Locks and Security News: your weekly locks and security industry newsletter
4th September 2024 Issue no. 719
The basics of biometric access control: what you need to know
Biometrics means different things to different people. Maybe your first thought is about how impressive and advanced this technology is. Or maybe your instinct is concern or worry about privacy. Whatever your initial impressions, we’re here to break this complex topic down and give you the real truth about biometrics.
Research in the USA shows that 58% of businesses are planning to replace traditional passwords with biometric solutions in the workplace. That’s more than any other identity validation method. So biometrics is here to stay, and it’s more important than ever that you understand how it works, its benefits, and its risks.
What is biometric access control?
Biometric access control is a means of verifying people’s identity using their unique physiological features for the purpose of restricting access to locked areas. Access control in general ensures that only authorised individuals can enter certain rooms or zones. Biometrics simply adds the aspect of using human features to verify the identity of people before granting them access.
Types of biometric access control
The term ‘biometric access control’ is a catch-all for a variety of different identity validation methods. The human body has a range of physiological features which are completely unique to individuals. Perhaps the most commonly known is fingerprints. The patterns in the lines and ridges on your fingerprints are yours and yours alone. That’s why they can be used to verify your identity for the purposes of access control. The same is true of palm lines and patterns, but this is a much less common method of biometric identification.
Two other methods which are growing in popularity are facial recognition and iris scanning. The size, shape, and relative locations of your eyes, eyebrows, nose, lips, and ears can be mapped into a unique digital template to identify you. In the case of iris scanning, it’s colours and patterns in the pigmented part of your eye that the camera is analysing.
Finally, a method which is particularly common in the banking industry – voice recognition. For organisations like banks, which often interact with customers over the phone, this is a useful technology for security.
How biometric access control works
Regardless of the method of biometric access control in use, the steps taken by the system in operation are fundamentally the same.
Data capture
In this step, the system gathers biometric data from the user. That could be done by scanning a fingerprint or iris, taking a photograph of a face, or recording a voice. Not just anyone can do this though – you need specialised equipment to capture the detail required for biometric access control.
Once the data is captured in raw format, it is converted into a digital format that the system can utilise more effectively. Usually, this consists of identifying key datapoints such as particular features of the fingerprint and laying them out into a digital ‘map’. Algorithms are used to process the data and create a unique digital template.
Data storage
Once generated, the digital templates are saved in a secure database. It’s important that the raw biometric data is discarded and not saved anywhere in order to ensure that it cannot be hacked or stolen. Where the digital templates are stored depends on the system in question. Sometimes it’s locally on the device, sometimes it’s on a separate memory storage device, and sometimes it’s in the cloud. Many systems utilise additional security measures to protect saved biometric templates, such as encryption.
Data comparison
In this step, the newly-generated digital template is compared to saved templates to establish whether there is a match. There are two types of biometric matching: they’re called 1:1 and 1:N. In 1:1 mode, the system has a single stored template that it is comparing entry attempts to. For example, the fingerprint scanner on a smartphone is generally using 1:1 matching.
Conversely, in 1:N mode, the system is comparing the new digital template to a larger database of stored templates, looking for any match. This is much more common in physical access control systems. For example, in an office building there might be 100 users who all have their fingerprint data saved in the system. When a user presents their finger to the scanner, the system is comparing it against all 100 user templates to identify if a match exists.
Decision-making
Matches are determined based on pre-defined criteria for accuracy. It is rare that a biometric access control system will require 100% of the captured datapoints to match exactly with a saved template. This is because human bodies and physiological features are not fixed. Factors like recently washing your hands or applying cream, or if you have a small cut on your finger, affect the template captured by the scanner. Error margins take this into account. However, it’s important that the threshold for match acceptance is still very high. Otherwise, unauthorised users might have a chance of illicitly gaining entry to locked zones.
Finally, once a user has been matched and accepted, the system must determine whether they are allowed to access the restricted zone. Access control systems assign users access permissions to certain doors, rooms, areas, or floors. These are pre-determined based on factors such as, for example, which floor you normally work on, or what role you have in the organisation. If the scanned and accepted user does indeed have the appropriate permissions for that door, the system grants them access.
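The comparison, decision and permission steps described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor's reader: the templates are a toy model (sets of constructed datapoints), and the user names, door names and 0.8 threshold are assumptions chosen for illustration.

```python
# Toy model: a template is a set of quantised datapoints (constructed values,
# not a real fingerprint format). Real matchers also handle alignment/rotation.
ENROLLED = {
    "alice": frozenset({(12, 40), (18, 77), (25, 31), (33, 58), (41, 12),
                        (47, 66), (52, 29), (60, 83), (71, 45), (88, 20)}),
    "bob": frozenset({(10, 15), (22, 64), (29, 90), (35, 37), (44, 71),
                      (50, 8), (63, 52), (69, 26), (77, 80), (91, 43)}),
}
PERMISSIONS = {"alice": {"front-door", "floor-2"}, "bob": {"front-door"}}
THRESHOLD = 0.8  # assumed: fraction of enrolled datapoints that must be present


def similarity(probe, template):
    """Fraction of the enrolled template's datapoints found in the probe."""
    return len(probe & template) / len(template)


def verify(probe, claimed_user, threshold=THRESHOLD):
    """1:1 mode: compare against the single template of the claimed user."""
    template = ENROLLED.get(claimed_user)
    return template is not None and similarity(probe, template) >= threshold


def identify(probe, threshold=THRESHOLD):
    """1:N mode: compare against every template, return best match or None."""
    best_user, best_score = None, 0.0
    for user, template in ENROLLED.items():
        score = similarity(probe, template)
        if score > best_score:
            best_user, best_score = user, score
    return best_user if best_score >= threshold else None


def decide(probe, door):
    """Match first, then authorise; deny by default at either step."""
    user = identify(probe)
    if user is None:
        return ("deny", "no match")
    if door not in PERMISSIONS.get(user, set()):
        return ("deny", f"{user} lacks permission")
    return ("grant", user)


# Constructed probes: Alice with one datapoint lost to a small cut, a stranger.
alice_cut = set(ENROLLED["alice"]) - {(41, 12)} | {(5, 5)}
stranger = {(1, 2), (3, 4), (12, 40), (18, 77), (90, 90)}
```

With these inputs, `decide(alice_cut, "floor-2")` grants access on a 90% match, while the same finger is denied at a door Alice has no permission for and the stranger is rejected before permissions are ever consulted.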
Benefits of biometric access control
Better security
Access control solutions that utilise biometric data are equipped with an inherent extra layer of security. Where other more traditional credentials such as swipe cards or PIN codes could be lost, stolen, or cloned, biometrics are resilient and convenient. It is extremely difficult to convincingly clone biometric data. And in any case, many systems are prepared for this eventuality. For example, ievo fingerprint readers utilise liveness detection technology to check for live blood flow in the scanned finger.
Greater convenience
As well as being inherently more secure, biometric credentials are so much more convenient. Users don’t need to remember anything or bring anything to operate the system. Their biometric features are simply part of them – just showing up is all that’s needed. There’s a reason why more than half of smartphone users choose biometrics to unlock their phone [1]. It’s just easier.
Long-term cost-effectiveness
At an organisational level, biometric technologies represent a long-term cost-effective investment. While setup costs can be higher than more traditional systems, the long-term savings can be significant. With no physical cards or tags to continually replace, and no PIN codes to regularly change, the admin around biometrics, and the associated cost, is reduced.
Challenges and things to consider
Privacy concerns
Lots of people are worried about the privacy of biometric data. And that concern is justified. After all, once your biometric data is stolen, it can’t be replaced or changed. However, while it’s a reasonable fear to have, the reality is that the risk is incredibly minuscule. Always do your research on the access control system in question, but many have a wide range of built-in security features to keep data safe. For example, in ievo fingerprint readers, the digital template created when a fingerprint is scanned cannot be used to recreate the original in any way. That means that even in the extremely unlikely case that the template data was stolen, it would be useless to the intruder.
Accuracy and error rates
As we discussed earlier in the section about decision-making in the biometric access control system, a 100% matching threshold is rare. This would result in a lot of false rejections – when a legitimately authorised user is rejected by the system. This error is somewhat less serious. The bigger problem is a system’s false acceptance rate (FAR) – when an unauthorised person is mistakenly granted access to a restricted area.
Most systems must find a balance between security and usability for biometric access control. Obviously, it is essential that only authorised people are granted access to locked zones. However, if the matching threshold is set too high, then it might take multiple attempts for each legitimate user to be accepted by the system. The knock-on effects of this include lost working time, frustration, and foot traffic build-ups at entry and exit points.
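The balance between false acceptance and false rejection can be measured by sweeping the threshold over recorded match scores. This is an added example, not from the article: the scores are constructed, and the last function goes slightly beyond the text by estimating how the chance of a false match grows in 1:N mode, under the assumption that comparisons are independent.

```python
# Constructed similarity scores (0..1), not measurements from any real reader.
GENUINE = [0.97, 0.95, 0.93, 0.91, 0.90, 0.88, 0.86, 0.84, 0.79, 0.72]
IMPOSTOR = [0.05, 0.11, 0.18, 0.22, 0.27, 0.31, 0.38, 0.46, 0.61, 0.81]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(thresholds):
    """Return (threshold, FAR, FRR) for each candidate threshold."""
    return [(t, far(t), frr(t)) for t in thresholds]


def lowest_threshold_with_far_at_most(target, thresholds):
    """Pick the least strict threshold that still meets the FAR target."""
    for t in sorted(thresholds):
        if far(t) <= target:
            return t
    return None


def one_to_n_far(per_comparison_far, n):
    """Chance of at least one false match against n templates (1:N mode),
    assuming each comparison is independent."""
    return 1 - (1 - per_comparison_far) ** n


if __name__ == "__main__":
    for t, fa, fr in sweep([0.5, 0.7, 0.8, 0.85, 0.9]):
        print(f"threshold={t:.2f}  FAR={fa:.0%}  FRR={fr:.0%}")
    print(f"1:N, N=100, 0.1% per comparison: {one_to_n_far(0.001, 100):.1%}")
```

On this sample, raising the threshold from 0.8 to 0.85 removes the last false acceptance but pushes false rejections from 20% to 30%, and a per-comparison FAR of 0.1% becomes roughly 9.5% across 100 enrolled users.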
Implementation costs
Some organisations are put off biometric access control because it comes with a higher initial price tag than traditional swipe card or PIN code systems. And that’s understandable at first glance. However, looking at biometric systems requires a more holistic view, as well as thinking ahead into the future. Initial costs might indeed be higher for biometric systems. But with less admin and no ongoing costs for replacing lost or damaged cards, tags, and fobs, it’s often more cost-effective in the long term. And that’s not to mention the unmeasurable benefits of the improved security that comes with biometric access control. What would be the real cost to your organisation of a serious security breach?
Summary
In summary, biometric access control offers organisations greater security and more convenience for users. Biometric systems capture and convert biometric data into digital templates, before comparing to a saved database to find a match. Once a match is found, the access control system determines whether that person has the right permissions to access the restricted area. If they do, they’re granted access accordingly. Setup costs can be higher for biometric systems than traditional systems, but long-term savings in admin costs and improved security often make up for it.