Access Control in the Real World Part 3 – T&A and Membership

Thursday, June 4th, 2009

In the HR arena, there’s a very strong requirement to know who is working and who is not, so that you can pay them accordingly. This is where time and attendance systems come into the frame, and it’s very important with these systems to positively identify the user with a high degree of accuracy. “What you know” and “what you have” aren’t very valuable as authentication factors because I can give these to my buddy and he can sign me in while I stay in bed. So “what you are” in terms of your fingerprint, your palm print or your palm geometry has become very popular with T&A vendors. The comparatively high cost of these technologies is less of a problem than it might be in a physical access control system with hundreds of controlled doors throughout a building, because even the biggest offices only need a small number of “clocking in” points for the staff. There are issues with some of these technologies when used in more “industrial” environments or where hygiene is a particular issue, but for many office and light industrial applications they have proved to be effective.

I think there’s also a case to be made that the people who’re looking at the company balance sheet all day trying to see where money can be saved tend to be able to make the simple quantitative cost:benefit decision that often motivates the company to purchase this technology quite ruthlessly. Security managers would probably quite like to deploy biometrics all over the place too but it’s not really so easy to see where the cost:benefit balance sits, because the math is based on risk, and that’s a highly unquantifiable element unless you have specific finger-burning experience (if you’ll pardon the sort-of pun there).

It could be argued in these times of economic “concentration” that unless an office worker is in his cube counting beans then maybe he or she isn’t working at all, and this should have some influence on how they get paid too, and this is another place where we see an opportunity for convergence back to logical access control and the use of one authentication scheme to do more than one job.

Perhaps with the spread of networked appliances into the field we’ll eventually see a builder have to log on to his wheelbarrow before he can use it or safety helmets with built-in biometric authentication systems that wirelessly tell the foreman what crews are on site and how many cups of tea they’ve had.

It’s hard to make solid authentication systems work in difficult environments at low cost. I’ve been asked to look at systems for checking construction workers on and off building sites a few times in the past and it’s really hard to come up with a robust scheme that’s not costing more money to implement than the client is losing in absentee workers’ time on site. There are systems out there that claim pretty clear RoI cases but at the end of the day you’re asking a construction company to make a capital investment with an associated ongoing operating cost, and just think how keen they’re going to be to do that right now, or any time soon.

There appears to me to be a market for pre-fabricated turnstile units with built-in T&A systems that come in the form of something like a shipping container that a building company might lease, and have dropped on site for the duration of the contract. You need to combine the authentication scheme with things like turnstiles to be clear about who is on site and who is not, because these guys are going to be lazy or they might just be forgetful, and when there are 10,000 guys to manage in and out every day it gets to be a bit of a problem.

Clearly you can see that there might be a very close relationship between T&A and physical access control, because you can’t get into the building without using the PAC system to open the door, but there are problems here. You need to know when people are leaving as well as when they are entering, and you really need to prevent people from “tailgating” (i.e. one person opening the door, then ten people exiting all at once). These are problems that can be overcome, but it costs money. Reader-in/reader-out arrangements almost double the cost of the access control technology, and although they are very nearly 100% effective at preventing tailgating, turnstile/hidden gate systems are also very costly and simply won’t fit in many workplaces.

When it comes to the software associated with operating time and attendance we also hit a few speed bumps. In a straightforward nine-to-five operation with everyone working at a desk in the office and nobody working shifts things aren’t too complicated, but in the environments where these systems are often most beneficial you may have very large numbers of employees, perhaps working overlapping shifts, perhaps coming and going from the premises as part of their work patterns. A substantial organisation will probably operate a computerised payroll system sitting on an Oracle or SQL database, and the information from the T&A system needs somehow to get in there in a format that’s useable. Complexity ensues.
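As an added illustration (not from the original post or any vendor's product), the sketch below pairs reader-in/reader-out events per badge into minutes on site for payroll and flags the unmatched reads that tailgating or a missed reader leaves behind. The badge IDs, event format and anomaly names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (badge id, reader direction, timestamp); not from any real system.
EVENTS = [
    ("B100", "IN",  "2009-06-04 08:58"),
    ("B100", "OUT", "2009-06-04 12:31"),
    ("B100", "IN",  "2009-06-04 13:02"),
    ("B100", "OUT", "2009-06-04 17:05"),
    ("B200", "IN",  "2009-06-04 09:10"),
    ("B200", "IN",  "2009-06-05 09:05"),   # no OUT on the 4th: exit was not read
    ("B200", "OUT", "2009-06-05 17:00"),
    ("B300", "OUT", "2009-06-04 17:30"),   # OUT with no IN: entry was not read
]

def reconcile(events):
    """Pair IN/OUT reads per badge; return (minutes on site, anomalies)."""
    minutes = defaultdict(int)
    anomalies = []
    open_in = {}  # badge -> timestamp of the unmatched IN read
    parsed = [(b, d, datetime.strptime(t, "%Y-%m-%d %H:%M")) for b, d, t in events]
    for badge, direction, ts in sorted(parsed, key=lambda e: e[2]):
        if direction == "IN":
            if badge in open_in:
                # Second IN in a row: the person left without being read.
                anomalies.append((badge, "IN_WITHOUT_OUT", open_in[badge]))
            open_in[badge] = ts
        elif direction == "OUT":
            start = open_in.pop(badge, None)
            if start is None:
                anomalies.append((badge, "OUT_WITHOUT_IN", ts))
            else:
                minutes[badge] += int((ts - start).total_seconds() // 60)
        else:
            anomalies.append((badge, "UNKNOWN_DIRECTION", ts))
    # Badges still "on site" at the end of the data are reported, not paid.
    for badge, ts in open_in.items():
        anomalies.append((badge, "STILL_ON_SITE", ts))
    return dict(minutes), anomalies

if __name__ == "__main__":
    totals, flagged = reconcile(EVENTS)
    for badge, mins in sorted(totals.items()):
        print(f"{badge}: {mins // 60}h {mins % 60:02d}m")
    for badge, kind, ts in flagged:
        print(f"REVIEW {badge} {kind} at {ts:%Y-%m-%d %H:%M}")
```

Unmatched reads are held for review instead of being guessed into a shift, so the figures passed to payroll only ever come from a complete in/out pair.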

Most of the T&A system vendors actually provide physical access control “add-ons” for their systems, but they’re generally not nearly as powerful as mainstream access control systems that the security manager is going to want to secure his multi-billion dollar industrial complex. Likewise, all of the major PAC companies provide T&A features within their software, but again they’re often not up to complex situations, and the sensible guys have chosen instead simply to integrate to mainstream third-party T&A systems, and provide the integration links for hooking into the HR payroll system. But there’s a heavy reliance on some quite detailed integration during the setup phase, with the PAC company needing to have the ability to noodle around with the HR system database.

Time and attendance integrated with physical access control is very achievable, but it’s not for everyone depending on the scale of your operation or your working patterns, and depending on how much money you think it’s going to save you. You’re going to want to have a solid RoI case to back you up when the board is asking why you want to spend all that money on hidden gates and reader-in/reader-out arrangements and cameras overlooking the area to prevent “jump-overs” and “buddy” sign-on.

In a similar vein to T&A you have membership management. This industry has grown up alongside the explosion in sports and leisure clubs over the last couple of decades, and features some of the same issues as a T&A system, in that it wants to positively identify each individual to make sure the person coming in is definitely the person paying the membership fee, and it wants to make sure it records when you use the facility because it wants to know how much it can charge you for the privilege.

Turnstiles are quite acceptable in these applications to prevent tailgating, and because the vast majority of club locations have the entrance at a reception desk there isn’t such a requirement for the system to be particularly physically secure, because there is likely to be a receptionist present at the entrance location.

Once again, most membership management systems offer a physical access control add-on to control the entry turnstile or door, but they tend to be primitive, because membership management systems aren’t really designed to be distributed over a wide area, as are physical access control systems.

Physical access control systems don’t tend to be geared towards membership management either. In the majority of club scenarios there could be a very large number of members and perhaps just a single entrance. The credentials need to be cheap, because you don’t want the cost of the card to have to be factored into the cost of membership, so they frequently use optical barcodes in plain (photocopy-able) black and white on the membership card, and the barcode readers often plug directly into the same PC on the reception desk that’s running enrolment and creating the members’ invoices and all the other good stuff that reception desk PCs do (i.e. playing minesweeper and solitaire!!).

One of the things that I’ve found a little strange is that none of the hotel card access control companies have switched on to the fact that a significant number of hotels (in Western Europe, at least) now have a leisure centre or spa that offers membership to outsiders as well as providing the facilities to guests. These premises nearly all have a membership management system as a result and have to put in horrible side-by-side credential readers to accommodate both the hotel guests and the club members (and sometimes they have yet another system for employees, but we’ll get on to the hotel rant later in the series).

Although these membership management systems generally offer some sort of data “import” facility, where you can export your database of club members in CSV format from one application and drag it into the membership database, they’re not really designed for integration – certainly not live integration, where you’ve got two databases communicating with one another.

I’m going to get on to biometric reading technologies later in the series and take a look at how they’re handled by the typical system – it’s not as straightforward or as sophisticated as it might at first appear…

Ok, so technologies of interest in this particular sector include:

The HandPunch palm geometry reader is very popular and really quite robust: http://www.handpunch.com/ and it’s available as a complete system-in-a-box T&A solution. If you want to look at it back at the mothership then it’s actually produced by Schlage http://recognitionsystems.schlage.com/.

Probably the most used fingerprint reader for access control is the Bioscrypt range from L1 http://www.l1id.com/pages/387-fingerprint-readers.

In the UK and Ireland, Mitrefinch are a very popular supplier of T&A systems http://www.mitrefinch.co.uk/.

Many of the larger physical access control companies choose to just offer strong integrations to third party systems – overall, not a bad idea. http://www.lenel.com/utcfs/Templates/Pages/Template-57/0,8066,pageId%3D8542&siteId%3D464,00.html

A number of companies are currently investigating vein reading technologies, and so far the ones I’ve looked at work quite well. Hitachi have launched a desktop reader that reads the veins in a finger http://www.hitachi.com/New/cnews/070720.html but they’re really just looking for people to buy and productize the technology.

Identica have a vascular reader that reads the veins in the back of your hand http://www.identicacorp.com/ It seems to work quite well, but I’m not sure it’s really ready for use in industrial environments.

I’m going to look at some of the more esoteric identification technologies later in the series too, so don’t be disappointed if I’ve missed your favourite.

Next time I’m going to look at personal and vehicular entrance management systems and how they relate to this technology.