Security integrators looking to specify access control authentication systems with elevated levels of security, as well as the safety of low touch, are going to think about biometrics, as well as understanding user feelings around the technology.
In spite of the power of biometrics, not only to enhance the security levels of authentication, but to reduce cost of ownership and streamline system management, there can be pushback against the technology if privacy is seen to be threatened.
The situation is a curious one given so many consumers cheerfully use face recognition in personal devices which are managed by a handful of huge technology companies whose privacy and business practises are utterly opaque.
At the same time, the latest biometric solutions exist at the edge, avoiding storing biometric data where it’s accessible, and often employ the biometric in smart personal devices to add a level of comfort to more or less uneducated users.
According to Gallagher’s Steve Bell, biometrics do have a future in smaller applications, giving high security authentication to low-cost solutions and he argues there are ways to make users more comfortable with the technology.
“Touch biometrics are great on personalised devices such as phones, tablets, and laptops,” he says. “They can also be accepted in domestic situations where there are small groups of people.
“One area of biometrics that makes people uncomfortable is the fact that a person’s biometric is part of their personal data (PII – Personally Identifiable Information). The feeling that some other party is holding this information or has access to it can cause discomfort.”
Bell explains that there are different architectures to the implementation of biometric systems, and each has a differing level of PII that is being held in business databases.
“Firstly, you can have biometric templates on a chip that people carry with them, for example, a smart card, smart phone, or passport,” he says. “Transactions in this architecture are inherently two-factor (something they have, plus something they are). There is an extra inconvenience of accessing the smart card, phone, or passport that prevents fast access.
“In some situations, with this architecture the issuer of the authenticator may also hold the biometric template in their database, as well as issuing it to the chip. In general, this architecture will allow the person to have the most control over their biometric PII.
“Secondly, some vendors of biometric solutions use an architecture where the biometric PII is stored in a central database and the edge device that captures the biometric at time of authentication will securely send the biometric to the central server for identification and authentication decision. These solutions are great when there is a very large population of people to be authenticated.
“Lastly, you have edge-based access decisions where fast throughput can be obtained on a reasonable sized database in the realms of tens of thousands of people with the latest generation of edge based biometric readers. In this situation, the central database will store the biometric PII and distribute a template that prevents somebody who steals it from identifying any users.”
According to Bell, through Gallagher’s integration with IDEMIA biometrics, the company implements an edge-based access decision architecture that securely manages the downloading of templates to the edge-based readers.
“We also implement template on card with most of our IDEMIA integration solutions, should customers prefer the biometric PII wasn’t stored centrally,” he says.
Nirovision’s Jason Allen says that comfort levels with biometrics revolve around the transparency of data handling.
“When it comes to facial recognition technology, organisations have found that being transparent about how data is proposed to be used is a crucial step towards community acceptance,” he explains. “There are useful resources online that may help integrators manage user worries including this discussion of data partnership and this analysis of face recognition myths from the SIA.
“This has been our experience too. If you clearly explain the reasons for using facial recognition, where data will be stored and what safeguards will be taken to protect that information, then people are more inclined to accept the technology.
“It’s also important to know the origin of the algorithms in use as a lot of products outsource the facial recognition component which means the core technology is not under the control of the enterprise that is selling you. It’s best to enquire if proprietary tech is being used.”
#sen.news