BIO METRICS: The Future Is Today
Jun 1, 2003 12:00 PM
By Michael Fickes
For more than two decades, card access control and CCTV systems have anchored the lion's share of commercial and government security programs. Today, business and government are discovering a new anchor: biometric technologies that solve nagging access control problems while addressing a host of other security concerns.
Many large companies, for example, have encountered a new security issue in recent years, says Frances Zelazny of Identix Inc., Minnetonka, Minn. Individuals terminated at one company location occasionally re-apply for employment at another location. Biometric technologies such as facial recognition, fingerprint and hand geometry systems can prevent this practice, while also tightening physical access control.
Take the case of a major multinational technology manufacturer. With dozens of worldwide locations, 150,000 employees, and tens of thousands of former employees, the company sought to ensure that newly-hired individuals had disclosed any past relationships with the company. Identix provided a facial recognition solution.
With this system, the human resources department photographs all new hires and conducts a one-to-many search of a photo database containing images of current and former employees. If the search does not turn up any undisclosed previous relationships with the company, the new employees receive photo ID badges encrypted with facial templates.
The badges then control physical access. Equipped with small radio frequency transmitters, the cards activate access control systems when employees approach restricted facilities. The system reads an employee's card number and searches a database for the facial template linked to the number. A camera at the door snaps the employee's photo and extracts a second facial template. The system then compares the new template with the one already in the database. A match confirms the employee's request for access and the door opens accordingly. Not only does the system limit access to people with ID badges, it also ensures that an individual requesting entry is not using another person's badge.
Zelazny calls this "continuity of authentication" ¡ª a process that begins with screening in human resources, continues through badging, and extends to access control. "This is an innovative application," she says, "and I think it is on the cusp of a trend. I have had a number of unsolicited inquiries about this type of system from large companies."
Beyond Conventional Access Control
Biometrics makes new security initiatives possible as well. O'Rourke Construction in the United Kingdom, for instance, uses an Identix facial recognition system at the company's 90 construction sites. The system renders three services. First, it enables employees to punch in for the day. Second, it prevents buddy punching because templates stored on ID cards must match the face of the person punching in. Last, it satisfies an insurance requirement for properly matching time-and-attendance records with the people actually at work on the site. In the UK, according to Zelazny, insurance companies require contractors to prove who was on a construction site at the time of an accident. Mismatched records may cause insurers to refuse to pay a claim.
"More and more corporations are changing from traditional photo ID and access control cards to biometrics," agrees William Spence, director of marketing for Recognition Systems Inc. (RSI), a unit of Ingersoll Rand and a manufacturer of hand geometry systems.
Often used as a time-and-attendance technique that prevents buddy punching, hand geometry has also found applications in co-located corporate server farms and self-service safety deposit boxes at financial institutions.
The state of Washington uses RSI hand readers to build automated check-in stations for parolees. According to Spence, the system handles 26,000 checks per month in 150 locations.
All told, RSI has installed more than 70,000 hand readers for businesses and governments. Company officials estimate that tens of millions of people have been enrolled in these systems, which record time and attendance and control access to facilities. Sometimes the time-and-attendance and access control functions operate simultaneously using the same set of readers.
Fingerprint systems are also gaining wider acceptance. Mississauga, Ontario-based Bioscrypt Inc., for example, has installed more than 50,000 fingerprint readers worldwide. Applications include time-and-attendance, facility access control, and logical access control.
Emerging uses for biometric technology include cashless vending, where fingerprints linked to credit cards enable people to leave their credit cards in safety at home and let their fingers do the charging or debiting. For people who object to registering their credit card information with a cashless vendor service, alternative systems can encrypt fingerprint geometry onto credit cards. At the point-of-sale, individuals can swipe their cards and touch a fingerprint reader. By matching the offered fingerprint with the print stored on the card, consumers and vendors can prevent unauthorized uses of credit cards.
Government uses are also expanding for biometrics. At the beginning of this year, frequent travelers arriving at airports in Toronto and Vancouver began undergoing expedited security screening by way of an iris recognition system. The Canada Customers and Revenue Agency, which manages the program, plans to enroll 200,000 frequent travelers over the next five years. The system can make one-to-one matches of travelers carrying an identifying token; it can also carry out one-to-many searches that match individual iris scans with iris templates stored in a central database.
Privacy And Biometrics
As corporate and government interest in biometric security technology expands, applications have run up against public concerns about privacy.
"It is easier to keep a centralized database of biometric templates," says Tim Meyerhoff, business development manager, iris recognition systems, with the Secaucus, N.J.-based Panasonic Digital Communications and Security Company. But this can make people uncomfortable, he says. "While we can't make a biometric image from a template stored in a database, people often believe that we can."
Many biometric technologies on the market do not make exact copies of fingerprints, hands, irises and faces. Instead, most biometric technologies construct templates and employ sophisticated algorithms to match an offered template with one stored in a database.
Exceptions include law enforcement applications called automated fingerprint identification systems (AFIS). These applications use exact images to match fingerprints. Some commercial biometric fingerprint systems apply this technology to security systems. Other companies have developed their technology around the goal of avoiding privacy concerns. "We have focused on being absolutely incompatible with AFIS systems," says Robert Gailing, marketing manager for Bioscrypt. "We don't care if you have a past or not. We just want to know if you are authorized to enter a building."
Privacy concerns will persist and may limit the use of biometric security technology to some extent. Biometric technology offers an operational alternative that addresses privacy. Instead of storing biometric identifiers in a central database, it is possible to store them in a chip mounted on a smart card. Under this scenario, a special reader downloads the biometric identifier when an individual presents his or her card. Next, the individual provides a live biometric: a handprint, fingerprint, iris scan, or facial scan. The reader checks the offered biometric against the one stored on the card and the door opens on a match. Since the person seeking entry carries both biometric identifiers, the system has no need to store identifiers in a database. According to the Smart Card Alliance, which promotes this plan, eliminating the need to construct and manage large central databases also offers operational efficiencies.
"Either way, it is going to take time before peoplefbecome comfortable with the changes biometrics are making to security procedures," says Panasonic's Meyerhoff.
Overcoming Proprietary Biometric Barriers
The proprietary nature of new technologies often limits initial markets. Biometric technologies are no different.
Most biometric applications today come with their own proprietary software. These systems generally use readers to enroll employees and then transfer the biometric identifiers to other system readers according to access privileges given to individual employees. Readers usually cannot store and manage large databases. Bioscrypt readers, for example, cannot store more than 4,000 templates when used in a one-to-one search mode. For one-to-many searches, Bioscrypt readers can hold only 200 templates.
Proprietary biometric products also tend to limit the number of readers that can be connected to a system. In addition, readers often cannot operate across wide area networks (WANs). So an employee of a New York City company probably would not be able to touch a fingerprint reader at the Dallas office and gain access.
To find wider markets, proprietary technologies must eventually open up and integrate with other corporate and government systems. Lenel Systems Intl. Inc., Rochester, N.Y., has built its business around integrating larger corporate systems. In recent years, Lenel has begun to deal with this challenge in the biometric arena. "We've patented an enterprise solution that allows us to transfer data from one point to another and have it all maintained and secure with a solid database structure," says Robert Pethick, manager of hardware platforms for Lenel.
For example, Lenel systems now talk to a host of different biometric readers including those manufactured by RSI, Bioscrypt, and Identix. The Lenel innovation overcomes the limitations of proprietary systems. "The limits have been changed from what can be stored in each proprietary reader to what we can store in Lenel controllers and databases," Pethick says. "We've also implemented a system that has no limitation on the number of enrollment work stations you can have. With our system, there are no limits on the numbers of readers that can be connected. There are no limits on the ability to transfer data across a WAN."
Lenel's systems are compatible with biometric systems designed to work with or without access control cards. It can also work in either of these modes simultaneously.
According to Pethick, Lenel has installed its enterprise system, called OnGuard, for approximately 100 corporate customers. As OnGuard sales have increased in the past two years, sales of biometric readers have increased to approximately 10 percent of the company's overall sales of readers.