Biometrics Pros and Cons For Electronic Access Control

By: Brian Rhodes, Published on Jun 26, 2017

Biometrics has long been sought as an alternative to cards, PINs and passwords and the security risks they carry. While biometrics has improved somewhat over the past decade and has some clear advantages, other problems and limitations remain. In this post, we compare the key pros and cons of biometrics.

The Pros

The advantages of biometrics have key value in some access applications. While manufacturer marketing often blurs the claims and overstates the advantages, biometrics can offer:

  • Credentials Always Available 
  • User Identity Verification
  • High Credential Validity
  • Tough Against Passback 

The Cons

On the other hand, there are operational weaknesses or risks that are not commonly realized before deployment. Some of those are:

  • User Unwillingness & Distrust
  • User Biometric Incompatibility
  • User Removal of Clothing
  • User Positioning
  • Injuries & Biometric Stability
  • Lengthy Authentication Cycletimes
  • No More Picture IDs
  • Myth: Biometrics Are Distinctive

Inside, we explain and examine each one.

Biometrics ** **** **** ************

*** ** *** ************ misconceptions **** ********** ** the ***** ****** ** technologies **** *** ********** assumed ** ****** *** same ******* ********* *** weaknesses.

** ***** *** **** common ********* **** ** our *********** *** ****** ******* ****, *** ***** ****** but ******** ************ *******:

  • **** ******: *** ***** layers ** **** **** a ******** ********* ** a ******* ****** ** fingers.
  • ******/ **** *****: ****** than **** *** ***** layers ** ****, ***** sensors ***** *** ***** layer ** *********** **** under ****** ** ****. These ***** ***** *** patterned ** * ****** way, *** *** ****** tissue ** **** ***** to ******* ****** ** contaminants.
  • ****/******: **** **** ** reader ***** ** ***** of *** ****** ** user ****. **** ****** and ******* *** ** used ** *********** ***********.
  • **** ***********: ****** ** image ** * **** and ********* *** **** and ********* ******* ****, nose, *****, *** ***** identifying ******** **** **** accuracy *** ********* ** becoming **** ******.

*** ***** *** * myriad ** ****** ****, but ***** '**** ******' biometric *****. *** ****, catch *** ******** ********** ****.

Biometric ********

** *** ******** *****, we **** * **** at **** ********** ** biometrics.  ***** ********** ******* and ******* *** ***** distinct **** ******** ** others, ********** ** * general ******* ***** **** or ******** *** **** of ***** ********** *****:

Credentials Always Available

**** **********, *** **** themselves *** *** **********, and ********** * *** or ****** * ***** is ****** *** * risk. ******* ************* ******** are ****** **** ** verify *****, ********* *********** are ********* **** ****** and ***** ******** ********** management ** *********** ***, cards, *** ***** **** can ** ********* ** forgotten. 

User Identity Verification

******* ***** ****** **** or **** *********** *** others ** ******, ********** are ****** ** ******* users *** ************ **********. Just ** ***** *** share ***** ** ****, they ****** **** ** fingerprints ** ******, ********** the ********** **** **** authorized ***** *** ******** an ****.

High Credential Validity

****** ****** ********** ***** vulnerable ** ******* ** spoofing ******* ****** (**** **** ****** ******* With **** $** *** 125kHz **** ******), ********** ********* ******** *** problem. ***** ******* **** the **** ***** ****** be **** ** **** biometrics:

***** '*******' *** ***-******* biometrics ****** *** ** vulnerable ** ***-***** ******, the ***** **** ** access ********* ****** *** or ******* ****** ** ******** ********* ********** ** ***** ********* technology **** ***.

Tough Against Passback

********** *********** ********* *** risk ** ********** ******* as ***** ****** ****** hand *** ***** ********* identifiers ** ******* ** coworkers. ** ******* ** our *** ******** ******* ****, *** ******* ** not ****** ****** **** other ********** ******* *** often ******** ******** ****** configuration ** ****. ********** often *** **** ********* to ********* *** *** less ******* ** *********.

Biometric **********

*******, ***** ********** *** solve **** ********, **** amplify ** ****** ******. In *** ******** *****, we ****** ***** ****** issues **** *** ** showstopping ******** ** *** recognized **********:

User Unwillingness & Distrust

*** *** ***** *** comfortable *** ******* ** have ********* ****** **** as **************.  * ****** of ********, *********, *********, or ******* **** ** trust ** *** ********** agency ** ********** ** use *** ******* ********* information *** ** * factor. 

********* ** '*** **********' in ********** *** ** identify ******** ** *** common ****** ** ****** that ***** ******* **** private ******* ** ****. The ***** ***** ** from ******* ******** ** *******:

User Biometric Incompatibility

***** ******, *** *** users *** ****** ******* or **** ************ ******** of *** ******** ********* trait **** ** ****** identity.  **** ***** *** lack *** ******** ******* outright, ***** ****** *** experience * '*********' **** of ******* *** ** injury ** *********. **** a ********* ** ****** as ************ ****** **** all ***** **** *******, healthy ******* ** ************ on, *** ***** ******* of *********** **** ** provided ***  **** **** do ***.  **** ********* results ** ***** ******** credential ******* **********. 

User Removal of Clothing

******* *** ********* *** biometrics ** *** ********** the *********** ** ******** they *** **** **** experience ** **** ********* in *** ********* ***** being ********. **** ** often *** *** ****, as ********* ** ****** as ***** ******* ****** in **** ******* *** be * ***** ****** to ****** *** ************, or ********** *** ****/****** scanners, ** **** ** rain, *** ** **.

User Positioning

*** *** ********** *** suitable *** *** ** every *********, *** *** often **** ******** **** 'traditional' ****, *****, ** PINs. *** *******, ******* fingerprints ***** ***** *** seated ** ******** ** highly *********** *** ** the ******** ******** *** hand *********** ******, ***** simply ******** * *********** card ** **** ******.

********* ************** ****, *** *** Access ******* *** ** ********* ** adapt *** *** *****, especially ***** *** **** mobility ** ********** ******.

Injuries & Biometric Stability

******* ******* ** * biometric ***** *** ** shortsighted *** ******** *******, when ************* ******* *** to ***** ** ****** are ******. *** *******, collagen ********** *** ******* degrade **** ****, ** even '******' ******** **** fingerprints ****** **** *** course ** *****, *** sometimes **** ********* ** become ********** ** ****. Other ******* **** *** mobility, **** ********, ** even ****** ********** *** change **** ****.  **** enrollment ** ********* ******** is ***** * *********, if *** ******, ****.

Lengthy Authentication Cycletimes

***** ****** * ***** or ******** ** * PIN *** **** *******, properly *********** * ********* can **** **** ******, even * ****** ** longer ** ******* *** needed.  *** ****-****** *********, multiple **** ****** ******** can ****** ******** ** users *** ****, *** a ********* ****** **** fingerprints *** ****** * fraction ** *** ****** total ** ***** **** must ******* * ******** digit ** * ******** way ***** ****.

No More Picture IDs

*******, *** ****** *** typically ******** ** ***** other ** ******* *** given ** ** ******** biometrics. ***** **** ***** picture ** ******** *** often ******* ** *** same **** ** * contactless **** *** **** subsequently ******* ****** **** necks ** ******** *** quick ****** **************, **** media ** ********* **** adopting ********** *** **** be *********** ********.

Myth: Biometrics Are Distinctive

*** ** *** ******* errors ***** **** **** adopting ********** ** ******** all ***** **** ** enrolled ******** *** ** one **** ** ******** for ******* ****. **** often ******* ** ********* surprises, ******* *** ********* is **** ** '******' as *** ****** ** sampling ****** ********* *** used.

*** *******, ***** * fingerprint ** **** *** indeed ** ******, ** make **** ****** ** more **** ******** ****** before ** ** ********** as '********' ** * database. ***** ***** *** have ******* ********* **********, with *** **** ******** between ******** ** ******* (but *** *****) ******** traits, ********** ** ***** user *********.

** **** *****, *** 'confidence ********' ** ******* biometric ******** ** ****** requires *********** *** ****** or ****** ** ***** more **** ********** ****.  The ********* **** **** can ******* ****** **** efficiency *** **** **** user ******* ******* ******* an *******, *** **** gather **** *********** ***** the ****, ********** *** 'distinctiveness' ** *** ********* credential.

Comments (11)

We have a few customers that use biometrics but most of them don't. Two reasons typically are cost of the system for biometrics depending on the solution and also the inconvenience. Typically we only suggest for high secure areas like server rooms and pharmacies. One solution we have deployed that works flawlessly though is StoneLock. Although it is fairly expensive per door it works really well. The enrollment time is less than 30 seconds and their rejection rate is almost non-existent and you don't have to put your finger or palm on a device. 

Biometrics are a very long .... but very static password that you either leave behind on coffee cups or have on full display almost all the time. At best it is "something you are". Good security will want you to add "Something you know" and "Something you have".

Have a great day.

 

I followed the link above on Fingerprints for Access Control and the issue of unreadable prints is mentioned but some negative considerations need to be spoken to a bit more.

 

I have experience working for an AFIS (Automated Fingerprint Identification System) provider, capturing fingerprints electronically for submission to an identification authority.

Big issue is that globally anywhere from 2 to 5 % of your population have fingerprints that are highly difficult to scan.

Factors are:

Age - Older population the ridges are no longer as pronounced as they used to be.  In Florida for example, persons wishing to volunteer to work with children must pass a background identification check including prints.  Having a fairly large base of retired persons who are eager to volunteer their time, when it comes to electronically capturing the fingerprints the yield of successful captures is quite low.  One of the tricks of the trade is to use "Huskers Oil" on the hands to help plump up the ridges, which helps but the yields are still low.

For this population segment the reject rate is quite high.

Occupation - Persons who work with their hands and handle coarse or caustic material will also have low read rates.

Included here are the individuals who do home improvement work and really rough up their hands.

Tellers - Secretaries - Accountants - persons handling money or paper frequently may also have unreadable prints.

Injury - Cuts - amputations - etc...

 

Point is, depending upon the mix of your population, using Fingerprints for a single factor identification may be quite challenging.

 

 

 

I'll state up front that I work for a biometric provider.

I'll also note that there certainly are some fingerprints that are difficult to read. For example, years ago I attended an IAI presentation by Gary Bender in which he noted a technical challenge that one provider faced: the fingerprint readers were located near the doors of grocery stores in the Midwest, and the people who used the service tended to be older. The combination of cold temperatures and elderly fingerprints made reading particularly difficult. And in this case, unlike a background check, the fingerprints were being captured on a regular basis. Technology has improved since then, but you're never going to get 100.00000% capture rates.

One potential solution (among several) to the issue of unusable fingerprints is to capture multiple biometrics - if there is difficulty in capturing one biometric, another may be used. Of course, that increases the cost of the system.

(snarky quick version)

A biometrics system that turns around and spits out a 26 bit Wiegand value into a panel is not necessarily secure.  It can be spoofed. The biometrics subsystem likely has a cloned, out of date, poorly secured copy of your cardholder database.  Integration with your PACS is probably janky and rev-locks you 1-3 versions back.

(longer convergence engineering version)

Embarrassing questions for biometrics vendors:

Can they answer the "tell me about your science" question?

Is their copy of the cardholder data secured?

Is the interaction with the network secured? (Usually there's an Ethernet cable along with the janky 26 bit Wiegand wire.)

Can your PACS handle multiple vendors and/or multiple technologies?

Do they use (do they even know of) relevant standards?  See if they know what CBEFF is.  Or OSDP biometrics.  Or Mifare Plus/DESFire.

Do they have any collateral credential format limitations (like the units that require an integrated card reader and only do Prox...)?

I am looking for a biometric reader which is not connected to the network, for network security reasons. 

Happy to get some recommendations.

Hello Gabriel:

Can the reader be temporarily networked during enrollment, but not operation? (The majority of time?)  The reason I bring this up is because when a new user is enrolled, pushing the new template to all readers is easier/quicker than enrolling in each reader separately.

For the question, there are many examples of readers that operate in 'standalone' (not networked) mode.  Brands like ZKAccess/ZKTeco, Suprema, or Morpho all have units that do not need to be ethernet networked to operate, and can connect to a standard access control system controller via Wiegand, or in some cases OSDP.

Take a look if those help.  If you have other questions, please ask!

Hi Brian, 

Thanks for the info. 

The reader will be placed quite far from the enrollment center, so enrolling at the reader itself is not an option, but I still can't use network connectivity.

Is there another solution? What about storing the template at the card side?

Got it.  The common method/term used when storing the template on the card is called 'verification mode', or 1:1 or similar.

This mode essentially stores the biometric template on the smartcard (iClass or similar), and when the card is scanned, the biometric template is transferred to the reader along with the card number details.

In order for the card number details to be sent by the reader to the system, the biometric (fingerprint) scan has to match the template stored on the card.  If the reader cannot verify the user as the one the card issued to, the reader does not send card details and the door remains locked.

I'll need to investigate specific models that support this type of 'verification mode'; some store it in the reader first, but it is not difficult to find and is relatively common.

The main difference here is that it requires all users to carry and scan a card first, which is not needed if biometrics are used as a primary credential.

You might also find Zwipe's Fingerprint Card interesting, as it requires a valid fingerprint to activate the card, but is otherwise a standard card for a non-biometric access system.
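
The 26 bit Wiegand output raised in the comments above and the 'verification mode' gate described in this reply, as an added example (not code from IPVM, the commenters or any reader vendor): a decoder for the standard 26-bit layout, showing that the frame a panel receives holds only a facility code, a card number and two parity bits. Facility code 42, card number 12345 and the boolean match result are constructed values; the fingerprint matcher itself is assumed and not modelled.

```python
"""Decoder for the standard 26-bit Wiegand layout (added example).

Bit order as clocked out by the reader:
  bit 1       even parity over the first 12 data bits
  bits 2-9    facility code (8 bits)
  bits 10-25  card number (16 bits)
  bit 26      odd parity over the last 12 data bits
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int
    card_number: int


def encode(facility_code: int, card_number: int) -> str:
    """Build the 26-character bit string for a facility code / card number."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"
    even = data[:12].count("1") % 2        # makes bits 1-13 hold an even count of 1s
    odd = 1 - data[12:].count("1") % 2     # makes bits 14-26 hold an odd count of 1s
    return f"{even}{data}{odd}"


def decode(bits: str) -> Wiegand26:
    """Check length and both parity bits, then split the 24 data bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    # Everything the panel receives: two integers. No reader identity,
    # no nonce, no MAC, and no record that a biometric match happened.
    return Wiegand26(int(bits[1:9], 2), int(bits[9:25], 2))


def reader_output(template_matches: bool, facility_code: int,
                  card_number: int) -> Optional[str]:
    """1:1 verification mode: card details leave the reader only on a match.

    template_matches stands in for the reader's comparison of the live scan
    against the template read from the card (assumed, not modelled here).
    """
    return encode(facility_code, card_number) if template_matches else None


if __name__ == "__main__":
    frame = reader_output(True, 42, 12345)      # constructed sample values
    print(frame, decode(frame))
    print(reader_output(False, 42, 12345))      # no match: nothing is sent
```

The parity bits catch line noise only; they do not tell the panel which device produced the frame or that a fingerprint was checked, so the reader-to-panel wiring needs the same protection as the credential itself.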

We use 1:1 method for achieving better FRR, without storing the actual bio template on the card itself. 

If I understand correctly, the bio readers can read the template from the smartcard. If so, I believe that would be a good solution.

I'll check out Zwipe's card, that also could work.

To make this more complicated, it all has to be integrated to an AMAG system.

Thanks Brian! I'll update you.

 

Hello Gabriel,

In the case that you parameter the installation to be a 1:1 with AoC (Access on Card, fingerprint template and PAC data being stored on card) then you do not need the Biometric readers connected to TCP/IP.

This can be done with fingerprint (because templates are not big but accurate 300~384 bytes). That's impossible with Face and difficult with Iris because you need more information in order to really differentiate users.

Cards that can accept to store fingerprint information are from less to more secured:

- Mifare 1K, 4K

- Mifare Classic

- HID iClass SE, Mifare DesFire EV1 (4k, 8K)

- HID Seos cards (with correct ADF structure), for example, Seos 8K + Prox = Part Number 5106RGGMNM-ES (where ES means it's ready for Biometrics)

 

Below pic is taken from an old presentation that I did in 2015 (not updated but still valid)
