Is your facility’s physical security at risk for breaches? Maybe you’re fed up with lost keys, ID swapping and tailgating. Perhaps your risk profile has shifted and you need to restrict access in ways you never had to before. Consider biometrics if it’s time to beef up your credential system. You can add a higher level of authentication by requiring occupants to present their hand, fingerprints, face or eyes to gain entry.
Specify with Purpose
Security risks morph over time, requiring that you stay on top of threats your facility could experience. Adding biometrics should be driven by a verifiable security need. Companies that use one of these robust systems routinely cite concerns such as international and domestic terrorism, theft, data breaches, and occupant safety, says Paul Penzone, Managing Director of Operations and Program Development for ABM Security: “It comes down to protecting people, product, and property.”
Consider what goal or objective a biometric credential will satisfy for your building. Deploying this technology can improve security in numerous ways:
- Use identification that cannot be forgotten by the carrier
- Require a token that is expressly difficult to duplicate
- Eliminate manual badge checks
- Remove the possibility that a credential can be passed to another person
- Add a secondary level of identification
- Reduce costs associated with keys and cards
- Limit access to a select group of occupants or areas within your building
- Minimize your security risk profile
- Enhance corporate accountability
A biometric ID can also serve as a master credential. Consider that an average employee may be issued a key, a photo badge, a PIN code, and a smart card. A single occupant could have up to four methods to gain access, not including guards at any checkpoint.
“Biometrics provide an opportunity to standardize a credential methodology that spans multiple access systems,” says Sean Ahrens, Global Practice Leader for Security Consulting and Design Services with Aon Global Risk Consulting.
You also need to decide if your biometric system will verify or identify enrollees, Ahrens adds. A one-to-many match means that a presented credential will be compared to all of the other templates on file, essentially identifying the individual and giving them access according to the permissions associated with their profile. A one-to-one match will simply verify that the presented credential is confirmed for entry.
If you aren’t sure whether biometrics should be used for your entire population or a subset of employees, refer to your security risk assessment. You need to decide which threats your organization can tolerate and those that are necessary to address, says Penzone. Look for ways biometrics will minimize inherent risks as well as create efficiencies and cost savings.
Establishing the impact of adding biometrics will also help you justify the upfront expenditure required.
“Weigh the investment in this advanced form of security vs. the detriment of not having it,” advises Penzone. “Beyond the immediate impacts of an act of violence, how would an event affect your company’s bottom line in terms of reputation and long-term stability?”
As you forecast your budget, make note that any biometric option will need to be upgraded after five years, Penzone adds. Continual refinement of the technology will surpass previous systems in their matching capabilities within a matter of years.
Ensure Successful Enrollment
Biometrics can present a small learning or culture acceptance curve with employees. Many organizations select fingerprints because the public already has a basic understanding of how they work and has more confidence in its track record than other biometrics that have only recently been commercialized, notes Penzone.
Hand geometry may also be easier to transition to than others. People’s hands are readily visible at all times and this form of identification may be viewed as less intrusive than other forms. However, hand geometry doesn’t have the same degree of individuality as other biometrics – a person’s hand could swell from something as basic as retaining fluids after a salty meal or conditions such as arthritis or pregnancy, much less an injury, Penzone says. He suggests pairing hand geometry with another layer of verification such as a PIN pad, photo ID, or card reader. Ahrens adds that at the very least, have every individual enroll both hands so they can still have access if there are any minor changes.
Education and training remain your allies with deploying a new technology, particularly one that has some thorny privacy issues attached to it. You and your HR department will have to decide what to do if someone refuses outright to be enrolled, but generally a detailed briefing and documentation on how collected biometric data will be protected can go a long way to allay concerns. You should also let employees know about any differences they’ll notice between biometrics and your previous access control system, recommends Ahrens. For example, biometrics may cause momentary delays as it takes a few more seconds for confirmation.
Another factor to consider is how high you want to set the false acceptance/rejection metrics for your system, Ahrens notes. You actually have control over how sensitive the system is. For example, using fingerprint scanning at 100% matching would reject a person who has dirty fingers. You may not need verification to be quite as fine-tuned so a slightly lower percentage may be suitable. Too low, however, and in certain instances the system is at risk of verifying multiple people off of a single credential.
The effectiveness of matching can also be affected by environmental factors, adds Ahrens. Particularly if the system is located outside, its sensors can be vulnerable to moisture, debris and temperature fluctuations. The same is true for users who have job duties where their fingers or hands would be dirty on a regular basis, such as those in the contractor trades or who are based at an industrial facility or a high-security construction site. Make sure you thoroughly vet any biometric system, such as having a trial reader installed and testing it with a sample of your population.
Don’t forget that ADA applies to your access control system too, not just paths of egress. Most systems can recognize a person with a disability or medical condition that affects the given biometrics (like bulging eyes from Graves’ disease or congenital hand deformities). Only in highly specific instances would you need to find a biometric workaround (such as for someone with an artificial eye or prosthetic limb). However, many biometric systems require the individual to be scanned at a particular angle or height, Ahrens explains. For example, someone in a wheelchair is limited in how they approach a reader or they may be too low to reach it in the first place. Take precautions during installation to minimize accessibility issues.
You should also confer with your IT colleagues about how to securely connect the biometric reader. Some systems store templates locally within the reader while others must communicate with a server – both need data support. Particularly as the system is considered a point of presence on your network, it should be installed with care to ensure it doesn’t become a backdoor for a hacking attack, notes Ahrens.
Lastly, any system needs checks and balances, says Penzone. Even though biometrics offer a higher degree of individuation than other measures, they still need to be protected by the same protocols and redundancies as any other access control system. This includes oversight of who is responsible for enrollment, having a process to revoke credentials, and creating procedures if someone’s credential is no longer generating a match. You should also audit the system frequently, particularly for instances of rejections and false positives and negatives.
With these smart policies in place, biometrics will harden your access control and reduce the likelihood of a breach.
Jennie Morton firstname.lastname@example.org is Senior Editor of BUILDINGS.