Levels of Security: 5, Biometric Authentication

Welcome to the fifth, and final, installment in our series on Levels of Security! In this series we are investigating how different ID solutions fit different security needs. As we advise organizations on appropriate badge solutions, we find their needs fall into one of five levels of security. We’ve categorized these by the appropriate solutions: printed PVC cards, barcode & magnetic stripe cards, proximity access devices, contact and contactless RFID cards, and biometric authentication.

Biometric authentication uses a reader to scan and verify identity using a unique physical attribute. The most common are fingerprints, palm prints, facial scans, and iris scans. New technologies include scans of the shape of the skull and of the interior of the ear canal.

For access control, these methods of authentication are most often used with another method, playing on the security adage that the most secure “key” is “something you have, something you know, and something you are”. An ID card (of any level) or key serves the purpose of being an exclusive item one has. Biometric markers, which are unique to the person seeking entry, are something they are. Often keypads or password encryption serve as “something you know”. Verifying identity through biometrics prevents security breaches based on theft of cards or other access devices or recreation of credentials using stolen data, as the person who uses the device is as important as the device itself.

Companies also use biometrics to help protect data and to provide appropriate access. Many devices use fingerprints instead of passwords as an unchanging piece of data that restricts access to the appropriate user. This technology provides the option for targeted, instead of widespread, use of biometric authentication. Some programs require the input of a password and verification of a user’s biometric data before allowing access to secure information. This solution can provide an incremental security increase, rather than outfitting an entire facility for biometric scanning.

Certain industries have also begun using biometric scans to store user data. For example, some hospitals have begun to use palm scans to ensure that medical records are accurate and secure. Many school systems have begun using thumbprint scanners to link student lunch accounts. These methods replaced use of a card (which students often lose) or a student PIN code (which students sometimes forget, and which slows down the lunch line).

Concerns about Biometric Authentication

The use of biometrics is still controversial. Many people worry about someone stealing or hacking into this secure information, extending the privacy problems that plague technology companies. Companies address this concern in multiple ways. Many do not store biometric information. Instead, they use a computer algorithm to create a unique identifying number derived from the biometric scan. This number is then associated with the user. Others keep the biometric information stored on a device rather than in a database. Banks that use biometric authentication in mobile apps store the user’s information on the device rather than in a database. The same can be done with smart cards. The chip in a contact or contactless smart card has enough storage space to store the data required to verify the cardholder’s identity, which eliminates the need to keep information in a centrally controlled (and thus target-rich) access control database.
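The sketch below is an added example, not code from this series or from any vendor product. It combines the "something you have, something you know, something you are" check with the card-stored template described above, so the backend record holds access rights but no biometric data. The bit-string template, the Hamming-distance threshold, the dictionary standing in for the smart card chip, and all names and sample values are assumptions made for illustration.

```python
import hashlib, hmac, os, random

MATCH_THRESHOLD = 0.32  # assumed: max fraction of differing bits still counted as a match

def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bits that differ between two equal-length binary templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (len(a) * 8)

def pin_verifier(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def enroll(card_id, pin, template, doors):
    """Template and PIN verifier go on the card; the backend gets access rights only."""
    salt = os.urandom(16)
    card = {"card_id": card_id, "template": template,
            "pin_salt": salt, "pin_verifier": pin_verifier(pin, salt)}
    return card, {"card_id": card_id, "doors": set(doors)}

def verify(card, backend, door, pin, live_sample) -> bool:
    """Reader-side check: all three factors must pass."""
    record = backend.get(card["card_id"])
    have = record is not None and door in record["doors"]      # something you have
    know = hmac.compare_digest(pin_verifier(pin, card["pin_salt"]),
                               card["pin_verifier"])            # something you know
    are = hamming_fraction(live_sample, card["template"]) <= MATCH_THRESHOLD  # you are
    return have and know and are

def random_template(seed: int, nbytes: int = 256) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

def noisy(template: bytes, flip_rate: float, seed: int) -> bytes:
    """Constructed sensor noise: flip each bit independently with probability flip_rate."""
    rng = random.Random(seed)
    return bytes(b ^ sum((rng.random() < flip_rate) << i for i in range(8)) for b in template)

def demo() -> dict:
    alice, mallory = random_template(1), random_template(2)   # constructed sample data
    card, record = enroll("CARD-0001", "4821", alice, {"lab"})
    backend = {record["card_id"]: record}
    fresh = noisy(alice, 0.10, seed=3)                        # Alice's scan on a later day
    return {
        "owner": verify(card, backend, "lab", "4821", fresh),
        "stolen_card_and_pin": verify(card, backend, "lab", "4821", mallory),
        "wrong_pin": verify(card, backend, "lab", "0000", fresh),
        "wrong_door": verify(card, backend, "vault", "4821", fresh),
        "backend_has_biometrics": "template" in record,
    }

if __name__ == "__main__":
    print(demo())
```

Two scans of the same person never match bit for bit, which is why the comparison uses a distance threshold rather than an exact equality test on the stored value.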

Thank you for following along with our series on access control security. As always, feel free to contact one of our experts for more information at +1 704.535.5200.