First, of course, you want the measurements taken to be unique to an individual. While many (not all—think body weight) biometric tools will succumb to impersonation by an identical twin, uniqueness of the measure is important. After all, depending on the precise nature of the tool, you may find yourself with a degraded reading. Fingerprints can smudge, voice recordings may have a lot of background noise, and poor lighting or infrared interference may cloud a photographic record. A good biometric has the property that a sample taken for comparison against the registered reference varies from it minimally and predictably as the sample's quality degrades.
Consider, too, that it is not only the measurement taken for comparison that may be degraded. Fingers, palms, and faces may be scarred by accident (or, alas, intentionally). Aging, illness, and injury must all be anticipated and compensated for. Sometimes, this may include having to redo the reference measurements.
Another factor to consider is the accessibility of the part of the body that must be registered. It is not a coincidence that fingers, at the end of our extensible arms, were employed as the first widely used biometric.
Further, one wants biometric measurements to be noninvasive, passive, and safe. Individuals to be vetted will vary in general health; in dexterity; in their ability to see and hear; in their alertness and the ability to follow instructions; and in their physical and psychological tolerance to being prodded, scanned by various rays, or enclosed in an examination compartment. Many individuals will be concerned about electromagnetic irradiation. Some women to be authenticated by your biometric device may be pregnant at the time or may become pregnant later. All of these individual conditions should be anticipated and respected with due concern for the examined individual's health, well-being, privacy, dignity, and legal rights.
As with all security measures, when selecting a biometric for deployment in your enterprise, you must consider the cumulative costs of setting up the system, registering each person, taking each measurement such as a fingerprint, and storing and retrieving the candidates' measurements.
Note that biometric sensors can produce data that indicates the subject may be suffering from a variety of illnesses, injuries, substance abuse, or other medical conditions. Depending upon the technologies you're using, the data you collect may cross the fuzzy boundary between what is personally identifying information (PII), nonpublished personal information (NPI), and protected healthcare information (PHI). Each category, of course, comes with its own compliance and regulatory requirements for data protection. As medical technologists discover even more ways to use noninvasive sensing to learn more about the condition of their patients, this frontier between identification and medical data will only become more complex to navigate.
Finally, be sure to consider the likelihood and effectiveness of antibiometric tactics by potential attackers.
If you are using facial recognition, attackers might wear masks.
If you rely on fingerprints, you had better anticipate and test the effectiveness of fake finger casts made out of silicone, rubber, or even ordinary wood glue. Japan's National Institute of Informatics even found that fingerprints can be copied by a digital camera from 10 feet away and then easily reproduced with simple technology. Depending on just how low you need to drive down the false acceptance rate, you might want to select a vendor for fingerprint sensors that can supply “liveness detection,” sensing temperature, pulse, and even body capacitance as a means of detecting fake fingers.
In the age of 3D printers, security architects need to think creatively about the technology relied upon by their biometric tools.
New Factor Type: Somewhere You Are
For some time now, access control systems have been able to check whether the IP address, origin URL, or information about the physical location of the subject is in fact within allowable limits. These constraint checks are usually expressed as attributes as part of an attribute-based access control system. Some systems can even use a soft token app to interrogate the location services within many smartphones, phablets, and laptops, and return that location information to the access control system to see whether the user-subject is where they are authorized, expected, or claim to actually be. Many mobile phone systems already provide this as part of their processing of calls to emergency service numbers, making GPS or other high-accuracy location information available to service dispatchers within seconds of a call being placed to their systems. Extending this to more mundane, nonemergency circumstances is worth considering if your organization needs to restrict access privileges or take other actions based on where you (and your soft token device) happen to be connecting or initiating an access attempt from.
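The "somewhere you are" checks described above, worked as an added example (not code from the original text): a source-network constraint and a geofence for a location reported by the subject's soft-token app, evaluated as attributes alongside the subject's role. The policy, network ranges, coordinates and request fields are constructed for illustration.

```python
# Added example (not from the original text): a "somewhere you are" check
# folded into an attribute-based access-control decision. The policy,
# network ranges and geofence below are constructed for illustration.
import ipaddress
import math

# Hypothetical policy for one resource: permitted roles, permitted source
# networks, and a geofence (centre lat/lon, radius in km) against which the
# location reported by the subject's soft-token app is checked.
POLICY = {
    "hr-db": {
        "roles": {"hr-analyst", "hr-admin"},
        "networks": [ipaddress.ip_network("10.20.0.0/16"),
                     ipaddress.ip_network("203.0.113.0/24")],
        "geofence": {"lat": 51.5074, "lon": -0.1278, "radius_km": 25.0},
    },
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def decide(request, policy=POLICY):
    """Evaluate subject, resource and environment attributes in order;
    return (allowed, reason). A missing location is treated as a deny."""
    rule = policy.get(request["resource"])
    if rule is None:
        return False, "no policy for resource"
    if not rule["roles"] & set(request["roles"]):
        return False, "role not authorized"
    src = ipaddress.ip_address(request["source_ip"])
    if not any(src in net for net in rule["networks"]):
        return False, "source address outside allowed networks"
    fence = rule.get("geofence")
    if fence:
        loc = request.get("location")
        if loc is None:
            return False, "location required but not reported"
        dist = haversine_km(loc["lat"], loc["lon"], fence["lat"], fence["lon"])
        if dist > fence["radius_km"]:
            return False, f"device {dist:.0f} km outside geofence"
    return True, "all attribute constraints satisfied"
```

Each denial carries a reason string so the accounting function can record which constraint failed, not merely that access was refused.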
Accountability
Accounting, you recall, is one of the “big three” functions of access control (the other two are authentication and authorization). Having strong, effective accountability as part of your information systems architecture supports three main objectives that most (if not all) organizations need to achieve.
Resource utilization, monitoring, and chargeback: In all but the smallest of SOHO environments, organizations need to plan and budget for IT resource usage by the organization. Budgets can and should allocate resources not only to departments or work units but also to objectives, goals, projects, and initiatives. Once a budget has allocated IT resource use in this way, accounting functions track actual usage so management can control usage and investigate budget variances (usage over or under predicted and budgeted amounts). In this way, resource usage accounting can also identify the need to scale or resize the organization's IT resources in more deliberate ways.
Individual accountability: By providing detailed records of each individual's accesses to systems resources, management has an informed basis upon which they can hold individuals responsible for their actions and decisions. This type of digital forensic evidence can play a vital role in supporting any corrective actions management needs to take, such as counseling or admonishing an employee; it also can support litigation if required.
Information security monitoring, analysis, and incident characterization and response: At each step of the access control process, detailed information can and should be generated about: which subjects, under what conditions, attempted what kind of accesses to which objects; what decisions were made as to granting or denying access; and what outcomes if any resulted from these access attempts. Authentication or authorization rejects can send alarms to systems security reporting and monitoring functions, including to the watch-standers in the security operations center (SOC) or network operations center (NOC). Accounting information can provide the diagnostic and forensics data that may be needed in analyzing and characterizing the event, as well as supporting decisions about containment and other required responses. Accounting data as part of access control also can provide important trending data, which may reveal whether the access control system is doing its job effectively enough to provide the required level of security and protection. After a security incident, this data may also help identify changes to sensitivity settings, constraints and conditions, or alarm filtering levels as part of providing better protection before the next incident occurs.
Taken together, this means that the data your accounting functions generate must be reliable and verifiable as to its accuracy and completeness. Data that cannot unambiguously identify the subject or subjects in question and precisely identify the actions they took or attempted to take are of little value to the troubleshooter or the litigator.
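The accounting record described above (which subject, under what conditions, attempted what on which object, with what decision and outcome), plus a reject alarm and a verifiability check, as an added example that is not part of the original text: each entry is chained to the previous one by a hash, so an altered or deleted record fails verification. Field names, event values and the alert queue are constructed for illustration.

```python
# Added example (not from the original text): an accounting log for access-
# control events, hash-chained so that alteration or removal of a record is
# detectable; rejects are copied to an alert queue. Sample data is constructed.
import hashlib
import json

def _digest(prev_hash, event):
    """Chain hash: previous entry's hash plus this event's canonical JSON."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(prev_hash.encode() + canon.encode()).hexdigest()

class AccountingLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []   # each: {"event": {...}, "hash": hex digest}
        self.alerts = []    # rejects forwarded to security monitoring

    def record(self, subject, obj, action, conditions, decision, outcome):
        """Append one event: which subject, under what conditions, attempted
        what action on which object, what was decided and what resulted."""
        event = {"seq": len(self.entries), "subject": subject, "object": obj,
                 "action": action, "conditions": conditions,
                 "decision": decision, "outcome": outcome}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "hash": _digest(prev, event)})
        if decision in ("auth-reject", "authz-reject"):
            self.alerts.append(event)
        return event["seq"]

    def verify(self):
        """Recompute the chain; return (ok, index of first bad entry or None)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["event"]["seq"] != i or _digest(prev, entry["event"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

def demo():
    """Constructed sample: one allow, one authorization reject, then an
    after-the-fact edit of the reject that verification must catch."""
    log = AccountingLog()
    log.record("alice", "/payroll/2024.xlsx", "read", {"ip": "10.20.5.7"}, "allow", "ok")
    log.record("mallory", "/payroll/2024.xlsx", "write", {"ip": "198.51.100.4"},
               "authz-reject", "denied")
    ok_before, _ = log.verify()
    log.entries[1]["event"]["decision"] = "allow"   # record altered in place
    ok_after, bad_index = log.verify()
    return ok_before, len(log.alerts), ok_after, bad_index
```

In practice the latest chain hash would be copied periodically to a separately administered store, so that truncating the log is detected as well as editing it.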
You must also take actions to protect the accounting data and related information in various systems or applications log files from inadvertent or deliberate damage, alteration, or loss. This not only protects the chain of custody of such data as forensics evidence but also provides another opportunity for early detection of an intrusion or unauthorized access or usage attempt. For example, by routing all security-related event notifications and supporting data to a separate logging agent, which is protected by separate and distinct administrator credentials, you both protect the log data while providing another source of alarms if some other process (a subject), even one with systems administrator,