Biometric technology: It knows who you are
Hand, face, signature recognition systems are as simple to use as they are to install.
As government, public and private organizations search for more secure methods of controlling physical access, biometrics is receiving increased attention.
According to TMC Research (www .tmcnet.com), physical access control will reach annual revenues of $389 million by the end of 2004 and assume most of the biometric application market. While biometric technologies may seem like rocket science seen only in the movies, you may be surprised at just how simple these systems really are.
And simple to install, too. (See "Nothing James Bond-ish about biometric installation, [below].)
"There's a lot of hype and people tend to think that biometrics is James Bond, but it's really not wiz-bang technology," says Bill Spence, director of marketing, Recognition Systems, Inc. (www.recogsys.com). "Dealing with that perception is one of the biggest challenges in the biometric industry."
According to Spence, when it comes to physical access control, biometric technology is nothing more than another type of card reader. In the security industry, the three basic types of verification include something you know (like a password or PIN,) something you have (like an ID card or key), or something you are—a biometric.
Biometrics is the only verification type that cannot be borrowed, stolen, or forgotten, and forging one is virtually impossible. "The chance of getting past an ID card reader is 100%. If I take your card, I will get in," says Spence. "That's where we start to see the real value of biometrics."
Access control via hand scanning technology, referred to as hand geometry, measures characteristics such as the curves of the fingers, finger thickness and length, height and width of the hand, and distances between joints. "Just as people's brains distinguish facial characteristics to recognize a face, our [Recognition Systems] HandReaders recognize hands by their unique characteristics," explains Spence. "The system works simply by shining an infra-red light onto a reflective surface where the hand is placed and then capturing the reflected image of the hand silhouette."
In good hands
Hand geometry has been implemented for low, medium, and high-security access control, including nuclear power plants, airports, universities, and daycare facilities. Another common use of hand geometry is for time and attendance systems. According to Spence, the technology's accuracy and fast throughput (total time required to use the device) is ideal for larger numbers of people. "Some biometric technologies have a failure-to-enroll rate of up to 4%, which isn't a big problem if you only have 50 people using the system," explains Spence. "When you start talking about tens of thousands of people, you need a more reliable technology." According to Spence, hand scanning has a failure-to-enroll rate of only 1 in 10,000.
In every biometric application, a template or code is created based on an individual's unique biometric characteristics. The smaller the template, the easier to enroll large numbers of people, integrate the system with existing access control systems, and use smart cards where an embedded computer chip contains the template. "Hand geometry has one of the smallest templates in the industry with only 9 bytes, and that makes it ideal for storing on a smart card," says Spence. "With a smart card, your hand is matched to the template on the card. If someone gets your card, it doesn't matter because they don't have your hand."
Finger on a chip
Fingerprinting has been around for more than a century, and is widely used and accepted. Among a variety of fingerprint access control devices on the market is the AA battery-powered, all-in-one fingerprint door lock from Adome International (www.adome.net). "It's a very simple device that stores the enrolled fingerprint templates on a chip and connects to the door," says Robert Borden, IT director for Adome. "It's geared towards residential and small office environments." Adome also manufactures sophisticated devices for high-security applications.
Hand geometry is suitable for high numbers of people and often used for time and attendance in addition to access control. (Photo courtesy of Recognition Systems, Inc.)
Fingerprint scanning uses either optical methods or silicon sensors to extract a visual image. "Fingerprint scanning creates a digitized pattern by extracting minutiae points where the fingerprint ridges end and intersect," explains Frances Zalazny, director of communications with Minnesota-based Identix, Inc. (www.identix.com). "The accuracy of fingerprinting really depends on the environment you're dealing with. In a construction environment, you may not want to use fingerprinting because a lot of workers have worn fingerprints, and you may experience a higher failure-to-enroll."
According to Zalazny, optical fingerprint scanners are more durable and provide better image quality than silicon sensors. "With a silicon sensor, you're actually touching the sensor itself, so that in any high traffic area, silicon readers wear out quickly," says Zalazny. "With optical readers, a piece of glass separates the finger from the sensor."
As gruesome as the thought may be, one advantage of silicon readers is the ability to measure blood vessel movement to determine if a finger is a live finger. "Optical readers determine a live finger by looking to see if a fingerprint is a 100% match, because it's virtually impossible to place a finger down the same way every time," says Zalazny.
The eyes have it
Considered the most accurate biometric technology, iris recognition is especially suited for high-security locations, such as border crossings, airports, prisons, government agencies, and medical facilities. "The uniqueness of the iris is magnitudes better than that of fingerprints," says Dr. Jim Cambier, chief technology officer for Iridian Technologies (www.iridiantech.com). "The iris contains a lot of complex variables from person to person, even identical twins. Fingerprinting captures 60 to 80 points of minutiae as compared to iris recognition that looks at 247 different points."
Iris recognition has a typical false acceptance ratio lower than 1 in 1.2 million, so that the probability of false identification is virtually zero. The iris may be the colored circle of the eye, but in iris recognition, the color carries no significance. According to Cambier, a black and white picture is used to create the unique digital code of the iris.
"Glasses and most contact lenses do not affect iris recognition," he says . "The only time iris recognition might not work is when someone wears contact lenses with a printed pattern, has had a unique surgical procedure, or is born with Aniridia—an extremely rare condition of complete loss of the iris."
Many often confuse iris recognition with retinal scanning—a much more difficult process that involves analyzing the blood vessels at the back of the eye. "The retina is not easily measured, and users cannot wear glasses," explains Cambier. "Retinal scanning also requires close contact with the device, making it more invasive. Unlike an iris, a retina can change over time and it's affected by common diseases such as glaucoma."
Iridian supplies the image processing and ID software behind iris recognition, and they partner with several iris camera manufacturers, such as Panasonic (www.panasonic.com). The camera is an integral part of an iris recognition access control system, capturing an image of the eye using low-level infrared from as far away as 30 inches.
"The affordability of the system also has a lot to do with the camera, and as usual, you get what you pay for," says Cambier. "Lower-end cameras designed to work with a PC for network access might run about $200, while a sophisticated access control camera that mounts on the wall can range from $5,000 to $10,000."
At face value
Face recognition and behavioral technologies (voice authentication and signature verification, for example) are also gaining acceptance in the security industry. Mostly deployed for general surveillance in airports, casinos, and public arenas, facial recognition can be used with existing security video cameras.
"Facial recognition looks for features based on the bone structure, such as the eye sockets, cheek bones, chin, and mouth," says Zelazny of Identix. "Using an image of the face, these points are measured in relation to each other, and a mathematical code called a face print is created." The face print is compared with existing images, and the software measures how similar the images are to each other.
While some claim high accuracy rates with facial recognition, government studies have found false positives (wrongly matching people with existing photos) and false negatives (not finding people who actually exist in the database). Unlike hands, fingerprints, and irises, faces change over time. According to many industry professionals, it's possible for a facial recognition system to be fooled by hairstyle, facial hair, body weight, aging, or simple disguises. The casino industry, however, has capitalized on this technology to help catch repeat scam artists.
Millions of calls are made every day to access account information, which makes financial institutions a logical fit for voice authentication. "While we use it here at our headquarters for physical access control, voice recognition is suited more for call centers where it eliminates the need for the often-forgotten PIN or password," says Regina Shmidt, senior product marketing manager for Nuance (www.nuance.com). "The vocal cords, larynx, and mouth shape all work together to create an individual voice print."
Voice recognition has potential for growth because it can be used with existing technology, including plain old telephone systems, cell phones, and VoIP.
Signature verification not only takes into account what a signature looks like, but it analyzes the shape, speed, stroke, pressure, and timing during the act. According to Marc Gaudreau, Forensic Science Division, Canada Customs and Revenue Agency (www.cic.com), behavioral features of signing are virtually impossible to imitate. Although mostly used for computer security and increased document authorization, signature verification also has potential for growth because it is already a common method of identity verification and an accepted technology.
Everything in perspective
As interest in biometric access control grows, so do industry standards relating to file formats and interoperability with existing systems. The BioAPI Consortium (www.bioapi.org) was formed to develop a widely available and accepted application programming interface (API) that will serve for various biometric technologies.
Chosen as the file of choice, the Common Biometric Exchange File Format (CBEFF) describes how information is stored. A list of the many biometric products designed for BioAPI compliance is available from the consortium's Web site.
Each biometric has its application based on cost, demographics, and the surrounding environment. As the shift toward higher security has most people realizing that typical ID cards are no longer sufficient, biometric access control will become more widely accepted.
"We often put technology up on a pedestal, and it's important to keep everything in perspective," says Spence. "When people are hesitant to touch a biometric access control device, I just say to them, 'It's a funny looking doorknob isn't it?'
Betsy Ziobron is a freelance writer covering the cabling industry, and a regular contributor to Cabling Installation & Maintenance. She can be reached at: email@example.com
Nothing James Bond-ish about biometric installation
Most biometric companies that are in the access control market have taken the time to adopt the existing infrastructures and standards of the access control and IT world. Almost every biometric access control device offers standard Weigand and RS-485 input/output connections, and many also have RS-232, RS-422, and Ethernet ports. As the defacto standard for the access control industry, the Weigand data format is the typical interface used to support communications between readers and control panels.
"When we first came out with our HandReader back in the early 1990s, we had a Weigand-compatible output," says Bill Spence, director of marketing for Recognition Systems. "That really helped propel our devices in the access control market at a more rapid pace than typically seen with biometrics."
While central access control panels are often managed via TCP/IP connections, biometric access control devices are frequently daisy-chained together with a typical RS-485 twisted-pair wiring scheme. According to Spence, installing a biometric access control system is not a difficult task—no different than installing any access control system. "The science is in the software, not in the installation. I see your typical security installer, locksmiths, and even end users installing them," says Spence. "But when installing these systems, it's important to establish a good common earth ground. For sensors that are exposed and touched several times a day, ESD can ruin them."—BZ