John Laws, Regional Sales Director at IDEMIA outlines the important selection criteria for a successful deployment of biometrics for access control.
Many security directors have now understood that they cannot rely exclusively on access credentials and CCTV to fully and efficiently protect the security of their employees and businesses. Whilst both tools are must-haves, cards can easily be cloned if they are based on old technologies and can also be stolen. Moreover, CCTV only displays people, not identities.
Only biometrics – which can be described as unique, human, physiologic and unforgeable characteristics – guarantee that the persons entering a building are genuine, authorised employees and visitors instead of intruders.
The biometric terminal offering nowadays is plethoric, with many new entrants to the market using all kinds of superlatives to promote their products. When starting a project therefore, it is important to consider the key criteria to satisfy stakeholders such as security departments, HR, contractors and trade unions. In doing so, you can reach your primary goal of raising the security bar to its highest possible level.
Asking the necessary questions
Basing the topics discussed in this article on the “voices-of-customers” following a recent product launch – before which end-users, system integrators, consultants and installers had shared with us what they expected from a biometric terminal – a first identified key criteria was obvious: ensuring the security and accuracy of biometric algorithms used in terminals. Not only is this factor crucial to avoiding possible False Rejects (FR), such as blocking a genuine employee from gaining access, above all, it also determines the number of False Acceptance (FA) occurrences.
Contrary to many industries where vendors and products have to obtain certifications to prove a level of performance, this does not yet exist in the security industry. Moreover, despite many vendors engaging in a race to promote claimed FA/FR levels, they are not backed by any neutral, third-party measurements. The only accuracy evaluations on such criteria are those performed by the NIST1 and DHS2 in the US and indeed very few terminal vendors submit their algorithms.
The same applies to anti-spoofing as it would be catastrophic to deploy biometric terminals that can be easily fooled by simply presenting a picture of a genuine employee, either printed on a sheet of paper or on a smartphone screen. Apart from conducting their own empirical spoofing tests, which is highly recommended, security directors should also look for vendors that have obtained the iBeta3 certification; the iBeta3 is the industry reference for this domain.
Needs and requirements
Surveyed customers also indicated that, although security is their primary goal, user experience should not be impacted too much; employee adoption is indeed a critical factor for a successful deployment and it is greatly influenced by many factors surrounding the following questions: Is the biometric technology intrusive? Is the terminal easy to use and ergonomic? Is it working efficiently in all light or weather conditions? Does it adjust automatically to users? Is it fast or will it create queues in the entrance hall? A live test is better than dozens of marketing datasheets as this helps you and your employees to form your own ideas on these parameters.
Key to employee adoption is also data privacy protection and compliance with regulations like GDPR. Biometric data is rightly considered as sensitive by regulators who, with user privacy protection in mind, require thorough administrative processes; biometric deployment and related measures implemented to collect, process and protect user data have to be justified and explained with many details in a DPIA form (Data Protection Impact Assessment). To avoid this step you should therefore select a vendor who has integrated requirements from the design step of its products.
For instance, does the terminal catch faces all around, up to several metres, including people who have not given their consent or are mechanisms implemented to prevent this? Has the terminal successfully passed penetration tests to efficiently protect data it stores and processes? Can it read access badges and retrieve biometric data efficiently in the scope of a two-factor configuration? It may also be wise to select a vendor that can support you efficiently in this DPIA administrative process itself to make you save time and money.
It is also important to remember that an HR department has its word in a biometric deployment that must be inclusive. It is out of the question, for instance, to experience racial bias with employees if a facial recognition terminal is installed. In the current context surrounding the COVID-19 pandemic, terminals presented as touchless should really ensure that employees do not touch any part of them in normal usage conditions.
Moreover, facial recognition terminals must also be fully efficient with sanitary facemasks worn in recommended positions – the best biometric algorithms in this domain are found in the US’ DHS evaluations. Finally, a face detection functionality may also be quite useful to enforce health policy by only allowing in employees wearing a facemask.
Important things to consider
Other aspects raised by surveyed customers are very practical and relate to the project deployment itself. Apart from installations in new buildings, in most instances, the PACS platform and turnstiles or speedgates are already in place and will not be changed just because biometric terminals are to be installed. Choosing a vendor whose terminals are already fully integrated and supported by both hardware and software environments will allow you to save time and, as a result, money.
Other hidden costs can arise from the installation step itself and whether a terminal can be mounted, plugged in and setup easily; this can significantly impact the time spent on this step and can subsequently impact the overall cost.
The number of PACS integrations is correlated to the manufacturer’s history, experience and investment capacity. Whilst there are manufacturers who have been around for a long time, with decades of experience, there is also a host of more recent players. Disruptive technologies – in particular, software ones – are certainly of interest for many topics. In the security domain however, reputation quality and stability are of utmost importance.
Question marks can be raised surrounding how much your manufacturer is, or is not, in full control of the design and production of its terminals and whether the biometric terminals deployed are a one-off project that ends the day that they are installed. These are important factors to consider, particularly when thinking about whether or not the manufacturer is able to support you during the entire lifecycle of your terminals – will they be able to provide maintenance and repair services? A wrong initial choice may equally bring with it a range of many unexpected costs in the future.
Cost has been mentioned several times. Not only is there an initial cost of the terminals themselves, as we have seen, this is something that is greatly correlated with the performance in general as well as accuracy, user experience and privacy. In addition to this, there is also many hidden costs linked to the deployment and installation steps as well as the DPIA process. It is therefore very important to consider the total cost of ownership and avoid compromises purely based on price, especially as biometric terminals are primarily deployed to protect your employees and the overall security of businesses and organisations. These will also be installed for several years on walls or turnstiles.
Hopefully, you will never face a severe security breach due to an intrusion but, if you do, with severe consequences, your top management will not remember your few thousand pounds savings at the time of purchase of the terminals, but will instead demand to understand why you did not select the most efficient technology available on the market at the time, for what is indeed, rarely, a six-digit investment.
Whilst deploying a biometric access system will have a cost, ensuring that you maintain the security of your employees and company is priceless.
To find out more information about IDEMIA, visit: www.idemia.com
This article was originally published in the October edition of Security Journal UK. To read your FREE digital edition, click here.