Overview of the Last Article
Our last article examined another behavioral Biometric, known as Signature Recognition. This modality is very different from the others in the sense it has a legal aspect to it. This simply means that as the individual signs his or her name onto the writing tablet, the signature becomes legally binding, whether it is being used to authenticate business documents or to initiate an E-Commerce transaction.
The common belief amongst the public is that it is the actual signature image which is compared to confirm the identity of an individual. However, this is far from the reality of this modality. It is not the actual signature which is compared, but rather, it is the unique mannerisms in which a name is signed which is captured.
As a Biometric Modality, Signature Recognition does possess some key advantages. For example, it is very easy to use, has a very low cost of procurement and implementation, and it can be embedded very easily into legacy security systems as a Multimodal solution. But just like Keystroke Recognition, it too suffers from a lack of wide scale market adoption.
On this note, previous articles have touched upon some of the applications of Biometrics. We now examine these applications in much further detail.
The Applications of Biometrics
There are numerous applications for the use of Biometric Technology, but the most common ones are as follows:
- Logical Access Control;
- Physical Access Control;
- Time and Attendance;
- Law Enforcement;
Logical Access Control
This market application refers to gaining access to a computer network either at the place of the business or corporation or via a secured remote connection from a distant location.
The security tool that is most commonly the traditional username and password. Although this combination may have worked effectively in the past, it is now definitely showing signs of severe weaknesses, by being a primary target for Cyberattacks.
Usernames and passwords can be very easily compromised and hijacked via a Denial of Service or a dictionary style attack.
Because of the frequency of these types of attacks, many organizations are now requiring their employees to create long and complex passwords. They have to contain a combination of upper and lower case letters, punctuation marks, spaces, numerals, and other types of special characters.
Because these are so difficult to remember, employees are literally writing their newly created passwords on Post-It Notes and attaching it to their workstation monitor. This phenomenon has become known as the “Post It Syndrome.”
To combat this and the other security weaknesses posed by using passwords, the use of Biometric Technology has been called upon to replace it in its total entirety.
In this regard, the two modalities which are used the most are that of Fingerprint Recognition and Iris Recognition. With one swipe of the finger or one scan of the iris, the employee can be logged into their workstation within just one second.
Because of this “one scan” capability, these modalities have also become known as “Single Sign On Solutions.” These devices can be connected to the workstation via a USB connection, or the sensor can be embedded into the computer or wireless device itself.
An example of a Fingerprint Recognition SSO is illustrated below:
An example of an Iris Recognition SSO is also illustrated below:
The use of a Biometrics based SSO possesses key strategic advantages over the traditional password which are as follows:
- An individual can be logged into a network just a matter of two seconds or less, versus the number of minutes it can take with a password;
- An individual’s unique physiological or behavioral traits cannot be stolen or hijacked, unlike a password;
- The financial expenses of password resets can be as much as $300 per year per employee. By using an SSO, this burden is totally eliminated.
Physical Access Entry
Physical Access Entry refers to giving an employee of a business or a corporation access to a secure building, or even a secure office from within it. Traditionally, keys and badges have been used. However, the main problem is that these tools can be very easily stolen, lost, replicated, or even given to other employees who do not belong in those secure areas.
Smart Cards have been used to help alleviate these security weaknesses, but they too have their own set of limitations as well. Fingerprint Recognition and Hand Geometry Recognition are used in this application the most, along with Vein Pattern Recognition. In these instances, one of these Biometrics is hard wired to an electromagnetic lock strike.
Once the identity of an individual has been confirmed by either their fingerprint or through the shape of their hand, the lock strike will, within seconds, open the door to the secure area. The primary advantages of using Biometrics are as follows:
- No more lost, stolen, or fraudulent use of keys and ID badges;
- Only legitimate employees whose identity has been 100% confirmed will gain access to any secure areas for which he or she needs entry to.
In Physical Access Entry scenarios, the Fingerprint Recognition device or the Hand Geometry scanner can either operate either in a standalone or a client-server mode. The advantages of the latter are as follows:
- Greater Biometric Template storage capacity;
- Larger applications (such as physical access to multiple buildings and multiple doors) can be much better served;
- All of the Biometric information and data can be stored on a central server for the efficient processing of the Verification and/or Identification transactions;
- The Biometric modalities which are wired to each and every door in an organization can be centrally administered at the server level, without having to perform these same functions separately at each device.
Fingerprint Recognition devices and Hand Geometry scanners can also work together to create a Multimodal Biometric solution (either in a synchronous or an asynchronous format) and even operate with other non-Biometric security systems as well. In fact, Fingerprint Recognition devices can also be installed into a doorknob itself, thus alleviating the need for any electromagnetic lock strike. This type of example can be seen in the illustration below:
Time and Attendance
Businesses and corporations, at all levels of industry, served, have to keep track of the hours their employees have worked. However, using manual based methods (such as a time card or a spreadsheet) have proven not only to be a gigantic administrative headache, but there are also many security vulnerabilities associated with it as well, such as that of “Buddy Punching.”
This is where one employee fraudulently reports the time worked for another employee when they did not show up for their required work shift, and he or she still gets paid for it.
The use of Biometric Technology can play an integral role in Time and Attendance based applications, by combatting the weaknesses mentioned above. Just about any kind of modality can work in these situations, but it has been Hand Geometry Recognition and Fingerprint Recognition which have been used the most.
Vein Pattern Recognition and even Iris Recognition are starting to gain traction, because of their non-contactless nature. These technologies can once again operate in either a stand-alone or client-server mode, depending upon the specific requirements of the organization. But, it is the latter selection which offers the most advantages.
For example, there is centralized control and administrative functionality from within one location (namely the server), and all of the administrative tasks associated with processing payroll can be fully automated.
Also, all of the clock in and clock out times of each and every employee is electronically recorded, thus resolving any issues of the actual shift worked. As a result, the security threat posed by “Buddy Punching” is totally eliminated.
An example of a Fingerprint Recognition device being used in a Time and Attendance application can be seen below:
Law enforcement agencies across all levels of the Federal Government are also starting to use Biometric Technology to confirm the identity of any suspects or wanted felons. It has been traditionally Fingerprint Recognition which is the most widely used modality. Iris, Facial, and even Vein Pattern Recognition are starting to make their entrance into this market application, but they are being used as a supplement to Fingerprint Recognition.
The only way to truly identify the suspect is by taking their fingerprint and running that image through a massive database known as the “Automated Fingerprint Identification System,” or also known as “AFIS” for short.
This is a huge database repository that contains all of the fingerprint images of known suspects and criminals not just here in the United States, but worldwide as well. It is currently administered and maintained by the FBI.
To upgrade the current AFIS processes, a new database is known as the “Integrated Automated Fingerprint Identification System” (also known as the “IAFIS”) has been introduced. It possesses a number of key advantages over AFIS, which are as follows:
- The fingerprint images (as well as other metadata) on some 55 million plus suspects and criminals are now electronically connected to all of the law enforcement agencies in all fifty states and through INTERPOL.
- Results from criminal searches can be sent to the requesting law enforcement agency in less than 24 hours.
- Latent fingerprint images which are collected from a crime scene are also stored into IAFIS databases.
- Highly digitized criminal photographs are available immediately upon request, 24 X 7 X 365.
- The IAFIS databases also support remote connectivity. For example, law enforcement officers in the field can now connect to a specific database via a secured Wi-Fi connection from their handheld Fingerprint Recognition scanner.
The use of an IAFIS database can be seen below:
Ethical Hacking Training – Resources (InfoSec)
Surveillance is simply keeping tabs of a large group of people, and from there, determining any abnormal behavior from an established baseline. In this instance, it is Facial Recognition which is used the most, and in fact, is the most feared amongst the American public. The primary reason for this is that this modality can be secretly deployed into CCTV cameras, in order to positively identify any known criminals or suspects.
At the present time, there are five current Surveillance techniques which can be used:
The public, as well as businesses and corporations, know that they are being watched, whether it is directly disclosed or it is perceived. The primary goal of this type of surveillance is to prevent and discourage unlawful behavior in public settings.
Individuals and organizations have no knowledge whatsoever that they are being watched or even being recorded. This is where Facial Recognition is the most widely deployed.
Tracking individuals on a watch list:
The primary objective is to find an individual whose identity can be confirmed, but their whereabouts are completely unknown. A good example of this are the so-called terror watch lists used at the major international airports worldwide.
Tracking individuals for suspicious behavior:
The goal here is to question individuals whose behavior tends to be very erratic, abnormal, or totally out of the norm. This is considered to be a macro type of surveillance because the intention is to filter out the undesirable behavior of an unknown individual, or even a group of people.
Tracking individuals for suspicious types of activities:
With this, the CCTV camera (coupled with Facial Recognition technology) is looking out for suspicious activity either amongst an individual or group of people. In this fashion, the CCTV camera will capture the video of the suspicious behavior, and from there, it will be the Facial Recognition system which can then identify the individual(s) in question.
As these applications continue to grow regarding using Biometric technology, there will be one theme that will be prevalent. That is the movement towards using the non-contactless modalities. As it has been stated in this and previous articles, one of the key drivers for this trend is that of hygiene related issues.
Although there is no scientific proof of an end user actually contracting a serious illness, this fear is expected to persist well into the future.
As a result, it is forecasted that Vein Pattern Recognition and Facial Recognition will become the dominant technologies for the applications reviewed.
However, the latter will primarily serve the Surveillance based applications, and the former will be involved with all of the others, because of its versatility and low cost of deployment.
In the end, there are three levels of access control which must be met in order to fortify any type of application truly. These are as follows:
- What a person has (such as an ID Badge or a related Smart Card);
- What a person knows (such as a PIN Number or a password);
- What a person is (their unique physiological or behavioral traits).