Access Control, Logical
Vance Bjorn
DigitalPersona Inc., Redwood City, CA, USA
Synonyms
Logon; Password management
Definition
Logical access control is the means and procedures to protect access to information on PCs, networks, and mobile phones. A variety of credential types may be used, such as passwords, tokens, or biometrics, to authenticate the user. These credentials may represent something the user knows (password), something the user has (token), or a physical trait of the user (biometrics). A logical access control system will implement a method to enroll and associate credentials with the user and then to request that one or more of the user’s credentials be authenticated for access to the resource (application, network, device, or operating system). The logical access control system may also log all access attempts for use in auditing who accessed a specific resource and when.
Introduction
The key used to open almost any door in the digital realm has traditionally been the password. This was the natural consequence of the fact that data was manipulated from individual desktop personal computers (PCs), and passwords came into use to control who could do so. Furthermore, from a theoretical standpoint, a password can offer extremely strong security, since the only place a password needs to be stored is in the user’s mind.
In practice, however, the mind is a terrible place to store complex secrets; people cannot easily remember complex passwords, so they write them down or reveal them to others, and most people end up using the same password everywhere. Exploiting the human factors which affect security is increasingly the quickest path for hackers to break into computer systems. In addition, there are many automated points of attack on password-based security systems. For instance, a user’s password can be compromised via insertion of a hardware- or software-based keylogger to trap the keystrokes as they are being entered. And, as computers gain speed, it has become easy to reverse a cryptographic hash, or any other cryptographic representation of a password stored in the computer, even if the password is very complex.
S.Z. Li, A.K. Jain (eds.), Encyclopedia of Biometrics, DOI 10.1007/978-1-4899-7488-4,
© Springer Science+Business Media New York 2015
End users do not want to be encumbered with complexities and inconveniences that slow them down while doing their job. On the other hand, businesses increasingly find that they must implement strong authentication to satisfy industry and government auditors. It is fairly straightforward for a system administrator to patch a piece of software or install a firewall, but it is not trivial to tackle the human factors of security. A secure password policy, such as requiring users to change their passwords every month, enforces complexity in construction but in reality makes it more likely that users will find ways to simplify and recall, such as by writing their passwords down on a note under their keyboard. Information technology support costs also go up as more people forget their passwords and need to call the helpdesk. In the end, since passwords are chosen not by the system administrator in a corporation but by the end users, the system administrator must rely on each user to follow the policy. This typically becomes the weakest link in network security. Other methods, such as tokens and smart cards, succumb to the same challenge – it remains the end user who bears the responsibility of maintaining the security of the credential.
The need to move away from password-based systems can be summarized as follows:
- Weak passwords are easy to crack. Most people set their passwords to words or digits they can easily remember, for example, names and birthdays of family members, favorite movie or music stars, and dictionary words. In 2001, a survey of 1,200 British office workers conducted by CentralNic found that almost half chose their own name, a pet’s name, or a family member’s name as a password. Others based their passwords on celebrity or movie character names, such as “Darth Vader” and “Homer Simpson.” Such passwords are easy to crack by guessing or by simple brute-force dictionary attacks. Although it is possible, and even advisable, to keep different passwords for different applications and to change them frequently, most people use the same password across different applications and never change it. Compromising a single password can thus cause a break in security in many applications. For example, a hacker might create a bogus Web site enticing users with freebies if they register with a login name and password. The hacker could then have a good chance of success in using the same login name and password to attack the users’ corporate accounts.
- Strong passwords are difficult to remember. In an effort to address weak passwords, businesses often enforce policies to make passwords strong; for example, a business may require that a password is at least eight characters long, contains at least one digit and one special character, and must be changed every couple of weeks. Such policies backfire. Certainly, longer complex random passwords are more secure, but they are so much harder to remember, which prompts users to write them down in accessible locations such as Post-it notes hidden under the keyboard, an unprotected electronic file on their computer, or other electronic devices such as cellular phones or personal digital assistants (PDAs), creating a security vulnerability. Otherwise, people forget their passwords, which creates a financial nightmare for businesses as they have to employ helpdesk support staff to reset forgotten or expired passwords. Cryptographic techniques can provide very long passwords (encryption keys) that the users need not remember; however, these are in turn protected by simple passwords, which defeats their purpose.
- Password cracking is scalable. In a password-based network authentication application, a hacker may launch an attack remotely against all the user accounts without knowing any of the users. It costs the hacker almost the same amount of time, effort, and money to attack millions of accounts as it costs to attack one. In fact, the same password (e.g., a dictionary word) can be used to launch an attack against (a dictionary of) user accounts. Given that a hacker needs to break only one password among those of all the employees to gain access to a company’s intranet, a single weak password compromises the overall security of every system that a user has access to. Thus, the entire system’s security is only as good as the weakest password.
- Passwords and tokens do not provide nonrepudiation. When a user shares a password with a colleague, there is no way for the system to know who the actual user is. Similarly, tokens can be lost, stolen, shared, and duplicated, or a hacker could make a master key that opens many locks. Only biometrics can provide a guarantee of authentication that cannot subsequently be refused by a user. It is very hard for the user to deny having accessed a biometric-based system.
Biometrics provide the only credential that does not rely on the end user to maintain its security. Furthermore, biometric systems are potentially cheaper to support and easier to use since the end user does not need to remember complex secrets.
Shrink-wrapped packaged software solutions are available today to enable the use of biometric-based authentication to log on to virtually any consumer and enterprise application, including Microsoft Windows networks, Web sites, Web services, and virtual private networks. Since few applications or operating systems implement native biometric authentication, the role of many such software solutions is to map a successful biometric authentication to the user’s long and complex password, which is then used by the application for logon. The end user, however, will likely not need to know his or her underlying password or be able to enter it, and thus a biometric solution effectively eliminates passwords for the user. Similarly, a user’s biometric credential can be bound to the private key associated with a digital certificate to facilitate digital signing of data, such as financial transactions, email, forms, and documents. In addition, to aid compliance, the system administrator can access an event log to confirm that a biometric match was performed for access and whether the match was successful or not.
Fingerprint-based solutions, in particular, have emerged as the most common method for logical access control with biometrics. The use of a fingerprint requires the user to declare their credential with a definitive action, such as a finger press or swipe for authentication. Fingerprint readers have attained the size, price, and performance necessary to be integrated in a range of logical access devices, including notebooks, keyboards, mice, and smartphones.
It is typical for logical access control applications to have only one user per biometric reader, a reader that may be attached to the user’s PC or embedded in her notebook or smartphone. This is unlike most other commercial applications such as physical access control, time and attendance, or authentication at point-of-sale terminals, where the biometric reader would be shared among many users. Certain logical access control deployments may offer biometric authentication as a choice to the users. A user could choose to use the biometric system or choose to continue using passwords. In such deployments, the intention of the enterprise is to provide maximum end user convenience while still realizing cost savings by reducing helpdesk calls. The above properties of logical access control deployments drive fundamentally different requirements for the single-user biometric reader in terms of accuracy, ease of use, cost, size, and security, as compared to the requirements for shared-use biometric readers. Shared-use biometric readers traditionally focus on ease of use, durability, and accuracy over a wide demographic population. Single-user biometric readers prioritize low cost, small size, and cryptographic security. For fingerprint-based readers, this trend has manifested itself through the use of placement-based readers for shared-use applications and swipe-based readers for single-user applications.
Most platforms and peripherals that come with embedded fingerprint readers include software to access the local PC and applications. These applications may include biometric-based access to the PC, pre-boot authentication, full disk encryption, Windows logon, and a general password manager application to facilitate the use of biometrics for other applications and Web sites. Such a suite of applications protects the specific PC on which it is deployed and makes personal access to data more secure, convenient, and fun. Companies such as Dell, Lenovo, Microsoft, and Hewlett-Packard ship platforms and peripherals preloaded with such capability. However, these are end user utilities whose scope of use is only the local PC. As a result, they may be challenging and costly to manage if deployed widely in an enterprise, since each user will need to set up, enroll his or her biometric, and configure the appropriate policy, all by themselves. Usually the user is given the option to use the biometric system as a cool individual convenience, rather than it being enforced by an enterprise-wide authentication policy.
The other major class of logical access control biometric application for the enterprise network is the server-based solution. These solutions typically limit the flexibility given to the end user and instead focus on the needs of the organization and the system administrator to deploy, enroll users’ biometric credentials into the enterprise directory, and centrally configure enterprise-wide policies. An enterprise-wide policy, however, drives stronger requirements for the reliability, security, and interoperability of the biometric authentication. If it is a business policy that everyone in the organization must use the biometric system for authentication, the reliability of the biometric system must be higher than for a client-side-only solution where the user can opt in to use the biometric system just for convenience. A server-based logical access control solution generally needs to be interoperable with data coming from many different biometric readers, since not every platform in the organization will use the same model of biometric reader. Interoperability can be accomplished at either the enrollment template level or the biometric image level. Lastly, since a server-based solution typically stores biometric credentials in a central database, the security model of the whole chain from the reader to the server must be considered to protect against hackers and maintain user privacy. However, unlike government deployments that store the user’s actual biometric image(s) for archival purposes, a biometric solution used for enterprise authentication typically stores only the biometric enrollment templates.
Biometric systems remove the responsibility of managing credentials from the hands of the end users and therefore resolve the human factors affecting the system security. However, the flip side is that the biometric capture and match process must be trustworthy. Logical access control for users is typically accomplished through a client device, such as a notebook or desktop PC, by authenticating the user to a trusted, managed server. The root challenge of protecting the biometric match process is to remove all means by which a hacker could affect the user authentication by tampering with the client operating system. This can be accomplished by carefully monitoring the health of the client operating system with adequate virus and spyware software and, in the future, with the use of trusted computing or, if operating from an untrusted client, by removing the client operating system entirely from the system security equation. The practical means to accomplish this is either performing the biometric match in a secure coprocessor or encrypting or digitally signing the raw biometric data on the biometric reader itself so that the biometric data is trusted by the server. Of course, depending on the threats present in a given environment, some deployments of logical access control may need to resolve more than just the human factors of security and will need to use multiple factors of authentication, such as two factors (biometrics and password) or even three factors (biometrics, smart card, and PIN), to protect against active adversaries.
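As an added example that is not part of this entry, the following Python sketch shows the reader-side signing approach described above: the server issues a fresh nonce, the reader tags the captured sample together with that nonce using its own key, and the server refuses to match anything it cannot attribute to the reader or has already seen. The per-reader symmetric key, the reader name, and the sample bytes are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed: one symmetric key per reader, provisioned to the reader and the server
# out of band (assumption; a real reader may hold an asymmetric device key and sign).
# The client operating system that relays the data never holds this key.
READER_KEYS = {"reader-0001": secrets.token_bytes(32)}


def reader_sign(reader_id: str, key: bytes, nonce: bytes, raw_sample: bytes) -> bytes:
    """Runs on the reader: tag the captured sample together with the server's nonce."""
    return hmac.new(key, reader_id.encode() + nonce + raw_sample, hashlib.sha256).digest()


class AuthServer:
    """Trusted, managed server that only matches samples it can attribute to a reader."""

    def __init__(self, reader_keys: dict, max_age_s: float = 30.0):
        self.reader_keys = reader_keys
        self.max_age_s = max_age_s
        self.pending = {}   # nonce -> (reader_id, issue time)
        self.events = []    # audit trail of accept/reject decisions

    def issue_challenge(self, reader_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (reader_id, time.monotonic())
        return nonce

    def accept_for_matching(self, reader_id, nonce, raw_sample, tag):
        """Return the sample if it is fresh and genuinely from the reader, else None."""
        issued = self.pending.pop(nonce, None)   # one-shot: a second use is a replay
        if issued is None or issued[0] != reader_id:
            self.events.append((reader_id, "reject", "unknown or reused nonce"))
            return None
        if time.monotonic() - issued[1] > self.max_age_s:
            self.events.append((reader_id, "reject", "stale challenge"))
            return None
        key = self.reader_keys.get(reader_id)
        if key is None:
            self.events.append((reader_id, "reject", "unregistered reader"))
            return None
        expected = hmac.new(key, reader_id.encode() + nonce + raw_sample,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.events.append((reader_id, "reject", "tag mismatch: sample altered"))
            return None
        self.events.append((reader_id, "accept", "sample trusted; proceed to match"))
        return raw_sample


def run_exchange():
    """Honest submission, a client-side substitution, and a replay, in that order."""
    server = AuthServer(READER_KEYS)
    reader = "reader-0001"
    key = READER_KEYS[reader]
    sample = b"\x11\x22\x33\x44 constructed fingerprint image bytes"

    nonce = server.issue_challenge(reader)
    tag = reader_sign(reader, key, nonce, sample)
    honest = server.accept_for_matching(reader, nonce, sample, tag)

    # A compromised client OS substitutes a different image: the reader's tag no longer fits
    nonce2 = server.issue_challenge(reader)
    tag2 = reader_sign(reader, key, nonce2, sample)
    swapped = server.accept_for_matching(reader, nonce2, b"substituted image", tag2)

    # Re-submitting the first valid (nonce, sample, tag) triple: nonce already consumed
    replayed = server.accept_for_matching(reader, nonce, sample, tag)
    return honest, swapped, replayed, server.events
```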
After many years of fits and starts as a niche technology, the use of biometrics for logical access control has gained a foothold in protecting corporate assets and networks as the cost of solutions has gone down and the security and reliability have gone up. Use of biometric authentication for logical access control resolves threats that other secret-based methods such as passwords and tokens cannot, the main threat being the human factors that lower security and are costly and difficult to manage. No security method is a magic bullet, but biometric solutions for logical access control can be a reliable tool or layer to add to a holistic approach to enterprise security.
Specifically, biometric-based logical access control has found a home in the healthcare and financial industries to help satisfy government compliance directives.
Healthcare
Compliance with the security requirements of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 accelerated the adoption of biometric systems in the US healthcare industry. This regulation does not specify the use of biometrics explicitly, but it states that access to any healthcare data must be restricted through strong user authentication. Such a requirement made access to healthcare information technology systems and patient data more burdensome. The healthcare industry turned to biometric systems to get a good balance of convenience, security, and compliance. The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) auditing requirements also contributed to the adoption rate.
Once the healthcare industry was educated on the biometric technologies, it adopted biometric systems for other applications as well. Today the healthcare industry uses biometric systems in many different applications to reduce fraud prevalent in the industry and to provide convenience to medical professionals without compromising their need for quick and easy access to critical health data. The majority of initial adoption in the healthcare industry was in employee-facing applications. Customer-facing applications have started getting some traction recently. Some examples of business objectives in the healthcare industry that are successfully met with biometric deployments are:
- Restrict logical access to medical information systems.
- Improve hospital efficiency and compliance.
- Improve pharmacy efficiency and compliance.
- Reduce medical benefits fraud.
- Patient verification.
Financial
In the USA, the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act of 1999, mandates high standards of safeguarding financial transactions, data, and assets. The US Sarbanes-Oxley (SOX) Act of 2002 requires higher security standards for data that is financial or confidential. According to this act, any public company may be liable if it has not taken adequate steps to protect financial records and data. The government considers financial records to be confidential and private. It is imperative that they are secure and access is allowed only to authorized users. Many existing passwords and security policies would not be considered sufficient under SOX. Compliance with these two acts is contributing to an increase in the rate of adoption of biometrics in financial sector applications. In this respect, the financial industry is somewhat similar to the healthcare industry – adoption of biometric systems in both these industries is being accelerated by government regulations.
Related Entries
Biometric Applications, Overview
Transportable Asset Protection
Access Control, Physical
Colin Soutar
Cyber Risk Services, Deloitte and Touche LLP, Arlington, VA, USA
Synonyms
Biometric PAC; Biometric readers; Physical access control
Definition
The use of biometric technologies within physical access control systems is one of the most broadly commercialized sectors of biometrics, outside of forensic applications. A key issue for the successful integration of biometrics within a physical access control system is the interface between the biometric and the access control infrastructures. For this reason, the biometric system must be designed to interface appropriately with a wide range of access control systems. Also, the usability demands of a physical access control system are significant as, typically, all users need to be enrolled for subsequent successful usage more or less on a daily basis. The most significantly deployed biometric types for access control are fingerprint, hand geometry, face, and iris.
Introduction
The use of biometrics within physical access control (PAC) systems is one of the most broadly commercialized sectors of biometrics, outside of forensic applications. The requirements for the use of biometrics within a larger physical access control system are dependent on the interaction with existing access control infrastructures. For this reason, the biometric system must be designed to interface appropriately with a wide range of access control systems. Also, the usability demands of a physical access control system are significant as all users need to be enrolled for successful usage more or less on a daily basis. The most significantly deployed biometric types for access control are fingerprint, hand geometry, face, and iris. A more recent requirement for biometric systems for PAC is that they also be interoperable with logical access control systems – the most broadly recognized example of this requirement is defined in FIPS 201 [1] for access control to federal facilities and computers.
Verification Versus Authorization
As discussed in the introduction, biometric PAC is one of the most commercially deployed applications of biometrics. One of the keys to the success of this application is the capability to interface with multiple PAC systems and to isolate the act of user verification from the more general PAC system operation of authorization. Achieving these two factors allows a biometric device to be seamlessly added to existing access control systems.
The role that biometric systems serve within the context of a physical access control system is generally to provide evidence (herein referred to as “verification”) that an individual is who he/she claims to be. This claim is based on an established persona or user that the individual has within the PAC system. It is important to distinguish between the individual’s identity, an identifier (see [2]) by which they are known to a security system – in this case, the PAC system – and the verification process, which simply verifies that they are the valid owner of the identifier. It is also important to distinguish between authentication (accomplished here via biometric verification) and authorization. Authentication verifies the individual’s identity, and authorization permits them to continue with access to the building or facility, based on their status within the PAC system.
As background, consider the various steps comprising the registration of a new user within a PAC system.
- An administrator of the PAC system will establish the unique identity of the individual. This is typically achieved through the use of so-called breeder documents such as employee records, driver’s license, passport, etc.
- If the individual is identified as unique, the security system will establish the individual as a new user of the system and assign a unique identifier by which they are known to the system. An example of an identifier would be the Wiegand data string for physical access control.
- The individual will be instructed to enroll their biometric, and the biometric system will create a biometric template that is associated with the user.
- The template will be bound to the identifier, either by physically storing them in related locations in the biometric or security system or by binding them together using encryption or a digital signature mechanism, to create a user record (see Fig. 1).
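As an added example, not taken from the entry, the following Python code walks through the binding step of registration and the access-time steps that follow it: the user record's authenticity is checked before unbinding, the live sample is compared with the template, and only the identifier goes to the PAC security system for the authorization decision, so a revoked user still verifies locally but is not admitted. The keyed MAC standing in for a signature, the Hamming-distance matcher, the key, and all sample values are constructed assumptions.

```python
import hashlib
import hmac

# Constructed: a keyed MAC stands in for the "digital signature mechanism", so this runs
# with the standard library only. The key is held by the PAC security system, which both
# creates user records at registration and checks them at access time.
SYSTEM_KEY = b"constructed-pac-record-key"
MATCH_THRESHOLD = 0.20   # max fraction of differing bits for a match (toy value)


def bind_user_record(identifier: int, template: bytes) -> dict:
    """Registration: bind identifier and template into an authenticated user record."""
    body = identifier.to_bytes(4, "big") + template
    tag = hmac.new(SYSTEM_KEY, body, hashlib.sha256).hexdigest()
    return {"identifier": identifier, "template": template.hex(), "tag": tag}


def unbind_user_record(record: dict):
    """Access: verify the record's authenticity, then split it into its two parts."""
    template = bytes.fromhex(record["template"])
    body = record["identifier"].to_bytes(4, "big") + template
    expected = hmac.new(SYSTEM_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None                      # edited identifier or template: reject record
    return record["identifier"], template


def biometric_verify(live_sample: bytes, template: bytes) -> bool:
    """Toy matcher: bit-level Hamming distance between equal-length codes, the way
    iris codes are compared; other modalities use different comparators."""
    if len(live_sample) != len(template):
        return False
    differing = sum(bin(a ^ b).count("1") for a, b in zip(live_sample, template))
    return differing / (8 * len(template)) <= MATCH_THRESHOLD


class PacSecuritySystem:
    """Holds authorization state; it sees identifiers, never biometric data."""

    def __init__(self):
        self.authorized = set()

    def grant(self, identifier: int):
        self.authorized.add(identifier)

    def revoke(self, identifier: int):
        self.authorized.discard(identifier)

    def request_access(self, record: dict, live_sample: bytes):
        """Returns (verified, granted); verification and authorization stay separate."""
        parts = unbind_user_record(record)
        if parts is None:
            return False, False
        identifier, template = parts
        if not biometric_verify(live_sample, template):
            return False, False
        return True, identifier in self.authorized   # relay identifier, decide locally


def demo():
    """Valid user, the same user after revocation, and a record with an edited identifier."""
    enrolled = bytes([0b10101010, 0b11110000, 0b00001111, 0b01010101] * 4)
    live = bytearray(enrolled)   # constructed live sample: enrolled code plus sensor noise
    live[0] ^= 0b00000001
    live[5] ^= 0b10000000
    live = bytes(live)

    pac = PacSecuritySystem()
    record = bind_user_record(identifier=0x00AB1234, template=enrolled)
    pac.grant(0x00AB1234)
    before = pac.request_access(record, live)

    pac.revoke(0x00AB1234)
    after_revoke = pac.request_access(record, live)    # still verifies, no access

    forged = dict(record, identifier=0x00AB9999)        # identifier changed, tag now stale
    pac.grant(0x00AB9999)
    forged_result = pac.request_access(forged, live)
    return before, after_revoke, forged_result
```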
Subsequently, when the user requests to access a facility, the following steps are undertaken:
- An individual establishes a claim to the system that he/she is a valid user of the system. This is usually achieved either by inputting the username associated with the user or by presenting a card or other credentials to the system to make the claim.
- The security system ensures that the user record of the claimed user is available to the biometric system (either by transmitting it to the biometric system or by selecting it within the biometric system), where it will be unbound to produce the template and identifier. Note that as part of the unbinding process either the PAC security system (see Fig. 2) or the biometric system (or both) may verify the authenticity of the user record, by, for example, checking a digital signature.
- The individual is requested to verify that they are the valid owner of the user record, by comparing a live biometric sample with that represented by the template in the user record.
- If a successful match occurs, the identifier that was stored in the user record is relayed to the PAC system where the user is authorized, to rights and privileges according to their PAC security system.
Access Control, Physical, Fig. 1 User record, comprising biometric template and user identifier
Access Control, Physical, Fig. 2 Separation of biometric authentication and system authorization
This separation between the authentication of the individual and the authorization of the user is critical for successful integration of biometric systems into general PAC systems. It provides an explicit segregation between the verification process in the biometric system and the rights and privileges that the user is assigned by the security system. This is especially important when considering issues such as the revocation of a user’s rights and privileges in a very immediate manner across a wide area system – i.e., a user can still locally verify, but no access action will be permitted as the PAC security system has denied access as a result of the user’s authorization privileges having been revoked.
Wiegand Format
The most prevalent format for an identifier within a PAC system is the 26-bit Wiegand format [3]. The 26-bit Wiegand code comprises 1 parity bit, 8 bits of facility code, 16 bits of identity code, and 1 stop bit. These data thus contain the identifier by which the user is known to a particular access control system. Note that this identifier is explicitly unrelated to the individual’s biometric, as described in the previous section. Other formats for identifiers include federal identifiers such as CHUID and FASCN.
Typical Biometrics Used for Access Control
Biometrics that are typically used for PAC are those which can provide excellent enrollment rates, throughput rates, and low false rejection rates. The false accept rate is typically set at a rate which is commensurate with the PAC security system requirements, and the false reject rate is thus set by default. Typical biometrics used for PAC are fingerprint technology, hand geometry, iris technology, and facial recognition (Fig. 3). Traditionally, fingerprint and hand geometry have been the main biometrics used for PAC. As the performance of facial recognition systems improves, for example, via dedicated lighting or by using 3-D surface or texture, this biometric modality is becoming more popular for PAC applications. Similarly, as the cost decreases and the usability (via verification on the move) of iris recognition systems improves, this modality is also becoming more popular for PAC. Furthermore, systems have been deployed using several of the above biometrics in a combined multi-biometric system.
Access Control, Physical, Fig. 3 Examples of fingerprint and 3-D facial biometric devices for physical access control
Interaction with Logical Access Control
As the number of users enrolled in a PAC system that are migrated over to the use of biometrics increases, there is a desire to have the PAC systems interoperable with logical application systems. This interoperability has several aspects: template interoperability (i.e., it is preferable that the user need not reenroll for different systems), identifier interoperability (this is especially important where the rights and privileges of the user should span both physical and logical access applications), and event synchronization (e.g., a user cannot be granted access to a computer in a room which they are not authorized to enter). These requirements are more recently being designed into biometric PAC systems, as such PAC systems are required to be a component in a converged physical and logical access control system. A particular example of such a system would be a US Federal system based on HSPD-12, which, in 2004, mandated the establishment of a standard for the identification of federal employees and contractors, subsequently defined by the Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, in February 2005 and Biometric Data Specification for Personal Identity Verification, NIST Special Publication 800-76 (SP 800-76). SP 800-76 describes the acquisition and formatting specifications for the biometric credentials of the PIV system and card. In particular, for fingerprints, it calls for compliance to the ANSI/INCITS 378 fingerprint minutiae data interchange format standard for storing two of the captured fingerprints (the left and right index fingers) on the card for use in user verification. This process enables the template interoperability required for a converged physical and logical application. In addition, a unique number stored on the PIV card, known as the CHUID (CardHolder Unique Identifier), is used as the single identifier by which the user