Selecting your biometric solution
September 2017, Residential Estate (Industry), Access Control & Identity Management
We know biometrics can solve many access and identity related problems, but what does one need to know when shopping for a biometrics solution. The sad reality is that all biometrics are not created equal, and while it may be a budget bonus to buy your products over the web at a cheap price with free shipping, you may be buying a world of trouble.
Then there’s the challenge of selecting an installer or systems integrator to advise you and do the installation of the biometric solution. Can you rely on the chap in the bakkie to set up the system properly, including the server and backups (and the security)? Can you count on them to support you over the long term?
We asked a few people to give us some insights into how an estate manager should go about making sure the biometrics and service provider chosen makes the grade. We also asked what needs to be done, or changed, with PoPI (the Protection of Personal Information Act) just around the corner.
So, what does a good biometric (or even a good access control) installer need to know? What questions should the security manager ask to see if they make the grade?
Marius Stoop and Marcel Kooiman from Security & Communication Warehouse say that a sound solution methodology is key to the standard offering. Further, a detailed requirement statement will help clarify the ability to meet the requirement. A good question would be to find out where similar systems have been implemented successfully, as well as:
• Understanding of the terms involved with access control is a good indicator if the installer is knowledgeable in the field.
• All access control systems require a firm understanding of IP networks, hence the installer needs to be able to set up a basic network.
• Operation of the software is easy once the IP setup is complete, if the installer can set the network up, the software training is usually the easiest part of the solution.
Andrew Levell-Smith from Regal Distributors says, “The simplest and most effective way of selecting an installer is to ask for references. Don’t only ask for reference sites, but actually visit them. Quality of installation is largely a matter of taste. Make sure that you like what you see and not only what you hear from others who may have different preferences to you. Ask their previous clients about their experiences.”
Embracing and extending this thought, PinnSec’s MJ Oosthuizen adds that the estate should ask to see the system or product in their own environment. “Enrol two or three users and test it for yourself. Too many products and offerings are made by integrators that work from a datasheet, without realising the true relevance of the product.”
Other issues Oosthuizen raises include whether fingerprint biometrics work in all environments on the estate. Additionally, what is the verification time for a user to be granted access, and what is the longevity, scalability and support on the system?
Selecting the technology and brand
How does one make the decision about which technology and which biometric modality to choose? Every vendor will tell you that their products are fast and secure, which is important, but what makes the technology work in the real world?
“In my opinion, speed and accuracy of the transaction in addition to the quality of the device should be a major consideration for residential estates with many tenants, visitors and contractors,” says Levell-Smith. “It is essential that devices that have international quality certifications, independently tested algorithms that aid in the accuracy and speed of transactions.”
Oosthuizen adds that, whether we like to admit it or not, budget outweighs requirements on many occasions. Considering a vendor requires one to look at the scalability of the system, and the ability to upgrade and grow the system as budget/requirements changes. “The time the proposed system takes for authentication (especially in high traffic or visitor access areas) needs to be considered as well as the longevity of the proposed system.”
Just as reference sites are crucial, so is the ability to develop specialised features the estate may require, note Stoop and Kooiman. “Many advances have been made through development and integration. Some new features, like recording the conversation of a visitor at registration, stored in a centralised database where the visitor can be audited and reviewed, should be considered as valued features.”
They add that access control boils down to three basic flavours:
• Memorised PIN: A very crude and ineffective access control method.
• Card: An intermediate option, card systems provide better security and are easier to install than biometrics, but are not as secure.
• Biometrics: This can be fingerprint, facial, iris scanners and many more. Though difficult to roll out, the system gives excellent security and is easy to use if set up correctly. It is well known that fingerprints are not always viable for all persons, so a mixed biometric/card system is recommended.
Levell-Smith agrees, noting that it is important to note that fingerprints do change as we get older, and even with all the advances in fingerprint technology, there are still fingerprints that simply cannot be captured. “So systems that are able to use multiple token types like cards, PINs and fingerprints should be considered above devices that only authenticate a single token type.”
And as an additional, although (we hope) unnecessary warning, he adds that there is a vast difference in terms of functionality, price and quality between the lower-end devices and top-tier devices. This is clearly evident in the pricing of a biometrics system. The old adage of ‘you get what you pay for’ is certainly apt when considering biometrics devices or systems.
“I would not recommend facial recognition devices for a residential estate until it is a proven method of accurate recognition under multiple environmental conditions. Having said that, there have been some amazing breakthroughs in this method of biometric recognition and it is definitely one to watch for the future.”
When selecting a vendor, Stoop and Kooiman advise that good communication between the vendor and their supplier is the key to a system. Brands that build their own readers and supply their own software are a must, as it eliminates many issues when software or firmware fixes are needed. A good variety of readers is also good, as customers can be very picky about device aesthetics.
Personal information management
When one has made the decision as to which vendor and biometric range to use, the challenges are not over. PoPI has been dragging its heels for many years, but it will eventually become a reality. This means estate managers will be responsible for the way their staff handle personal information – such as fingerprints and other identity data.
Moreover, people are increasingly worried about where and how their private information is stored, notes Oosthuizen. How secure is the data? Where is it stored (on a PC workstation in the guardhouse at the estate entrance)? One needs to ask the question on what the relevance of the requested information is. If there is no live and direct feed to a database to verify details like an ID number, any information, fictitious or real, becomes irrelevant.
Some key aspects of PoPI, according to Levell-Smith, are:
• How is the personal information processed?
• What reasonable measures are in place to ensure the personal information collected is secure?
• What reasonable measures are in place to ensure the personal information collected will not be used for or distributed to any third party?
• What reasonable measures are in place to ensure the personal information collected is only held for the necessary period?
In terms of fingerprints, it is important to ask how the actual fingerprint is processed. Is it possible to recreate the fingerprint from the collected template? Is the actual fingerprint image stored or simply the unique minutia information? Has a reasonable effort been made by the manufacturer to ensure that fingerprints cannot be copied and used on a device to gain access? This is commonly known as liveness detection or ‘fake and live detection’.
“What measures are in place to ensure that the personal information is deleted after a certain period or when the resident moves out?” Levell-Smith asks.
Data encryption and a chain of data custody can address most of the PoPI concerns, says Stoop and Kooiman. Also, the flexibility of the enrolment and management software and process should be able to help manage these requirements.
“The estate should always ask the level of the software’s encryption. Encrypted data is safe data. The estate should also be aware that they need to manage their own passwords and access to the system. It is also recommended that the supplier is not a state-owned company, experience has taught us that the state can and will abuse their access to other people’s systems, the WannaCry scandal should serve as a warning here.”
At the end of the day, selecting a biometric solution for an estate (or anywhere for that matter) is different from selecting a boom for your gate. Not to discriminate against booms, this equipment needs to be able to open and close hundreds or even thousands of times per day in large estates. However, your biometric solution needs to work fast, accurately and the estate also needs to secure the information collected and stored in accord-ance with regulations. Choosing the cheapest solution is not an option. You can always revert to a guard opening the boom if the electronics fail, but if your biometrics and data management fail, you will be compromising your security and your legal obligations.
For more information, contact:
• Pinnacle Security Solutions, +27 (0)11 990 6000, firstname.lastname@example.org, www.pinnsec.co.za
• Regal Distributors, +27 (0)11 553 3300, email@example.com, www.regalsecurity.co.za
• Security & Communication Warehouse, +27 (0)12 653 1005, firstname.lastname@example.org, www.securitywarehouse.co.za