Biometrics is the use of unique human physical characteristics to verify the identity of authorized personnel. You can use these devices to control doors, gates, etc. Although I'm presenting a detailed discussion of biometrics as they apply to physical access controls, all the principles discussed also apply to biometrics-based network or device login.
There are several human physical traits that can be used to uniquely identify a person. They include:
- The retina, specifically the blood vessel pattern inside the eye
- Voice patterns
- Signature dynamics
- Finger or hand geometry, including fingerprints, finger or hand height and width, etc.
- The features of the iris, the colored area of the eye surrounding the pupil
Of these, the iris, retina, and finger/hand geometry are the most effective. A person's voice may be recorded and signatures can be forged.
When considering the purchase and implementation of a biometrics identification system, you should address the following eight critical success factors:
- Accuracy
- Speed
- Resistance to counterfeiting
- Reliability
- Data storage requirements
- Enrollment time
- Perceived intrusiveness
- User acceptance
Accuracy
Biometric devices have improved significantly over the past several years. However, there are still no guarantees of 100% accuracy. It's your responsibility to select the level of inaccuracy that you and your employees can tolerate. When judging error rates, consider the two principal types of error: Type I and Type II. Type I errors include all instances in which a biometric system denies access to an authorized user. The identification of an unauthorized user as an authorized user is an example of a Type II error. By adjusting the sensitivity of the biometric sensor, you can increase or decrease the occurrence of each error type. However, as you decrease Type I errors, you might increase Type II errors. The opposite is also true.
The key objective in implementing a biometric system is the proper balance between the two error types. The most common method is to focus on the Cross-over Error Rate (CER). See Figure 8. This is the point at which the frequency of Type I errors and the frequency of Type II errors are equal. When shopping for the right system for your business, the CER is the best indicator of overall accuracy.
CER is expressed as a percentage. Lower values are better. Values of two to five percent are generally considered acceptable.
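The threshold trade-off and the CER described above, worked through on constructed data. This is an added example, not code from the original article; the match scores, the 0-100 score scale and the decision rule are all assumptions chosen for illustration.

```python
# Added example: sweep a sensor's acceptance threshold, measure Type I and
# Type II error rates at each setting, and locate the crossover error rate.
from typing import List, Sequence, Tuple

# Constructed sample match scores (0-100). Higher means the live scan is a
# closer match to the enrolled template. Ten authorized users, ten impostors.
GENUINE_SCORES = [88, 91, 79, 95, 83, 70, 90, 86, 77, 93]
IMPOSTOR_SCORES = [40, 62, 55, 71, 48, 66, 58, 74, 52, 60]


def error_rates(threshold: int, genuine: Sequence[int],
                impostor: Sequence[int]) -> Tuple[float, float]:
    """Return (type_i_rate, type_ii_rate) for one acceptance threshold.

    Type I  (false rejection): an authorized user scores below the threshold.
    Type II (false acceptance): an impostor scores at or above the threshold.
    """
    type_i = sum(1 for s in genuine if s < threshold) / len(genuine)
    type_ii = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return type_i, type_ii


def sweep(genuine: Sequence[int], impostor: Sequence[int],
          thresholds: Sequence[int]) -> List[Tuple[int, float, float]]:
    """Tabulate (threshold, type_i_rate, type_ii_rate) across a threshold range."""
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]


def crossover_error_rate(genuine: Sequence[int], impostor: Sequence[int],
                         thresholds: Sequence[int]) -> Tuple[int, float]:
    """Find the threshold where the two error rates are closest to equal.

    Returns (threshold, cer_percent). With a finite sample the curves rarely
    cross exactly, so the CER is reported as the mean of the two rates at the
    closest point. The first such threshold wins ties.
    """
    t, fr, fa = min(sweep(genuine, impostor, thresholds),
                    key=lambda row: abs(row[1] - row[2]))
    return t, round(100 * (fr + fa) / 2, 1)


if __name__ == "__main__":
    for t, fr, fa in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(60, 96, 5)):
        print(f"threshold {t:3d}: Type I {fr:.0%}  Type II {fa:.0%}")
    thr, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, range(40, 100))
    print(f"CER {cer}% at threshold {thr}")
```

Raising the threshold drives Type II toward zero while Type I climbs, exactly the trade-off the text describes; on this constructed data the curves cross at threshold 72 with a CER of 10%, well outside the two to five percent range the text calls acceptable. Note that with ten samples per class the finest error resolution is 10%, so a real evaluation needs far larger genuine and impostor sets.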
Speed
When considering the probability that your users will accept the use of biometrics, the speed at which a sensor and its controlling software accept or reject authentication attempts is the most important factor. The effective throughput, or how many users a biometric sensor can process in a given period, is a function of the entire authentication process. Figure 9 depicts the several stages involved. Acceptable throughput is typically five seconds per person or six to ten people per minute. User frustration begins to set in at lower throughput rates.
Resistance to counterfeiting
Again, signature dynamics and voice recognition are not necessarily the best choice for biometric recognition because of the potential for forgery or the use of a recorded voice. But systems that use other body parts might also be susceptible to counterfeiting. For example, some early biometric systems allowed an intruder to use lifted finger or hand prints to gain entry. Today's systems are, in general, more sophisticated. Make sure to ask the right questions if you are considering a biometric access control system. When possible, request a demonstration of the system's resistance to counterfeiting.
Reliability
Sensors must continue to operate at a low CER between failures. A gradual degradation in throughput affects user acceptability and organizational productivity.
Data storage requirements
The amount of storage necessary to support a biometric system depends on the data stored. Voice recognition systems might use a great deal of storage; voice files are usually large. Current fingerprint and finger-geometry recognition systems, however, store a relatively small hash value created when a user is enrolled. Whenever a sensor scans the finger again, it recomputes the hash value and compares it to the stored value. Whatever biometric solution you choose, make sure you understand the impact on your storage environment.
Enrollment time
Another factor influencing user acceptance is the time required to enroll a new user into the biometric system. An acceptable enrollment duration is usually two minutes or less per person. Keeping enrollment this short not only reduces employee frustration but also helps reduce the administrative costs associated with system management.
Perceived intrusiveness
Second only to throughput, the amount of personal intrusiveness a sensor presents to your employees is a major determinant when assessing user acceptance. The following is a list of common fears that grow out of biometric implementations.
- Fear that the company stores unique personal information
- Fear that the company is collecting personal health information (retinal scans look at patterns that are also used to determine certain health conditions) for insurance purposes
- Fear that the red light in retinal scanning sensors is physically harmful
- Fear of contracting diseases through contact with publicly used sensors
The best way to deal with these issues is to hold open and honest discussions about how the systems work, the health risks involved, and how the organization plans to use the information. Remember, user acceptance doesn't depend on how you perceive biometric authentication. Rather, it depends on how your employees perceive it.
The geographic location of your facility plays a large role in the level of risk your business faces due to physical threats. Frequent storms, power outages, and a high crime rate are all examples of things to consider prior to selecting a location for your organization. Other issues include proximity to police and fire services. Quick reaction times associated with security events usually equate to reduced business impact.
Hash Value - A hash value is produced by feeding information to a special computer program. The program converts the input into a fixed length value. The same input should always produce the same hash value. In the case of biometrics, a significant amount of information may be gathered by a finger sensor. This information can be reduced to a much smaller hash value. Another advantage of using hash values instead of raw information is the inability of an attacker to derive from the hash value the original input from which it was created.
Proximity detection - Some security devices used for physical or logical access control can detect, without physical contact, the presence of an individual authorized to gain entry to a facility or to log in to a workstation. These are called proximity detection devices. A proximity detection solution normally consists of a reader at the point of entry, or at the workstation, and a badge or other device in the possession of the employee. When the reader and the employee are within a predefined distance of each other, the user is authenticated to an access control system.