Myths About Biometric Access Control and Security

Biometric authentication and identification is the use of fingerprint recognition, facial recognition, iris scanning, voice recognition, and vein pattern recognition for access control, security and people monitoring. The biometrics most in use commercially are fingerprint and facial recognition due to their accuracy, speed, and cost-effectiveness. Tensor provides systems for both fingerprint and facial recognition access control, security and staff management, offering secure entry solutions that are ideal for modern workplaces.

The use of biometrics for identification has been around for centuries (see our history of fingerprinting blog for more) and the technology for fingerprint and facial recognition has been increasingly popularised and trusted over the last several decades, most significantly since 2013, when Apple introduced their fingerprint authentication for iPhones, and then in 2017 they introduce facial recognition with Face ID.

But there are still some frequent beliefs about the technology that are no longer true — if they even ever were. Here are some of the most common, and why they are incorrect.

Biometric data isn't secure and my face scan can be stolen

One of the main concerns about biometric identification is that 'hackers can steal my face!'

Firstly, of course, nobody can actually steal your face — it's attached to your head, and your fingerprints are on the end of your fingers. This is unlike other forms of identification — cards, passwords, keys etc — which can be stolen. In that instance you wouldn't need to be present for them to be used, so anyone could use your password or your access card or key. With biometrics there would need to be a person there with your face or fingerprints for them to work.

The other aspect of biometric data being stolen is that the data is not actually an image of your face or fingerprint. The data is stored as an encrypted code, called a biometric template, with no identifying information, which means that even if the data is hacked, it's not a face or fingerprint that is accessed, so it would be useless to acquire.

Reputable providers of biometric authentication and identification — including Tensor — will have attained ISO 27001, the world's leading standard for information security management systems, which means they manage risks related to the security of data owned or handled by the company to protect sensitive data, reduce cyber threats, and ensure the confidentiality, integrity, and availability of the information.

Biometric scanners can be easily fooled

As noted above, biometrics cannot be stolen — but they can be copied. So, if someone does have an image of your face or a copy of your fingerprints, can they use them to fool biometric readers?

All good modern biometric systems (including Tensor's) have features in place to reduce the possibility of being fooled, including being able to detect live biometrics to ensure the face or fingerprint is part of a real human being, which means a photo of a face doesn't work. Likewise, a real finger is required for a fingerprint to be accepted.

There is concern, however, that with ever more impressive digital cameras and 3D printers, it is possible to create full-face masks that can be detailed to look extremely lifelike — and in an increasingly online world there is ample video footage from which to create such masks. This does require a lot of work and the ability to create and paint them in the necessary detail; there are other, less labour-intensive ways to breach security should anyone wish to try.

Biometric identification doesn't work if someone changes their appearance or as they age

Irises do not change as people age, ensuring eye scans are accurate, and biometric readers utilise several data points when reading a face or fingerprint to ensure a match, usually based around bone structure and measurements of features that do not change in adults. These measurements can also mean the systems can differentiate between family members — even twins.

However, it is considered good practice to use multiple methods of authentication to safeguard against any issues — and as additional layers of security. Biometric scanners are often accompanied by smartcard readers or other means of identification; Tensor's range of products include face, fingerprint and hand identification alongside smartcards, key fobs and PIN codes, ensuring an extra level of reliability and security.

It's an infringement of privacy

Biometric data is considered personal data and therefore protected by data privacy laws such as GDPR, and as such is generally more secure than other types of identification (for example a driver's licence, access card or password, all of which could be lost or stolen).

A concern is that your biometric data will be used to identify you in other situations — for example, that you will be entered into a huge database that can be accessed by other people using biometric identification. This is not the case; each system uses its own database (and some even break the data apart to store it in multiple locations for additional security) and no other system or person can access it.

People are usually asked to consent to biometric data being used, the circumstances of its use, and the duration of its storage— and, as noted above, biometric identification systems don't use an actual picture of your face at all.

In addition, people assume specific facial authentication and general facial recognition are the same, but they are two different things.

General or public facial recognition is where crowds are monitored for surveillance, usually without people's knowledge or consent, in order to see if any specific people are present.

Specific identification and authentication for private use is where you have given your permission for your face (or other biometric data) to be used for access control or security reasons in one particular setting. These systems only recognise people who have registered on the database. Only devices connected to that database will be able to recognise you.

Biometric authentication systems are complicated and expensive

The increased use of biometric authentication on smartphones throughout the 2010s, including fingerprints and face identification, has provided awareness of its ease of use to the point where today it is considered commonplace to use your face to unlock your phone.

It's also less involved and can save time compared to using a password, key or smartcard for access control — someone only needs to position their face or press their finger and access is granted — and you can't lose or forget your face or finger.

As the technology has become more available the cost has decreased, and now biometric access control and security systems are accessible to a wider market. While the initial installation cost can put people off, once it's installed there are no ongoing costs — unlike needing to distribute keys or cards to people, and replace lost or damaged ones.

Tensor's biometric systems for access control, security and time and attendance can be scaled to suit your individual needs and budget — from one office of 20 people up to a multi-site organisation of 100,000 staff. Find out more about Tensor's biometric systems and solutions, and get in touch to find out how your business can benefit.

https://www.tensor.co.uk/time-and-attendance/biometric-time-and-attendance