Oct 07 2008

Security Without Contact

Arizona secures its campus with contactless card technology.

Access management is a critical topic for colleges and universities involved with research and for schools looking to modernize physical security overall on campus.

Implementing a facilities access security program that uses new technology and biometric fingerprint information can present some unexpected challenges. The University of Arizona (UA) implemented contactless biometric smart-chip identification card technology to better secure areas on campus, but while doing so, moved cautiously to address concerns among management, faculty and students. Here are some things UA learned about considering upgrading an access system to include additional protection.

Find a flexible technology that can accommodate legacy systems. Within the next four years, all UA facilities will be able to upgrade their door access readers using new radio frequency cards equipped with fingerprint (biometric) identification capabilities stored on the card. The university’s old magnetic striped cards typically contain a contact smart chip that held $100 worth of credits for student incidentals such as laundry, printing and copying, but more limited security information.

The new cards have a magnetic stripe, a contact chip and a contactless smart chip with an embedded antenna. The contactless chip accesses facilities with appropriate readers, which are typically more secure locations on campus. Their magnetic stripe can still be used for access into buildings that have magnetic stripe readers. Both magnetic cards and contactless chips provide only the individual’s 16-digit ISO number, so both cards are transparent to associated databases.

The program was implemented to provide a higher level of security to meet requirements for research projects. Its implementation also resulted in some savings too. The new contactless cards don’t suffer as much wear and tear, and reduce costs associated with cards and readers. Concerns about biometrics and privacy were alleviated through an extensive, 18-month marketing, education and communication plan with end users that showed how the information was used and stored. The university is in the process of issuing all cards with contactless technology.

Get high level support before beginning. Implementing such a wide-ranging plan affected so many people required top level support, not just technical know-how. The university’s budget director had always been a huge supporter of our campus one-card system, so he made the case to the university’s leadership on our proposal, using layman’s terms to describe the technology, outline associated costs and a listing of all departments and/or individuals who would be affected.

Understand and address concerns. Because the biometric fingerprint information is used as the key to the security, there were concerns about how and where that information would be used and stored. We explained that fingerprint information is actually not stored on the smart chip or in a database. A bioscrypt algorithm is created and stored on the smart chip by combining a digital key with specific points taken off of the finger. The authentication at the door reader reverses the authentication by combining the bioscrypt with the points of the finger to recreate the original digital key.

Through education and communication, we were able to dissipate this concern among a target population of more than 1,500 people. We also revisited and tightened the business rules associated with authorizing access within departments. We also addressed how to deal with individuals with disabilities and/or those who could not enroll their fingerprint. We coordinated with the attorney’s office, the human resources department and the disability resource center to create business rules to address these issues.

In my opinion, 90 percent of a project’s success is embedded in the education, communication and marketing plan. Although this could take a considerable amount of time, it is imperative that all stakeholders are on the same page. Issues, challenges, complications and resistance all need to be addressed as they surface in order for the project to positively move forward.