How to Use Biometrics in Logical Access Entry
Biometrics is another security technology used to confirm the identity of an individual. The tools involved do this by taking a snapshot either of one of your physiological traits (such as capturing an image of a fingerprint, an iris or your face) or of a behavioral trait (such as the way you sign your signature or the way in which you type on a computer keyboard).
It is important to note that these snapshots are also technically referred to as “raw images.”
The Identification Process
First, an individual must have an enrollment template taken by the appropriate biometric device. To make the template, the unique features are extracted from the raw image and converted into a mathematical file.
Let’s take the example of fingerprint recognition. After the raw image of the fingerprint is actually captured, it is then closely examined by the system to extract the unique features. This would include such items as the breaks, deltas and bifurcations that are found in the ridges, whorls and valleys of the fingerprint. An example of this is illustrated below:
Once these have been identified by the fingerprint recognition system, these unique features are then converted into a binary mathematical file:
Contrary to popular belief, it is not the actual raw image that is stored in the database. Rather, it is the above mathematical file. This now becomes specifically known as the enrollment template and is stored permanently in the database of the fingerprint recognition system.
In order to confirm the identity of the individual, he or she then must go through this entire process all over again and have what is known as a verification template created.
Once the latter has been created, both the enrollment template and the verification template are then compared to determine the degree of statistical correlation. If the two templates are deemed to be statistically close to one another, the identity of the individual is then confirmed by the fingerprint recognition system.
However, if the degree of statistical correlation between the two templates is not deemed to be close enough, then the identity of the individual cannot be confirmed by the fingerprint recognition system and he or she must go through this entire process again. If the identity still cannot be confirmed after that retry, then another identity mechanism must be utilized.
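The enrollment / verification flow described above, as an added illustration (this is example code written for this article, not any vendor's fingerprint algorithm): the "minutiae" are constructed sample points, the template is a small binary record built from them (the raw image is never stored), the match score is a simple tolerance-based count of corresponding minutiae, and the confirmation step applies a threshold, allows one retry, and otherwise falls back to another identity mechanism. The tolerances, threshold and attempt limit are assumed values for the example.

```python
import math
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Minutia:
    """One extracted ridge feature (constructed; a real extractor reports more)."""
    x: float       # position in the image, pixels
    y: float
    angle: float   # ridge direction, degrees
    kind: int      # 0 = ridge ending (break), 1 = bifurcation


RECORD = "<fffB"  # binary layout of one minutia in the stored template


def build_template(minutiae):
    """Enrollment step: the extracted features become a binary record.
    Only this record is kept; the raw image itself is discarded."""
    payload = b"".join(struct.pack(RECORD, m.x, m.y, m.angle, m.kind) for m in minutiae)
    return struct.pack("<H", len(minutiae)) + payload


def parse_template(blob):
    """Inverse of build_template: decode the stored record back into features."""
    (count,) = struct.unpack_from("<H", blob, 0)
    size, offset, out = struct.calcsize(RECORD), 2, []
    for _ in range(count):
        x, y, angle, kind = struct.unpack_from(RECORD, blob, offset)
        out.append(Minutia(x, y, angle, kind))
        offset += size
    return out


def _angle_diff(a, b):
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def match_score(enroll_blob, verify_blob, pos_tol=6.0, angle_tol=20.0):
    """Degree of correlation between the two templates: the fraction of enrolled
    minutiae that have a same-kind counterpart in the verification template within
    position and angle tolerance. Each verification minutia may be claimed once."""
    enrolled, candidates = parse_template(enroll_blob), parse_template(verify_blob)
    if not enrolled:
        return 0.0
    used, hits = set(), 0
    for e in enrolled:
        for i, v in enumerate(candidates):
            if i in used or v.kind != e.kind:
                continue
            if math.hypot(e.x - v.x, e.y - v.y) <= pos_tol and _angle_diff(e.angle, v.angle) <= angle_tol:
                used.add(i)
                hits += 1
                break
    return hits / len(enrolled)


def confirm_identity(enroll_blob, captures, threshold=0.75, max_attempts=2):
    """Compare successive verification templates against the enrollment template.
    Returns ('confirmed', attempt_no, score) on the first match at or above the
    threshold, or ('fallback', attempts_used, best_score) once the allowed attempts
    are exhausted and another identity mechanism must be used."""
    best = 0.0
    for attempt, blob in enumerate(captures[:max_attempts], start=1):
        score = match_score(enroll_blob, blob)
        best = max(best, score)
        if score >= threshold:
            return ("confirmed", attempt, score)
    return ("fallback", min(len(captures), max_attempts), best)


# Constructed sample data: the enrolled finger, a genuine re-capture with small
# sensor jitter, a different finger, and a smudged capture that missed half the features.
ENROLLED = [Minutia(10, 12, 30, 0), Minutia(40, 15, 95, 1), Minutia(22, 48, 180, 0),
            Minutia(55, 60, 270, 1), Minutia(70, 30, 45, 0), Minutia(35, 80, 120, 1)]
GENUINE = [Minutia(11, 13, 33, 0), Minutia(39, 16, 92, 1), Minutia(24, 47, 176, 0),
           Minutia(56, 62, 268, 1), Minutia(71, 29, 48, 0), Minutia(34, 81, 124, 1)]
IMPOSTOR = [Minutia(12, 14, 30, 1), Minutia(60, 20, 10, 0), Minutia(30, 40, 200, 1),
            Minutia(50, 70, 300, 0), Minutia(80, 80, 60, 0), Minutia(20, 90, 150, 1)]
SMUDGED = GENUINE[:3]

if __name__ == "__main__":
    stored = build_template(ENROLLED)
    print("genuine :", confirm_identity(stored, [build_template(SMUDGED), build_template(GENUINE)]))
    print("impostor:", confirm_identity(stored, [build_template(IMPOSTOR)] * 3))
```

The smudged first attempt scores below the threshold, the second genuine capture confirms; the impostor never gets close and the caller is told to fall back. In a production matcher the threshold is chosen from the measured false-accept and false-reject rates of the device rather than picked by hand as here.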
The Two Types of Accesses in Biometrics
In the world of biometrics, there are two types of access for which a biometric device, such as fingerprint recognition, would be used. These are physical access entry and logical access entry. With the former, one can do away completely with the traditional key in order to unlock a door.
For instance, in this scenario, the fingerprint recognition device is wired directly to an electromagnetic lock strike on the door. If the individual’s identity is confirmed via the process described in the last section, the lock strike releases and the door opens by itself. An example of this is illustrated below:
The second type of access is reviewed in the next section.
Logical Access Entry
In the world of cybersecurity today, one of the most sought-after prizes of the cyberattacker is the password. Once he or she has this in their possession, they can gain access to all sorts of banking and credit card account websites. As of late, there have been many problems with using passwords, and businesses and corporations are mandating that all employees, even those in upper management, create long and complex passwords that are difficult to crack.
Because many employees will probably not remember these passwords, they often write them down on a Post-It note and stick it to their workstation monitor. This has been appropriately called the “Post-It Syndrome.” As a result, password managers are now being used, but these software packages also have some security issues. Although they do store passwords quite securely, the caveat here is that in order to access the password manager, another password must be created, and this cannot be stored in the password manager itself. It is the responsibility of the employee to keep this master password safe.
The use of biometric technology is therefore now being seen as an alternative to the password in logical access scenarios: gaining access to shared resources on server network drives and to other kinds of sensitive information that reside in the business or corporation. In a literal sense, an individual’s fingerprint becomes their password. Instead of having to enter a password each and every time in order to reach the files and resources they need for their everyday job functions, just one swipe of the finger or even a quick scan of the iris will gain employees logical access entry.
The Biometric Devices Used in Logical Access Entry Applications
For logical access entry applications, there are two primary types of biometric modalities that are used: fingerprint recognition and iris recognition.
Both of these modalities can come either as standalone devices or embedded into the computer or wireless device itself. Standalone devices are small enough that they can literally sit on top of the server or to the side of it. They are connected via a simple USB connection.
It is important to note at this point that the use of biometrics as a means of logical access entry is also referred to as Single Sign-On solutions, or “SSOs” for short.
The glass that can be seen at the top of the device is actually the optical sensor. This is where the employee can place their fingerprint in order to have it scanned and to complete the identification process.
The employee will have to hold this device a few inches away from their eye. From there, the circular component (which is an actual camera) will take images of the iris and convert them over to the raw images so that the unique features can be collected. The unique features that are captured from the iris are the mathematical vector-based orientations of the furrows, freckles and other spots contained within it.
In terms of actually being embedded into a device, it is fingerprint recognition that is used the most. Probably the most popular example of this is the Touch ID system, which is already implemented into the iPhone.
The Use of Biometrics in Two-Factor Authentication (2FA)
As we have reviewed in this article, using biometrics (such as fingerprint recognition or iris recognition) is being viewed as the next, complete replacement for the use of passwords, at least when it comes to logical access-based applications. But it can also be used for the purposes of two-factor authentication, in which more than one credential is supplied in order to gain remote access to the corporate server. This is especially useful in the case of remote login sessions.
Typically, the credentials in these situations must fall into at least two of these categories:
- Something You Know
  - Password or a PIN number
  - A digital certificate
- Something You Have
  - A digital token (such as an RSA key fob)
  - A phone number
- Something You Are
  - In these instances, it would be either your iris template or fingerprint template.
For example, when an employee remotely logs into the corporate server from their laptop using a virtual private network (VPN), their first credential for secure access could be a PIN number or the RSA token. The second credential to be used could either be the iris or fingerprint recognition device, which is either plugged into the computer via a USB connection or is actually embedded into the computer itself. This is illustrated in the example below:
Also, if the employee wishes to use a secure file transfer program like PuTTY (which also supports Telnet), either iris recognition or fingerprint recognition can be used as a second or even a first means of remote authentication.
For example, the employee can log into their computer first with a fingerprint or iris scan, then launch the SSH or PuTTY program after they have been securely logged in. The private key used by the respective program is also unlocked using the end user’s biometric.
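The rule that the credentials must come from at least two distinct categories, applied to the VPN and SSH login scenarios above, as an added example (written for this article, not a vendor's or PuTTY's own code). It verifies each factor on its own: a salted PIN hash for "something you know", an HMAC-derived one-time code in the style of an RSA-type token for "something you have" (RFC 4226 truncation with a constructed seed and a counter in place of the clock), and a matcher score against a threshold for "something you are". Access is granted only when two different categories verify, so two credentials of the same kind, a stale token code or a weak biometric match are all refused. All secrets, seeds and scores are constructed sample values.

```python
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# --- Something you know: the PIN is stored only as a salted PBKDF2 hash (constructed record).
PIN_SALT = b"constructed-salt-for-example"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4921", PIN_SALT, 100_000)


def verify_pin(pin: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
    return hmac.compare_digest(candidate, PIN_HASH)   # constant-time comparison


# --- Something you have: a hardware token and the server share a seed; the token
# shows a six-digit code derived from the seed and a moving counter (HOTP-style).
TOKEN_SEED = b"constructed-token-seed"


def token_code(counter: int) -> str:
    mac = hmac.new(TOKEN_SEED, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def verify_token(code: str, counter: int) -> bool:
    return hmac.compare_digest(code, token_code(counter))


# --- Something you are: the biometric device returns a match score between the
# enrollment and verification templates; the assumed acceptance threshold is 0.75.
BIOMETRIC_THRESHOLD = 0.75


def verify_biometric(score: float) -> bool:
    return score >= BIOMETRIC_THRESHOLD


def evaluate_login(credentials, counter):
    """credentials: list of (Factor, value) pairs presented for the session.
    Returns (granted, verified_factors). Each credential is checked by its own
    verifier; access requires at least two *distinct* categories to verify."""
    verified = set()
    for factor, value in credentials:
        if factor is Factor.KNOW and verify_pin(value):
            verified.add(factor)
        elif factor is Factor.HAVE and verify_token(value, counter):
            verified.add(factor)
        elif factor is Factor.ARE and verify_biometric(value):
            verified.add(factor)
    return len(verified) >= 2, verified


if __name__ == "__main__":
    counter = 7   # stands in for the token's current time step
    print("PIN + fingerprint  :", evaluate_login([(Factor.KNOW, "4921"), (Factor.ARE, 0.92)], counter))
    print("token + iris       :", evaluate_login([(Factor.HAVE, token_code(counter)), (Factor.ARE, 0.88)], counter))
    print("PIN twice (1 class):", evaluate_login([(Factor.KNOW, "4921"), (Factor.KNOW, "4921")], counter))
    print("PIN + weak match   :", evaluate_login([(Factor.KNOW, "4921"), (Factor.ARE, 0.40)], counter))
```

The biometric branch takes the device's score rather than re-implementing the matcher, because in a deployment the comparison happens inside the reader or its driver; what the login policy owns is the threshold and the distinct-category rule.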
This article has reviewed how biometrics can be used for logical access entry applications, especially when it comes to remote logins. It should also be noted that biometrics (especially fingerprint recognition and iris recognition) will have great advantages over using passwords as the primary means for logical access. These include the following:
- Unlike a password, an iris or fingerprint simply cannot be stolen
- The administrative costs for establishing new passwords to replace old ones are quite high – as much as $350 per employee per year. With biometrics, this cost is totally eliminated
- There is no need to create long and complex passwords, thus convenience and versatility will be greatly improved. The end result is that employee frustration will be reduced
- Since everybody has a unique fingerprint or iris, they have a much lesser chance of being spoofed versus using a password. This guarantees, to a large extent, the true identity of the employee in question
- Using biometrics is highly scalable – you can add more devices as the security needs of the business or corporation grow into the future