Until recently, proximity cards and biometrics were as incompatible as oil and water. As a result, organizations that wanted to use fingerprints or other biometric identifiers to fortify security at points of entry protected by prox card systems were forced to go to the considerable expense of replacing their legacy access control infrastructure.

Today, there are a variety of off-the-shelf hardware solutions that make it possible to marry biometric authentication with existing prox card installations at very low cost. With these products, security managers can respond to post-Sept. 11 security concerns without having to put their prox cards out to pasture in favor of costly new technology.

For fixed checkpoints such as doorways, there are now a few commercial biometric capture devices that can be placed next to wall-mounted prox card readers or purchased as one-piece fingerprint/prox card reader units. The two systems can be used in tandem to match the fingerprint of a person seeking entry to the cardholder’s identity.

For added flexibility, there is a new breed of inexpensive handheld identification terminals that can read the cardholder’s live fingerprint, compare it against a template stored either in the terminal’s on-board memory or in a backend database, and deliver a “match” or “no match” verdict to the unit’s display screen.

These handheld terminals can either complement or incorporate prox card readers, and they can be used for stationary identity checks at company doorways as well as on a roaming basis to spot-check individuals walking through a facility. In addition, they can support signature, facial or other biometric identifiers as well as fingerprint templates and other forms of identification such as photo IDs, while offering the advantage of stand-alone operation in the event a network or server connection goes down.

Both kinds of devices overcome the limited utility of serial number identification used by prox cards, essentially giving organizations a way to teach old cards new tricks.

Linking systems

Proximity cards have been the workhorse of physical access control for decades, and they have done the job well for reasons ranging from their consistent read range to a no-battery, no-swipe design that translates into long life. Like today’s newer contactless smart cards, they operate via radio frequency, so there is no physical contact-related wear and tear on either the card or the reader.

The drawback is that prox cards utilize older technology that cannot directly support modern security measures. Each card carries a microchip that emits a serial number when held near a card reader, and that chip is unable to accommodate anything more than the serial number for which it was designed.

The embedded serial number, however, is the key to grafting biometric technology onto proximity card systems. The serial number from a given prox card can double as the biometric record locator, serving as the critical link between the two systems.

To associate cardholders’ prox card numbers with their biometric templates, security managers can either add a new biometric field to their existing prox card number database or build a separate biometric repository to be used in conjunction with the prox card code database. The choice will depend on the specific hardware solution and the architecture of an organization’s overall security strategy.
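
An added illustration of that linkage, not code from the article or from any vendor: the prox serial number selects the biometric record, and the terminal falls back to its on-board copy when the back end is unreachable. The `Terminal` class, the set-overlap matcher, the 0.6 threshold, the two-template record and all sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

MATCH_THRESHOLD = 0.6  # assumed cut-off; real matchers use vendor-specific scores

def similarity(live, enrolled):
    """Toy stand-in for a fingerprint matcher: overlap of minutiae sets."""
    union = live | enrolled
    return len(live & enrolled) / len(union) if union else 0.0

@dataclass
class Terminal:
    local: dict = field(default_factory=dict)  # on-board copy: serial -> templates
    backend: Optional[dict] = None             # None models a lost connection

    def templates_for(self, serial):
        if self.backend is None:               # stand-alone mode
            return self.local.get(serial)
        found = self.backend.get(serial)
        if found is None:
            self.local.pop(serial, None)       # drop a stale on-board record
        else:
            self.local[serial] = found         # refresh the on-board record
        return found

    def verify(self, serial, live):
        templates = self.templates_for(serial)
        if templates is None:
            return "UNKNOWN CARD"
        # The card number only selects the record; the verdict comes from the finger.
        best = max((similarity(live, t) for t in templates), default=0.0)
        return "MATCH" if best >= MATCH_THRESHOLD else "NO MATCH"

# Constructed sample data: two enrolled templates under one constructed serial.
INDEX = frozenset({(10, 20, 90), (35, 40, 180), (60, 15, 45), (80, 70, 270), (25, 85, 135)})
THUMB = frozenset({(12, 22, 0), (44, 31, 90), (58, 63, 180), (71, 18, 270)})
REPOSITORY = {"0012345": [INDEX, THUMB]}

def demo():
    term = Terminal(backend=dict(REPOSITORY))
    live = (INDEX - {(25, 85, 135)}) | {(5, 5, 0)}   # noisy read of the index finger
    stranger = frozenset({(1, 1, 0), (2, 2, 0), (3, 3, 0)})
    results = [term.verify("0012345", live), term.verify("0012345", stranger),
               term.verify("0099999", live)]
    term.backend = None                              # connection goes down
    results.append(term.verify("0012345", live))     # served from on-board memory
    return results

if __name__ == "__main__":
    print(demo())
```
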

Stationary biometric readers may be sufficient for some situations, but do not offer advanced capabilities such as internal memory for storing a local database, the option to operate either in stand-alone mode or connect to a back-end database, or built-in 802.11 or Bluetooth support to enable wireless data and fingerprint transmission for identity search and verification against a back-end system.

The stationary devices currently on the market for use with prox card systems are also limited to fingerprint identification.

Sidebar: Sample application

One organization that has elected to beef up its legacy proximity card system with add-on fingerprint screening is a U.S. nuclear power plant with 5,000 users.

At this plant, security officials capture two fingerprint templates per cardholder, adding that information to an existing database of HID (Irvine, Calif.) proximity card numbers, and using Datastrip (Exton, Pa.) DSVII-SC mobile identification terminals to perform identity checks. Prox card readers were integrated into the units along with a custom Windows CE.NET application that drives the identity validation process. All operations are carried out quickly on one piece of hardware.

As each user waves his or her prox card near the terminal, the device checks to see whether that card number is in the database maintained in the terminal’s on-board memory. If it is not, the display screen on the front of the unit indicates that the user is unknown. When that happens, a screen message prompts the cardholder to place his or her registered fingers onto the device’s built-in fingerprint sensor. The terminal then compares the live fingerprints to stored templates, determines if they match, and displays the results on the screen.

Meanwhile, the portable nature of the terminal offers important benefits during planned spring and fall outages, when roaming crews take turbines offline for maintenance. The 2-lb., battery-operated units are light enough to be carried by security guards and therefore deployed wherever crews are working at different hours and different times of year.

Sidebar: Another Hand Approach

Covenant Aviation Security, a private company that was awarded a Transportation Security Administration contract to protect San Francisco Airport, the nation’s fifth busiest, from terrorism, is using biometric HandReaders to verify employee identities before granting them access to their work areas.

The technology comes from Campbell, Calif.-based IR Recognition Systems, the biometric component of Ingersoll-Rand’s (IR) Security & Safety Group’s Electronic Access Control Division. HandReaders automatically take a three-dimensional reading of the size and shape of a hand and verify the user’s identity in less than one second.