“Who You Are”

Biometric technology is developing fast, getting better and cheaper. High confidence affordable biometric verification — especially fingerprint recognition — is entering the mainstream of security solutions. Many vendors now supply a wide range of biometric devices, and when combined with traditional “what you have” and “what you know” methods, biometrics can complement existing security measures to become best practice for access control.

Biometric identification is typically used not to recognize identity by searching a database of users for a match, but rather to verify identity that is first established by a “what you have” or “what you know” method — for example, a card/PIN is first used, then a fingerprint scan verifies the result. As performance and confidence in biometric technology increase, it may eventually become a standalone method of recognizing identity, eliminating the need to carry a card or remember a password.

There are two types of failures in biometric identification:

• False rejection — Failure to recognize a legitimate user. While it could be argued that this has the effect of keeping the protected area extra secure, it is an intolerable frustration to legitimate users who are refused access because the scanner doesn’t recognize them.


• False acceptance — Erroneous recognition, either by confusing one user with another, or by accepting an imposter as a legitimate user.

Failure rates can be adjusted by changing the threshold (“how close is close enough”) for declaring a match, but decreasing one failure rate will increase the other.

Considerations in choosing a biometric capability are equipment cost, failure rates (both false rejection and false acceptance), and user acceptance, which means how intrusive, inconvenient, or even dangerous the procedure is perceived to be. For example, retinal scanners are generally considered to have low user acceptance because the eye has to be 1-2 inches from the scanner with an LED directed into the eye.