Articles by Phil Scarfo
What is it about biometrics that triggers so much worry? Initial resistance gives way to mainstream acceptance when biometric technology allows convenient and secure access to healthcare, banking services, amusement parks, office buildings. What is it about biometrics that triggers so much worry? In the past, concerns seemed to have their foundation in the use of fingerprints in law enforcement; the association between fingerprints and criminality was strong. Phil Scarfo, Senior Vice President of Sales & Marketing at Lumidigm (part of HID Global) explains that today’s objections seem to be more related to fears that we are handing over our identities to government and commercial organisations, that we are being watched. While the adoption of biometrics has never been more widespread — highly successful security- and privacy-enhancing applications have been deployed worldwide, across all industries — the general public narrative remains focused more on the risks rather than the benefits. Concerns about user privacy, reliability, performance and even personal safety often dominate many of today’s articles and discussions involving biometrics. While all of these concerns merit debate, the industry finds itself in the position of having to correct a wide range of misconceptions and myths while a discussion of the very real benefits of biometrics is left by the wayside. In some developing countries where access to government programs are limited biometrics identification can make the difference between citizens getting access to food Who is it? (It’s personal.) Perhaps the reason is because biometrics is so… personal. The irony is that, if other industries trading in identities were measured on an equivalent risk-only basis, companies like Google, Facebook, and Amazon wouldn’t be the household names that they are. These and other companies thrive because, despite the very credible risks they pose to user identity, privacy and security, they also offer significant and measureable benefits that both users and providers value and, indeed, seek. The level of personalisation and services that can be provided based on user identity is highly desirable. Shoring up that user identity with biometrics allows for a higher level of security, privacy and convenience. The risks of user authentication in transactions are already generally accepted; the benefits of biometrics are substantial. With biometrics, there is no form of user authentication that is more democratic, more inclusive or more tightly linked to personal identity. There are no language, literacy, race, gender or age barriers limiting the use of biometrics. All other user authentication methodologies, including passwords, cards, tokens or other physical credentials, have the same risks as biometrics but are far more difficult for users to understand, use, remember or deploy. And, only biometrics definitively say “who” is transacting. Value of biometric technology in everyday lives Biometrics allows for a higher level of security, privacy and convenience Automating biometric authentication such that it’s a fingerprint sensor (for example) that recognises the customer, not a clerk, allows for many desirable benefits. Banks in Brazil, Argentina, South Africa and elsewhere are showcasing the utility of biometrics. They have demonstrated that customer security is enhanced with biometrics. Equally important, services are made more convenient and secure. Customers welcome the simplicity of biometrics. They see biometric authentication as a more convenient way to transact business and a significant benefit that is being offered by their provider. Banks also see this as a way to lower the risk of identity theft and fraud while allowing them to offer more tailored and enhanced services. This more holistic view of “convenient security” makes them better able to retain existing customers and to grow their businesses. Biometric authentication is used at over 50,000 ATMs in Brazil; the use of biometrics is quite routine for millions of bank customers there. In healthcare settings, providers, payers and patients all benefit from having strong authentication via biometrics. Knowing “who” with a greater degree of certainty helps both user and provider ensure that services are being delivered to the proper individual. Fewer medical mistakes and greater efficiency is realised. This ultimately helps to lower costs and improve patient care. Additionally, compliance requirements like those imposed in North America by DEA to manage Electronic Prescription of Controlled Substances (EPCS) are also made simpler by the use of biometrics. Doctors no longer need to reach for a physical credential or one-time password (OTP) to meet compliance requirements or to do their job. A simple “touch and go” approach to workflow in the hospital enabling secure identification at a shared user workstation provides tailored, personalized and secure access to medical patient records. This is an enhancement in both cost efficiency and administrative relief. In some developing countries where literacy or access to government programs are limited and where there are real and compelling challenges, biometrics identification can make the difference between citizens getting access to food, benefits or critical services. Patients in a nationwide Mexico healthcare system can biometrically identify themselves and ensure that the person getting treatment is who they claim to be and not someone pretending to be that individual or an identity thief. Small children in Africa who are desperately in need of life saving vaccines have demonstrated that the use of biometrics by medical staff can keep track of those who have been treated, ensuring that more children are protected and fewer vaccines are wasted. Fewer medical mistakes and greater efficiency is realised with Biometrics And, more recently, biometrics are now being used in consumer applications and on smart devices and cell phones to protect private and sensitive information that otherwise might be vulnerable simply because users value convenience over security. Although the risk of spoofing is legitimate, is that risk really greater than not locking their personal devices for lack of convenience? Benefits of biometric technology The use of biometrics in every one of these applications provided one or more of the following benefits: more security, more certainty about who was transacting, more privacy, more ease of use, more regulatory compliance, more cost savings, more convenience, and on and on. In short, whether the application or use case is a serious commercial enterprise application, civil program or just a personal security assistant, the value and benefit of biometrics is and will likely continue to be compelling. We live in a complex digital world where our digital identities have become increasingly important and where we will constantly face threats. Risks are an inescapable reality and must, therefore, be considered. But it is also short-sighted to overlook the benefits as these may often far outweigh the risks. Many people will continue to focus what’s wrong with biometrics. However, expectation is that as people better understand what’s right with the technology and the benefits offered, biometric authentication will become even more accepted and mainstream.
Important biometric capabilities include multispectral imaging, superior liveness detection, and tamper resistance Technology developments are enabling a range of new functionality for biometrics in the security market. Early biometrics solutions had poor performance (high failures during enrolment or acquisition that meant significant percentages of users could not use biometrics), says Phil Scarfo, VP worldwide marketing, biometrics, HID Global. Early solutions were not able to distinguish live fingerprints from fakes, thus stoking fears that we face a new and more dangerous form of identity theft if someone can steal and use a digital version of person’s unique biometric. Lumidigm biometric sensors – spotting fake from real Today’s technology is much improved compared to earlier generations. For instance, HID Global's Lumidigm biometric sensors with multispectral imaging technology increase performance through improved fingerprint data collection, can identify real human tissue as authentic and detect fraudulent materials within a fraction of a second. The latter, liveness detection capability is built from advanced machine learning algorithms, and its spoof-detection algorithms can be updated as new threats and spoofs are identified, enabling the sensors to very quickly respond and adapt to new vulnerabilities. Unlike any other fingerprint technology, this “learning” capability allows Lumidigm fingerprint sensors to keep up with new threats. Additionally, HID Global’s Lumidigm biometrics solutions are increasingly being deployed using intelligent encryption-enabled and tamper-resistant devices that further strengthen secure authentication and protect user privacy. Multispectral imaging Important biometric capabilities are multispectral imaging, which improves performance by collecting more relevant fingerprint data than other technologies, and superior liveness detection. Another important development at HID Biometrics is biometric devices that are encryption-enabled with various tamper resistance and detection capabilities that protect the integrity of the sensor as well as communication between the client and the sensor. These devices can increase security for banking and other sensitive applications by connecting to the institution’s systems through a cryptographically secure channel protected by hardware tamper detection and response, which establishes trust between the device and the institution’s systems independent of intermediate systems and networks. Half of all deployments of the company’s biometric solutions use this increasingly popular biometric systems architecture, and more are sure to follow. Some of these customers have even taken advantage of this architecture and Lumidigm liveness detection technology to enable secure self-enrolment at the ATM, since spoofs are checked with every finger placement. HID V371 biometric reader for identity verification HID Global’s latest biometrics solution is the V371 reader – the first HID Global offering to integrate Lumidigm technology. It combines the company’s high-performance biometrics sensors with its contactless reader technology to simplify identity verification while improving fraud protection compared to other card-and-fingerprint readers. Other anti-counterfeit methods have been used to combat card fraud, but only the V371 ensures authenticated users are the same people that were issued the cards. ZKTeco provides door access without having to carry on a physical credential or memorise a PIN code More means of authentication, better security Biometric manufacturers will argue whose “sensors” are more reliable/accurate, which can be difficult to prove, says Larry Reed, CEO, ZKAccess, another biometrics company. At the absolute minimum, a biometric device must have a least two means of identifying users, he says. “ZKTeco is unique in that we offer customers up to four means of authentication,” says Reed. “For instance, our model Multi-Bio 700 can read a user’s face and/or fingerprints (up to all 10) and/or ID badges and/or PIN codes … or any combination. And the latest model FV350 is a multi-biometric that replaces face with finger-vein pattern technology. With ZKTeco, authorised users can gain door access without having to carry on their person a physical credential or memorise a PIN code (either of which can be lost, forgotten or stolen). Another new introduction is ZKTeco’s access control camera model BioCam. BioCam can release a door lock upon recognising an authorized user’s face up to 12 feet away. As with MB700, FV350 and most all ZKTeco access control models, BioCam is completely standalone. It does not require a computer for programming or a separate access controller. In most cases, ZKTeco models (including BioCam) require only an electric door lock and power (option to connect ZKTeco or third party panel via Wiegand).
A number of misconceptions exist about the capabilities and technology ofbiometrics, perpetuated in popular culture by films and TV Like many categories in the security marketplace, the biometrics market suffers its share of misconceptions, ranging from misunderstanding of the technology to underestimating its utility for a broad range of uses. Misunderstandings created by pop culture Contributing to the problem of understanding is the popular culture. “Popular movies such as James Bond and Mission Impossible have created many misconceptions and misunderstandings regarding biometrics,” says Robert Fee, Director of Sales, Access Control, Zwipe. “We all see them create perfect copies within minutes, and enter buildings or highly secured areas. If it was that easy, there would not be a multi-billion-dollar-a-year industry.” Another misconception that comes up is that a fingerprint template stored on one device works exactly the same with any other biometric device, says Fee. There is also a misconception that someone can steal and use a digital version of a person’s unique biometric, says Phil Scarfo, VP Worldwide Marketing, Biometrics, HID Global. “Some of the more advanced technologies like multispectral imaging [from HID Global] can identify human tissue as authentic, quickly detect fraudulent materials and respond and adapt to new vulnerabilities with a ‘learning’ capability that keeps up with new threats,” he says. Another misconception is that all biometrics devices and solutions are created equal. “What may be right for a mobile device and consumer application is not sufficient for commercial or enterprise applications,” says Scarfo. While there is the fear by some that biometrics poses a threat to personal privacy or a potential permanent loss of digital identity if it is stolen or compromised, it is far outweighed by the measureable benefits, he says. Ironically, the focus historically has been more on the potential risks rather than the benefits, adds Scarfo. Biometrics binding digital identities to individuals Most people don’t fully appreciate the critical importance of biometrics in an increasingly complex world of digital identities and ever-expanding ecosystem of ID cards, phones and other devices, says Scarfo. Biometrics is the only true means of linking or binding digital identities to the individual, determining who is actually using the system, and verifying whether he or she is a legitimate user for a myriad of new mobile and on-line applications. “The ability to securely link or bind digital identities to ourselves will simplify life and make it more secure,” says Scarfo. “Intelligently coupling what we have with who we are is a much better way forward in today’s complex digital world.” Misconceptions also persist around cost and ease of use, according to Steve Perna, Executive Director, Products and Solutions Division, SRI International. “Today’s biometrics systems are reliable, cost-feasible (particularly from a lifecycle cost perspective), and deliver ease of use,” he says. “Costs are being driven down across all aspects of the biometrics ecosystem, from underlying technologies and platforms to the devices themselves.” As prices reduce, functionality and features improve, and technologies become more mobile, biometrics is becoming an increasingly attractive form of security Misconceptions related to privacy There are also misconceptions related to privacy. People are apprehensive about sharing their biometric information out of fear of how their information can be exploited maliciously, says Arie Melamed Yekel, CMO, FST Biometrics. “However, these concerns are unfounded.” Much of an individual’s biometric information is already available publicly, whether registered through a governmental database, or facial/body/voice images and videos available on public social media profiles, he says. “In fact, entering one’s biometric information into a system such as FST Biometrics’ is much more secure since we take care to encrypt our data and protect our users,” he says. ZKAccess sees a big misconception is that biometric devices capture the actual image of a person’s fingerprint or face when enrolled. This creates a privacy concern for users that their fingerprint/face image can be compromised and subsequently used or shared without their permission, resulting in personal and/or financial harm to them. Biometrics do not capture live images. "Biometrics and fingerprinting are not the same,” says Larry Reed, CEO, ZKAccess. The commonly observed method of “fingerprinting” (seen on television and in hospitals/government facilities) is also known as an AFIS (an Automated Fingerprint Identification System, which uses digital imaging technology to obtain, store and analyse fingerprint data and originally used by the U.S. Federal Bureau of Investigation [FBI] in criminal cases). However, commercial biometric systems do not store/match actual images. Instead, biometric devices capture and store only a few dozen minutia points on the finger or face, apply proprietary mathematical algorithms, and convert those minutia points into binary code (i.e., a series of zeros and ones). “If you were handed a pencil and told to draw someone’s face by using 40 to 50 dots, would anyone recognise the face you drew?” Reed asks. “This is how biometrics capture, store and match templates. Only binary code is used.” Early adopters of fingerprint readers Some misunderstanding of biometrics stems from suboptimal experiences of early adopters of fingerprint readers for access control, says Steve Perna. “But the truth is that, in most cases, organisations didn’t try and abandon biometrics,” he says. “More likely they never adopted it due to stories they heard that impacted public perception. In other cases, higher prices dampened enthusiasm.” However, Perna says these impediments to adoption continue to fade, as prices come down, functionality and features improve, and as biometrics become inherently mobile and can deliver benefits beyond access control, such as time-and-attendance tracking, inventory management and logical access to other applications.
Biometric solutions are replacing PINs at physical ATMs and providing a more fool-proof form of identification for banking security Biometrics is seeing especially rapid adoption rates throughout the worldwide banking infrastructure, particularly at the ATM and teller counter, says Phil Scarfo, VP worldwide marketing, biometrics, HID Global. “There are also opportunities for biometrics to improve security by enabling transaction-based authentication for online and mobile banking”, he says. Apart from the usual video security and CCTV solutions that are being widely used, biometric authentication ensures enhanced protection for banks. Interoperable biometric authentication devices for payments & mobile banking Popular use cases include a) PIN replacement at physical ATMs; b) proof-of-presence (such as pension benefit distribution) that requires liveness detection; c) more easily authenticating multiple transactions during a single ATM session; d) incorporating biometric information directly into a smart device; and e) the ability to leverage investments in biometric enrolment databases across multiple applications. An example of the latter is when fingerprint authentication on mobile devices used for payments and secure mobile banking is also used in conjunction with enrolled information for authentication at an ATM. The availability of interoperable authentication devices would permit cross-bank usage and pave the way for many new applications in the future. When multi-spectral fingerprint technology is combined with a trusted biometric authenticator, it can enable new user experiences that are highly inclusive, non-intrusive and secure, says Scarfo. In one example, a financial institution has enabled customers to enjoy card-less processing, which improves security by eliminating the need for PINs while offering the convenience of making their finger the only required personal “key” or “wallet” for accessing cash and conducting other transactions at an ATM. Users simply enter their account number and confirm the transaction with a fingerprint. The bank that took this to market established a competitive advantage over its peers who did not offer the service, which resulted in the successful acquisition of new customers who made the switch specifically for this reason. Biometric solutions on smart devices combine security and convenience for theuser, removing the need for bank cards to make cash transactions Biometrics identity-proofing reduces risk of fraud & identity theft Scarfo says many countries use biometrics to strengthen the chain of trust across many different types of transactions – from banking to citizen ID applications like pension delivery and public healthcare services. By enrolling a citizen’s fingerprints and then creating an ecosystem in which these transactions are strongly tied to that individual’s biometrics, the potential for fraud and identity theft approaches zero, says Scarfo, and the process is simple and convenient for users. The biometric for identity-proofing each transaction must interoperate with trusted devices at each verification point (including PCI-compliance readers and mobile devices bound to their owners), and there must be adequate liveness detection and identity proofing across all transactions. Scarfo says HID Global’s Lumidigm biometric authenticator exemplifies this approach for creating a device-independent, trusted physical identity verification process. It connects to an institution’s systems through a cryptographically secure channel protected by hardware tamper detection and response, establishing trust between devices and the institution’s systems independent of intermediate systems and networks. The device performs a finger scan with best-in-class liveness detection to ensure the person transacting is the one that enrolled the fingerprint. Extending this concept, if a card, smartphone, PID pad, or other form of authentication is then presented for authentication, each is also confirmed by the biometric to ensure true identity verification was performed in a trusted manner.
The universe of biometric authentication applications is expanding rapidly invertical markets such as healthcare and retail Once used mostly to secure high-value government facilities, biometrics are now a basic tool used in a variety of vertical markets. This article will look at some of those opportunities. For healthcare organisations, for example, biometric authentication is being used for secure medical dispensing to streamline workflow and control drug diversion, and for securing access to electronic medical records, e-prescriptions, and patient registration. “These are just a few of the many examples of today’s rapidly expanding universe of biometric authentication applications,” says Phil Scarfo, VP Worldwide Marketing, Biometrics, HID Global. “We are seeing the transition of biometrics into broader markets,” says Steve Perna, Executive Director, Products and Solutions Division, SRI International. “By making biometrics easier to use and implement, we see changing public perception and adoption spreading to mass market applications such as financial/banking account access control, personalised healthcare, mobile payments, as well as residential market access control.” Biometrics-embedded tablet devices In terms of market potential going forward, Perna expects to see consumer applications grow substantially because prices are going down, while performance and ease of use are vastly improved. An example of this is increased activity around biometrics-embedded tablet devices, which can provide the mobility and flexibility to be used for numerous applications beyond access control. Tablets are also accelerating the shift of consumer/employee access control from passwords (weak) to iris recognition (strong), while ensuring an individual is accessing information over a network – or a company is providing information to individuals – that only they are entitled to see. “We’re really talking about security in general,” Perna says. “Biometric-embedded tablets can make guard tours easier to track and monitor, and enhance data communications instantly in both directions.” Iris recognition guarantees that the person checking in is the right person at each station. With the SRI tablet, they can access real-time surveillance video or other information as they respond to an incident. For routine maintenance reporting, a broken pipe or burned-out bulb can be recorded on the spot – automatically triggering maintenance processes. These activities are typically conducted, with no authentication, through handheld data loggers and other devices for future download. Performing these functions on one tablet eliminates multiple steps and increases accuracy. Biometrics-enabled tablets and devices provide mobility and flexibility applicationsfor users across multiple markets Perna points to the use of SRI’s biometric computing platform in a warehouse scenario. Warehouse access – as well as any secure areas or cages within – can be controlled by the same device that interfaces with the inventory management system. Picked items could be instantly recorded for a precise audit trail that limits theft. Usually this is done with a combination of cards or PINS, handheld devices, remotely managed systems and even paper pick lists. With the integration of security and businesses processes you know exactly who is at the location and exactly what they’re doing while they’re there. FST Biometrics In-Motion Identification (IMID) FST Biometrics reports the company’s In-Motion Identification (IMID) is being deployed in greater numbers by large corporations and residential buildings to secure facilities that are used by thousands of people daily. However, FST Biometrics’ solutions provide benefits beyond security. The IMID product line also saves time and money, says the company, by shortening the time it takes to enter and exit an access point and eliminating the need for keys and cards – and the replacement costs associated with them. “In addition, we are starting to see FST Biometrics’ solution being used in consumer loyalty programmes as a way to provide better user experiences and services,” says Arie Melamed Yekel, CMO, FST Biometrics. “We believe there is a huge potential in this space for biometrics.” An application that illustrates the use case is a customer who has enrolled in the loyalty programme of a coffee shop chain. Upon entering a location in the chain, the customer’s identity is verified via the IMID system. Without having to present any card, the customer is offered his regular coffee and promotions tailored to his/her preferences and previous purchases. Once the customer makes a purchase, payment is applied to a previously registered account, to which relevant discounts are applied. The company has experienced growing sales and increased interest in the last few years.” The products’ newest generation includes integration with C-Cure by Software House (Tyco), a major physical access control system. In-Motion scanners can also be applied in retail markets to scan customersand access their loyalty scheme account ZKTeco fingerprint readers Hundreds of ZKTeco’s IP68-rated fingerprint readers protect passengers and crew from unauthorised access to hundreds of doors on a few multi-million-dollar super yachts. “We also protect chickens (livestock) from dangerous predators/poachers and environmental conditions that exist if their enclosures are not protected,” says Larry Reed, CEO, ZKAccess. “We protect the homes, parking garages and wine cellars of some rich famous celebrities. And we protect the outhouses (bathrooms) of a campground proprietor wishing to discourage non-paying patrons from using/vandalising the toilets.” ZKTeco has been in business over 20 years and has tens of thousands of customers; therefore, it’s difficult to specify a single solution, says Reed. “In very modest terms, we simply make ‘electric switches’ that only operate once the authorised user first presents for identification their fingerprint, face and/or more recently, their finger vein,” he says. “Our ‘switch’ has been used to control doors, gates, fences, elevators, computer server cages, trash compactors, balers, forklift trucks, medical and gun safes, motorised robots, students’ locks and key locks. Our biometrics are used to control anything that is protected or operated by a low-voltage electric motor. The obvious benefits are improved security, added convenience, and avoidance of regulatory fines.” Call for CIPS-006 compliance There has been strong biometrics demand from organisations required to comply to NERC Critical Infrastructure Protection, specifically CIPS-006: Physical Security of Critical Cyber Assets. The standard specifies two-factor authentication, which typically means, replacing existing readers and running new cabling. Zwipe eliminates that need and locks the card to a single card owner, says Robert Fee, Director of Sales, Access Control, Zwipe. “Zwipe devices cannot be borrowed or loaned to anyone, and issues related to lost or stolen credentials are greatly reduced,” he says. “Plus, if an organisation wants to use a biometric reader with on-reader template storage, that device becomes a critical device requiring additional physical security protection.”
HID Global’s Lumidigm biometrics solutions combine convenience with security by using patented multispectral imaging technology HID Global®, a worldwide leader in secure identity solutions, recently announced it will showcase its Lumidigm® biometrics solutions for banking, healthcare and citizen ID applications in booth #200 at the connect:ID Conference, from March 23-25, 2015 in Washington D.C. Four company executives are participating in the conference program, where they will deliver the opening remarks, speak at the evening reception, lead a panel discussion on the future of identity, and speak on topics including assured authentication in healthcare and the privacy implications of facial recognition. connect:ID will be held at in the Walter E. Washington Convention Center. HID Global executive participation during the conference includes: Robert Harbour, IBIA Chairman and executive director, Biometrics with HID Global will provide opening remarks to welcome delegates. Phil Scarfo, vice president Global Marketing, Biometrics with HID Global: Scarfo will lead the conference’s opening panel entitled “The Launchpad: Identity in a Brave New World,” on Monday, March 23 at 12:40 p.m. Greg Sarrail, vice president Solutions Business Development, Biometrics with HID Global: Sarrail will be speaking on how to use assured authentication in healthcare to secure access for patients and providers. His presentation will take place on Tuesday, March 24 at 11:30 a.m. Kathleen Carroll, vice president of Corporate Affairs with HID Global: Carroll will speak at the conference evening reception on Tuesday, March 24, from 5:45 p.m. to 6:45 p.m., and participate in a spotlight panel on facial recognition that will take place on Wednesday, March 25 at 1 p.m. HID biometrics HID Global’s Lumidigm biometrics solutions combine convenience with security by using patented multispectral imaging technology to make fingerprint authentication and identification more robust, more inclusive, and more reliable than other fingerprint sensor alternatives for mainstream applications including verifying identity at bank tellers and ATMs. The technology uses multiple light spectrums and advanced optical techniques to extract unique fingerprint characteristics from both the surface and subsurface of the skin, ensuring there is enough detail, even under less-than-optimal environmental conditions, to deliver reliable biometric authentication.