There are a lot of concerns surrounding biometrics and privacy as well as an overall sense of fear of the technology itself. If you’re considering integrating biometrics access control into your security strategy, it’s important to consider both the challenges and opportunities.
Starting with the fear factor, we see concerns of near-infrared laser impact on the eyes and some fear that being in regular close proximity to any biometric scanners might give off some form of electromagnetic radiation, which is completely untrue. And then, there is my favorite, the very irritating “Liveness-Test” used by some older iris scanners. These scanners flashlight into the eye to see if the pupil contracts. The light often startles people and they look away. This causes the scanner to lose its lock, and the biometric match fails. Trying again is just as unpleasant.
A major privacy concern for many is that if their biometric data is collected for one purpose it may be used for another. For example, perhaps biometric access control is used to secure access to a workplace. Some worry this data could be used against them later for something completely unrelated if law enforcement gains access to them. I’d like to calm those concerns specifically around this issue because the biometric templates can’t be used to recreate a facial image or a fingerprint. And, if your facility uses Smart Cards for access control, the biometrics are typically stored on the card and can’t be accessed by anyone.
As for the elephant in the room, cameras recording the everyday lives of innocent people, then trying to match their faces to those of suspected terrorists or criminals, I’ll leave that ethics debate for others much more qualified than I am. It has nothing to do with the technology, rather how it is being used.
Common Biometrics in Security Today
Some of the more common biometrics used today include fingerprint, facial recognition, iris scans, and vein patterns. Smarter Security has worked with most of the major biometric authentication technologies over the past several years in response to our customer demands for more convenient access control. We have been able to fully integrate several third-party biometric authentication technologies by mounting, or embedding, facial recognition cameras, iris scanners, or fingerprint scanners into the Fastlane® optical turnstiles and Door Detective® anti-tailgating products.
Through many installations of this technology, we have developed an extensive understanding of the different styles, manufacturers, and types of biometric technologies. And, we can help you to understand which options are best suited to your particular Access Control Identity Verification requirements to ensure you avoid making an expensive mistake.
As illustrated below, the reasons biometrics are necessary for different situations are often left out of biometric discussions. The use of biometrics for criminal investigation or terrorist identification purposes generally makes headlines with the well-documented invasion of “privacy” claims for any camera involved in catching the bad guys. However, the use of those same biometric devices for simple access control in offices is much less newsworthy and is rarely mentioned.
Let’s explore some of those differences in the way biometrics can be used.
1) Biometrics for Access Control
Access control systems, for persons entering a secure facility, employ biometrics for identity verification only. In these cases, the person arriving at the entry turnstiles, gates, or doorways must provide proof that they are who they say they are, so they can enter the building and get to work. The employee has been enrolled in the facility’s access control system with a series of attributes such as their Employee Number, Name, Department, and Access Permissions. Such permissions may include areas they may go into, approved schedules of access, and more. These basic attributes can be linked to a stored biometric template and possibly also to a Personal Identity Card. Note that biometric templates are NOT stored images of the actual biometric.
Depending on the facility, the biometric templates collected during enrollment may be stored in a database for subsequent remote access. They may also be stored on a specialized identity card called a Smart Card. Smart Cards remain with the employee and the stored biometric template on it is matched to them when they present their card to confirm that they are the person the card was issued to. US government FIPS-201 cards and the TWIC port-worker ID card are large-scale examples of identity cards using this on-card stored biometric option.
Access control templates are created during enrollment by a computer mathematically generating a series of “ones” and “zeros” based on a scan of the actual biometric, i.e., face or fingerprint. Actual images of the biometric element are never actually stored anywhere during this process without the explicit knowledge and consent of the employee. From that point forward, all subsequent ‘matches’ against this person’s identity are made instantly when the employee walks up to a biometric scanner. At that point, a new “ones” and “zeros” mathematical template of, for example, their live face or fingerprint is created by the scanner and used to match against the original stored template.
To be clear, the biometric templates that are created for access control cannot be used to recreate an actual fingerprint or facial image for comparison against criminal databases. Unless mandatory background checks are required as a condition of employment, complete images of fingerprints are not actually collected during enrollment for access control purposes. For background checks, it is incumbent upon the employer to advise potential employees of this requirement before collecting the required images, and it is the right of the potential employee to refuse. Of course, that also prevents them from qualifying for the job.
2) Biometrics for General Identity Verification
Another growing area of biometric use is in the transportation industry, particularly in airports. The specific requirements vary from country to country but regardless of where it is done, a passenger must confirm their identity, confirm that their identity credentials are valid and belong to them and that their name matches the one on their boarding pass before they can get on a flight. Increasingly, these crosschecks are being done with the help of biometrics.
A great number of pilot biometric trials are being installed in airports throughout the world. One of the largest trials is in Changi Airport in Singapore wherein one terminal a passenger can go from the curb to their seat on the aircraft without ever having to talk to a real live person.
The key difference between these general identity verification use cases and the access control situations are that the passengers compare their biometrics against a template previously collected by a government agency, and stored on an Electronic Passport, Trusted Traveler card, or Enhanced Driver’s License carried by the passenger. These are similar in function to the access control smart cards mentioned earlier but, in this case, the airport or airline has no control over their issuance.
In some pilot installations, the photos on the face of non-electronic identity cards or passports are scanned and compared to the live scan of the passenger’s face for a match. At the same time, attributes of the document itself are examined to verify that they are valid, that they have not expired, and that the name on the card matches the name on the boarding pass. Despite problems with image quality on many of these documents, this type of solution will be required for quite some time until all government-issued identity documents are able to store biometric templates. And, photo matching to a live person’s face is exactly what is being done when the airline or TSA agent inspects a document and then looks at the person. However, the electronic scans are found to be ~20% more accurate than those agents in trials.
A variation of this identity verification approach is being used at many airports for customs and border control. The facial biometric template stored on the person’s electronic passport is compared against their live face to confirm their identity. This approach can considerably reduce border crossing delays, allowing agents to concentrate their time on passengers who need manual processing, allowing the others to quickly proceed through the gate.
3. Biometrics for Law Enforcement and Criminal Investigations
In the case of known criminals or terrorists, biometric matching uses a particular biometric known to belong to the individuals, and that is compared to biometric images collected from crime scenes. This can include fingerprints on a murder weapon, or a security camera image of someone breaking into a gas station. This process is like the old “Mug-Shot” books police used to refer to, only much faster.
Based on experience, there is a figure used by police forces claiming that up to 80% of crimes are committed by repeat offenders. So it makes sense to compare crime scene biometrics to the collected biometrics of known felons from the last time they were caught.
International and domestic terrorists are more of a challenge because there is often no stored database of the suspect’s fingerprints or facial images. Poor quality, grainy images that may be several years old, yield very low probability biometric match results, but the systems are getting much better.
In either case, the investigator needs the actual original fingerprint or facial image to work from as a starting point. This is where the news media usually gets it wrong. Actual fingerprints recovered from a crime scene are matched against the various fingerprint databases, such as IAFIS (Integrated Automated Fingerprint Identification System), that are available to police and security forces. Biometric templates used for access control cannot be used for this.
Facial Recognition and Video Cameras
Alternatively, a picture of a known terror suspect can be matched against stored pictures, or even video clips, of crowds of people arriving at an airport or other transportation hubs to make sure that the individual in question is not coming into the country.
The need for these cameras in public spaces is absolute, and the fact that one of these cameras will also see many innocent people is inevitable. What government agencies do with those captured images of innocent people is really the question that needs to be asked with respect to privacy. If they only keep them long enough to process the image matches, say a few days, before they irretrievably discard them, that is generally acceptable. However, if they permanently store all captured images of all persons walking through a specific area, people tend to get nervous.
The Boston Bombers were eventually identified using stored videos of the crowds. Is it good that they were identified and brought to justice? Yes. Is it appropriate that all of those stored images of mostly innocent people were accessible and used? That is the real subject of the privacy debate, and well beyond the scope of this blog post.
Biometric Accuracy Metrics
Unlike what people imagine, and largely dependent upon the skills of the manufacturer, some of these biometric systems are not always totally accurate. And, some can be incredibly slow, up to 30 seconds, to generate a match for access control. This can be a problem if you have a few hundred people trying to get through a narrow entry point in the morning to get to work on time.
The leading biometric systems from various major manufacturers have all been tested by NIST (National Institute for Science and Technology). This certification enables their products to be sold to the US government, or government-regulated, customers who need consistent measurement criteria in their performance evaluation reports.
The NIST reports describe how well a series of manufacturers did in a specific test scenario.
Some of the key elements to watch for include:
• FAR (False Acceptance Rate) – The percentage of unregistered users who were recognized by the system as being a person who was registered. The closer to zero this is the better.
• FRR (False Rejection Rate) – The percentage of registered users who were not recognized by the system when they present a valid biometric. This is usually higher than the FAR above, and a second try usually results in success, but it should still be near or below 0.1%.
• Speed of Enrollment – This is a measure of how long and how many repeated tries it takes to generate a template that consistently matches the person’s live biometric. 15-20 seconds is common, but it can be considerably longer.
• 1:n Match Speed (where ‘n’ is the number of stored templates) – This uses a template database of several thousand individual users and defines how long it takes on average to get an accurate match for an individual. This is important for access control situations and should be less than 2 seconds for best results.
• 1:1 Match Speed: The time it takes to match a presented template to a single stored template. This is useful for situations where two-factor authentication (2FA) is in effect. An employee must present their identity card and a biometric, to verify their identity. The stored biometric template, whether on the card or linked to the card from a database, is ready for a match. This match time should be small fractions of a second.
Is Biometrics for You?
As the biometrics industry evolves, accuracy and speeds will improve. Scanners will become less cumbersome and more user-friendly. For access control and airport identity verification purposes, biometrics systems can make things faster, easier and more pleasant. Even today, the airport industry refers to the use of biometric access technologies as the “improved passenger experience.”
So, should you consider biometrics for your organization for one of these applications? Absolutely! The benefits will far outweigh any short-term implementation issues that might arise. Start small (perhaps with IDEMIA MorphoWave or other fingerprint readers on your Fastlane optical turnstiles) and grow from there. Should you add more cameras to your lobby and building perimeter with facial recognition? Maybe, but prepare for the obvious privacy questions.
