Why biometrics should ‘factor’ in every CISO’s strategy
CISOs must move fast to address the changing demands of physical and cybersecurity, says Antonio Santos at Zwipe. Biometric access control cards work with existing readers to offer a familiar, easy-to-use and cost-effective way to keep bad actors at the door.
When weighing their data security strategies, too many Chief Information Security Officers (CISOs) still overlook the critical importance of physical access control. According to a Verizon report, 82% of cybersecurity breaches involve a human element, with many being linked to insider threats and physical breaches. With the number of physical security incidents projected to grow throughout the 2020s, together with the increasingly sophisticated approaches taken by bad actors, it’s time for physical and logical access control to be accepted as two sides of the same coin.
Why? Because the world is not the same place it was just five years ago. Digital transformation, accelerated by the pandemic, has turned the world of access control on its head. Today’s workers expect maximum flexibility over how and when they come and go, which leaves the doors in and out of secure zones on constant rotation. To compensate, a higher grade of physical access control is required.
Biometric access control card solutions offer an elegant way to incorporate an extra security factor into existing RFID-based infrastructures, and mitigate the increased risk without excessive onboarding, or the costly need to rip and replace existing systems.
Weighing options: what makes biometric access control cards attractive?
The decision to update security infrastructure is always informed by the perceived risk. This is calculated by weighing the susceptibility of existing measures against the value of the assets they protect. The bigger the perceived risk, the more secure the countermeasures need to be.
While traditional access control solutions have used measures such as passcodes or even physical enforcement personnel, these all follow the age-old rule: low cost, high convenience and high security. Choose two. You can’t have all three.
Biometric access control cards, however, don’t conform to this rule. They offer a bona fide, cost-effective alternative which dramatically raises security without compromising ease of use.
What is biometric authentication?
Security solutions face one fundamental question. How do you authenticate that a person is who they say they are? PINs and passwords have long been a staple of access control solutions; however, these can be easily compromised through loss, negligence or theft, and then exploited. Alternatively, ID cards that are then visually checked by security personnel give enhanced assurances that the correct person is using the credentials offered, but can be undermined by counterfeits and human error. Furthermore, both options create friction for users, making authentication slow and laborious.
Enter biometric authentication
These solutions, including Zwipe’s biometric access control cards, offer a way for a user to authenticate themselves using unique physiological or behavioural identifiers including, but not limited to, their fingerprint, iris, face, or voice. These battery-less cards are also fully compatible with existing market-leading card-based access control architectures. On placing the card near a reader, the access control application on the card invokes the biometric cardholder verification function to perform cardholder verification. An access code is only computed if the biometric verification is successful.
Many factors to consider
High-security facilities such as power plants, airports and data centres need to ensure that everyone accessing the facility is, without question, who they claim to be. In these environments, industry best practice calls for a multifactor approach to authentication, verifying a person’s identity based on:
- Something you have
- Something you know
- Something you are
While the first two of these tenets have long been pillars of most automated security solutions, be it through personal smartcards or passwords, validating the person in possession of the credentials has commonly required a physical staff presence.
Allowing users to authenticate themselves using physiological or behavioural characteristics, biometric solutions facilitate enhanced multifactor authentication by comparing the probe template (which is derived from the biometric data) against a previously recorded enrolment template. The result is that access can only be granted to those able to present their uniquely registered biometric data.
This system of biometric multifactor authentication has recently been trialled at Richmond International Airport (RIC) - a Transportation Security Administration-approved Airport Innovation Forum member in the USA. Here, biometric access control cards have been issued to authorised personnel, and are fully compatible with existing RFID card readers, allowing the facility to implement biometric multifactor authentication without additional investment in upgrading the existing hardware. This has created a cost-efficient, scalable, and robust access control solution that provides a frictionless and secure authentication journey.
Protecting data privacy
As a security factor, the uniqueness of an individual’s biometric data is both its greatest asset and its biggest challenge. Due to the sensitivity of such personal data, an individual’s biometric identifiers are far more valuable than any password or PIN.
The best biometric access control card solutions store each user’s biometric data on the chip of the card itself. These biometric system-on-card (BSoC) solutions mitigate many of the risks associated with the centralised storage and transmission of the biometric data across networks. When the credentials remain solely on the authentication device, the organisation never has access to the biometric data and, therefore, also has no need to manage it. And if the user loses their card, or it is stolen, the multifactor approach renders it unusable. It can simply be deactivated remotely and another issued.
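The on-card flow described above (probe template compared with the enrolment template on the card, access code computed only on a match) can be modelled as follows. This is an added example, not Zwipe's code or design: the `BiometricCard` class, the bit-similarity matcher, the 0.90 threshold and the HMAC challenge-response with a key shared with the reader are all assumptions chosen for illustration, and the templates are constructed sample data.

```python
import hashlib
import hmac

MATCH_THRESHOLD = 0.90  # assumed: share of template bits that must agree


def similarity(a: bytes, b: bytes) -> float:
    """Toy matcher: fraction of identical bits in two equal-length templates."""
    if len(a) != len(b) or not a:
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


class BiometricCard:
    """Hypothetical system-on-card: template and key stay inside the object."""

    def __init__(self, enrolment_template: bytes, card_key: bytes):
        self._enrolment = enrolment_template
        self._key = card_key

    def present(self, probe_template: bytes, reader_challenge: bytes):
        """Compute an access code only after a successful on-card match."""
        if similarity(probe_template, self._enrolment) < MATCH_THRESHOLD:
            return None  # verification failed: no code is computed at all
        return hmac.new(self._key, reader_challenge, hashlib.sha256).digest()


def reader_accepts(card_key: bytes, challenge: bytes, code) -> bool:
    """Reader side: sees only the access code, never a template."""
    if code is None:
        return False
    expected = hmac.new(card_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, code)


# Constructed sample data (not real biometric templates).
ENROLMENT = bytes(range(32))
GENUINE_PROBE = bytes(b ^ 0x01 if i < 8 else b for i, b in enumerate(ENROLMENT))
IMPOSTOR_PROBE = bytes(b ^ 0x55 for b in ENROLMENT)
CARD_KEY = b"constructed-demo-key-not-secret!"
CHALLENGE = b"constructed-reader-nonce"

if __name__ == "__main__":
    card = BiometricCard(ENROLMENT, CARD_KEY)
    for name, probe in (("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)):
        code = card.present(probe, CHALLENGE)
        print(name, round(similarity(probe, ENROLMENT), 3),
              reader_accepts(CARD_KEY, CHALLENGE, code))
```

The genuine probe differs from the enrolment template by a few bits of sensor noise and still passes; the impostor probe, standing in for a lost or stolen card presented by someone else, yields no access code for the reader to check.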
What’s next for biometric access control?
The next step for biometric access control solutions is mass deployment globally. The enriched multifactor approach provides the much-needed boost to security, and user familiarity gained from smartphone usage means the technology will be easily adopted.
Card-based biometric solutions can also be integrated within many existing access control architectures. The physical and logical security industries are already heavily invested in RFID card-based infrastructures and are seeking ways to continue leveraging this investment for years to come, without having to install readers and back-end biometric algorithms. Card-based biometric solutions that securely store and compare all required data on the card itself enable them to do just that, while utilising the same proximity technology that legacy terminals are built on.
Biometric solutions offer a seamless, cost-effective way to provide enhanced security while also providing an intuitive user experience. Successful deployments provide an excellent proof of concept for biometric access control at high-security facilities, something that will soon become commonplace. And not a moment too soon: if CISOs are to address the ever-changing demands of physical and cybersecurity, adopting a holistic strategy is their only option. And if they want to enact that strategy cost-effectively, biometric access control cards are the obvious choice.