Our News

Biometrics provides key part of physical security solution

4 May 2018

High-tech security systems should include, but not rely on, biometric technology argues Christopher Barrow of London-based Metropolitan Safe Deposits.

Biometrics literally means the science of measuring physical-biological traits (bio + metric = biological measurements), but now applies almost exclusively to the science of measuring physical characteristics to verify a person’s identity. Its successful role in physical access control, in particular, is attributable to the fact that the individual has unique human characteristics. Its system of authentication is replacing or preferably supplementing “things that you know” (passwords, PINs etc) with “things that you are”.

Biometric measurements can be both visible and invisible. High-resolution images of a fingerprint or face or iris, for example, are surface images which can be measured with an algorithm that compares the physical details. Invisible biometrics usually relies on biological processes (as opposed to outward appearance), such as measuring the unique sound of a human voice. Invisible biometrics also includes behavioural identification, for instance measuring the way a person interacts with a smartphone by profiling the resulting data.

Fingerprint recognition has emerged as one of the most popular and convenient biometric technologies because it is considered more accurate than voice recognition and cheaper than iris scanning. Although biometrics has really only taken off in the past 20 years or so, its history goes back to the late Victorian times when police forces around the world started to catalogue fingerprints of criminals. In fact, the concept of keeping records of distinguishing bodily measurements for identification purposes dates back to ancient Egypt.

Today, many applications for biometric technology are used. Everyday gadgets are increasingly coming equipped with fingerprint scanners, including mobile phones. Doctors are applying the technology to keep patient health records. Airports, schools, offices and banks typically use a range of biometric technologies. Of course, biometrics still helps law enforcement agencies to apprehend criminals.

A good example of the increasing use of biometrics is in safe deposit box vaults. As an integral part of a modern access control system, a new customer is typically required to have a digital template of his/her fingerprint taken, against which all future scans are verified. These digital templates are not images and cannot be used to reconstruct a fingerprint as they are stored as a simple mathematical representation of a fingerprint’s unique characteristics. An understanding of this important consumer safeguard helps to dispel one of the myths surrounding the technology, namely that the fingerprints may be used for other purposes.

With justification, there are fundamental concerns about the widespread use of biometrics in our lives. A key area of concern is privacy, a very topical issue as businesses battle to meet the deadline for regulatory compliance with the EU’s GDPR on 25 May 2018. An example of an unintended consequence of biometrics is the identification of a person who does not wish to be identified. Sophisticated CCTV cameras in public places now routinely recognise individuals, thus wiping out privacy in everyday life. Today’s surveillance systems have the ability to record, store and analyse images of faces cheaply, quickly and on a huge scale. Some argue that the considerable benefits of identifying criminals and criminal activity may not be worth the “cost” of privacy loss and potential discrimination.

Another issue with biometrics is that the technology is not as accurate and secure as many proponents claim. Facial recognition, fingerprints and eye scanners are not 100% reliable. There have been multiple press articles about the ease with which individuals have fooled facial-recognition security systems. Human error is also responsible for many security breaches, such as in access control. The effectiveness of technology can easily be undermined by breaches of policies, process and procedures.

In high-risk environments such as airports, banks and safe deposit vaults, there is no doubt that biometrics has become an indispensable part of a security solution. A key or a smart card can be stolen. Someone can find out your password. Nobody can take away your fingerprint. However, whilst biometrics provides the most effective tool to combat identity fraud, the technology should only be used as an integral part of a comprehensive security system.

It is well-known in the military world that security should incorporate multiple layers of defence, otherwise known as ‘defence in depth’, in order to resist rapid penetration by an attacker. Similarly, the IT industry talks about ‘layered security’ to prevent hackers from gaining unauthorised access to information systems and data. The same philosophy or strategy should apply to high-security facilities, such as in prisons, banks and safe deposit vaults.

Being critical of biometrics for not being foolproof is, to some extent, missing the point. No individual security protocol needs to be 100% effective. In any professional environment, a security system is precisely that – it is a combination of layered security protocols that work together. The cumulative probability is very remote that a key is duplicated, a smart card is stolen, a password is cracked, a biometric fingerprint reader is fooled and a well-trained control room is deceived. That is the point. Biometric technology is not perfect, but it does considerably enhance physical security systems.