Biometrics Pros and Cons For Electronic Access Control

Published Jun 26, 2017 16:13 PM

Biometrics has long been sought as an alternative to the security risks of cards, PINs and passwords. While biometrics has improved somewhat over the past decade and has some clear advantages, other problems or limitations remain. In this post, we compare the key pros and cons of biometrics.

The Pros

The advantages of biometrics have key value in some access applications. While manufacturer marketing often blurs the claims and overstates the advantages, biometrics can offer:

  • Credentials Always Available 
  • User Identity Verification
  • High Credential Validity
  • Tough Against Passback 

The Cons

On the other hand, there are operational weaknesses or risks that are not commonly realized before deployment. Some of those are:

  • User Unwillingness & Distrust
  • User Biometric Incompatibility
  • User Removal of Clothing
  • User Positioning
  • Injuries & Biometric Stability
  • Lengthy Authentication Cycle Times
  • No More Picture IDs
  • Myth: Biometrics Are Distinctive

Inside, we explain and examine each one.

Comments (11)
Shannon Davis
Jun 26, 2017
IPVMU Certified

We have a few customers that use biometrics but most of them don't. Two reasons typically are cost of the system for biometrics depending on the solution and also the inconvenience. Typically we only suggest for high secure areas like server rooms and pharmacies. One solution we have deployed that works flawlessly though is StoneLock. Although it is fairly expensive per door it works really well. The enrollment time is less than 30 seconds and their rejection rate is almost non-existent and you don't have to put your finger or palm on a device. 

Randy Lines
Jun 26, 2017

Biometrics are a very long .... but very static password that you either leave behind on coffee cups or have on full display almost all the time. At best it is "something you are". Good security will want you to add "Something you know" and "Something you have".

Have a great day.

 

Michael Strong
Jun 26, 2017

I followed the link above on Fingerprints for Access Control and the issue of unreadable prints is mentioned but some negative considerations need to be spoken to a bit more.

 

I have experience working for an AFIS (Automated Fingerprint Identification System) provider, capturing fingerprints electronically for submission to an identification authority.

Big issue is that globally anywhere from 2 to 5 % of your population have fingerprints that are highly difficult to scan.

Factors are:

Age - Older population the ridges are no longer as pronounced as they used to be.  In Florida for example, persons wishing to volunteer to work with children must pass a background identification check including prints.  Having a fairly large base of retired persons who are eager to volunteer their time, when it comes to electronically capturing the fingerprints the yield of successful captures is quite low.  One of the tricks of the trade is to use "Huskers Oil" on the hands to help plump up the ridges, which helps but the yields are still low.

For this population segment the reject rate is quite high.

Occupation - Persons who work with their hands and handle coarse or caustic material will also have low read rates.

Included here are the individuals who do home improvement work and really rough up their hands.

Tellers - Secretaries - Accountants - persons handling money or paper frequently may also have unreadable prints.

Injury - Cuts - amputations - etc...

 

Point is, depending upon the mix of your population, using Fingerprints for a single factor identification may be quite challenging.

John Bredehoft
Jun 29, 2017
Bredemarket / Incode Technologies

I'll state up front that I work for a biometric provider.

I'll also note that there certainly are some fingerprints that are difficult to read. For example, years ago I attended an IAI presentation by Gary Bender in which he noted a technical challenge that one provider faced: the fingerprint readers were located near the doors of grocery stores in the Midwest, and the people who used the service tended to be older. The combination of cold temperatures and elderly fingerprints made reading particularly difficult. And in this case, unlike a background check, the fingerprints were being captured on a regular basis. Technology has improved since then, but you're never going to get 100.00000% capture rates.

One potential solution (among several) to the issue of unusable fingerprints is to capture multiple biometrics - if there is difficulty in capturing one biometric, another may be used. Of course, that increases the cost of the system.

Undisclosed
Jun 26, 2017

(snarky quick version)

A biometrics system that turns around and spits out a 26 bit Wiegand value into a panel is not necessarily secure.  It can be spoofed. The biometrics subsystem likely has a cloned out of date poorly secured copy of your cardholder database.  Integration with your PACS is probably janky and rev-locks you 1-3 versions back.

(longer convergence engineering version)

Embarrassing questions for biometrics vendors:

Can they answer the "tell me about your science" question?

Is their copy of the cardholder data secured?

Is the interaction with the network secured (usually there's an ethernet cable along with the janky 26 bit Wiegand wire)?

Can your PACS handle multiple vendors and/or multiple technologies?

Do they use (do they even know of) relevant standards?  See if they know what CBEFF is.  Or OSDP biometrics.  Or Mifare Plus/DESFire.

Do they have any collateral credential format limitations (like the units that require an integrated card reader and only do Prox...)?

Gabriel Faincaig
Jun 27, 2017

I am looking for a biometric reader which is not connected to the network, for network security reasons. 

Happy to get some recommendations.

Brian Rhodes
Jun 27, 2017
IPVMU Certified

Hello Gabriel:

Can the reader be temporarily networked during enrollment, but not operation? (The majority of time?)  The reason I bring this up is because when a new user is enrolled, pushing the new template to all readers is easier/quicker than enrolling in each reader separately.

For the question, there are many examples of readers that operate in 'standalone' (not networked) mode.  Brands like ZKAccess/ZKTeco, Suprema, or Morpho all have units that do not need to be ethernet networked to operate, and can connect to a standard access control system controller via Wiegand, or in some cases OSDP.

Take a look if those help.  If you have other questions, please ask!

Gabriel Faincaig
Jun 27, 2017

Hi Brian, 

Thanks for the info. 

The reader will be placed quite far from the enrollment center, so enrolling at the reader itself is not an option, but I still can't use network connectivity.

Is there another solution? What about storing the template at the card side?

Brian Rhodes
Jun 27, 2017
IPVMU Certified

Got it.  The common method/term used when storing the template on the card is called 'verification mode', or 1:1 or similar.

This mode essentially stores the biometric template on the smartcard (iClass or similar), and when the card is scanned, the biometric template is transferred to the reader along with the card number details.

In order for the card number details to be sent by the reader to the system, the biometric (fingerprint) scan has to match the template stored on the card.  If the reader cannot verify the user as the one the card was issued to, the reader does not send card details and the door remains locked.

I'll need to investigate specific models that support this type of 'verification mode'; some store it in the reader first, but it is not difficult to find and is relatively common.

The main difference here is that it requires all users to carry and scan a card first, which is not needed if biometrics are used as a primary credential.

You might also find Zwipe's Fingerprint Card interesting, as it requires a valid fingerprint to activate the card, but is otherwise a standard card for a non-biometric access system.
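
The 'verification mode' flow described in the reply above, joined to the 26-bit Wiegand output raised earlier in the comments, as an added example that is not part of the original thread or any vendor's code. The byte-comparison matcher, the 0.9 threshold, the function names and the sample card are constructed assumptions; the frame layout is the standard 26-bit format (8-bit facility code, 16-bit card number, two parity bits).

```python
# Added illustration, not vendor code. The matcher, names and sample
# values are constructed assumptions; real matchers compare minutiae.

def wiegand26_encode(facility: int, card: int) -> str:
    """Reader side: standard 26-bit frame as a bit string."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("value does not fit the 26-bit format")
    data = f"{facility:08b}{card:016b}"        # 8-bit facility + 16-bit card number
    even = data[:12].count("1") % 2            # leading bit: even parity, first 12 data bits
    odd = 1 - data[12:].count("1") % 2         # trailing bit: odd parity, last 12 data bits
    return f"{even}{data}{odd}"


def wiegand26_decode(frame: str):
    """Panel side: return (facility, card), or None on a malformed frame."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        return None
    if frame[:13].count("1") % 2 != 0 or frame[13:].count("1") % 2 != 1:
        return None                            # parity error
    return int(frame[1:9], 2), int(frame[9:25], 2)


def match_score(stored: bytes, live: bytes) -> float:
    """Toy stand-in for a fingerprint matcher: fraction of identical bytes."""
    if not stored or len(stored) != len(live):
        return 0.0
    return sum(a == b for a, b in zip(stored, live)) / len(stored)


def reader_verify(card_record: dict, live: bytes, threshold: float = 0.9):
    """1:1 mode: compare the live scan with the template read from the card.
    Only on a match is the card number sent on; otherwise nothing is sent."""
    if match_score(card_record["template"], live) < threshold:
        return None                            # panel hears nothing, door stays locked
    return wiegand26_encode(card_record["facility"], card_record["card"])


# Constructed sample data: a 384-byte template stored on the card.
ENROLLED = bytes(range(32)) * 12
CARD = {"facility": 42, "card": 12345, "template": ENROLLED}
SAME_FINGER = ENROLLED[:370] + bytes(14)       # noisy re-scan, about 96% identical
OTHER_FINGER = bytes(reversed(ENROLLED))       # a different finger, 0% identical

if __name__ == "__main__":
    frame = reader_verify(CARD, SAME_FINGER)
    print("match    ->", frame, wiegand26_decode(frame))
    print("mismatch ->", reader_verify(CARD, OTHER_FINGER))
    # The panel cannot tell this frame from one sent by a plain card reader:
    print("same as plain card read:", frame == wiegand26_encode(42, 12345))
```

The decoded frame holds only the facility code and card number, so nothing the panel receives records that a fingerprint was checked, and the parity bits catch line errors only. Protecting the reader-to-panel link needs a protocol with authentication, such as OSDP with Secure Channel.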

Gabriel Faincaig
Jun 27, 2017

We use 1:1 method for achieving better FRR, without storing the actual bio template on the card itself. 

If I understand correctly, the bio readers can read the template from the smartcard. If so, I believe that would be a good solution.

I'll check out Zwipe's card, that also could work.

To make this more complicated, it all has to be integrated to an AMAG system.

Thanks Brian! I'll update you.

 

Baudouin Genouville
Sep 05, 2017
SUPREMA

Hello Gabriel,

In the case that you configure the installation to be 1:1 with AoC (Access on Card, fingerprint template and PAC data being stored on card), you do not need the biometric readers connected to TCP/IP.

This can be done with fingerprint (because templates are not big but accurate: 300~384 bytes). That's impossible with Face and difficult with Iris because you need more information in order to really differentiate users.

Cards that can store fingerprint information are, from less to more secure:

- Mifare 1K, 4K

- Mifare Classic

- HID iClass SE, Mifare DesFire EV1 (4k, 8K)

- HID Seos cards (with correct ADF structure), for example, Seos 8K + Prox = Part Number 5106RGGMNM-ES (where ES means it's ready for Biometrics)

 

Below pic is taken from an old presentation that I did in 2015 (not updated but still valid)