This is the year for biometrics, but that been the mantra for a decade or more.
It’s obvious to many security professionals that biometrics is on a new, higher level of technology tools, if only for special applications or locations, at least today.
You can credit Juan Vucetich, back in 1891, who kicked off personal identifiers – the heart of biometrics – by being first to catalog fingerprints. Since then, and mostly thanks to computers and video, along came palm veins, face recognition, voice, palm print, hand geometry, iris recognition and retina scans, to name the most used. There are the odd, developing or impractical approaches ranging from behavior – personalized keyboard patterns and gain analysis – to body odor. The ultimate? DNA, the most accurate identifier; but staff cheek swabs seem a bit much for staff enrollment and processing takes time and effort.
However, what makes biometrics more attractive today is what made security video move from the expensive and big-sized tube cameras to cheaper CCD and CMOS chips in smaller camera packages. It’s called consumer impact – the camcorder as a security video example – on cost, size and accelerating advances.
Media Makes It Attractive
On the biometrics side, movies (James Bond, for example), television programs (“CSI” or “NCIS”), but most importantly consumer use ranging banking transactions to iPhone access, are making biometrics less intrusive and more accepted.
And more focused for optimum use based on location, user and sensitives.
For example, it turned out to be a perfect fit, according to Devon Streed, security department head for PacifiCorp, one of the American West’s leading utilities, serving approximately 1.8 million customers in six states. The “It” is a unique biometric authentication engine that can perform full ID verification without use of batteries or fixed power supply.
A subsidiary of Berkshire Hathaway Energy, PacifiCorp consists of three business units: Pacific Power, which delivers electricity to customers in Oregon, Washington and California; Rocky Mountain Power, which delivers electricity to customers in Utah, Wyoming and Idaho; and PacifiCorp Transmission.Streed covers all three units.
Critical Infrastructure Needs
The company has a crucial mission; it is one of 14 sectors identified as “critical infrastructure,” a term used to describe assets that are essential for the functioning of a society and economy. For example, the not-for-profit NERC – the North American Electric Reliability Corporation – develops and enforces reliability standards including Critical Infrastructure Protection (CIP) reliability standards, among its duties and they are one focus of companies such as PacifiCorp.
Streed, PacifiCorp’s physical security and CIP subject matter expert, has developed and implemented many physical security programs, sharing his expertise with colleagues through speaking engagements such as his recent talk on “Cyber Security — Physical Security of Critical Cyber Assets.”
It’s obvious that the PacifiCorp manager must, as part of his job, assess security technologies. “One thing that I keep in mind, whatever is evaluated should protect against the broadest range of threats,” he points out.
So when gauging various biometrics approaches, what attracted him to a “perfect fit” solution? “That there is two-factor authentication” (identification of users by means of the combination of two different components) and “compatibility with our existing access controls. There’s no need to change out the infrastructure,” says Streed. His pick? Zwipe ID, a card with fingerprint authentication capabilities for physical global access control with the same format as a standard card. The card was launched at ISC West 2016. “Authentication is on the card itself” and fingerprint is the simplest of the myriad biometrics out there, he adds.
Anywhere Fingerprint Enrollment
Among other business advantages, according to Streed: “If there ever is an issue with a card, it affects just one person. There is also redundancy and resilience.” Enrollment with cards is simple, he contends. While employees need to come to a badging station at first, they can fingerprint enroll from anywhere.
Not everyone at PacifiCorp needs or issued the biometrics-enabled card. Streed explains, “We divide access into different categories” with those requiring one are issued the unique credential. “We use biometrics to badge by people rather than location,” allowing a more secure and useful drill-down as compared traditional access control cards. “There is a learning curve,” but employees can practice at their desk.
Streed agrees that, most anywhere, there is initial reluctance to biometrics but fingerprint is perceived by many as less intrusive compared to others. “Technically we don’t store fingerprint images at all, even on the card. A digital hash based on a template is stored on the card, and fingerprints are only stored on fingers.” He points out, “That like every technology, it takes training, practice and acceptance from the workforce to be effective.”
With his Zwipe cards, Steed sums up that users authenticate themselves directly on the card without having to add biometric readers to an existing contactless access control system. The technology supports 125 KHz and 13.56 MHz proximity, enabling fingerprint authentication within existing
proximity-based environment.
More enterprise security professionals, law enforcement and businesses are jumping on the biometrics bandwagon, whether for physical, computer or transaction security or, on the other hand, for convenience.
Call Them Identity-Based Solutions
A growing number of enterprise security executives and systems integrators see a wider biometrics tent, called by some identity-based solutions that streamline and safeguard access to facilities, networks and the cloud for employees and other authorized users. When it comes to law enforcement and corrections, the technology better or faster identifies perpetrators, inmates or even traffic scofflaws.
And use is worldwide. For instance, earlier this year, researchers at the University of Electronic Science and Technology of China’s Police Equipment Joint Research Lab developed a police vehicle equipped with facial recognition that picks suspects out of a crowd. The SUV has a 360-degree rooftop camera that scans faces within a 197 foot radius. In the Abu Dhabi Police Department, its 250 patrol cars are also able to read faces at high speeds.
But there are biometrics downsides such as the perception of intrusiveness as well as a person’s desire to protect his or her privacy, however defined. And that’s in addition of such tech specs as accuracy, throughput and ease of enrollment. Then there’s the cost.
So it is natural for makers of biometrics-based solutions to believe that consumer acceptance and use will diminish worries of in security applications. And that’s what is happening.
The big doorway to acceptance of biometrics is the popularity of Apple’s Touch ID fingerprint sensor on the iPhone and iPad.
But the banking industry is one area of growing acceptance, too. Known for financial products and services to the military community and their families, USAA began offering facial and voice biometrics more than a year ago. Last year, banking giant Citi launched voice authentication for credit card holders with more than a quarter of million opting in. And last October, in collaboration with Diebold, Citi was said to be designing an iris-scanning ATM. At a financial professionals’ conference late last year, Wells Fargo showed off biometric authentication options aimed first at corporate customers. Their approach includes Eyeprint ID along with face and voice biometrics.
Like some big banks, Wells Fargo’s Commercial Electronic Office portal, which allows access to bank transactions, requires a user name and password as well as a token that includes an ID number that changes every 90 seconds. This year, the bank expects simplicity and security through its iOS-running mobile app with access by eyes, a combination of face and voice biometrics or through an old fashioned password. Showing the advantages of biometrics to C-suite executives will make them and their enterprise security executives more comfortable with the technology.
Heartbeat Away from Your Money
There’s even more “Buck Rogers” biometrics that banks now use or under development.
One example: In a pilot program, special sensors in branches or ATMs detect unusual heartbeats and body heat patterns that may indicate factors such as stress, fear, criminal intent or a person under unusual pressure.
The sports and entertainment sector is also starting to see value in biometrics. For example, Busch Stadium, where MLB’s St. Louis Cardinals play, now has iris recognition access control to the team’s clubhouse doors to identify players and staff. On the fan side of sports, San Francisco Giants at AT&T Park, Colorado Rockies’ Coors Field and Yankee Stadium use biometrics to allow fans to bypass security lines by scanning their fingerprint.
Colleges and universities are getting cozy with biometrics, too.
For instance, Georgia Southern University uses iris recognition for identification access to its campus recreational center as well as an opt-in at campus dining halls. And Virginia Commonwealth University uses iris recognition as part of its dining hall program.
Homeland security concerns make the case for biometrics. One area of contention centers on visitors to the United States. Chuck Schumer, the ranking Democrat in the U.S. Senate, points out that there is no process in place to match exits to entries by routinely collecting biometric information such as fingerprints, iris scans or photographs for facial recognition from people leaving the country. Many years ago, the 9/11 Commission recommended that the Department of Homeland Security complete an entrance and exit biometric system “as soon as possible.”
No doubt, nothing is perfect. Just late last year, hackers stole 5.6 million federal employees’ fingerprint images. According to government investigators, some biometrics-based security systems transfer images over a network and store them in databases, both potentially attack surfaces. Encryption can make that process more secure, but not totally.
Biometrics can also play a significant role in politically tangled challenges. Mobile DNA analyzers and iris recognition systems are among the tools under consideration or recently deployed to verify thousands of individuals escaping Bashar al-Assad’s Syrian regime and to keep out terrorists.
The Flipside of Biometrics
Advancing biometrics can be a two-way street. Especially in the brick-and-mortar retail sector and especially with facial recognition, the technology is not so much for identification but as a way to let retailers identify things like a customer’s age, gender and race while tracking emotions and gaze as a person moves through a store. In some applications, cameras and software can recognize specific people and cross-reference with other shopping data. Such solutions, of course, need not be as accurate as biometrics for security access, identity and authentication.
When it comes to online retail, where there are significant and growing sales, it is trickier but there are biometrics-based solutions. MasterCard Identity Check lets cardholders make online purchases. In an online podcast, Bob Reany, senior vice president of identity solutions at MasterCard, said, “The current implementation that was through the pilot had features of voice recognition, facial recognition, and accepting a fingerprint reader on a certified phone.” Coming down the MasterCard road is an authentication solution using wearable technology.
According to Tim Klabunde, director of solutions marketing for government at Entrust Datacard, identity comes first with identity-based solutions that streamline and safeguard access to facilities, networks and the cloud for employees and other authorized users. The bottom line, he says, are more secure transactions and trusted identities. There is need for closer association of a card to a person, he contends, with biometrics being a solid tool. His firm provides card-to-envelope solutions for high-volume card issuance, personalization and delivery systems.
Mobility and Biometrics
Mobile desktop access is another area of security concern that can be mitigated with biometrics, Klabunde says, adding that specific gateways will require a password and PIN or biometric, often multi-factor.
Such mobility lends itself to biometrics to gain entry to the device as well as use of the device to authenticate a person so he or she can gain entrance to a network or conclude a trusted transaction.
This is true of Millennials and, interesting enough, seniors. A recent study by Zogby Analytics found that 42 percent of Millennials make decisions on where to spend money or switching workplaces based on what organizations allow them to accomplish with a mobile device. For seniors, research by banks has determined that many prefer biometrics instead of remembering and using a password and PIN.
Based on the survey, Mitek says that mobile is set to become the primary avenue for account registration, overtaking the desktop route. Mobile biometric authentication will see mass adoption, with the technology being used for half of all mobile transactions, thanks in part to Apple’s Touch ID by establishing fingerprint scanners as a standard feature on high-end smartphones, for some, shifting to eye-based biometrics authentication, thanks to front and back viewing smartphone cameras.
ABI Research, specializing in transformative technology and innovation market intelligence, forecasts very strong growth of biometrics overall. The global biometrics market will reach more than $30 billion by 2021, marking an impressive 118-percent increase from 2015.
Earphones On; Doors Open
Tokyo-based NEC Corporation, working Nagaoka University of Technology, discovered that the shape of a person’s earhole could be another biometric tool. It produces a unique sound echo with an earpiece containing a speaker and microphone.
When physical or computer/network access is requested, several hundred milliseconds of audio signals go into the ear via the speaker part of the headphone. Travelling though the external auditory canal, eardrum, middle ear and internal ear, the microphone registers the reflected audio signals, which are unique. If the two match, which takes less than a second to determine, then the person wearing the earphone is verified.
NEC has been quoted that it intends to offer the ear biometric commercially in 2018 with access control as an initial focus.