Education and training remain your allies with deploying a new technology, particularly one that has some thorny privacy issues attached to it. You and your HR department will have to decide what to do if someone refuses outright to be enrolled, but generally a detailed briefing and documentation on how collected biometric data will be protected can go a long way to allay concerns. You should also let employees know about any differences they’ll notice between biometrics and your previous access control system, recommends Ahrens. For example, biometrics may cause momentary delays as it takes a few more seconds for confirmation.
Another factor to consider is how high you want to set the false acceptance/rejection metrics for your system, Ahrens notes. You actually have control over how sensitive the system is. For example, using fingerprint scanning at 100% matching would reject a person who has dirty fingers. You may not need verification to be quite as fine-tuned so a slightly lower percentage may be suitable. Too low, however, and in certain instances the system is at risk of verifying multiple people off of a single credential.
The effectiveness of matching can also be affected by environmental factors, adds Ahrens. Particularly if the system is located outside, its sensors can be vulnerable to moisture, debris and temperature fluctuations. The same is true for users who have job duties where their fingers or hands would be dirty on a regular basis, such as those in the contractor trades or who are based at an industrial facility or a high-security construction site. Make sure you thoroughly vet any biometric system, such as having a trial reader installed and testing it with a sample of your population.
Don’t forget that ADA applies to your access control system too, not just paths of egress. Most systems can recognize a person with a disability or medical condition that affects the given biometrics (like bulging eyes from Graves’ disease or congenital hand deformities). Only in highly specific instances would you need to find a biometric workaround (such as for someone with an artificial eye or prosthetic limb). However, many biometric systems require the individual to be scanned at a particular angle or height, Ahrens explains. For example, someone in a wheelchair is limited in how they approach a reader or they may be too low to reach it in the first place. Take precautions during installation to minimize accessibility issues.
You should also confer with your IT colleagues about how to securely connect the biometric reader. Some systems store templates locally within the reader while others must communicate with a server – both need data support. Particularly as the system is considered a point of presence on your network, it should be installed with care to ensure it doesn’t become a backdoor for a hacking attack, notes Ahrens.
Lastly, any system needs checks and balances, says Penzone. Even though biometrics offer a higher degree of individuation than other measures, they still need to be protected by the same protocols and redundancies as any other access control system. This includes oversight of who is responsible for enrollment, having a process to revoke credentials, and creating procedures if someone’s credential is no longer generating a match. You should also audit the system frequently, particularly for instances of rejections and false positives and negatives.
With these smart policies in place, biometrics will harden your access control and reduce the likelihood of a breach.
Jennie Morton firstname.lastname@example.org is Senior Editor of BUILDINGS.