printer friendly version

Choose your biometric carefully

It is interesting to see the enormous differences of opinion about the capabilities of biometrics. Most people who work in a security-related industry have had some experience with biometrics. Outside of that group, lots of people know something about the topic – ranging from the fact that the police use fingerprints, through to some form of contact with biometrics either at work, perhaps at their bank, or from stuff they’ve seen on CSI.

Apple also recently announced that its next iPhone would have an integrated fingerprint scanner. This is viewed by the global biometric industry as the dawn of mainstream biometrics, leaving many to ask various significant questions. For example, are we going to move towards using biometrics to identify people at ATMs or when we use payment cards at the tills, will biometrics replace our PINs and passwords.

It is true that there are many different biometric modalities available on the market. Nothing however comes close to fingerprints in terms of convenience, accuracy and reliability. Not only is fingerprint technology by far the most widely used form of biometrics, it’s also the most advanced and the most mature of all the biometric methodologies. As we see fingerprint biometrics increasingly being used in business critical identity control applications, it’s important that we revisit some of the important selection criteria for making a good purchase decision.

Hi-Tech Security Solutions spoke to Marius Coetzee, MD of Ideco, SA’s largest supplier of fingerprint technology, to find out his experience over the past 10 years in the use of biometrics within access control and workplace attendance systems. “We work closely with our certified partners to ensure that our products can provide highly accurate and reliable identification within the work environment, and we have seen many fascinating challenges that customers face on a daily bases.”

Facing reality after implementing a biometric solution

Biometrics is regarded as a real-time solution. When you scan a fingerprint, you need an immediate and accurate response. Good biometric caters for everyone, every time and anywhere.

Before we can assess best practices, let's have a look at the common problems customers face and the factors affecting the success of a biometric implementation:

* Many biometric scanners require you to place your finger in exactly the same position as when you were enrolled. The reader does not have the ability to match a partial, slightly rotated or even a stretched (due to too much pressure) fingerprint, which are all common realities of our fast pace work-life. The result is many false rejections and multiple re-attempts that cause increased levels of user frustrations and a decrease in productivity.

* One should also remember that although the fingerprint remains constant from the age of approximately 16 years, it could get damaged through injury, wear and tear and normal ageing. Some readers do not have the ability to cater for these changes and would require re-enrolment at regular times.

* Some parts of our country or even areas in our workplace are prone for high levels of static electricity. Most capacitive biometric scanners cannot withstand these levels of electrostatic discharge, which cause damage to the electronics and eventually failure in the biometric scanner, making the reader unusable.

* Some readers work perfectly the first few months but due to a deterioration in the optics inside the scanner, i.e. the plastics in the sensor, the image starts fading and the performance of the scanner goes down the drain.

* Some readers simply do not have the ability to accurately identify true minutia in a fingerprint. The scanner algorithm would randomly assign matching points to the fingerprint, which would have a direct impact on the possibility of false acceptance. The reader will also work well when there are only a few users on the database, but as the size increases, the accuracy and speed decreases.

* Some biometric scanners use multiple spectral of light to illuminate the finger when reading the print and claim to 'see it all'. The result is an image that has some fingerprint data with a picture of the meat below the skin, superimposed in the fingerprint. This is the main reason why this biometric technology is not FBI certified and would most likely fail as evidence in a court of law.

* Some readers are sold on the strength of their ability to distinguish between real and fake fingers. But never underestimate the ingenuity of villains. They will soon find out that if you touch that biometric scanner on the right spot with a live finger, you can still present a fake finger and clock with it.

* Then there are a few practical considerations such as the positioning of reader to make it convenient for the user. Preferably users would like to scan their fingerprint just before opening the door, all in one go. When a reader is installed at the correct position and place, biometrics should not interrupt the normal flow through a door.

* Ambient light could also have a major impact on the performance of some readers and in some instances a reader can even clock the latent print of the previous person with some reflected light from the next person.

* We have also seen readers with an unstable internal clock where the time drifts more than an hour in one week, causing the clocking records or time stamps to be totally unreliable. This obviously has a major impact on payroll calculations.

* And by the time the customer decides to implement a better biometric solution, he has to re-enrol the total workforce as there is no inter­operability between the biometric templates of two systems.

A poor experience with biometrics is almost certainly down to poor technology. It’s a matter of selecting the right technology for your environment. And to a certain extent it’s another old story: you pay your money and you take your chances. This is all about what you want the technology to deliver in terms of sound business benefits.

If your company is suffering losses from any form of identity-based fraud or unauthorised access, then it’s certainly worth looking at what these problems are actually costing you year in, year out. People share their cards and PINs, clock-on for one another and get paid for not being on the job. Thousands, yes thousands, of SA organisations have completely eliminated these risks by replacing their card-based systems with fingerprint scanners.

But biometric technology isn’t just restricted to preventing payroll fraud or controlling physical access to your premises. Link it to your IT systems and you get rid of all those passwords and PINs and all the problems and risks they cause. Fingerprint-based identification can be used to control a whole host of IT activities such as who can make EFT payments, alter invoice details or modify stock-control reports.

Given all the possible applications of biometrics with its associated benefits, why is it then not pervasive or the preferred way of identifying a person? Simply put, the knowledge required to design and deploy a successful biometric system is not widely available. A successful implementation of biometric solutions involves a continuing process with five fundamental principles at the core of every design.

1. Pre-qualification of employees: Many organisations today do intensive pre-employment screening to fully understand whom they employ. For instance if the employee needs to travel, do they have a valid drivers licence or if they will be responsible for company finances do they have a good standing credit record, or do they have a past criminal record? All these traits may have a direct impact on different levels of privileges required per employee, time and physical zones they may access and groups and reporting structures they belong to. This initial profiling will ensure only legitimate and trusted identities are enrolled onto your biometric system.

2. Scan quality of fingerprints: This is by far the most important aspect of a fingerprint biometric system design with many interrelated aspects. Besides the basic sensor requirements such as image resolution, scanner measurement area, speed and accuracy of template extraction, the number of impressions for a successful enrolment and the format in which the fingerprint data is stored, one should also consider the importance of liveness detection and prevention of identity fraud at the point of scanning. Also keep in mind that the initial enrolment will determine the success of all future identity verification transactions. De-duplication using a small AFIS (automated fingerprint identification system) will ensure there is only one biometric profile per employee on the database – the only way to accurately remove any ghost employees. Fortunately NIST in the US (the National Institute of Standards and Technology) is doing great work for organisations such as the FBI, and have defined a minimum set of standard that is accepted by most responsible organisations across the world.

3. System performance measurement: It is not possible to predict system performance based on vendor promises. The only way is to measure and understand system performance through scenario testing and adjust this performance to meet your overall system requirements. A simple test such as simulating a cut or a blister on a finger could tell a lot about the accuracy and capability of the scanner. Also, a phased implementation would allow you to evaluate system performance in a controlled environment to eliminate surprises on an enterprise wide implementation. What remains critical throughout any implementation is to ensure full interoperability to all open standards.

4. Audits and compliancy: All of the above will render futile if the solution does not offer a non-repudiation capability that will provide unbiased evidence that is traceable and compliant to the relevant regulations and laws of South Africa. In addition to irrefutably linking an act of fraud with a specific user in such a way that such evidence is admissible in a court of law, it could also assist in preventing future losses that would have taken place as a result of stolen identities and credentials. Although a biometric template cannot be re-engineerd to recreate the original image, it is still regarded as personal information that is subjected to legislation that prescribes secure transmission, databases handling, protection against disclosure and various other regulations.

5. Post implementation support: As a final consideration it is important to determine the total cost of ownership of your biometric solution. This includes direct costs such as the cost of the equipment, implementation cost, operational costs, maintenance and support over the product life expectancy, repair and replacement costs as well as indirect costs such as cost of downtime, loss in productivity, risk during exposure, backup measures in case of failure and future transition cost to replace the solution at end of life. Dealing with an organisation that has a longstanding track record for quality service and support is a good starting point.

The benefits of world class biometric solutions are certainly not limited to big businesses that can afford to run their workforce management systems on advanced software platforms. For example, Ideco offers ES² through its certified partners, which is a free software package that controls up to six Morpho scanners for straightforward physical access control and time management.

It therefore really comes down to a business decision rather than a technical one. If a stronger form of identity control would save your organisation money, then the right biometrics can make solid commercial sense by cutting risk and cutting losses. It would be an error to simply forego all the risk-cutting benefits of biometrics simply because of a past bad experience with biometrics.

Share this article:

Further reading: