​

BIOMETRICS HAVE BEEN MANDATED IN recent years for use in ports, border crossings, and some high-security agency facilities as a way to enhance access controls by strengthening identification. One program, the Department of Defense-run Common Access Card, which includes a smart card containing a user’s biometric, has issued several million new identifications.

Private industry applications have been limited, especially in the United States. But some end users have seen value in the technology. Japan, for instance, has tens of thousands of automatic teller machines that use vascular, or vein, recognition.

The technology continues to develop in areas such as accuracy and usability. Among the developments are biometrics with three-dimensional imaging, which can significantly improve accuracy and enrollment rates, and fingerprint scanners that provide contactless access, boosting accuracy and hygiene.

A wider assortment of organizations is eyeing biometrics as these technologies become more affordable and user-friendly and as concerns about fraud spotlight the need for stronger security. Growing adoption by companies such as retail stores, fitness centers, and fast food chains may in fact be one of the biggest current biometric trends, says Bill Nagel, a Forrester Research analyst.

Companies in these sectors are also finding biometric technology viable for HR purposes, such as time and attendance, Nagel says. A growing number of them are recognizing how biometrics can curtail policy abuses, such as “buddy punching,” in which two customers or employees share access cards.

Another impetus for adoption is that fingerprint scanners that can be plugged into a computer or terminal have come down in price. Vascular solutions, though slightly more costly, are also winning wider appeal for characteristics including accuracy, high enrollment rates, and their more hygienic, contactless nature.

Biometrics could also be making some modest headway against another challenge: privacy concerns, Nagel says. When smart cards are employed with biometrics, privacy concerns are reduced as users carry the biometric with them, but biometric/smart card solutions tend to be relatively expensive.

Some users become less concerned about other kinds of implementations when they learn that most databases only store an algorithm, or mathematical hash, of physical characteristics. It might contain 20 to 50 data points, Nagel says. “There is no way to reverse engineer [an identity] from so little data.”

Moreover, as employers and consumers have a chance to use biometric applications, they tend to appreciate the technology’s simplicity, he says. In more instances, “the convenience factor is starting to outweigh the cultural [resistance] factor.”

To illustrate how biometrics can be implemented, Security Management looks at two cases, at a fitness club and a fast food restaurant, where biometric adoption appears to be generating security as well as other benefits.

Members Only

St. Louis-based Club Fitness had relied for years on proximity cards for member access to its 16 locations. But in the past few years, perhaps due partly to the economy, it became increasingly clear that customers were sharing cards. “We were seeing a lot of the same people...but not really,” says Rich Quin, director of IT. The club, in early 2008, was also moving most of its centers to 24-hour access, which also created a need for a more secure access solution.

Quin says he had heard for a year or so prior that biometric technology was becoming less expensive and more usable. He started researching solutions, including iris scanners. One product, costing about $12,000 to install per location, was clearly too expensive, Quin says. He also researched some vascular solutions. He knew they could be used by a large diverse group of people. “I wanted a product that worked for the masses,” he says.

Quin also liked vascular solutions’ reputation for accuracy. Among biometric solutions, vein and iris scanners are generally best at avoiding the most false negatives and positives, according to a recent Frost & Sullivan report.

As a part of his research, Quin participated in a Webinar with vascular biometric vendor Identica Holdings of Tampa, Florida. Quin says he was impressed by the speed (or throughput) for users once they were registered. Users could present a hand, have it verified against a back office database, and gain access in under a second, “almost too fast to time.”

Quin says he considered two versions of Identica’s vascular system, called VP-II. One worked with proximity cards that typically grant access with radio-frequency identification technology. Another VP-II version worked with smart cards. The latter had a handful of additional features and enhancements, Quin says, but was considerably more expensive than the proximity card system.

The former cost about $3,400 compared to about $2,400 for the latter. Lower-end smart cards are not appreciably more expensive than proximity cards, Quin says, but it would be expensive to replace Club Fitness’ current proximity cards.

In addition to the reader, the VP-II system consists of Identica software called IONcontrol, which includes a biometric template manager, a time and attendance data repository, and a Web-based management interface. A test showed he could successfully and quickly integrate the system with Club Fitness’ current access system.

Installation. Before installing the readers, Quin started with some back-end configuration. After loading Identica’s software, he began plugging in readers. The software would scan the local network, identifying the device. The brief configuration included assigning each unit an Internet Protocol (IP) address and a name to help with identification.

After labeling individual units, he installed them in 16 locations in about a day. Physically installing the devices, including drilling holes for screws and wires, took about as long as it does with regular proximity readers, Quin says. It was helpful that Identica had been reducing the reader’s size, he says.

Enrollment. Quin first enrolled the centers’ managers. This began with Quin identifying himself to the system. Managers would then insert their proximity cards and present the back of their hand twice. The infrared scanner would capture an image, transform it into an algorithm, and store it on a network server. The process takes about a minute, according to Quin.

Some managers were initially resistant to the use of biometrics. But Quin explained the advantages of the stronger access controls, including better late-night safety.

Quin hoped that once he registered managers, they would then train their staff; center staff would then enroll customers. Identica registration would occur after customers had filled out paper work and received a proximity card.

As the transition to the new system began, a few members voiced privacy concerns, Quin says. Such concerns were reduced, however, when Quin or a manager would describe how Identica stored no actual physical image and also how vein biometrics had no government or other centralized databases.

Many centers kept their Identica systems dormant for a week or two to allow time to register new and existing users. As the system went live, however, many genuine members were locked out, Quin says. Many had not been brought into the new system.

The company solved the problem by giving managers a financial incentive. Senior management explained that lockouts could start to affect the amount of commission managers received.

Results. The system quickly produced positive results. A few weeks after installation, many facilities experienced nonmembers trying to enter in vain. Some said they had the wrong card; some didn’t return; others signed up for a paid membership. The system had successfully helped eliminate freeloaders.

Fast Solution

Tar Heel Capital of Boone, North Carolina, is one of the country’s largest Wendy’s restaurant franchise owners. Like similar establishments, Wendy’s had a policy requiring managers at all stores to approve voids and transaction changes. Managers also needed to approve bank or credit card transactions when two transactions with the same card occurred in quick succession. This rule was aimed mainly at protecting against “double swiping,” in which sales staff can ring an unauthorized charge without customer’s knowledge after ringing the legitimate charge for which the customer has handed over the card.

Managers would approve a transaction by swiping their own card through the terminal. But the company’s managers had magnetic swipe cards that could not be directly tied to each manager, which made the policies hard to enforce. Cards were easily misused because they were left lying around by managers or because they were stolen or intentionally shared. The company was also spending considerable sums replacing lost cards, each of which cost about $1 without shipping.

Tar Heel Capital wanted to address these issues. It also sought a way of better monitoring and enforcing time and attendance among its 2,800 employees.

Rob Ireland, Tar Heel Capital’s IT director, had been hearing about how some similar businesses had been alleviating such problems with biometric solutions. Ireland also says that the company had recently brought on a new top-level executive who had expressed interest in biometrics. Nonetheless, he began looking into the issue with a degree of skepticism, because he thought that any solution would be too costly and complex.

After some initial research, he concluded that fingerprint scanners would be least costly. He looked at some point-of-sale (POS) terminals with built-in scanners, but he found that replacing the company’s terminals would be too expensive. Fingerprint solutions that could plug into terminals via USB would be far less expensive overall.

A technology vendor that Ireland had worked with suggested a plug-in solution called U. are U. from Redwood City, California-based DigitalPersona. One initial DigitalPersona advantage was that authentication could occur merely by having a user place a finger on a reader, Ireland says.

Ireland decided to order several of the readers so that he could test their performance and user-friendliness in one restaurant. In addition to the readers, the system required that Ireland install DigitalPersona software. He says that simply required that he insert a disk into the restaurant’s back-end server; once running, the program automatically installed drivers into the POS terminals. After rebooting the terminals, Ireland was able to do enrollment, which he says was relatively simple, requiring a few finger swipes of a couple of fingers.

Ireland says that after conducting a little online research, he was able to find the readers priced for approximately $100 each; the software came free with the readers, he says.

Quick acceptance. Ireland obtained company approval to purchase the devices and decided to start with an initial rollout of about 40 units total at about 10 of Tar Heel’s approximately 75 restaurants. A slightly larger rollout would follow, with an eventual goal of integrating the units into almost all of Tar Heel’s restaurants.

Once a store was converted, Ireland knew the old cards would no longer function. His backup plan if he encountered any serious problems with the fingerprint system was that he could convert a restaurant’s authentication system to keypad entry. Ireland says he was confident he could revert to such a method without too much difficulty as the company had used a keypad system a handful of years before it adopted the card authentication method. It would be relatively simple to deactivate the card system to the previous method, he says.

Ireland began by calling managers to describe the project; most seemed supportive, he says. He then mailed out units to different stores on a rolling basis. He asked managers to set aside about 20 minutes to speak by phone after the readers arrived.

During calls, he could remotely view the restaurants’ POS terminals. After booting the software, he asked managers to attach the readers and reboot the machines. He then helped them enroll their prints.

While managers were enrolled remotely, Ireland went on location to stores to help enroll staff. Some employees expressed privacy concerns. He says concerns may have been reduced because the company had recently completed an effort to remove Social Security numbers from restaurant databases. The initiative may have given the company some credibility,

Ireland says. Staff seemed more concerned about the Social Security numbers than they did about the fingerprint biometric data, he says. Ireland says he tried to have each restaurant keep at least one spare unit securely in the back as a replacement. All terminals generally aren’t used at once, he says; it is also relatively simple to move readers among terminals.

Since installing units in most of Tar Heel’s Wendy’s, one or two readers have stopped working, but the vendor has sent replacements, Ireland says. In a few cases, some legacy terminals didn’t function with the new product, he says, but those machines were old and are being replaced.

He encountered few installation-related technological problems. One minor issue occurred in the beginning when readers were attached before the software was running; some machines required a reboot.

Ireland says he was half-amused when, during installations, the most common question managers asked was “If I’m not around, can I lend someone my card?” But managers quickly adapted, he says. “Most people just thought the technology was cool.”

Results. Ireland likes the new system and appreciates not having to continually replace cards. The number of voids has decreased noticeably, he says. Food costs have also fallen compared to sales. With the readers, “you know the manager was actually there.” Ireland estimates that the solutions will pay for themselves “in about six months.”

The Wendy’s restaurants, like Club Fitness, are part of a small but growing group of companies that might not have considered biometrics a few years ago. They both say they are glad they did.

John Wagley is an associate editor at Security Management.