Multiple factors of authentication, including biometrics, can increase the probability that an individual presenting a card to a reader is the same person to whom the card was initially issued. Biometrics authenticates identity by measuring and verifying an individual’s unique physical characteristics, such as fingerprints, hand and face geometry, or patterns found in the eye’s iris. Since these identifiers can’t be borrowed or stolen, biometrics provide identity authentication with a strong degree of confidence.
Until recently, biometric templates such as those for iris recognition were carried on a plastic credential and presented for authentication by holding the card in front of an iris recognition camera. Now, these same templates can be carried inside an NFC-enabled smartphone along with other digital ID credentials for physical and logical access control.
Several trends are driving the adoption of physical and logical access control on smartphones and other mobile devices. The first is the inclusion of NFC technology on smartphones, which provides an industry-standard short-range wireless link for exchanging access control data across a several-centimeter distance so users can “present” credentials carried on their phones to a reader. As the NFC mobile payment model grows in popularity, it drives further demand for NFC phones which can also be used in physical access control applications. Smartphones that do not feature NFC technology can be securely upgraded to this capability by using an NFC-enabled add-on device such as a microSD card.
Additionally, there is now a new type of identity representation that operates within a trusted boundary and uses the NFC-enabled smartphone’s secure element -- usually an embedded tamper-proof integrated circuit, or a plug-in module version called a subscriber identity module (SIM). This setup ensures that all transactions between NFC-enabled smartphones, SIM cards and other secure media devices can also be trusted inside the access-control managed network.
Within this trusted boundary, organizations can provision mobile access control credentials in either of two very secure and convenient ways. One is to connect the mobile device to the network via a USB or Wi-Fi-enabled link and use an internet portal, similar to how traditional plastic credentials are provisioned. The second option is to issue digital credentials over-the-air via a mobile network operator, in much the same way that today’s smartphone users download apps and songs. To do this, the NFC-enabled smartphone communicates with a Trusted Service Manager (TSM), which interfaces either directly to the mobile network operator (MNO) or to its TSM so that a key can be delivered to the smartphone’s SIM card.
The mobile access model offers a number of benefits. It eliminates credential copying, and makes it easier to issue temporary credentials as needed, cancel credentials if a device is lost or stolen, and monitor and modify security parameters when required. The mobile model is also ideal for converged physical and logical access, enabling smartphones to be used for multiple applications including cashless vending, opening residential locks, accessing an on-line physical access control reader, entering a building protected by an NFC-enabled electromechanical lock, logging on to a PC, generating OTP software tokens to log onto network devices, and implementing biometric authentication.
How Biometrics Work
Biometrics verify that a card holder has been bound to his or her card, using something that can only be possessed by the person to whom the card was issued. Biometric data is unique to each individual, and cannot be forgotten, lost or stolen. Because of this, biometric technology offers enhanced security as compared to conventional identification methods. It does not rely on passwords, pin codes or photographic ID, and is too complex to forge. Biometrics are generally used as part of a verification system (which checks a biometric that has been presented by an individual against the biometric in a database linked to that person’s file – also known as a one-to-one system), or an identification system (referred to as one-to-many systems because they are used to identify an unknown person or biometric).
Biometrics has long been used by the federal government, and is a key element of the latest federal identity standards. For instance, the Department of Defense DoD) has incorporated biometrics into the common access card (CAC) that controls entry to DoD facilities and information systems. Biometrics is also an integral part of the latest identity credentials for federal agency employees and contractors. In 2005, the National Institute of Standards and Technology (NIST) released Federal Information Processing Standards Publication 201 (FIPS 201), which defined the identity vetting, enrollment and issuance requirements for a common, highly secure identity credential called the Personal Identity Verification (PIV) card that leverages both smart card and biometric technology. In 2006, FIPS 201-1 further specified that a facial image, as well as fingerprint biometrics, be included on PIV cards.
Many security dealers and integrators overlook visitor management. It doesn’t often carry the high system sales cost of access control or CCTV systems. But the fact is that a modern, professional visitor management system can add substantial value in improved security and operational efficiency as well as enhance the professionalism of organizations that previously used paper-based solutions. By integrating with an access control system, integrators and dealers are able to provide complete, integrated security solutions for employees, intruders, unwanted guests, and temporary visitors. Visitor management is also needed by virtually every type of industry and vertical market, allowing dealers to address a wide audience.
Although many view a paper method of visitor sign-in to be quick and easy, this approach can introduce significant risk to an organization. Paper logs expose visitor names for anyone to see, and they diminish the perceived professionalism of an organization. Frequently, the visitor sign-in names are either illegible or false. In an emergency such as a fire, it would be very difficult to quickly determine who's still in the building, since names can be hard to read and check out times are not always required or enforced.
Visitor management systems typically reside on a PC at the reception desk or other points of entry, and automate the entire process, from registering a visitor to using badge maker software to create and print visitor ID badges. There are a number of key components. The first is a scanner for capturing visitor ID information, which can be a driver’s license, business card, passport, government or military ID, or other form of identification. The ID information can be captured either with an optical character recognition (OCR) scanner, or with a scanning device that can read the magnetic stripe or 2-D barcode on the back of a driver’s license. Ideally, the user should have the ability to scan multiple types of credentials. Optical scanners offer the advantage of capturing the visitor’s photo in addition to name and other information, so it can be included on the visitor ID badge.
Next, the system must capture other information that can’t be gleaned from the ID scan, such as the person that the visitor will be seeing, the reason for the visit, and whether the visitor is a contractor or other special category of guest. For optimal accuracy and convenience, the visitor software should include drop-down menus or check boxes to facility data entry. Users may also want to have visitors acknowledge a document such as a non-disclosure agreement by capturing a signature with a signature pad or taking a photo with a web camera.
After the ID card is scanned and other information is entered into the system, a customized visitor badge is printed. Visitor badges can include any information that was scanned or captured during check-in, and customized to meet specific needs. There are many sizes and types of visitor IDs, including adhesive, clip-on, self-laminating, expiring, and badges that can be inserted into a plastic sleeve. While employee badges are generally hard plastic, visitor badges tend to be more temporary, using paper or card stock. They can also be produced with a black-and-white or color printer. An inexpensive option for black-and-white badges is a thermal printer that does not contain ink cartridges.
For higher-volume applications and/or situations where more permanent visitor badges are desired for frequently-returning guests, there is the option of direct-to-card (DTC) printers. Although these previously were prohibitively expensive for visitor management applications, the latest low-cost monochrome DTC printers offer an economical way to print higher-quality badges than can be created with thermal printers. Monochrome DTC printers combine quality, reliability and ease of use, while providing organizations with a solution that is cost-effective to own and operate and offers a low total cost of ownership.
With these components in place, a visitor management solution should enable a lobby attendant to complete the check-in process and print a visitor badge in about 20 seconds per visitor. Any number of visitor badging systems can be stationed in different locations in an enterprise, including remote field offices, and they can all share a database over the network for centralized monitoring and reporting.
The next element to consider in a visitor management system is analytical tools. Today’s visitor systems include report wizards that enable users to generate customized reports in seconds, and store and disseminate this report data immediately. Leveraging visitor management analytics offers many potential benefits. For instance, users can identify trends and their implications, and assess operational areas where processes may need to be improved. Users may also want to automatically track and compile information about certain types of visitor by location, or they may want to verify contractor arrival and departure times to make sure they are meeting agreed-upon deliverables.
In addition to these basic system elements, there are other considerations for optimizing visitor management solution deployments. The first is integration with access control systems, and how to ensure that both systems operate in concert with each other. This enables lobby attendants to easily and safely provide temporary proximity credentials to guests through the visitor management system, rather than the access control system. Lobby attendants don’t have to be familiar with the access system in order to provide temporary card privileges to visitors.
Federal Information Processing Standard Publication 201 (FIPS 201) has primarily been used for logical access and digital document signing using Public/Private Key Infrastructure (PKI)-based validation. With PKI multifactor authentication, a digital certificate including the user’s public key is placed on a Personal Identification Verification(PIV) card, which leverages smart card and biometric technology (a digitally signed fingerprint template), and also supports multifactor authentication methods. To use a PIV card to enter a building, the PIV card’s digital certificates are checked against a Certificate Revocation List (CRL) which is provided by certificate authorities. Rather than relying on a shared, secret key for authentication, a pair of public and private keys is used and these keys are linked such that information processed with one key can only be decoded or validated using the other key. The Federal Bridge is used to establish trust between cross-certified agencies’ PKIs (i.e., separate and independent infrastructures, each with its own root certificate authority), thus enabling secure information exchange of digital signatures and certificates sent from and between various other participating government organizations. PKI authentication is a highly efficient and interoperable method for both logical access control to protect data, and for physical access control to protect facilities, the latter referred to as “PKI at the door.”
Agencies are taking a phased approach to implementing PKI at the door, as budget becomes available. To ensure that this is possible, they are configuring their infrastructure so that it can be quickly and easily upgraded to PKI strong authentication for physical access control when they are ready. For instance, they are first enrolling all of their PIV card holders into their head-end system, and then simply deploying Transitional Readers as defined by the General Services Administration (GSA), which read the unique identifier from the card and match it with the enrolled card holder without using any FIPS-201 authentication techniques. These Transitional readers can later be reconfigured in the field to support multifactor authentication. This ability to upgrade in the field to FIPS-201 is not possible with Transparent Readers. It’s important to note that GSA-approved Transparent Readers listed on the APL do not, by themselves, constitute an “Authentication System” as defined by the GSA, and do not, in and of themselves, provide the required validation mechanisms.
As an example, HID Global’s pivCLASS solutions are certified as GSA-approved Authentication Systems. By installing the pivCLASS Transitional readers for FIPS-201 compliance, agencies can later add pivCLASS authentication modules that will classify their readers as GSA-approved Authentication Systems that can perform PKI multifactor authentication at the door, without having to replace the readers in order to make this possible. This approach also enables them to preserve existing door controller and panel functionality.
It is expected that PKI at the door will become more widely adopted as FIPS 201 evolves and there are more products available on the market to support it. We also see PIV cards (and, presumably, strong authentication for both logical and physical access control) moving to NFC-enabled mobile phones. FIPS-201-2 specifications are expected to include extensions such as the concept of derived credentials, which will enable a credential derived from the PIV card to be carried in the phone’s secure element, with the digital version providing the same cryptographic services as the card. FIPS 201-2 is also expected to allow the use of the Open Protocol for Access Control Identification and Ticketing with privacY (OPACITY) suite of authentication and key agreement protocols which add two important things: 1) much better performance (by a factor of approximately four for critical tasks), and 2) secure wireless communications, which will enable the use of PIN and biometrics on the contactless interface, further strengthening authentication alongside PKI for both physical and logical access control.