Article by Mark Clifton at Soucesecurity.com
Perhaps I’m sensitised to the term, but it seems to me that I’m hearing the word “identity” a lot lately.
In truth, I’m happy for the increased awareness of the importance of identity, because in a general sense, identity is a foundational concept for the entire security industry – perhaps even for the entire concept of security. And accurately confirming a person’s identity is one key to improving security for our workplaces, communities, and our nation.
The importance of identity
The concept of identity is a security fundamental – and affects almost every facet of the topic. Who is allowed into our country? Individual citizens, and individuals with permission. Who is allowed into a building, or controlled area? Authorised individuals. Who can give that permission or authorisation? Again, individuals with the authority to do so. Who can access a computer network, or specific stored information? Once again, individuals with permission. In every case, physical and electronic security in a general sense depend on the ability to connect authorities and permissions to the particular individual or individuals who hold them. This connection between identity and permissions is critical for triggering real-world actions: opening a particular door, allowing visitors, issuing keys, accessing money or materials, etc. So, maintaining security depends on correctly identifying the individual and matching them with the correct authorities and permissions. This is exactly why identity recognition in security systems is so important.
Consider access control, for example. Many, if not most, access control systems for retail and business facilities today use card readers to enable access. In a real sense, these systems are using the card as the confirmation of the identity of the person carrying the card. Fairly obviously, this represents a very low level of identity verification, and thus translates into a low level of physical access security. This is because the link between an access card and the true identity of the individual who is carrying that card is both tenuous and vulnerable. These facilities made the determination that the relatively low level of security that can be achieved using card readers was sufficient for that facility. For these organisations, the truth is that every member of their staff is a potential weak link for criminals to gain entry.
|Security confirmation of an individual’s identity is based on something they have, something they know, or something they are|
Confirming visitors’ and employees’ identities
How can a person’s identity be confirmed? In a general sense, there are only three ways that have been used to confirm the authorisation – and the identity – of a person for security purposes: something they have, something they know, or something they are.
The card reader mentioned above is an example of “something they have” – in that case, an access card. Other examples commonly used in security systems, and particularly automated access control systems, include a company badge, proximity tokens, and even garage door openers. For guarded (staffed) lobbies and checkpoints, documents such as driver’s licenses, and passports are used. The weakness of each of these items is that they can be lost, stolen, or loaned to another person.
To reduce the chances of loss and theft, other security systems use “something you know” as a confirmation of identity and authorisation, most commonly a password or passcode. In some cases, the answer to security questions can also be used. These codes are harder to misplace in such a way that they can be used by thieves, but they are vulnerable to guessing or hacking, and they can be easy to forget – particularly if they are strong passwords. And, they remain easy to ‘loan’ to another person just by telling them.
Biometrics is based on “something you are”
The third approach, “something you are” is now more commonly known by the term “biometrics”. Common examples here include fingerprints, palm veins, facial features, and one or both irises. Biometrics have two great security advantages; they can offer higher accuracy and security than the previous methods, and they are much more difficult to lose, steal, or lend.
Of all these approaches, the category of biometrics has the strongest link to an individual’s actual identity. It is difficult if not impossible to falsify your biometric information. In our daily lives, we almost always confirm the identity of the people that we know using a version of biometrics – we recognise the face, the body size and shape, and the voice of our friends, family and coworkers. It is only for those people we don’t know that we shift to other methods; for example, airport security screeners look at your driver’s license or passport. But even in that case, only the photo versions of these documents are accepted, because it includes near-biometric information – your photograph – that allows the screener to link you to the document.
|Biometrics offer higher accuracy and security than tradition verification methods, and they
are much more difficult to lose, steal, or lend than cards or passwords
Challenges facing biometric security
If we know that biometrics work better than any other type of identity verification, why are they not the standard? Implementing more accurate identity readers would increase the level of security at any facility or secure location, including workplaces, medical facilities, and borders. The challenge has been that the higher accuracy readers also came at a higher cost, and in the past, the general security posture of most firms was lower than it is today.
Until recently, the affordability and basic effectiveness of card readers and keypads were considered “good enough” for most applications. The higher cost and complexity of the available biometric readers, which deliver a higher level of security, were reserved for high-security facilities, such as nuclear plants or classified work.
Now, improved technologies have made biometric identification much more available at competitive costs. Even consumer-level devices such as tablet computers and mobile phones are available with biometric sensors (fingerprints, for example) for authorising access. With many organisations now giving more attention to managing risk, cost effective biometric readers are starting to be implemented in a growing number of security systems, displacing card readers and keypads, to provide a higher level of security.
Iris recognition next big thing in identity verification
Among all the available biometrics, the one most rapidly gaining ground is iris recognition. It is as fast, simple and safe as taking a selfie, and does not require any physical contact with a sensor. And, it has the highest accuracy among all biometrics –approximately 1000 times more accurate than fingerprint sensors. An iris cannot be shared or stolen, and iris readers cannot be fooled by makeup, hair or clothing changes. Some can even read through eyeglasses and sunglasses, in diverse weather conditions, outdoors or inside. With all these advantages, it is easy to see how iris readers could be the next big thing in access control and identity verification.
Real security improvements
Improved security does not need to be a burden or barrier. But current identity devices may be giving a false impression of security – by not actually providing the level of protection that users are expecting. Upgrading low-accuracy identity devices such as card readers with higher-accuracy biometric identity devices would deliver a significant real increase in security without adding any burden to users, and result in a safer environment for all.