One of the most promising approaches for reliable identity verification is biometrics, because it identifies users based on something that they are – an innate biological characteristic – not something that can be shared or stolen like a card, a password or a PIN.
Biometrics barriers to entry
The term biometrics can often carry negative connotations. Say the word and a picture immediately forms in the listener's mind – a picture that includes:
- The complex installation of expensive biometric readers at every door, gate, or computer;
- The enrollment of sensitive personal biometric information in a database that the organization must manage and protect; and,
- User frustration with intrusive technology.
Benefits of biometrics
Even with the challenges that a biometrics installation poses, many companies have implemented biometrics to meet regulatory mandates related to security audits and access control. Biometrics provide the robust identity verification needed to support audit trails and satisfy many regulations.
Unlike the use of proxy-type credentials such as cards, passwords or PINs, which can be easily shared or stolen, biometric solutions offer non-repudiable evidence of the user's identity and confirms that the intended user was present for an access transaction.
In traditional approaches, the biometric data itself (such as a fingerprint) has served as the access credential and is transmitted to a back-end system for matching and approval. Hence the need to collect and store user's sensitive biometric information in databases. If we can separate the biometric data from the credential transmission, however, we can envision a more effective model – a model where identity verification is distinct from the credential delivery transaction.
An emerging model is that of personal biometrics. In this model, every user has his or her own biometric reader embedded in a token the size of a key fob. When the user wants to gain access to a protected resource, they simply place their fingerprint on their own token which compares it against the fingerprint template stored in encrypted memory. Only after a successful match does the token release an access credential, i.e., a card ID for opening a door or a digital signature for logging onto a computer. The biometric information is never released.
The personal biometrics model has numerous advantages. Consider the following human factors issues:
Personal privacy. The user remains in full and exclusive possession of their biometric data. It is stored securely on their personal device. Personal privacy is maintained and the user's biometric data is never shared, collected or stored in any external system.
Personal hygiene. Fixed readers mounted at doors or gates are used by large numbers of people and can contribute to the spread of germs. As a rule, people would prefer not to have to touch a device that so many others are touching. With a personal biometric reader this issue is eliminated.
Then there are the organizational factors:
Reduced cost and impact of deployment. If a token can output signals compatible with existing access control infrastructure (proximity and contact/contactless smart card readers, and one-time password systems), the cost and hassle associated with installing new equipment systems can be avoided, thereby enabling a rapid, affordable and non-disruptive deployment. Additionally, eliminating the need to carry multiple access cards or to remember multiple passwords reduces long-term credential issuance and management costs.
Supports convergence. The model of a single token that can communicate with both physical and logical access control infrastructure directly supports an organizations' ability to move to convergence of those previously separate domains.
The Impact on Logical Access
Passwords are universally recognized as a problem – we simply have too many of them in our modern lives. They are difficult for users to remember and for the organization to manage. Single sign-on (SSO) software has been developed to help address this challenge, particularly in a corporate IT environment where passwords must be frequently changed. SSO software acts as an agent for the user to streamline the logon process and simplify the user experience.
But with the convenience of SSO comes a new risk. Before SSO, gaining access to one of a user's many passwords might have given you access to one small part of their life and data. But with single sign-on, one password is now the key to the entire kingdom. As such, we need to insure that the credential used to gain access to the SSO system is highly secure. Biometrics is a logical consideration, but the traditional implementation model would require the installation of a biometric reader at every PC.
The good news is that most IT systems are compatible with another type of credential – the smart card. Typical smart cards are credit card sized cards containing a secure chip that holds data on its rightful owner, and credential information like a personal identification number (PIN). Operating systems like Windows (and others) are designed to accept a smart card as a valid credential for logon in place of a user name and password. The challenge is that most PCs and other IT assets do not have the ability to read the card – an additional piece of hardware, the smart card reader, is required.
The personal biometric approach can address this need as well with tokens that are smart card compliant (ISO 7816 part 3) and contain a USB port. When connected to a PC the token presents itself to the operating system or application as a smart card, but only AFTER the user validates their identity on the token using the on-board fingerprint reader. The result is a biometrically secured smart card, in the form of a personal token, which can be used with standard PCs using only a USB cable – no other hardware or software is required.
Convergence – The end game
IT and physical security systems have historically been managed as separate domains resulting in duplication of identity management functions. Rising costs and complexity related to the management of separate identity environments are causing organizations to face the decision to either keep their physical and IT strategies separate, or merge them into a converged security approach.
Utilizing the same identity solution in both environments enables companies to eliminate redundancies, enhance security, and significantly reduce complexity for both users and the organization.
Personal biometrics introduces a simple solution to this significant challenge, since each token emulates both physical and logical access credentials, and interfaces with existing facility and IT security infrastructure.
Biometrics offers substantial benefits in addressing the need for reliable verification of identity. Combining the power of biometrics with a personal token that can securely carry and deliver the variety of credentials that are utilized by the different systems in today's buildings and IT environments – and only deliver those credentials after a biometric verification of identity – can directly help organizations reduce costs, streamline the lives of their users, and achieve convergence of identity across their physical and logical security systems.
- John Petze is president and CEO of Privaris