I recently got an e-mail from a colleague asking for my thoughts on increasing access control at a site he was tasked with reviewing.

The site has no real history of access problems, so there was no real reason to increase the existing level of security. His point was that with the current state of world affairs – there is no real reason NOT to increase the level of security and access control.

This brought up a series of questions and debates among my staff – when is a good time to increase the level of security by increasing the level of access control? The consensus was that a client or end-user is often unwilling to increase security without justification – not so much that there is a reluctance to increase security, but almost always an increase in security involves significant cost. The reluctance is in spending money, not in increasing security.

The most vivid statement defining security funding is “money flows when blood flows.”

Making the Upgrade Move

So when do you increase security? Generally speaking, security is increased after a problem or “event” (generally involving injury or loss), or at a well-defined increase in threat.

The most common increase in security involving access control is the addition of biometrics to an existing system. Biometrics-based systems are generally understood to be very secure, and existing technology is both very accurate and very effective. As with any change, however, it is important to address all of the issues facing the user.

Acceptance -- A critical factor in the success of a biometrics-based system is user acceptance of the biometrics device. There are several factors that have an impact on acceptance. The concept may seem frightening, especially devices using the eye to verify identity. A successful device must not cause discomfort or frighten the user, and users need to know what the system does, and doesn’t do. There is a story circulating of a bored security officer telling users that the retina scan system at a facility could “read your thoughts” when using the system. If people are afraid to use a device, they will probably not use it properly, and will probably not be granted access. Biometrics must also be easy to use. People are more willing to accept things that are simple.

Biometrics (like all access systems) will accomplish one of four tasks. The four possibilities are: 1) You are allowed access and you get in (this is Good), or 2) You are not allowed access and you don’t get in (this is also Good). The other two possibilities are: 3) You are allowed access but you don’t get in (this is bad, but we can fix this) or 4) You are not allowed access, but you get in (this is VERY BAD). The chance of one of these last two problems occurring is defined by the False Accept and False Reject error rates.

False Rates and Throughput

False Accept Rates – This is the probability of allowing access to an unauthorized person. This error rate must be low enough to present a real deterrent for a given application. False accept rates in current biometrics-based access systems are generally less than 0.1 percent. Remember that the only way a false acceptance can occur is if someone tries.

False Reject Rates – This is the probability that the biometrics does not recognize an authorized user and denies access. False reject rates for currently available systems are generally less than 1.0 percent. A low false reject rate is important to user acceptance. What is acceptable depends on the application. A false reject usually results in the user being sent to a security or access control officer to verify current authorized access. While inconvenient, the user ultimately gains access. Given a choice, we would always rather keep out someone who is authorized than let in someone who is not.

Throughput – This is the time it takes for a person to operate the device until access is allowed. When a person uses a biometric reader, he or she sometimes enters a PIN number on an associated keypad. The reader then prompts the user to position a hand, finger or eye where the device can scan physical details. The elapsed time from presentation to identity verification is the “verification time.” Most readers verify ID in less than two seconds. Throughput time includes the total time it takes a person to use the system, including the time it takes to enter the PIN number and the time necessary to be in position to be scanned. If PIN numbers are used, they should be kept as short as possible. Some systems obtain the number by reading a card that has the PIN number embedded in the card code. Faster throughput generally equates to higher user acceptance.
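
The arithmetic behind the four outcomes, the two error rates and throughput described above, as an added Python example that is not part of the original article. The sample attempt log, the 3-second PIN entry and the 2-second positioning time are constructed assumptions; the 0.1 percent, 1.0 percent and 2-second figures are the article's upper bounds.

```python
from collections import Counter

# The four outcomes from the article, keyed by (authorized, granted).
OUTCOMES = {
    (True, True): "correct accept",
    (False, False): "correct reject",
    (True, False): "false reject",
    (False, True): "false accept",
}

def observed_rates(attempts):
    """attempts: iterable of (authorized, granted) pairs -> (FAR, FRR, tally)."""
    tally = Counter(OUTCOMES[a] for a in attempts)
    unauthorized = tally["correct reject"] + tally["false accept"]
    authorized = tally["correct accept"] + tally["false reject"]
    far = tally["false accept"] / unauthorized if unauthorized else 0.0
    frr = tally["false reject"] / authorized if authorized else 0.0
    return far, frr, tally

def p_any_false_accept(far, tries):
    """Chance that at least one of `tries` unauthorized attempts is accepted."""
    return 1.0 - (1.0 - far) ** tries

def expected_false_rejects(frr, authorized_attempts):
    """Authorized users per period who end up at the access control officer."""
    return frr * authorized_attempts

def people_per_minute(pin_s, position_s, verify_s):
    """Throughput counts PIN entry and positioning, not just verification."""
    return 60.0 / (pin_s + position_s + verify_s)

# Constructed sample log: 1,000 authorized attempts (8 rejected) and
# 5 unauthorized attempts (all rejected).
SAMPLE = [(True, True)] * 992 + [(True, False)] * 8 + [(False, False)] * 5

if __name__ == "__main__":
    far, frr, tally = observed_rates(SAMPLE)
    print(dict(tally), f"observed FAR={far:.2%} FRR={frr:.2%}")
    # With no unauthorized attempts there can be no false accept.
    for tries in (0, 10, 100):
        p = p_any_false_accept(0.001, tries)
        print(f"{tries:>3} unauthorized tries at FAR 0.1%: P(any accepted)={p:.4f}")
    print("False rejects per 1,000 authorized uses at FRR 1.0%:",
          expected_false_rejects(0.01, 1000))
    print(f"People per minute at 3 s PIN + 2 s positioning + 2 s verify: "
          f"{people_per_minute(3, 2, 2):.1f}")
```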

Once extraordinarily expensive and only used in the highest of security applications, biometrics-based access systems are no longer the “super high tech” answer to access control. They are more widely used, effective and efficient.