How to design automated access and parking systems for university campuses

Access & Identity Management Handbook 2004 Access Control & Identity Management

Identification is the action where an identity is assigned to a specific individual, and authentication the action designed to verify a user's identity. An individual can be identified and authenticated by what he knows, by what he owns or by his human characteristics.

There is a variety of means of identifying a person, including:

* Appearance (how the person looks, eg, height, gender, weight).

* Name (what the person is called).

* Knowledge (what the person knows, eg, password).

* Possession (what the person owns, eg, smartcard or passport).

* Natural physiology (who the person is, eg, facial characteristics).

* Imposed physical characteristics, such as tags, collars, bracelets.

The goal of authentication is to protect a system against unauthorised use. This feature also allows for the protection of individuals by denying the possibility for someone else to impersonate authorised users. Authentication procedures are based on the following approaches:

* Proof by knowledge - known information regarding the claimed identity that can only be known or produced by an individual with that identity (eg, passport, password, personal identification number (PIN), questionnaire).

* Proof by possession - the claimant will be authorised by the possession of an object (magnetic card, smartcard, optical card, etc).

* Proof by property - certain properties of the claimant are measured directly, using the unique human characteristics of the individual (eg, biometrics).

Breaching security

Identity documents can be stolen, passwords and personal identification numbers can be forgotten or broken. Security breaches resulting in access to restricted areas of airports or power plants have caused terrorism. Although there are laws against false identification, incidents of intrusions and unauthorised modifications to information, systems, and organisations occur daily with catastrophic effects. Credit card fraud is rapidly increasing, causing financial distress and even bankruptcies. Traditional technologies are not sufficient to reduce the impact of counterfeiting. Additional convenient security barriers are needed as our society gets more and more computer dependent.

Biometrics, the use of biology that deals with data statistically, provides an answer to this need since the uniqueness of an individual arises from his personal or behavioural characteristics, with no passwords or numbers to remember. Biometric systems verify a person's identity by analysing his physical features or behaviours (eg, face, fingerprint, voice, signature, keystroke rhythms). The system records data from the user and compares a new sample against it each time the user is requested to positively confirm his/her identity.

Authentication procedures

As stated in the introduction, authentication procedures are based on proof by knowledge, proof by possession or proof by property.

Proof by knowledge

The most common approach to user authentication is proof by knowledge, because of its simplicity and ease of implementation. Passwords are traditionally used in military applications, protocols for accessing computer systems, telecommunications, and banking. There are many reasons why this approach is unsafe: users usually choose predictable passwords, and there are sophisticated computer programs for searching passwords. Passwords might also not be securely transmitted through the system to the legitimate users, especially in a network environment, where an eavesdropper can easily pick up a password that is changed infrequently and flows over the network. If this happens, the eavesdropper can gain access to all resources. There are four types of passwords:

* Group passwords are known to all users in the system. These kinds of passwords are dangerous for all systems.

* Unique passwords for each individual are usually kept on a piece of paper instead of being memorised. This puts the security of the system at risk.

* Non-unique passwords which are used to confirm a claimed identity. A short password is given to users where identification depends on a long number stored in a card (eg, magnetic card). Unfortunately these numbers can be read and changed.

* Passwords which change each time a system is accessed have the disadvantage that a list of passwords should be kept at the central system and a copy should be distributed to each user. The mishandling of these lists may lead to disclosure. The secure transmission of passwords from a central system to legitimate users is a big problem.
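The last password type can be built so that the central system holds no list at all. The sketch below is an added example, not part of the original article: it uses a hash chain (Lamport's one-time password scheme, a technique the article does not describe), and the names `Server`, `Token` and the sample seed are assumptions made for the illustration.

```python
import hashlib
import hmac

def h(value: bytes) -> bytes:
    """One-way step of the chain (SHA-256)."""
    return hashlib.sha256(value).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Apply h() n times to the seed."""
    for _ in range(n):
        seed = h(seed)
    return seed

class Server:
    """Central system: keeps one verifier per user, never a password list."""
    def __init__(self):
        self.users = {}  # user -> (logins remaining, last accepted value)

    def enrol(self, user: str, n: int, verifier: bytes) -> None:
        self.users[user] = (n, verifier)  # verifier = h applied n times to seed

    def login(self, user: str, otp: bytes) -> bool:
        remaining, stored = self.users.get(user, (0, b""))
        if remaining == 0:
            return False  # unknown user or chain used up: re-enrol
        if not hmac.compare_digest(h(otp), stored):
            return False  # wrong, or an old password replayed
        self.users[user] = (remaining - 1, otp)  # otp becomes the new verifier
        return True

class Token:
    """User side: derives each password from the seed, newest link first."""
    def __init__(self, seed: bytes, n: int):
        self.seed, self.remaining = seed, n

    def next_otp(self) -> bytes:
        self.remaining -= 1
        return chain(self.seed, self.remaining)

def demo() -> list:
    seed = b"constructed-sample-seed"  # constructed value for this example
    server, token = Server(), Token(seed, 3)
    server.enrol("alice", 3, chain(seed, 3))
    first = token.next_otp()
    return [
        server.login("alice", first),             # fresh password
        server.login("alice", first),             # same password replayed
        server.login("alice", token.next_otp()),  # next password in the chain
    ]
```

A password captured on the network is useless for the next login, and the value stored at the central system cannot itself be submitted as a password.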

Questionnaire is another method used in this approach. A list of questions is answered by individual users and their answers are used to distinctively identify them. However, if someone knows the user well enough he can answer these questions and impersonate his identity. This threat makes the method very weak.

Proof by possession

Passwords and questionnaires provide minimum security and are not capable of stopping a malicious hacker. Therefore, the other two approaches are more sophisticated alternatives to address the authentication concern. The proof by possession approach considers the use of cards. Cards that can be used, depending on the application, are as follows:

* Magnetic stripe cards.

* Radio frequency identification cards (RFID) and tags.

* Optical memory cards.

* Smartcards.

Magnetic stripe cards are highly acceptable since they have been used for a long time in various applications. Terminals using the cards are standardised. Magnetic cards are widely used in automatic teller machines (ATM) for credit validation, for access control to secure sites etc. The user identity is stored on the magnetic stripe. The magnetic card is used in combination with a PIN (personal identification number). The danger of using these cards is that the PIN might be stolen; the cards can also be easily copied. New technologies have enhanced the magnetic cards by incorporating additional anti-counterfeiting techniques. New techniques known as Brocade or Biotin allow biometric templates to be stored on a magnetic stripe card, since they store them in coded form.

RFID cards contain a tiny radio transmitter activated with the receipt of a signal with a specific frequency. If a biometric template is stored in such a card it could be sent to the biometric device directly from the user's wallet without him knowing it.

Optical memory cards have information encoded in them that cannot be changed. The advantage of these cards is their large memory capacity that enables the installation of encryption mechanisms.

Smartcards are plastic cards with embedded computer chips (memory-only chips, logic-memory chips or microprocessors). These cards have their own operating system, programs and data. More advanced smartcards rely on VLSI technology for information storage and processing. These cards are used as telephone cards, banking cards etc. Assuming that the card itself is authenticated, there is a weakness since the card still needs to identify the cardholder by some means. One of the most common techniques is for the cardholder to carry out a PIN check inside the card. However, this identification method is vulnerable to attack.

Proof by property

Biometric methods used in the proof by property approach are the most advantageous means of authentication since they cannot be stolen or transferred to other people. Smartcards equipped with a microcomputer can store the biometric template and perform the verification process, and are suitable for voice, signature or fingerprint biometrics.
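A minimal simulation of a card that stores the template and performs the verification itself, as described above. This is an added example, not part of the original article: the bit-string template, the Hamming-distance comparison, the 25% threshold, the three-attempt limit and all sample values are assumptions chosen for the illustration.

```python
class BiometricCard:
    """Simulated smartcard: the template is stored and compared on the card."""
    MAX_FAILURES = 3   # assumed retry limit before the card blocks itself
    THRESHOLD = 0.25   # assumed maximum fraction of differing bits

    def __init__(self, template: int, bits: int):
        self._template = template  # no method ever returns this value
        self._bits = bits
        self._failures = 0

    @property
    def blocked(self) -> bool:
        return self._failures >= self.MAX_FAILURES

    def verify(self, sample: int) -> bool:
        """The reader learns only accept or reject, never the template."""
        if self.blocked:
            return False
        mask = (1 << self._bits) - 1
        differing = bin((self._template ^ sample) & mask).count("1")
        # Two readings of the same person never match bit for bit, so the
        # card accepts any sample within the threshold distance.
        if differing / self._bits <= self.THRESHOLD:
            self._failures = 0
            return True
        self._failures += 1
        return False

# Constructed 32-bit sample values, not real biometric data.
TEMPLATE = 0xA5C396F0
GENUINE = TEMPLATE ^ 0x00010204   # same person, 3 noisy bits
IMPOSTOR = TEMPLATE ^ 0x0F0F0F0F  # different person, 16 bits differ

def demo() -> list:
    card = BiometricCard(TEMPLATE, 32)
    results = [card.verify(GENUINE)]                       # accepted
    results += [card.verify(IMPOSTOR) for _ in range(3)]   # three rejections
    results.append(card.verify(GENUINE))                   # card now blocked
    return results
```

The threshold trades false rejections of the genuine user against false acceptances of an impostor, and the retry limit bounds how many guesses a stolen card allows.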

Biometric classification

Biometric techniques can be classified into two classes:

* Physiological based techniques - include facial analysis, fingerprint, hand geometry, iris analysis, DNA and measure the physiological characteristics of a person.

* Behaviour based techniques - include signature, keystroke, voice, smell, sweat pores analysis and measure the behavioural characteristics of a person.


(i) No single biometric dominates the market. Different technologies are used for the same applications. The current need in the biometric identification field is to have the market make greater use of what already exists.

(ii) The current generation of biometric identification devices offers cost and performance advantages over manual security procedures.

(iii) The claims of systems designers need to be assessed by independent evaluators. The establishment of evaluation centres will bring the confidence that is missing today. An independent screening testing of all devices should be performed, ie, treating the biometric devices as black boxes to examine how well the devices perform. These tests should be performed by independent institutions where manufacturers are not involved.

(iv) The lack of confidence in biometric technologies is caused by the lack of standards and testing. Standards will demonstrate that biometric technology is a reliable choice for the provision of security. They will give users from government and public sectors a choice among the various biometric technologies available, will expand the biometric market and will make it competitive and trustworthy. It will also help manufacturers to evaluate their biometric products against standard tests. Different standardisation bodies should cooperate in order to establish global standards.

(v) The fear of 'Big Brother' that biometric technologies face can be overcome by various means, as follows:

* Use cards to store the biometric templates whenever possible. The storage of templates in a central data base brings hesitation and discomfort.

* Educate people on the different technologies. Most people are very sceptical of these technologies because they do not have significant information about them.

* Emphasise the advantages of the biometric technologies. Counter examples of fraud using other authentication methods should be reported.

* Provide awareness of when, how and where people are authenticated. People should know when and where they are identified and verified, and which technology is being used.

(vi) Biometric devices are the future technologies since traditional technologies are not sufficient to reduce fraud and protect our computer systems and networks. It is natural to use these technologies in various applications where security is the highest priority, eg, law enforcement, physical access control and banking. Securing sensitive data on the Internet is a popular concern. Internet banking and electronic commerce will be sectors where biometric technologies will provide a natural and logical solution.

The author would like to acknowledge the work of Dr Despina Polemi of the National Technical University of Athens during the writing of this article.

Brian Barnes is a security technology specialist. He can be contacted at Hodari Security Technologies, 082 973 8295.
