Primeval instinct
A few weeks ago I met with a security steering committee at the headquarters of a global biosciences firm. The purpose of our meeting was to discuss biometric security and to talk through some immediate security requirements the company had.
During the course of the meeting I was astounded when asked: “Are you not concerned at the potential cancer risk introduced with iris recognition by the shining of a laser in the eyes?” This guy sincerely thought iris recognition technology was dangerous, which is, of course, untrue. How had he come to this conclusion? He had been told so by a security installer!
Iris recognition is as safe as someone pointing a video camera at you. The physiological trait we are interested in capturing is the iris; there are no lasers, no scanning and no touching of any part of the eye, just a simple snapshot. The iris capture device, although a little odd looking at first glance, is in effect a specially-designed camera, which uses harmless infrared to illuminate the eye.
Focusing on the biometric access control market as a whole then, there remain a number of issues which need to be addressed before commercial customers have the level of confidence and understanding required to invest in biometric security solutions.
Installer capability and understanding
Naturally, if installers are concerned about their abilities to install a security solution, especially a biometric one, they will not promote it to clients. In certain extreme cases, they may even persuade against the introduction of biometrics – knowingly or unknowingly – on the basis of some horror story which tells a tale of damaged eyes or amputated fingers!
The installation industry must invest in the skills and capabilities necessary to implement technology-based security solutions, including biometrics. Predominantly this happens by understanding what is required to create an underlying technical architecture involving PCs, servers, networks and communications. Indeed, biometrics is not the only area requiring this shift in skills; the same is true of integrated security solutions and IP camera systems.
Once the foundation technology needed to deploy biometrics is better understood, it is then necessary to understand the finer details. The technology means that for the first time, a machine is able to positively identify a human being, rather than trusting this to be the case based on a token, card or password. As such, the specification and deployment of biometrics requires a new approach compared to conventional systems.
As with any new technology, the market requires informing as to the capabilities, strengths and weaknesses of biometrics. Knowing what the technology can and can’t do has equal importance.
Indeed, one of the greatest challenges in the UK and in some other European countries is to remove biometrics from the identity cards debate, and to judge it specifically in the context in which it is to be applied. Unfortunately, the ID cards debate is a political debate, not a pragmatic one. Focus is placed more on the dangers introduced by having a national, centrally-managed database overseeing our activities, as opposed to the technology’s capabilities and value.
Quality and implementation
Biometric solutions really do work, delivering real business value and cost-effective solutions. Many of the problems with systems are due to the quality of the solution deployed, or the way in which it has been deployed.
The most common error is not qualifying the client’s requirements. More often than not, a client will research biometrics on the Internet, decide from this superficial search which biometric is best and then place a request with the installer. Unfortunately, installers often act on this request without questioning the real requirements, especially the deployment conditions and user group make-up.
The introduction of two separate identity repositories – or databases – underpinning a single biometric security solution is one of the biggest mistakes. This introduces two points of failure, two places to enter identity information and two points to administer the system. The reason behind this lies in the lack of understanding and integration: biometric systems manage templates (your biometric data), while a proximity-based system manages card codes. Unfortunately, some installers simply cobble together a proximity system with a biometric system using Wiegand technology as a conduit, adding extra cost and complexity to the customer.
Testing -v- practical deployment
Those with a basic understanding and appreciation of biometric technology will have been exposed to the currency by which biometrics are assessed: FAR, FRR and EER (False Accept Rate, False Reject Rate and Equal Error Rate). Each biometric is assessed based on these key statistics, thereby providing a means by which different biometrics can be compared. However, they also cause considerable confusion and misinform the end-user community.
Clearly, these measurements have their place, especially when assessing a biometric technology to perform searches against 60 million-plus databases, such as those proposed for the UK’s ID card scheme. However, for deployments of 5000 or less – which cover 95% of current biometric security projects – these statistical measurements are misleading. Here are some key points to consider when firmly quoting FAR or FRR statistics:
- Most tests are performed in near-perfect laboratory conditions and are attempting to replicate the deployment environment for which they are intended. This is often far removed from a typical working environment where, for example, people are hurriedly trying to get into work through an external door in the pouring rain.
- The vast majority of statistics provided on the Internet are vendor-sourced, i.e. the vendor has carried out its own internal tests and published only those results which place its product in the best possible light.
- These statistics are often quoted by installers and clients alike as a form of comparison to conventional card-based systems. They will suggest that an acceptance rate of only 99.9% is not acceptable (one individual will, potentially, gain access falsely every 1000 attempts). Yet no direct comparison can be made against a card-based or similar system. For a true like-for-like comparison to be made between a biometric and card-based system, it is necessary to introduce other factors into the equation, such as the statistical possibility of the theft, inappropriate lending, or loss of a card in a ‘conventional’ system.
- The user population used in testing, which influences the resulting FAR and FRR statistics, will differ from the individuals you wish to extend the biometric system to. The demographics, population size and deployment conditions all impact the results.
Too much of the thinking around biometrics is sourced from laboratories or similar institutions, as opposed to practical deployments of the technology in conditions similar to your own.
Take note of the FAR and FRR rates for the various flavours of biometrics, but in no way let this be the biggest factor influencing the technology selection. A better approach would be to work with an installer who has deep understanding and practical deployment experience and, ultimately, has clients who have deployed biometrics in an environment similar to your own.
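As an added illustration (not part of the original article), the Python sketch below computes FAR, FRR and the EER threshold from match scores, then applies the laboratory-tuned threshold to field captures of the same genuine users. All scores are constructed sample values, the function names are hypothetical, and it assumes a higher score means a better match.

```python
# Added example: FAR/FRR/EER from match scores. All scores are constructed.
# Assumed convention: higher score = better match; accept if score >= threshold.

LAB_GENUINE = [0.91, 0.88, 0.95, 0.83, 0.79, 0.90, 0.86, 0.93, 0.81, 0.97]
FIELD_GENUINE = [0.85, 0.62, 0.90, 0.48, 0.71, 0.88, 0.55, 0.91, 0.77, 0.93]
IMPOSTOR = [0.12, 0.25, 0.31, 0.08, 0.44, 0.19, 0.52, 0.27, 0.36, 0.80]


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) at one threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) where FAR and FRR are closest to each other."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def field_drift(lab_genuine, field_genuine, impostor):
    """Tune the threshold on lab data, then measure the same threshold on
    field captures of genuine users. Returns (threshold, lab_frr, field_frr)."""
    t, _, lab_frr = equal_error_rate(lab_genuine, impostor)
    _, field_frr = far_frr(field_genuine, impostor, t)
    return t, lab_frr, field_frr


if __name__ == "__main__":
    t, far, frr = equal_error_rate(LAB_GENUINE, IMPOSTOR)
    print(f"lab EER threshold={t:.2f} FAR={far:.0%} FRR={frr:.0%}")
    t, lab_frr, field_frr = field_drift(LAB_GENUINE, FIELD_GENUINE, IMPOSTOR)
    print(f"same threshold in the field: FRR {lab_frr:.0%} -> {field_frr:.0%}")
```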
The search for sophistication
Biometrics is an established technology, but demand in the security sector has only really gathered pace in the past couple of years, as customers look for more sophisticated answers to their security problems.
In the past few years we have experienced massive technology convergence as the introduction, maturity, standardisation or acceptance of different technologies have created an ‘enablement’ environment. The limitations of differing technologies have been overcome with the introduction of other infrastructure or foundation technologies. Arguably, the four key areas of technology enablement are:
- Increasing adoption of Internet Protocol (IP) as the primary form of device identification and communication (TCP/IP).
- Widening bandwidth, coupled with dramatically reduced communications costs.
- LDAP (Lightweight Directory Access Protocol) directories, which provide a central, stable and mature identity repository for both devices and individuals.
- Movement away from proprietary standards and technologies to more open standards, including those specific to the biometrics market.
Although these areas of change do not directly influence the performance of biometric technology, they do influence the ease with which biometric solutions can be deployed, managed and integrated. As with many security solutions, the true strengths of each will only be harnessed once they are fully integrated with other systems.
Conclusion
In recent times there has been a notable shift from the small-scale ‘toe-dipper’ type opportunity, to full enterprise solutions being deployed and integrated with network environments, creating wholesale ‘doorway to desktop’ security. Now, many organisations, large and small, are benefiting from the introduction of biometric technology for both security and identity management.
Integration with less conventional systems will become the norm as organisations begin to look at physical and logical/IT security as a single concern. Perhaps most significantly, however, organisations will begin to look at the concept of identity management – encompassing the provision, protection and management of identity – with security simply becoming an inherent component of the process. Bring on the future!
Neil Norman is the founder and managing director of Human Recognition Systems, a multi-biometric company in the UK, partnering with biometric vendors including Iridian, Panasonic, BioScrypt, Identix and Recognition Systems. Neil previously worked for eight years at management consultancy, Accenture.