The Second Credential

Oct. 2, 2014
Increase security by combining a smartcard with a biometric credential

Greater demands for more secure means of controlling access have brought biometric technology into the professional security vernacular. We use biometrics to confirm the identity of an individual for the purpose of granting access, verify they are the designated cardholder, open our Galaxy S5, operate a shredder, or let us onto an attraction at Disney.

For biometrics, certain obstacles have had to be overcome, and some are yet to be overcome as biometrics come into wider adoption.

Convenience is a critical factor. Would life be better if we had to prove who we were in the grocery store checkout? I, for one, would have to change my ways.

But I was screaming like a scalded cat last year when someone hacked my PayPal account and purchased a $500 camera with MY MONEY. PayPal covered that one, and issued me an encryption key that I have to use for each transaction. Inconvenient? Perhaps, but I’m totally fine with it if it prevents a future ripoff.

So authentication is in our best interests, and when our clients’ safety and finances are at stake, it is our responsibility to advise them with the best information and most appropriate solutions available.

The technology and market continue to evolve, and thankfully it is possible to achieve a high level of biometric performance from reputable vendors at a reasonable cost.

Q&A Lumidigm’s Scarfo

The Locksmith Ledger contacted Phil Scarfo, Senior Vice President, Sales and Marketing, Lumidigm for some of his expert insights on biometrics. Following are Locksmith Ledger’s questions and Scarfo’s answers.

Biometric authentication is a combination of the biometric scanner and the algorithm which processes the scan. TRUE or FALSE?

An image is captured and transformed into a numerical representation called a template which is matched against an enrolled template.

Focusing on biometric authentication for access control (door entry) applications, what do you offer?

Dozens of access control devices that have been built around Lumidigm sensors and technology are available today from our integrator partners. Some devices are built for rugged outdoor use; some have multiple factors built in such as card readers. There is an access control device with a Lumidigm sensor available for any requirement.

Do you see integrating an access control biometric device/database for other purposes?

Absolutely! Why have one identity/credential for physical access and another one (or several) for logical access? Large enterprises have been asking that question, and IT managers have been working with security managers to integrate across systems. Of course the security threats to physical facilities and logical systems are different, so the converged authentication solution must meet the security and convenience requirements of the entire enterprise. Biometrics has a big role to play here because knowing “who” is critical when issuing a credential.

What differentiates your company and its products from other offers?

Lumidigm multispectral imaging technology works where conventional technologies generally fail. Multispectral imaging technology uses multiple spectrums of light and advanced optical techniques to extract unique fingerprint characteristics from both the surface and subsurface of the skin. The extra fingerprint data captured allows Lumidigm sensors to perform well even in common conditions that thwart conventional sensors, such as dry skin.

Another thing that differentiates our technology is our ability to discriminate between a real human finger and a fake. This is terribly important in mission-critical, unattended operations where a clever impostor could fool a conventional system with a fake imprint or copy of some other individual's identity.

The third major differentiator is that we are unique in our ability to authenticate both a credential and a person on the very same device. Because our systems are designed with advanced imaging techniques, we can authenticate a genuine barcode or data element on a credential or smart device as well as the person who is presenting it.

Why fingerscan as opposed to hand geometry, facial or retinal?

Convenience, reliability and security. Some technologies are robust but not entirely secure. Some are secure but not convenient. Others are convenient and not reliable. We believe that users should not have to compromise and that fingerprint can deliver all three. Additionally, we have found that fingerprint sensors are intuitive and easy to use for most people.

Do you consider single-factor biometric authentication adequate or do you recommend it be used with an additional authentication? Which do you consider is best and why?

Every application has a different set of security and convenience requirements. The iPhone 5s is a good example of a single-factor biometric that is so much easier to use than remembering and entering a PIN. But it’s a phone. Would that same single-factor biometric device provide adequate security at a bank? At that point you start evaluating the relative performance of biometric technologies — some are inherently more secure than others — and introducing a second authentication factor in some cases.

Often, a choice of authentication factor is appropriate or, better yet, the ability to have graded authentication designed to fit the security level. Sometimes a smartcard and a biometric are coupled such that the card itself can be authenticated and the biometric data that resides in the card (or on the device) can be compared to the person presenting it. This is an excellent way to raise the level of security and design a system.

How is the efficacy of authentication measured? Is the number of factors (example credential + fingerscan) the basic yardstick? What type of site evaluation or risk assessment is used to determine the appropriate extent of protection?

Efficacy must first be defined within the context of the specific application. Is security most important, or convenience, or both? What assets are being protected? What is the user population? Where is the device being deployed? The same level of performance might be considered successful in one installation and disastrous in another. The world of authentication is not absolute and therefore the question is how statistically confident do you want to be relative to the risk. If the risk is high, clearly the confidence level must be raised. We always recommend scenario evaluations before choosing a biometric system.

Part 2 of our article is a review of a group of carefully selected biometrics products which present the professional security installer a range of options and solutions for both new systems and the upgrade to existing systems.

Lumidigm M-Series

Lumidigm M-Series fingerprint sensor modules extend the power and reach of its multispectral imaging technology to a whole new set of industries, applications, channel partners and users. The M-Series modules are designed for those who need a biometric technology or solution that works where other competitive alternatives often fail.

The core benefit of Lumidigm’s multispectral technology is that it virtually eliminates common real-world problems experienced by conventional fingerprint sensors.

The M-Series design allows easy integration into a growing set of devices and systems. Available as either a self-contained intelligent device or as a Windows® PC-based authentication solution, the M-Series supports multiple modes of operation. This means more flexibility and a variety of choices for integrators.

The M-Series module package is complete with an extensive SDK that simplifies integration. M-Series devices can be configured to deliver high-quality images or ANSI-378 standard templates. The modules can also be designed into either verification (1:1) or identification (1:N) applications. It is a standard, no-cost capability that is packaged into the M-Series modules.

For more information, visit www.lumidigm.com

Zwipe

Zwipe enables the addition of a biometric authentication factor to virtually any credential-based access control system. A credential with biometrics is referred to as dual-factor authentication.

Zwipe offers a fast method to add a biometric authentication factor to a credential-based electronic access control system because implementing Zwipe does not involve replacing readers or installing software. An additional authentication factor such as a PIN can also be added by using a card reader with a keypad.

Each standard credential is replaced with a Zwipe. Each Zwipe credential is enrolled into the access control system the same way any credential would be. Then each user who is issued a Zwipe enrolls their biometric signatures onto that credential. The enrollment of the biometric signatures is done right on the credential without a separate enrollment station or process. The biometric scan data never leaves the credential and does not reside elsewhere except on the credential. Once programmed and deployed, the credential will only send the credential data when a valid fingerprint has been recognized by that particular credential.

Zwipe uses standard MIFARE® Classic and DESFire® EV1 programming procedures.

For more information, visit www.zwipe.com.

Schlage HandReader

A Schlage biometric hand geometry reader simultaneously analyzes more than 31,000 points and instantaneously records more than 90 separate measurements of an individual's hand, including length, width, thickness and surface area, to verify the person’s identification. In conjunction with a PIN, a registered individual can gain access to the facility.

The size and shape of the hand and fingers are used by a HandReader to verify a person’s identity. Hand geometry evaluates a 3-D image of the four fingers and part of the hand. This was the technology used for the very first commercially available biometric device, which came to market in 1976.

Hand geometry readers continue to be the dominant biometric technology for access control and time and attendance applications. They are predominantly used in high throughput applications, such as at the gates to a factory, access to an airport tarmac or admittance to a college recreation center.

The Schlage HandPunch GT-400 brings the flexibility of a full-functioned time and attendance terminal together with versatile proximity, smart and multi-technology credential reader options, including the popular aptiQ™ smart card series. Employees can now use the same card to clock in and out of work as they use to enter their facilities. With a multi-technology reader module embedded inside the HandPunch GT-400, organizations can read both traditional 125 kHz proximity cards and more secure 13.56 MHz contactless smart cards.

The MTR-G embedded reader module is compatible with aptiQ smart credentials, which provide advanced MIFARE® Classic and MIFARE DESFire™ EV1 encryption for greatly improved security. So that companies do not have to switch out their installed card readers, the MTR-G also reads HID® proximity, GE/CASI Proxlite®, AWID® proximity, Lenel® proximity and popular 13.56 MHz smart cards. If the organization presently uses proximity cards but wants to upgrade to smart cards, users of the HandPunch GT-400 + MTR-G embedded reader module will not need to make any hardware changes to the hand reader because it is compatible with both. Additionally, if upgrading to aptiQ smart card technology, which is already Near Field Communications (NFC) enabled, users will eventually be able to use their own smart phones as their credentials.

The Schlage GT-400 hand reader looks at the unique three-dimensional size and shape of each employee’s hand. The result of ninety hand measurements, including lengths, widths, thickness and surface areas, is converted into a mathematical template of the hand, which is used for verification. To use the hand reader, users present their proximity/smart cards to the GT-400, which calls up the users’ templates, and then lay their hands on the platen.

No fingerprints or palm prints are used, ensuring user privacy. The platen, keypad and function keys of the HandPunch GT-400 are also all infused with an antimicrobial agent.

For more information, visit www.allegion.com

CANSEC

CANSEC has been in the biometric market for several years, and has refined its technology and market focus based on experience and success in the market. Besides access control, areas where they are finding a market for their biometrics products are time & attendance and machine control towards OSHA compliance. I installed one of their units on a sorority house several years ago and it has stood up well to college student use and abuse.

Zodiac Link™ is Cansec’s latest addition to its field-proven line of fingerprint readers. Building on the success of the Zodiac 250, three new features have been added. User capacity is increased from 250 users to 2,000. You can now link up to five readers with all user programming done from a designated Master. You can also copy user templates from one unit to the other in case one is damaged and needs to be replaced. No need to re-enroll users.

Just like the Zodiac 250, it can be used to directly control a door or it can be connected to any Wiegand-compatible access control panel. And like the 250, you can upgrade a regular prox reader to biometrics in under five minutes.

For the enterprise, Cansec offers the ZODIAC MAX™ online fingerprint reader. This high performance biometric fingerprint reader for up to 4,000 users eliminates the need for traditional credentials. All template management may be done centrally from the Zodiac Max software. The Zodiac Max software provides an easy, intuitive interface for managing one or many Max readers, supports both serial and Ethernet connectivity, and handles both small standalone applications as well as large networked multi-user enrollment stations.

For retrofits, Cansec recommends upgrading to Zodiac iCLASS II. With Zodiac iCLASS II, a user simply presents their 16K bit iCLASS credential to the reader and places their finger on the scanner. The reader compares the live fingerprint scan to the template stored on the credential. If they match, the Wiegand data on the credential is sent to the access control system where it is processed just as if it came from a normal prox reader.

The Zodiac iCLASS II reader allows for an unlimited number of users since each user’s fingerprint template is stored on their credential and not the reader or the system. Standard proximity readers can be replaced with Zodiac readers in as little as five minutes without any wiring changes or changes to existing access control panels.

The Zodiac iCLASS II reader can also be used with existing non-iCLASS cards by adding a 16K bit iCLASS stick-on patch onto the existing cards of users requiring access to the biometrically protected area. And Zodiac iCLASS II works with all Wiegand formats with no special setup or firmware.
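The card-then-finger flow described above, sketched as an added example that is not Cansec's firmware or any vendor's code: the reader does a 1:1 comparison of the live scan against the template read from the credential and only then emits the credential's Wiegand frame, which the panel decodes exactly as it would a plain prox read. The standard 26-bit Wiegand layout (even parity, 8-bit facility code, 16-bit card number, odd parity) is assumed as the format; the feature-vector "templates", the distance matcher and its threshold are constructed stand-ins, not a real fingerprint algorithm.

```python
from math import dist

MATCH_THRESHOLD = 0.25  # assumed tolerance for the toy matcher below


def wiegand26_encode(facility: int, card: int) -> str:
    """Build a standard 26-bit Wiegand frame as a string of '0'/'1'."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)      # first 13 bits get even parity
    odd = str(1 - data[12:].count("1") % 2)   # last 13 bits get odd parity
    return even + data + odd


def wiegand26_decode(bits: str):
    """Panel side: verify both parity bits, return (facility, card)."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    if bits[:13].count("1") % 2 != 0 or bits[13:].count("1") % 2 != 1:
        raise ValueError("parity error")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def template_matches(enrolled, live) -> bool:
    """Toy 1:1 matcher: Euclidean distance between feature vectors."""
    return len(enrolled) == len(live) and dist(enrolled, live) <= MATCH_THRESHOLD


def reader_present(credential: dict, live_scan):
    """Return the frame to send to the panel, or None to stay silent."""
    if not template_matches(credential["template"], live_scan):
        return None  # no match: nothing is put on the Wiegand lines
    return wiegand26_encode(credential["facility"], credential["card"])


# Constructed sample credential and scans (not real biometric data).
CARD = {"facility": 42, "card": 12345, "template": [0.12, 0.80, 0.33, 0.57]}
OWNER_SCAN = [0.10, 0.82, 0.35, 0.55]
OTHER_SCAN = [0.70, 0.20, 0.90, 0.10]

if __name__ == "__main__":
    frame = reader_present(CARD, OWNER_SCAN)
    print("owner ->", frame, wiegand26_decode(frame))
    print("other ->", reader_present(CARD, OTHER_SCAN))
```

Because the template travels on the credential, the reader never searches a user database, which is why the user count is unbounded; the frame the panel receives carries no record that a fingerprint check took place.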

For more information, visit www.cansec.com