controllers, standalone access control units and multi-biometric units that uses push technology to communicate to a central server, be it a local or cloud server.

The browser-based software makes implementation and setup fast and easy, and also makes multi-sites a headache of the past. The ZKBioSecurity software already has video integration with Hikvision and Dahua, as well as a fully operational elevator control module and visitor module. The biggest advantage of using our controllers are that they do the biometric authentication onboard so there is no need for expensive biometric readers to be linked to the controller; you can now just use our F12 slave readers, which are a fraction of the cost of an intelligent biometric unit.

Walter Rautenbach: Suprema has launched a few new products to market:

New sensor optics: Multi Dynamic Range (MDR) technology.

Fingerprinting has been increasing in areas other than well-controlled indoor environments with the increase in mobile devices and the popularisation of fingerprint use. However, existing scanners have difficulty in obtaining accurate fingerprint information according to environmental changes. In particular, fingerprint information is not attainable or is distorted by external lighting, such as direct sunlight. Applying the company’s self-developed MDR technology, an improvement on existing HDR technology, it can capture normal fingerprints even under 100 000 LUX direct light, which is impossible with other products. The improved level of detail and sensing capability allows for capturing an exceptional quality image, independent of dry and difficult fingers or external light conditions.

Live Finger Detection (LFD)

As the use of fingerprints increases and applications are extended to the financial field, such as banking or pension collection, the importance of fake fingerprint detection is growing. Suprema’s LFD technology is made using the solid experience and expertise accumulated by Suprema in false fingerprinting and overcomes the limits of existing sensors. The new and advanced Live Finger Detection technology applies machine learning, which analyses and categorises image patterns according to optical characteristics. It further utilises a technology called Dual Light Source Imaging which uses infrared and white light to detect liveness instantly. As the new standard, all new Suprema terminals will come equipped with LFD.

Increased performance

From this year, all new Suprema terminals will boast a minimum storage of 500 000 fingerprints (1:1), will allow for 1:100 000 identification without additional licence fees and will perform matching of 1:150 000 in less than a second.

BioMini Slim Plus 2

Suprema’s latest fingerprint authentication scanner offers unrivalled image quality, durability and security features. The new BioMini Plus 2 was tested in full compliance and received certification from the Federal Bureau of Investigation (FBI) for the agency’s PIV-IQS/Mobile ID standards and also received the Indian government’s STQC certification.

BioMini Plus 2 provides loads of innovative features to enhance its image quality, performance and mobile-readiness. Unique to the industry, Suprema’s patented Multi Dynamic Range (MDR) technology guarantees high-quality image capture even under extreme lighting conditions regardless of the moisture level of captured finger skin. It also includes Suprema’s LFD technology effectively identifying fake fingers as opposed to live fingers. This latest addition to Suprema’s range is ideal for any biometric authentication platform and is ideal for financial transaction authentication.

Deon van Rensburg: We recently launched our AC2200 series biometric terminals which feature a new generation CPU/memory combination and which is IP65 rated for external/industrial applications. Our current range will undergo a facelift with this new generation CPU/memory combination being deployed.

Additions to the range will be released later this year which include the T1 entry-level IP65 rated unit to the AC1100 Android based card reader with VoIP capability. Certain features will be made standard across the whole range – a digital still camera and Bluetooth Low Energy (to be able to use our new MobileKey service where a user’s mobile phone becomes a proximity card, negating the need for issue of proximity cards) being two such features.

We are also adding two software modules. The Visitor Management app for Android smartphones that has the ability to scan drivers licence and vehicle licence discs directly into the existing Visitor Management module within our UNIS V4 software. The second is the UNIS Messenger add-on that ties in with the OHS directives on medicals, inductions etc.

We also recently released our first version of MineStile with our partner iMAT, whereby a breathalyser, biometric terminal and man-trap turnstile combination is presented as an all-in-one solution to address sobriety requirements in the workplace.

For more information:

neaMetrics/Suprema: /




Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Prime time for palm vein identification
Fulcrum Biometrics Editor's Choice
Ingenico and Fujitsu Frontech North America, represented by Fulcrum Biometrics in South Africa, unveil queue-busting solution for secure in-store commerce.

A closed security concept for test halls and perimeter
Dallmeier Electronic Southern Africa Editor's Choice
At its factory facilities in Vilsbiburg, Germany, Flottweg SE relies on tailored video security technology from Dallmeier for perimeter security and workplace safety.

Advanced server performance and energy efficient design
Editor's Choice IT infrastructure Products
Dell PowerEdge server portfolio expansion offers more performance, including up to 2.9x greater AI inferencing while Dell Smart Flow design and Dell Power Manager software advancements deliver greater energy efficiency.

Free-to-use solar score for South African homes
Technews Publishing Editor's Choice
The LookSee Solar Score is one of the first of its kind to provide insight into the potential of solar power for South Africa’s residential properties.

31 percent of all IoT SIMs managed with third-party IoT CMPs
News Integrated Solutions
Berg Insight recently released new findings about the market for IoT connectivity management platforms (CMPs), a standard component in the value proposition from mobile operators and IoT MVNOs around the world.

Fast, reliable and secure cloud services
Technews Publishing Editor's Choice Cyber Security IT infrastructure
Security and speed are critical components of today’s cloud-based services infrastructure. Cloudflare offers a range of services supporting these goals beyond what most people think it does.

Smart car parking solution eases traffic flow
Dahua Technology South Africa CCTV, Surveillance & Remote Monitoring Integrated Solutions Products
Ethiopia’s first smart parking lot, designed to improve traffic flow and management efficiency, has been built and installed using Dahua Technology’s smart parking solutions.

Fire-fighting force at Vergelegen
Editor's Choice Fire & Safety Residential Estate (Industry)
Vergelegen wine estate in Somerset West, and its neighbours, are set to enjoy greater peace of mind this summer, thanks to the delivery of a brand new fire truck .

VMS 7.2 supports the investigation process and adds cloud capabilities
CCTV, Surveillance & Remote Monitoring Integrated Solutions Products
Qognify has launched the second release of its VMS, including extended support for body-worn video, additional functionalities to support investigations, and a new web client architecture. VMS 7.2 addresses the increasing use of body-worn video (BWV) across many sectors.

Sasol ensures Zero Trust for SAP financials with bioLock
Technews Publishing Editor's Choice Cyber Security Security Services & Risk Management
Multi-factor authentication, including biometrics, for SAP Financials from realtime North America prevents financial compliance avoidance for Sasol.