Access Control and Biometrics
Authentication (proving that a person is who they say they are), authorization (access permissions allowed to each individual) and accounting (tracking authentication, authorization and activities associated with each) are essential components of security. Weaknesses in current authentication techniques have led to the evolution of new identification technologies in the form of biometrics. Prior to the use of biometrics, authentication methods included using what an individual knows (such as a password) or what an individual has (such as an identification card) as a means of authentication. Biometrics adds another, stronger dimension to security authentication by introducing the validation of what an individual “is” (referring to some aspect of an individual’s physical person that is universally unique). Biometric systems first capture and store a template of the unique individual attribute (such as a iris pattern or palm vein pattern) that is being used for authentication. When an individual authenticates with the biometric system, a second sample is captured and compared to the first sample (template) of that individual that is stored in the system database. If the template and the current sample match, then the individual is authenticated and allowed access. If the template and current sample do not match, the individual is not authenticated and is denied access. Each system is designed to account for some individual variation over time to decrease the chance of a false positive or negative, which adds somewhat to the complexity of this type of authentication technology.
Amazon Price: $64.95 Buy Now
(price as of Sep 28, 2016)
Fingerprint Analysis and Finger Vein Maps
Two types of biometrics commonly in use today include fingerprint analysis and finger vein maps. Both methods use characteristics that are, for the most part, universally unique to each individual. However, there are some significant differences between the use of fingerprint analysis and finger vein biometric technology. Fingerprint analysis technology relies upon the unique, fine ridges that are formed at the end of each individual’s fingertips. Fingerprint technology has been used since the turn of the 20th century and has now been incorporated into computerized electronic identification systems. In contrast, finger vein technology is relatively new, being commercially available only during the past decade. Finger vein technology relies on the unique pattern of vein networks that exist within each individual’s finger.
Fingerprint samples are captured when an individual places a finger tip on a biometric scanner surface where the system takes a snapshot of the fingerprint. Fingerprint analysis biometrics increase reliability by stepping through a series of refinements after capture. A unique fingerprint is then stored in the biometric system database. Authentication follows the same process except that the fingerprint that is captured from a subject is compared to a database of fingerprints in order to find a match. If a match is found the individual is authenticated.
Finger vein patterns are captured by either transmitting or refracting near ultraviolet light through the finger and then taking a snapshot of the vein pattern. Refinements to cancel out light noise and other artifacts are then performed and a template of the finger vein pattern is stored. Authentication then follows the same routine steps as fingerprint recognition biometrics, where the individual is required to provide a sample and the captured sample is compared to a database of individual finger vein templates. The individual is authenticated if a finger vein match is found in the biometric database
To properly compare fingerprint analysis and finger vein biometric technologies it is necessary to first consider present authentication methods and their impact on the organizations that use them. Magnetic card reader technology is a mature form of authentication technology and relies upon something possessed by an individual rather than what they are or what they know. Factors to consider when determining whether or not an access control technology is sufficient include convenience, reliability and acceptability.
Amazon Price: $699.99 $319.66 Buy Now
(price as of Sep 28, 2016)
Magnetic card readers require a database of identification numbers stored in a central location. New members of an organization can be added to the database simply by creating a new personnel identification number and card on location. Unauthorized persons that do not carry the organization's magnetic strip card are not granted access. Swiping a magnetic card for authentication takes only a couple of seconds (especially important during the morning and lunch time rush). However, magnetic cards can be lost, stolen or forgotten. If the card is lost or stolen, the organization relies heavily upon the employee to notify the organization that the card is missing. If the organization is not notified quickly, a person that finds the card could gain unauthorized access to the organization's facilities. If an employee forgets to bring their magnetic stripe card with them, time is lost while the employee runs home to retrieve the magnetic card or worse, the employee “borrows” a card from another employee, a practice that thwarts the organization’s ability to track those entering and leaving sensitive areas. So organization's that use magnetic strip cards must have security personnel trained to create new identification numbers and cards, and deal with how to respond when a card is lost, stolen or forgotten. In addition, systems such as CCTV video recording at each card reader station are required if the organization wants to ensure that the person swiping the magnetic card is the person authorized to use the card (increasing system cost, complexity, and security staffing).
Fingerprint readers and finger vein readers require installation efforts similar to magnetic card strip readers. Both fingerprint readers and finger vein readers require enrollment; an inconvenience that requires employees to take a couple minutes for a fingerprint reader to capture a sample fingerprint or 30 seconds to capture a sample for a finger vein reader. In addition, enrollment can fail, adding to the inconvenience. Biometric enrollment can be an inconvenience that takes time out of the employees work day and requires a higher level of training for the biometric system operator. Fingerprint and finger vein scanning does however, offer significant advantages in authentication security over magnetic card strip readers. First, the authentication method cannot be lost or stolen or left at home. There is also no need to train security personnel on how to create new identification numbers and cards. However, fingerprint and finger vein scanning techniques do take longer than magnetic cards when presented for authentication (both require a few seconds for scanning). As for error rates, magnetic strip cards do wear out and cause false non-authentications. Magnetic card strips can also be inadvertently erased by magnetic fields in department store EAS systems, airport security systems, and even magnetic toys. Biometrics however, may have false non-authentications for which the only remedy is re-enrollment (adding to the inconvenience of both the organization and employee).
Magnetic card strip readers are highly reliable and rarely fail to authenticate a card unless the card is worn out or demagnetized. However, malicious social engineering techniques can erode magnetic card reader reliability because there is no guarantee that the individual presenting the card is the same person authorized to use the card. Lost and stolen cards contribute to decreased reliability and additional expense.
Fingerprint scanning and finger vein scanning both deliver high reliability however only when calibrated to properly balance their false match rate or FMR with their false non-match rate or FNMR to arrive at a performance level acceptable to the employer. Error rate calibration is essentially a decision between the cost of false matches (that allow unauthorized personnel into company facilities) and the cost of false non-matches (that detain employees from their jobs until the issue can be resolved). There are two important differences between fingerprint and finger vein scanning that favor finger vein scanning as more reliable. First, fingerprint scanning requires contact with a surface in order to perform a scan. Requiring contact with a surface means that the surface must be cleaned regularly to keep the surface free from dirt, oil and other debris that may interfere with the capture process. Second, fingerprint scanning relies upon external body rather than internal body characteristics. External body characteristics afford greater opportunity for forgery such as lifting fingerprints and using them to pass authentication or removing the fingers from authorized personnel to use in passing authentication (both have been done successfully in live fingerprint systems). So in terms of reliability, finger vein scanning provides superior reliability over fingerprint biometrics.
Magnetic card readers are accepted by both organizations and employees because they are quick to authenticate, and they have an extremely low false non-authentication rate.
In contrast, biometrics has long been the subject of invasion of privacy discussions. Both fingerprint and finger vein scanning technologies require enrollment of personal body characteristics into an organization’s database. Both are slower than magnetic card readers to authenticate, causing lines to form at employee entrances. However, fingerprint scanning also requires each individual to touch a scanning surface which creates a hygienic issue that is objectionable to some individuals and means additional maintenance is needed at each scanning station. Since finger vein scanning does not require contact with a surface, hygiene is not a problem with biometric finger vein technology, nor does it require the employer to pay for additional maintenance to keep the scan stations clean. Hence, when comparing the two, finger vein biometrics is less objectionable than fingerprint scanning.
Finger vein biometric systems are superior to fingerprint biometrics and in combination with another form of authentication (something you know, such as a password or something you have, such as a smart card) would provide an organization with an extremely reliable and acceptable, strong two factor authentication method. Finger vein biometrics have never been forged, providing a much higher level of security. Finger vein biometrics also have a lower level of FNMR (False Non-Match Rate) and FMR (False Match Rate) than fingerprint biometric systems. And while the initial cost of a finger vein biometric system is higher than finger print scanning technology, an organization can recoup additional cost by eliminating the need for hygiene maintenance that would have been required with a fingerprint biometric system.