Adding Biometrics to Access Control Systems

Dec. 2, 2020
A wide variety of technologies, the quality of those technologies and a number of legal issues require security pros to do their homework before installation.

Although biometrics might be described as the “wild west” of startups and technical development with a fast-changing landscape of inventions and shifting markets, it remains a growing component of the access control market. Biometricupdate.com lists several hundred companies in the Access Control category alone. Clearly, a lot of people believe that biometrics might be a fast horse.

This article will focus on technologies, markets, sources of information, ethical and legal issues, and how you can add biometrics to existing access control systems. When considering the use of biometrics, you should do lots of homework. A wide range of products is available. Some will meet your client’s needs, and some budget products will result in constant callbacks. 

Make sure that you select equipment that’s manufactured by a reputable company that has tech support readily available. Your distributor might have some good input.

Biometrics 101

Webster defines biometrics as: “the measurement and analysis of unique physical or behavioral characteristics (such as fingerprint or voice patterns) especially as a means of verifying personal identity.” Current biometric technologies include fingerprint, voice print, vein, iris and retina scans, facial recognition (photo or near infrared scans), keystroke, gait and DNA. The discipline and quality of the analysis generally determines the value of the results. 

Biometric performance typically is measured by false acceptance (FAR) or false rejection (FRR) rates. Where they intersect is known as the equal error rate. Bias towards FRR or FAR generally is driven by the necessity either for ease of use or for a higher level of certainty.

Readers, sensors and software algorithms can be adjusted to collect more or fewer data points, pixels or resolution within the economic limits of a given application. This creates a Rubik’s Cube of options and solutions.

My computer, for example, contains a small and inexpensive fingerprint reader that delivers erratic results, with about 40% false rejections. It’s far from HID’s Lumidigm multispectral fingerprint technology, which performs like the proverbial mail carrier — through rain, sleet and snow and even grease and dirt.

Friction is an industry buzzword describing ease of use and throughput speed. Complex, slow or intrusive processes will be resisted as less user-friendly, while customers are likely to value throughput, accuracy and cost-effectiveness.

In the Market

Potential markets for biometric access control include commercial, transportation, education, medical facilities, retail, telecom, banking, border control, recruitment, and data access. Actually, biometrics might be used anyplace where a high level of confidence in a person’s identity is desired. Identity verification is becoming particularly critical for access to data and the so-called Internet of Things.

Vehicle lockouts are an area where biometrics will have a significant effect on the existing lock industry. Although biometric technology might replace keys or fobs, power or data failures still will require lockout services.

Access to terminals that control data and critical public infrastructure also are prime targets for biometric verification. Since the advent of the COVID-19 pandemic, touchless and low-touch verification methods have become important issues, as well.

Another emerging issue is the ability to eliminate the plethora of passwords we manage. For example, I have about 80 passwords listed on my computer, many of which no longer work. Biometric verification likely will replace these passwords. Lumidigm multispectral and Hitachi finger-vein readers are available for USB connection to computer terminals.

The banking industry is adding biometric verification to their ATM and credit cards in many parts of the world. Companies such as Oslo, Norway-based Zwipe produce cards that harvest power from near field communication terminals to operate the onboard fingerprint reader. Battery-powered cards are used for standard access control functions where a high level of certainty is required.

London’s Heathrow airport is installing 400 facial-recognition kiosks from dormakaba to speed passengers through that facility. Amsterdam’s Schiphol airport makes extensive use of facial recognition as well. In North America, Delta and Jet Blue use facial recognition to speed passengers through check-in. Facial recognition also is being installed at border crossings around the world. In the United States, U.S. Customs & Border Control is using facial-recognition technology to compare the traveler with passport photos.

Another useful development is the emergence of voice print as a biometric validation for contact center authentication. A recent Biometricupdate.com article explained how the Red Box Conversa voice platform saves about 30 seconds of authentication questions during caller identification.

Getting Technical

As noted, popular biometric methods are fingerprint, iris scan and facial recognition. In each instance, several technologies are in use. Capacitance and vein fingerprint readers are reported to be fairly reliable, while HID’s Lumidigm multispectral technology appears to be the most robust.

Retina scan was popular for years, but “friction” from slower throughput and the necessity to place the eye close to the reader have made it less so. A February 2018 Locksmith Ledger article on biometrics, “Biometric Access Control: Ready for Prime Time?” explains a number of the technologies in more depth. (Read at www.locksmithledger.com/12389346.)

Idemia’s MorphoWave 3-D contactless fingerprint scanner has gained considerable credibility with the demand for touchless identification. This commercial product scored high in FAR and FRR rates during 2019 tests by the National Institute for Science and Technology (NIST). 

Facial recognition is the most controversial method, and it’s undergoing rapid technological, ethical and legal change. Artificial intelligence, improved algorithms, more data points and higher definition and 3-D cameras are improving performance rapidly.

For example, Trueface-ai software reported this year that it’s able to search 100 million templates in less than 1 second using the same basic computer NIST used for standardized tests. Clearly, the technology is accelerating at a rapid pace.

StoneLock’s near infrared scan technology completely avoids image capture or privacy issues, however. The reader sees no facial image at all, only data points that can be compared with a voluntarily enrolled user. Essentially, the system is like a touchless fingerprint of the face. Age, gender or ethnicity have little effect on system performance, which completely bypasses discrimination issues.

Iris-scan technologies from companies such as Princeton Identity and Sekureid are another biometric method that functions somewhat like the StoneLock infrared facial scan. Iris scans can use up to 250 data points, are noninvasive and are unaffected by masks, gender, race or age. These touchless technologies have gained considerable credibility during the COVID-19 pandemic as cost, reliability and throughput have continued to improve.

Connectivity to existing systems generally is accomplished in two ways. Many of the newer products have Weigand and Open Supervised Device Protocol (OSDP) connections. OSDP uses a twisted pair RS-485 connection that has AES-128 encryption, which allows for connections of up to 4,000 feet. Weigand to OSDP modules are becoming generally available from reader and panel suppliers.

Privacy Issues

Legal and ethical privacy issues continue to fuel controversy about biometrics. The result has been a rush by city and state governments to restrict the use of biometrics. Indeed, there is considerable discussion within the industry on how to protect personal privacy while providing a secure environment.

Data protection is a huge issue, particularly when third parties have access to personal information. The fact is, after a biometric record has been compromised, our physical data can’t be changed easily, like a password. There also is considerable discussion on the difference between surveillance versus investigative use of personal data.

From an ethical standpoint, bias mitigation is being addressed with more-representative databases, 3-D cameras and infrared scans. However, legal challenges to biometrics and facial recognition in particular are growing. Illinois, Texas and Washington have enacted privacy laws that cover facial-recognition technology, according to David Oberly of the legal firm Blank Rome. Under the Illinois’ Biometric Information Privacy Act (BIPA), “a private entity cannot collect or store facial template data without first providing notice, obtaining written consent and making certain disclosures,” Oberly notes in an article on Biometricsupdate.com.

Opportunistic lawyers discovered serious money in the BIPA law. In a landmark case, Facebook is reported to have settled a class-action suit for $650 million. Lowe’s, The Home Depot, Rite-Aid, Macy’s, Kroger and others that use facial recognition for loss-prevention have become class-action targets.

Despite legal restrictions, governments tend to be the most prolific users of biometrics. CCTV coverage in the United Kingdom, European Union and other areas are legendary, and their increased use in surveillance and facial recognition is anticipated. In addition to the current border control measures, we’re likely to see a continual growth of various biometric measures by government agencies in the United States.

Oberly advises several prudent compliance tips to avoid litigation. These include accuracy and bias testing, a privacy policy, written notice, a written release, an opt-out option, data security protocols and having discriminatory prohibitions.

When you install biometric identification equipment, carefully review these issues with the client to avoid legal challenges. Employer use might be less restrictive with voluntary enrollment for time and attendance or legitimate business purposes.

Cameron Sharpe, CPP, worked 30 years in the commercial lock and electronic access industry. [email protected]  

About the Author

Cameron Sharpe

Cameron Sharpe, CPP, worked 30 years in the commercial lock and electronic access industry. Contact him at [email protected].