Biometric ACS: About myths and stereotypes.
Biometric ACS: About myths and stereotypes.
The most active implementation of new biometric technologies is taking place in the countries of North America and Europe, which account for 62% of the industry market. In Russia, there is also interest in biometric innovations, there is a positive trend, but there are still many questions and doubts, which are often misleading and prevent one from making a balanced choice of identification technology. We initiated a conversation on this topic in order to try to dispel a number of existing stereotypical ideas about biometric ACS.
Like any identification technology, biometric ACS have their pros and cons. Since this technology is relatively new, the average person, and sometimes even professionals in the field of ACS, who may be supporters of other methods of personal recognition or see biometrics as a direct competitor, have an a priori skeptical attitude towards new products based on biometric personal identification technologies.
Let's look at the most common judgments and phobias.
STEREOTYPE I — «BIOMETRIC DATA CAN BE STOLEN»
The challenges of the modern world and security requirements dictate the need to store user identification information in digital form. In addition, the data must be stored and transmitted encrypted. Modern biometric ACS from leading manufacturers, reading a person's identification data, immediately convert it into an individual digital code, which cannot be used to restore the user's personal identifiers. Thus, information about fingerprints and other individual physiological characteristics remains closed to everyone. If an intruder steals an encrypted template, this will not give him anything, it cannot be used to enter the protected facility or to transfer it to third parties. In addition, in the case when the reader and controller are in different places, when they are disconnected from each other, a subsequent system configuration procedure is required. This is why one reader cannot be replaced by another without the knowledge of the system operator.
STEREOTYPE II — «A BIOMETRIC IDENTIFIER CAN BE FORGED»
In our world, nothing is impossible. Most likely, a person who sets a goal to forge facial geometry or the iris of the eye will achieve his goal. But what will be the price of such a «victory»? Professional biometric recognition systems that perform their functions of providing and restricting access are sufficiently protected from counterfeiting. If we are talking about cheap systems, then here, most likely, we should not talk about counterfeiting, but about errors in the system itself. In any case, it is necessary to judge the possibility of counterfeiting by a specific equipment manufacturer (and there are many of them now), and not by the industry as a whole. There are many solutions that protect systems from counterfeiting. This is achieved at the software and hardware level. There are, for example, systems that read the temperature difference on the surface and inside the fingerprint, and such a system can no longer be fooled by a template.
STEREOTYPE III — «BIOMETRIC SYSTEMS ARE TOO EXPENSIVE»
This is the eternal dilemma of the price/quality ratio. If the customer just needs convenience and is not particularly concerned about security, then he can count on systems priced no higher than ACS based on, say, smart cards. However, if it is necessary to provide not only convenience but also security as one of the components of high-quality ACS based on biometrics, the price of purchasing the equipment and, in the case of some manufacturers, the software for it, may be slightly higher, and sometimes significantly higher (this depends on the technology used). But if we take into account the cost of ownership (operation) compared to the same card systems, then taking into account the costs of manufacturing, constant replacement, recoding, as well as the transfer of cards between employees and, as a result, the employer's losses from late arrivals and early departures of employees, at least make you think.
Here are some interesting figures, announced on the biometrics.ru portal:
• According to the consulting company Nucleus Research, which conducts global payback studies, the implementation of biometric timekeeping systems provides annual savings of up to $1,000 per employee.
• McDonald's, a fast food chain that implemented a biometric timekeeping system in Venezuela, was able to save more than 20 percent of its payroll.
• $929 million was lost by Americans due to payment card passwords falling into the hands of third parties.
• 5 billion euros is the damage caused to Societe Generale by its manager Jerome Kerviel, who used his colleagues' passwords in his fraud
• 90 million euros is the amount that Jagmeet Channa tried to steal from HSBC using stolen passwords.
• According to a sociological study by Unisys, 68% of customers worldwide prefer that banks, payment systems, and government agencies use biometrics for identification instead of passwords and cards.
STEREOTYPE IV – “BIOMETRIC SYSTEMS ARE UNRELIABLE”
Distrust can be divided into two components. Distrust of the hardware of the systems and of the software module.
As for the equipment, you need to consider the manufacturer. The price-quality ratio has not been cancelled yet.
Regarding the software part: one of the first questions asked (true, by end customers, not by professionals in the field of ACS) is what will happen if the power goes out. The answer is obvious — the same as with other electrical devices, the system will not work. Of course, a backup power supply system should be provided, as for «card» ACS. Although in the case of private clients, a lock with the ability to open with a key can be provided. For corporate clients, this is unacceptable, since the presence of a «master key» in the system sharply reduces security.
When talking about protection from vandalism, it is necessary to separate the identification method. In a system based on human contact with the reader, it is unlikely that it will be possible to hide it behind armored glass. Accordingly, there is physical access to the equipment. If fingerprinting and an optical scanner are used, then it is possible to apply such protection, but this will affect another parameter — the possibility of fingerprint forgery. If the reader, for example, in addition to removing individual parameters, detects temperature readings, then direct human contact with the device cannot be avoided. Manufacturers have different attitudes to this problem. Some produce systems with a structure that, even if the reader is damaged, eliminates the possibility of manipulation, since the actuator is located inside the protected object (with limited access to it for persons entitled to access to the premises themselves). When using systems where the controller and reader are in the same «housing», there is a risk of penetration by an intruder. The safest design is when even the failure of the reader does not allow penetration into the protected perimeter. This one looks like a lock with a match inserted into the cylinder.
The criterion for the quality of any biometric system that makes a decision to grant or deny access based on the probabilistic nature of obtaining information are two technical characteristics:
• FAR (False Acceptance Rate) — the probability of unauthorized admission (type I error), expressed as a percentage of the number of admissions by the system of unauthorized persons;
• FRR (False Rejection Rate) — the probability of false detention (type II error), expressed as a percentage of the number of refusals to admit authorized persons by the system.
The values of these parameters vary and depend on manufacturers and technologies. You should also pay attention to the recognition speed. If it is slow, the system will be, at the very least, inconvenient to use.
By changing the sensitivity of the analyzing devices, you can influence the magnitude of a particular error. But you should know that by reducing the magnitude of one error, we invariably increase the magnitude of the second. The most important is the error of the first kind, since it characterizes the system's security from unauthorized access. The error of the second kind mainly affects the throughput and ease of use.
Identification in biometric systems answers the question «who am I?» With a sufficiently large template base, the magnitude of errors invariably increases. If the manufacturer says that 50 thousand users can be registered in the database, it is very important to know the magnitude of both errors before deciding to use such systems.
When using biometrics at facilities with increased security requirements, it is necessary to use them together with additional identifiers. This could be a code, a card, etc. In this case, the employee is identified and then, using biometrics, confirms or authenticates himself, answering the question — «Am I really who I say I am?»
In the case of authentication, the parameters of the biometric system best meet the requirements of increased security.
STEREOTYPE V – “A BIOMETRIC SYSTEM IS A LOCK”
Many people who discuss the possibility of using biometrics for access control equate it with an actuator. Simply put, they believe that the reader is a lock. In fact, this is not the case. Biometrics performs the function of a key (or password — in the case of its application in the field of information technology). It makes two important decisions — whether to grant access or deny it. For example, if the system has recognized a person, but he is prohibited from entering the premises at a certain time, the system must deny him access. The locking function is performed by the actuator. If we are talking about ACS, then this can be a banal lock (electromagnetic, electromechanical, electromotor, electric latch, digital cylinder, etc.), electric gates, wicket gates, elevators, turnstiles, intercom systems, smart home systems, alarms, safes, etc.In some cases, biometrics can be used as a purely logical tool, for example, when recording working hours (although without the implementation of access restrictions, this process depends on the human factor). Employees simply mark their arrival; no physical actions occur. The executive mechanism is simply not present in the system. At the stage of discussing the project with the customer, competent managers should warn him that such solutions deprive him of one of the main advantages of biometrics — the individuality of the identifier in the service of the ACS. After all, an employee who went out on personal business during working hours may not check in at the terminal. To summarize, biometric systems can be called keys.
STEREOTYPE VI — BIOMETRICS CAN ONLY BE USED AT INDUSTRIAL OR MILITARY SITES
Modern systems are so diverse that they can meet the needs of both ordinary people in the private sector and large industries and corporations. Biometric access control and management systems are now installed in schools, universities, industrial buildings, financial institutions — wherever a high level of security and good functionality are required. Moderate cost of systems, their technical parameters, hardware solutions coupled with new methods of data processing and output allow them to be used in medium and small offices. The question is in choosing an identifier.
If the client is a private individual, he/she is unlikely to find the retinal recognition technology convenient, and if there is a risk of heavy hand contamination at the enterprise, then not all fingerprint identification technologies can be used, and hand geometry recognition is quite appropriate. At the moment, the most common technology is based on fingerprinting. It occupies about 60% of the biometric market, and this is absolutely fair. Next comes the “face recognition” technology. Its share, although significantly smaller, will grow.
STEREOTYPE VII – ON THE COMPATIBILITY OF BIOMETRIC SYSTEMS WITH HARDWARE FROM OTHER MANUFACTURERS
Despite the fact that different manufacturers use different protocols for data transmission, it is possible to convert a signal from your protocol to a more common one. And all the necessary information will allow the biometric ACS to be part of, for example, an existing «card» ACS. Approximately the same can be said about the output of information. Now there are no problems integrating one program into another.
And let's not forget about the main and undeniable advantage of biometric ACS — a personal unique identifier that cannot be transferred, stolen, lost or forgotten. This is the fundamental difference between such systems and the usual smart, Proximity cards, keys and passwords. Of course, it will take some time before biometrics becomes commonplace. But the trends of recent years confirm that this is a matter of the near future.
_______________________________
Konstantin Novikov,
Commercial Director of the company
“EkeyRus Biometric Systems”