
4.24.24 – SSI – Bobby Varma

Across the security industry, demand for two-factor (2FA) or multi-factor authentication (MFA) is rising.

A decade ago, most considered it appropriate only for high-security and government installations. Today, it’s standard for logical security and software applications. Next up is mainstream physical access control.

Independent research predicts the market for MFA solutions will grow by $9 billion between 2020 and 2025.

In a world in which the public feels increasingly vulnerable, MFA not only makes people feel safer; it actually delivers. MFA severely limits the possibility of unauthorized users entering a property using a borrowed, stolen, or cloned credential. It requires individuals to provide at least two of the following to authenticate their identity:

  • Something they know, like a PIN or password
  • Something they have, like an access card or mobile credential
  • Something they are, meaning a unique biometric like a fingerprint, face, or iris

MFA solutions are most secure when one of the factors is a biometric. An imposter may obtain a user’s PIN and access card, but it’s much harder to fool a reader with a fake biometric, provided the reader performs presentation attack (liveness) detection so that a photo, a replayed video, or a moulded fingerprint is rejected. For this reason, regulations require many government entities, utilities, and properties supporting critical infrastructure to use biometrics as one form of identification wherever MFA is required.

How Biometrics Work

Traditional access control stores each user’s credential number in a centralized database. When users present their cards to a reader, they are granted access if the number encoded on the card (on modern smart cards, in encrypted form) identifies them as an enrolled user with permission to enter that door. Each card encodes a facility code, shared by all cards issued for that building or access control system, and a card number unique to each person. The card number is an arbitrary assigned value; it says nothing about who the person is.
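As an added example (not from the article or any vendor’s code), here is what the facility code plus card number scheme looks like on the wire in the most common 26-bit Wiegand layout, H10301: one even-parity bit, an 8-bit facility code, a 16-bit card number, and one odd-parity bit. The access-control database is a constructed stand-in keyed on the (facility code, card number) pair; door names and numbers are invented for illustration.

```python
# Added example, not from the article: decode a 26-bit Wiegand frame in the
# widely used H10301 layout (1 even-parity bit, 8-bit facility code,
# 16-bit card number, 1 odd-parity bit) and look the credential up in a
# constructed access-control database keyed on (facility code, card number).

from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility_code: int   # shared by every card issued for this site/system
    card_number: int     # arbitrary number assigned to one person


def _bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def decode_h10301(bits):
    """Decode a 26-bit frame given as a sequence of 26 ints (0 or 1).

    Raises ValueError on a bad length or a parity failure. A parity failure
    usually means a wiring fault or a corrupted read, and a panel should
    reject the frame rather than guess at the credential.
    """
    if len(bits) != 26 or any(b not in (0, 1) for b in bits):
        raise ValueError("expected 26 bits of 0/1")
    # Bit 0 is even parity over bits 0..12; bit 25 is odd parity over bits 13..25.
    if sum(bits[0:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if sum(bits[13:26]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return Credential(_bits_to_int(bits[1:9]), _bits_to_int(bits[9:25]))


def encode_h10301(facility_code, card_number):
    """Build a valid frame; used here only to construct sample reads."""
    if not (0 <= facility_code < 256 and 0 <= card_number < 65536):
        raise ValueError("facility code or card number out of range")
    payload = [int(c) for c in f"{facility_code:08b}{card_number:016b}"]
    lead = sum(payload[:12]) % 2            # makes bits 0..12 even
    trail = 1 - (sum(payload[12:]) % 2)     # makes bits 13..25 odd
    return [lead] + payload + [trail]


# Constructed database: the card carries only the two numbers above;
# door permissions live server-side, keyed on the (facility, card) pair.
ACCESS_DB = {
    Credential(42, 1001): {"lobby", "floor-3"},
    Credential(42, 1002): {"lobby"},
}


def authorize(bits, door):
    """True only if the frame decodes cleanly, the credential is enrolled,
    and it is permitted at this door. A card from another facility with the
    same card number is a different credential and is rejected."""
    try:
        cred = decode_h10301(bits)
    except ValueError:
        return False
    return door in ACCESS_DB.get(cred, set())


if __name__ == "__main__":
    frame = encode_h10301(42, 1001)
    print(decode_h10301(frame), authorize(frame, "floor-3"))
```

Note that nothing in the frame is secret: anyone who can read the card, or tap the reader-to-panel wiring, learns the full credential, which is why the article’s later sections add a second factor.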

When a biometric is used as a credential, the code associated with each user is no longer arbitrary. Instead, it is derived from the person. A proprietary algorithm converts a set of biometric measurements into a long string of numbers that the industry often calls a “hash.” Strictly, it is a template: unlike a cryptographic hash, two captures of the same person never produce bit-identical output, so the reader compares a live capture against the stored template with a similarity score and accepts it only above a tuned threshold.

Because the template describes physical traits rather than an assigned number, two people’s templates match only if the algorithm cannot tell those traits apart. Identical twins, for example, may match each other on a face system because they look so much alike, but their fingerprints and irises are sufficiently distinct that those templates would not match.

Templates are designed so that the original face, iris, or fingerprint cannot be reconstructed from them; how well that holds in practice depends on the template format and on whether a template-protection scheme is used, so templates should still be handled as personally identifiable information (PII). Whatever the technical safeguards, when biometrics are used as a credential, either alone or as part of MFA, employees sometimes express discomfort about having their PII stored in a database.

Employers can alleviate workers’ concerns through education about how such systems work or by deploying a solution that allows employees to retain sole ownership of their biometric data.

Decentralized Biometric MFA

For organizations preferring the latter option, here are two ways to implement such a solution.

Biometrics on card: Today’s 13.56 MHz smartcards for access control are designed to hold additional data beyond the facility and user codes, including a user’s biometric hash. When administrators enroll someone into the access control database, they can conduct a biometric scan, create a hash, and load it onto the assigned access control card. Then, they delete the biometric from their system.

The hash only resides on the card, and the company retains no record. The company’s database links users to their cards – not their biometrics.

When a user passes through an access-controlled entryway, 2FA occurs by:

  1. Verifying the credential embedded in the smart card – to which permissions are assigned through a managed database associated with the access control solution.
  2. Matching the cardholder’s biometric to the hash stored on the card.

This approach means a lost or stolen card is useless to anyone but its holder, provided the template on the card cannot simply be rewritten: the card application holding it should be write-protected and authenticated by the reader, or an attacker holding the card could replace the template with their own. At the same time, only the cardholder possesses the biometric data used to verify their identity.
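The two-step check described above, modelled as an added example that is not the article’s or any vendor’s code: the card carries a credential number and the holder’s template (what the article calls the hash), the server-side database maps credential numbers to doors and never holds a template, and the biometric match is a similarity score against a threshold rather than an equality test. The feature extractor, the 0.95 threshold, and all sample measurements are constructed stand-ins; real extractors and operating points are vendor- and modality-specific.

```python
# Added example, not from the article: a model of biometrics-on-card 2FA.
# The smart card carries a credential number and the holder's biometric
# template (what the article calls the "hash"); the server-side database
# maps credential numbers to door permissions and never holds a template.
# Templates here are short float vectors standing in for real feature
# vectors, and a match is a similarity score compared to a threshold.

import math
from dataclasses import dataclass

MATCH_THRESHOLD = 0.95   # assumed operating point; real systems tune this per modality


@dataclass
class SmartCard:
    credential_number: int
    template: tuple        # biometric template; the only copy lives here


# Constructed server-side database: credential number -> permitted doors.
# No biometric data is ever written here.
ACCESS_DB = {}


def extract_template(sample):
    """Stand-in for a vendor's feature extractor: L2-normalise the raw
    measurement vector so that cosine similarity is a plain dot product."""
    norm = math.sqrt(sum(x * x for x in sample))
    if norm == 0.0:
        raise ValueError("empty biometric sample")
    return tuple(x / norm for x in sample)


def similarity(t1, t2):
    """Cosine similarity in [-1, 1]; two captures of the same person are
    close but never bit-identical, which is why a threshold is used."""
    return sum(a * b for a, b in zip(t1, t2))


def enroll(credential_number, doors, enrollment_sample):
    """Write the template to the card and record only permissions centrally.
    The admin system hands back the card and keeps no copy of the template."""
    card = SmartCard(credential_number, extract_template(enrollment_sample))
    ACCESS_DB[credential_number] = set(doors)
    return card


def two_factor_authorize(card, live_sample, door):
    """Factor 1 (something you have): the card's credential is enrolled and
    permitted at this door. Factor 2 (something you are): the live capture
    matches the template on the card. Both must pass."""
    if door not in ACCESS_DB.get(card.credential_number, set()):
        return False
    live = extract_template(live_sample)
    return similarity(live, card.template) >= MATCH_THRESHOLD


def revoke(credential_number):
    """Losing the card costs nothing biometric: drop the credential centrally
    and the template on the card is useless even to its rightful holder."""
    ACCESS_DB.pop(credential_number, None)


# Constructed samples: two captures of Alice differ slightly, as real
# captures do (similarity about 0.9996); Mallory's measurements are
# unrelated (similarity about 0.61).
ALICE_ENROLL = (1.0, 2.0, 3.0, 4.0)
ALICE_LIVE = (1.1, 1.9, 3.0, 4.1)
MALLORY_LIVE = (4.0, 1.0, 0.5, 2.0)

if __name__ == "__main__":
    card = enroll(1001, {"lobby", "floor-3"}, ALICE_ENROLL)
    print("Alice at floor-3:", two_factor_authorize(card, ALICE_LIVE, "floor-3"))
    print("Mallory with Alice's card:", two_factor_authorize(card, MALLORY_LIVE, "floor-3"))
```

What the model leaves out is the part a reader vendor must get right: the card sector holding the template has to be authenticated and write-protected so that whoever holds a stolen card cannot overwrite it with their own template, and the reader must do liveness detection before the match. Those controls sit outside the matching logic shown here.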

Digital wallets: Both Google and Apple now offer the ability to distribute digital employee badges to smartphone wallets. Digital wallet credentials require users to unlock their phones to use the badge, a key difference from popular Bluetooth credentials that work even when phones are locked.

More than 80% of smartphones have biometrics enabled, making them a convenient tool for implementing highly secure MFA. Even users who unlock their phones with a PIN rather than a biometric still combine something they have (the phone) with something they know (the PIN), so the badge is still protected by two factors.

As with biometrics-on-card solutions, digital wallets allow users to retain ownership of their biometric signature. Employers have no access to the data, but are still able to leverage it as a form of user authentication.

Centralized Biometric MFA

When biometrics are stored centrally by a company as part of an MFA solution, the user experience is similar to when biometrics are stored on each access card. An employee presents their card and person to a reader or readers, and both must match the data for an enrolled user for authentication to occur. The central template store then becomes a single high-value asset: it should be encrypted at rest, access to it restricted and logged, and templates deleted promptly when people leave.

However, from an administrative standpoint, a centralized solution offers some advantages:

  1. If an employee loses their card, replacing it is easier because there’s no need for a new biometric scan.
  2. Companies can implement card-free MFA by pairing the biometric with a PIN code or Bluetooth credential. This is particularly desirable at companies with a dispersed workforce because a remote HR department can quickly issue new credentials to anyone in the company.
  3. The company can use the biometric identity solution by itself for single-factor authentication in situations where it’s appropriate.

For example, MFA may be necessary to enter a building and high-security areas like the data center, but other doorways might only require one form of authentication. Workers may prefer the convenience of a seamless, card-free experience as they move about the building, made possible by biometrics.

How to Proceed

Many OSDP access control systems and some Wiegand systems support MFA and offer integration with biometric identity solutions via their API. Prefer OSDP with Secure Channel enabled where you can: Wiegand carries the credential from reader to panel in the clear over a one-way link, whereas OSDP Secure Channel encrypts and authenticates that link, which matters when the reader is also the device making the biometric match decision. Ask your preferred access control manufacturer about partnerships they may already have.

Also, consider what biometric modality is suitable for your customer’s environment. Will users be wearing clothing that makes some modalities less practical than others? For example, iris-based systems will be more convenient than face, fingerprints, or palms for users wearing masks or gloves. Will readers be installed in locations with bright, consistent lighting? If not, fingerprints or palms may be preferable.

Finally, consider biometric identity solution manufacturers that offer MFA readers. Users will find it faster and easier to interact with a single device that handles biometrics and other credentials too. Plus, as an integrator, an MFA reader represents one less device you need to install and support.

Bobby Varma is CEO and founder of Princeton Identity. She is a past recipient of the Security Industry Association’s Women in Biometric Award and a Women in Security Forum Power 100 honoree.