Make the right biometric choice

Access & Identity Management Handbook 2013 Access Control & Identity Management

Fingerprint biometrics is a secure foundation for access control and time and attendance (T&A) solutions. The technology has a rock-solid reputation for cutting the risks and losses caused by unauthorised access and activity within the workplace. In comparison to the outmoded access cards that biometrics are rapidly replacing, the technology delivers completely new levels of security control.

All sorts of organisations, from mines to retailers, have dramatically cut these types of loss by introducing fingerprint-based identification of employees, contractors and visitors. The business case is straightforward: the right technology pays for itself.

But this widespread commercial success does not mean that all biometrics are the same – some are definitely more capable than others. To decide on which biometric to choose, you need to assess the technology’s competency in five key areas: accuracy, capacity, speed, integration and security.

Your assessment should focus on how each of these key technical competencies translates into measurable business benefits.

Marius Coetzee

Accuracy

This is about how well the technology differentiates between the people it must identify. The process of fingerprint-based identification begins by registering or enrolling the fingerprints of people who will use the system. The key objective of the enrolment process is to record the best possible fingerprint data for each person that the system will later identify. Successful enrolment depends on technology combined with methodology. Procedural tasks need to be completed correctly during enrolment in order to achieve the optimum results.

These results are based on the technology’s ability to recognise the characteristics – known as Minutia Points – that distinguish one fingerprint from all the other fingerprints in the world.

Minutia Points are the precise locations on a print’s surface where the ridges on your fingerprint either split or end. The pattern formed by these points is unique. Every time you scan your print, the technology creates this pattern and then compares it to the enrolment record stored in the system’s database.

If the technology is unable to recognise these points accurately, that is where the problems start and levels of accuracy begin to fall.

Enrolment accuracy is measured in terms of failure to enrol (FTE). Based on Ideco’s experience over the past eight years in a wide variety of SA workplaces – and the fact that over 2,5 million local people have been enrolled on our scanners – any technology with an FTE rate higher than 0,2% should be avoided.

Two other accuracy-related factors also need to be considered: false acceptance rates (FAR) and false rejection rates (FRR). False acceptances occur when the technology confuses the fingerprints of two people. False rejections happen when the technology fails to recognise the fingerprint of an enrolled user, say Jack, and wrongly denies him access. Currently, the most competent fingerprint technology will deliver a FAR of under 0,01% and a FRR of below 1%.

Always look for proof. Who says that the technology is capable of performing at these levels of accuracy? The international benchmarks have clearly been established through technology-testing by organisations like the FBI and America’s National Institute of Standards and Technology (NIST). Ask your vendor for the latest of these test results.

FTE occurs when you cannot register a person’s fingerprints. It happens when the technology is unable to record sufficient data from a print and can be caused by factors such as worn or scarred prints. The consequence of technologies that produce high FTE rates is that you will not be able to include everyone you want in the system. You will have to start creating exceptions. You will have to use another means of controlling access for these people. And that means more cost because you now have to install and administer two separate systems.

FAR, FTE and FRR might sound like techno-jargon but in reality they create a lot of unnecessary expense.

Capacity

How many people’s prints can the technology manage and still maintain its optimum levels of accuracy? Some technologies cannot even handle a few hundred people before their FAR and FRR levels go through the roof or they just hang and need to be re-booted.

These technologies might be fine in a test environment when you are running a proof-of-concept trial with just 20 users, but what happens when the system gets deployed across the full workforce and does not perform as expected? What will it then cost you to switch to a competent technology and what recourse will you have with the supplier?

In contrast, the leading fingerprint technologies work perfectly with many thousands of prints. That is primarily because that is what the leading technology was initially designed to do within law enforcement and government agencies around the world.

Within the workplace, an increasing number of business functions are leveraging the accuracy of fingerprint-based identity data. A clear example of this is how data from access control systems is also being used by HR within the payroll function to monitor hours worked and remuneration.

Sharing identity data across different business functions leads to cost sharing across the organisation. The biometric system can be funded by multiple business units. While this is great in terms of increasing ROI, it can also increase the number of users that must be identified. Can the fingerprint technology handle the higher volumes of users?
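The thresholds from the Accuracy section and the 20-user trial scenario above can be checked together. The following is an added example, not taken from the article or from any vendor: it computes the 95% upper bound on each error rate from trial counts, the number of error-free impostor comparisons needed to support a FAR claim, and how a per-comparison FAR grows when one finger is searched against every enrolled user. The pilot counts are constructed, and treating the quoted FAR as a per-comparison rate with independent comparisons is an assumption.

```python
import math

# Thresholds quoted in the article, as fractions: FTE 0,2%, FAR 0,01%, FRR 1%.
TARGETS = {"FTE": 0.002, "FAR": 0.0001, "FRR": 0.01}

def upper_bound(errors, trials, confidence=0.95):
    """Exact one-sided (Clopper-Pearson) upper bound on the true error rate."""
    if errors >= trials:
        return 1.0
    alpha = 1.0 - confidence

    def cdf(p):  # P(at most `errors` failures in `trials` attempts at rate p)
        return sum(math.comb(trials, k) * p**k * (1 - p)**(trials - k)
                   for k in range(errors + 1))

    lo, hi = errors / trials, 1.0
    for _ in range(60):  # bisection; cdf falls as p rises
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if cdf(mid) > alpha else (lo, mid)
    return hi

def clean_trials_needed(target, confidence=0.95):
    """Error-free attempts needed before the upper bound drops to `target`."""
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-target))

def one_to_many_far(far, enrolled):
    """Chance an unenrolled finger matches any of `enrolled` templates.
    Assumes `far` is per comparison and comparisons are independent."""
    return -math.expm1(enrolled * math.log1p(-far))

def assess(trial):
    """Judge each metric on its upper bound, not on the observed rate."""
    report = {}
    for metric, (errors, trials) in trial.items():
        bound = upper_bound(errors, trials)
        report[metric] = (errors / trials, bound, bound <= TARGETS[metric])
    return report

# Constructed 20-user pilot: 20 enrolments, 20*19 cross-user (impostor)
# comparisons, 600 genuine attempts of which 2 were rejected.
PILOT = {"FTE": (0, 20), "FAR": (0, 380), "FRR": (2, 600)}

if __name__ == "__main__":
    for metric, (rate, bound, ok) in assess(PILOT).items():
        print(f"{metric}: observed {rate:.4%}, 95% bound {bound:.4%}, met: {ok}")
    print("clean comparisons needed:", clean_trials_needed(TARGETS["FAR"]))
    print(f"1:N false match, 5000 users: {one_to_many_far(TARGETS['FAR'], 5000):.1%}")
```

A pilot with zero observed false acceptances still cannot support any of the three targets at this size, which is why independent large-scale test results and a clear statement of whether a quoted FAR is per comparison or per search matter when sizing a deployment.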

Speed

This is all about processing times: how long does it take the technology to accurately recognise users and either grant or deny access? A technology that delivers 100% accuracy is probably not much good to you if it takes five minutes to identify each user. Look for processing times of under one second per user – even for a system that will need to manage several thousand users.

Slow processing times create delays. People have to queue for longer in order to gain access or clock-on. To counter the delays caused by inferior biometrics, you will need to create more access points and install more scanners. In other words, you have to spend more on infrastructure and technology. You might need to use four turnstiles and four fingerprint scanners instead of only two. Or you could compensate for the inadequacies by changing your working hours to allow for a longer, phased clocking process at the start and end of the day.

If you choose the right fingerprint technology all this additional, unnecessary expense can be avoided right from the outset.

Integration

Having assessed performance in terms of accuracy, speed, capacity and security, it is clearly important to consider how the fingerprint technology will work within your organisation and how it will integrate with various business functions.

Successful integration determines how you will be able to maximise the business benefits that can be derived from the technology. For example, is it compatible with all the various components of the existing systems that handle your access control and T&A? Will it work with your hardware such as turnstiles and vehicle barriers and will it work with the software package that manages your payroll?

Another important benchmark here is the technology’s ability to meet its performance criteria in a variety of physical environments – hot, cold, dusty, arid, wet, humid, inside and outside. It is important to be able to cover all the bases with one fingerprint technology rather than getting into all the complexities of a mix-and-match solution.

A final consideration concerns the compatibility of your system’s fingerprint data with external agencies such as local law enforcement and government systems. As we see biometrics increasingly being used to identify people beyond applications in the local workplace, the significance of this compatibility will become more and more important.

There are two key questions concerning external integration. Firstly, is the fingerprint technology compliant with SA’s requirements that govern the use of digital fingerprints within our legal system – is it accepted as proof of identity in a court of law? Can it, for example, be used to prove the identity of a person who authorised a fraudulent EFT payment with their fingerprint?

Secondly, is the fingerprint data fully-compatible with the data held by government entities such as Home Affairs and the National Centre for Certified Identities (NCCI)? For example, if a duly-authorised financial services organisation chooses to confirm customers’ identities by comparing their prints with those stored by the Home Affairs National Identification System (HANIS), will the two technologies be fully-compatible?

In other words, be very wary of technology such as multi-spectral imaging that does not comply with the relevant international standards.

In isolation, the biometric technology might tick all the right boxes, but if it is not compatible with your current systems, then what will it cost to replace them? If integration is required, how long will it take and what is the bill going to come to?

In terms of access control and T&A, the leading fingerprint technology has already been fully-integrated with all the major local solutions. No ifs and buts, it has already been tried, tested and proven in local organisations ranging from mines and factories to retailers and residential estates. This is commercially significant because past implementations are your assurance of future success, so it is clearly sensible to learn more about these real-world examples of biometrics in action.

The ability to work with external systems like HANIS, SAPS Criminal Record Centre and the NCCI is significant for a variety of reasons ranging from HR’s background checking of new employees through to establishing customers’ identity and their credit-rating. The need to do this might not exist in your organisation today. But it might tomorrow.

Security

How secure does the system need to be? This will vary according to the particular application, but it is important to understand that different technologies offer different levels of security. For example, some technologies can recognise fake fingerprints, others cannot. What is important here is to first decide upon the various levels of security required for different business processes and then choose a single, unified technology that can deliver all of this within its range of products.

For example, the access control system at your main entrances might only require standard fingerprint-based identification. However, access to more secure locations, perhaps a server room, may need to be more strictly controlled.

Equally, activity within different business functions may merit higher security measures. Physical entrance to the accounts department might not warrant the same controls as access to your invoicing and payment systems. Authorising and making large EFT payments may need to be controlled with the highest levels of biometric authentications.

This is about reducing risk, cutting costs and preventing losses by using accurate identification to control and monitor who can do what within the workplace. It means reinforcing security within any business function that can easily be compromised by unauthorised access and activity – I use your card and you use mine.

From physical access control and T&A, through to managing health and safety policies and accurate authentication of IT users, fingerprint-based identification is clearly a powerful risk-management tool. But it also cuts costs by accelerating business processes. An obvious example is how accurate identity data cuts the admin costs within the payroll function by eliminating disputes over hours worked. Any process that is dependent on identity data can benefit from biometric-based monitoring. Who issued that piece of protective equipment and who received it? Who delivered these goods and who took them into stock? Who ordered them and who issued payment?

By selecting the right fingerprint technology, you are also selecting a single platform that is capable of handling the future security of so many aspects of your organisation.

Beyond ACSIS

An appraisal of fingerprint technology based on the performance criteria of ACSIS clearly makes sound business sense. However, there are other equally important factors which should influence your biometric buying decision.

Service, support, advice, training, warranty, repairs and product-availability are all important commercial criteria that have a direct impact on maximising the business results that are being achieved by biometrics. But none of these functions come in the box with a fingerprint scanner. In each of these areas, the competencies of the technology supplier will directly affect the overall performance and cost of running a biometric-based system.

Because the technology is now so commonplace in the South African workplace, there are many suppliers you can choose between. And just as all biometrics are not the same, not all suppliers are either. Choosing the right technology is one thing. Making it work in your organisation is something quite different.


