Image in modal.

Business adoption of biometrics in access control and identification is at a major turning point right now. Big-name companies, major airlines and retailers — not to mention government and law enforcement — are using some form of biometrics, which is raising awareness around how the technology can help end users streamline operations, increase security and ultimately save money.

The growing use of biometrics and biometrics as a service (BaaS) is expected to reach $51.6 billion by 2029, at a CAGR of 12.4 percent during the forecast period of 2022 to 2029, according to analysts Meticulous Research.

A few recent high-profile examples include American Airlines using facial recognition biometrics; Disney theme parks implementing biometric fingerprint scanners; and Amazon incrementally rolling out its Amazon One palm scanning payment technology at Whole Foods retail locations across the country.

“Biometrics have been enthusiastically supported in many consumer applications in which the benefits for security and convenience are clear and adoption is generally increasing,” says Jake Parker, senior director of government relations at the Security Industry Association (SIA), Silver Spring, Md. Recent public opinion research commissioned by SIA finds that more than 70 percent of American adults support the use of facial recognition by airlines, for airport security, banking and financial transactions, and to secure workplaces, he says.

*Click the image for greater detail

The 19th Annual FindBiometrics Year in Review finds face biometrics retained its dominant status in 2021 for most used biometric modality, with 36 percent of survey respondents saying it had the strongest momentum, compared with 38.5 percent the previous year. // IMAGE COURTESY OF FINDBIOMETRICS


On the security side, this may not necessarily translate into increased adoption — yet. But it’s coming, says Lee Odess, CEO, Access Control Executive Brief, Bethesda, Md., a thought leader on access control. “I don’t think the general demand is here yet. I think general awareness is, and we’re still at that early stage, in my opinion,” he says. “At this moment, I believe we are still a ‘cottage industry’ that still focuses on ‘identity and biometrics’ solutions at that high security side (data centers, healthcare, government, etc.). This is currently the pond where integrators fish for these types of projects. Now I will say that the demand in this pond has become larger.”

The key to making biometrics go mainstream hinges on the security industry doing a better job of educating and promoting the technology to both corporate end users and the general public, Odess says. “I’d say that it is dystopia right now because there are no good stories in the mainstream media. … You’ve got to have case studies and storytelling opportunities to tell your end user customer [about biometrics].”


Big Developments Post-COVID

Biometrics aren’t exactly new. A PwC survey from 2016 found that 57 percent of company respondents were already using some form of biometrics for authentication, long before COVID-19 changed the world and technological advances became more sophisticated.

Much of biometrics’ initial use was for time and attendance rather than access control. “We introduced biometric time and attendance systems 20 years ago, which we still sell, with more than 200 software partners; it’s the most commonly used hardware in the commercial space, with millions of employees who use some form of biometrics to get their hours recorded,” says Manish Dalal, president of ZKTeco USA, providers of turnkey identity/access/biometric solutions, Alpharetta, Ga. But now, small to midsized businesses are starting to adopt biometrics for security uses, especially after the pandemic, he says.

While facial and fingerprint recognition are still the most prevalent forms of biometrics, today’s modalities include fingerprint or hand geometry, iris recognition, vein recognition, retina scanning, voice recognition, DNA matching, digital signatures, and behavioral patterns such as typing patterns, gait and gesture recognition, and social media engagement patterns.

“Growing interest has spawned a refresh of the technology,” says Peter Boriskin, chief technology officer at ASSA ABLOY Opening Solutions Americas, New Haven, Conn. “Earlier-generation fingerprint and iris scan devices are being upgraded to technologies like four-finger wave and appliance or server-based advanced facial recognition. These and other detection technologies like gait recognition (GRT) continue to evolve and emerge at a rapid pace.”

For access control, biometrics have two primary applications: facial or other authentication for physical entry, and authenticating a user to log into a device or system, says John Calzaretta, president and chief revenue officer of Sentry Enterprises, West Chester, Pa. This distinction is important because each group has different needs, budget and “innovative tendencies,” he says.

Calzaretta observes a growing trend toward biometrics use within Fortune 500 companies, where IT departments more often control security for physical entry, as they recognize the high level of security biometrics can provide. “I think that it’s important to call out the elephant in the room: the flawed reliance on credentials as the proof of who someone is,” he says. “A credential, whether an ID badge, password, PIN or multifactor code, can be shared, whether by accident or on purpose, and should not be trusted. Peel back virtually every case of fraud or security breach, and you will find a credential failure. Biometrics provide absolute proof of identity, which is why they’re the critical evolution within access control.”

A big part of the growing general acceptance of biometrics is the demonstrated ease of use on our personal devices, says Bob McKee, president, Suprema America, a global provider of access control, time and attendance and biometrics solutions based in Lake Mary, Fla. “When the access control industry showed how using a card versus a key prevented unwanted or unknowing key duplication, the access control industry exploded on the market,” he says. “When it became mainstream, the users and administrators heard the following statements: ‘I forgot my card and I can’t get in.’ ‘I lost my card someplace but I’m sure it will show up.’ ‘Having to pull out my card to get in is a hassle!’ These types of statements don’t exist in a biometrics deployment. You are always bringing you to the destination you desire.”


The Downside of Biometrics

Late last year, facial recognition technology made unwelcome headlines when a lawyer employed by a firm involved in a personal injury claim against the operator of Radio City Music Hall was barred from attending a show there after being picked up by facial recognition technology at the entrance.

Unfortunately, these are the types of stories about biometrics told again and again in the popular press — and the security industry has a responsibility to spread the word about its benefits.

“I think we’ve allowed dystopia to take over in the media allowing bad actors to tell their side of the story, and we haven’t done a good job promoting the positive aspects of why you would want to use AI, identity and biometrics,” says Lee Odess of Access Control Executive Brief. “We can’t say ‘it’s better’ — you need to explain why it’s better. And you can’t shrug your client making them feel, ‘You’re stupid if you don’t understand it.’ And if it costs more, you need to explain the added benefits and the ROI, too.”

Some theorize that the adoption of biometrics would have been speedier if not for concerns about privacy. “To some extent, the adoption of facial recognition for business operational purposes, including security, has been unnecessarily held back where there is legal uncertainty or litigation risk regarding the application,” says Jake Parker of SIA. “Government services and operations are some of the most established use cases, where implementation is often covered by extensive privacy impact assessment and mitigation, such as widespread use of facial recognition for verification at customers and increasing use at TSA security checkpoints.”

When biometrics was first introduced, analysts predicted the technology would explode with “hockey-stick growth,” but this hasn’t happened, says Shiraz Kapadia, Invixium. “However, I do believe we are reaching a new era of acceptance,” he says. “Ever since the introduction of fingerprint authentication and Face ID on the iPhone, people are realizing that biometrics can be incredibly convenient and secure without invading their privacy. This realization is having positive ripple effects throughout the larger biometrics industry, including for access control solutions like the ones we manufacture at Invixium.”

The biometrics technology used by law enforcement, the government, ICE and other entities is completely different from that used for attendance and security, and should be distinguished from what’s used in access control and security, says Manish Dalal of ZKTeco USA. Biometric templates are stored by the government and used for the security of citizens; but Big Tech got in trouble for doing this because they used it for commercial purposes to identify users and target them for advertisements.

“They’re invading their privacy by not getting consent,” he says. “Because of that, biometrics used in commercial industries were put on the same level. However, the technology we use in access control and time and attendance is completely different. We have no access to templates; the information is stored in a reader and used only to identify the user to clock them in or open a door. We don’t have access so we’re not using it for any commercial purposes. … There are many misconceptions in our industry. With the help of groups like ESA and SIA, we’re working to educate consumers about the safe and secure use of this technology.”


Major technological advances for biometrics include deep learning integration that allows for improved speed, accuracy and fake face detection, McKee adds.

Another driver of biometric adoption is the new regulatory requirements for increased cyber and physical security for critical applications and data center infrastructure that include the need for multifactor authentication to deliver stronger identity assurance, says Julia Webb, vice president, marketing & alliance at BioConnect, biometric access control providers based in Toronto.

Cost control is a factor as well. “Many organizations have a mandate to reduce the high recurring costs associated with maintaining traditional credentials like key fobs, cards, hard tokens and transition to mobile credentials that offer a sustainable option to plastic cards,” Webb says. “In addition, many end users have decades-old wall-mounted biometric readers that are reaching end of life and they are replacing those solutions with faster and more efficient biometric solutions available in the market with a preference for the solutions that are available as subscription services.”


Big Benefits for End Users

Biometric access control systems offer a spectrum of benefits for organizations large or small, starting with increased security. “Studies show that 25 to 50 percent of cybersecurity breaches occur due to internal threats, either intentionally or through human error like weak passwords,” says Shiraz Kapadia, CEO and president of Invixium, a touchless biometrics solution provider based in Toronto. “Investing in a highly secure, highly accurate alternative like face recognition mitigates these risks while providing employees and visitors with a fast, easy and touchless way to access your building.”

And although implementing new systems can be costly compared with using traditional credentials for access control, analyzing the total cost of ownership (TCO) between the two methods over a decade — weighing the annual cost of card replacement — ultimately makes biometrics more economical while helping reduce plastic waste for the environment, he says.

*Click the image for greater detail


Although financial services and payments topped the list at 30 percent for biometric adoption, end users from virtually any industry can realize the benefits of replacing traditional access control methods with biometrics. // IMAGE COURTESY OF FINDBIOMETRICS


Today’s biometrics can be easily integrated into new or existing access control infrastructure, McKee says. “The devices communicate via RS485, Wiegand, and even OSDP that most access control panels are designed to communicate to edge devices; this makes it easy for implementation,” he says. “The size of the system will dictate if integration to the biometric software is needed for enrollment. Some biometric companies are access control companies as well and have enrollment built right in the access control card record field to provide a good admin user experience. Smaller systems can have separate systems for enrollment and even using Wi-Fi to communicate to the edge devices.”

Biometrics technology has matured in the last five years, making it easier to implement for mass use, Dalal adds. “There are tools available to integrate [biometric] readers with [end users’] existing infrastructure; you don’t have to rip and replace, and you don’t have to use two different software systems.”

This puts biometrics squarely at the crossroads where it can provide both security and convenience, says Doug O’Gorden, director, digital and media events at FindBiometrics, a biometrics news source based in Toronto. “The pandemic sped our tech lives up by 100 years; when the world shut down we needed to figure out how to survive and live. That was where we began to adapt/adopt and begin to use the phrase ‘mobile, touchless, frictionless, seamless’ access. I don’t see us going back to the old way of doing some things ever. What is happening with consumer adoption of biometrics on our phones will only transfer to the enterprise (corporate) world.”

iDFace

Biometric access control systems make things faster, easier and more secure for end users. Brazilian company Control iD’s iDFace system uses facial recognition technology to identify up to 10,000 faces with face liveness detection. Control iD was recently acquired by ASSA ABLOY. // IMAGE COURTESY OF ASSA ABLOY


Facial Recognition Still No. 1

According to the 19th Annual FindBiometrics Year in Review, face biometrics retained its dominant status in 2021 for most used biometric modality, with 36 percent of survey respondents saying it had the strongest momentum, compared with 38.5 percent in the previous year’s results. Next in line in usage was fingerprint at 18 percent, multimodal at 15 percent, and iris recognition at 12 percent.

There’s a reason why facial recognition still tops the list. The “touchless” aspect helped spur growth during COVID. Law enforcement and other security agencies continue to use face biometrics technology to identify individuals of interest, and border officials are increasing its use at airports and other checkpoints, the FindBiometrics report states.

“The latest biometric technology developments have been focused on face recognition above all else,” says Kapadia of Invixium. “When the pandemic struck, fingerprint and other touch-based biometric solutions fell by the wayside and there was an immediate shift to touchless and contactless technology because suddenly no one wanted to touch shared surfaces. Face recognition became very popular, and in my opinion, it gained almost a decade’s worth of adoption during the pandemic period.”

Facial recognition continues to be popular because you can capture a biometric template of any person in a video feed, or you can have the user on an access control reader, or upload a photo of the user into the software to convert it to a template, says Dalal of ZKTeco.

Dalal predicts that “palm is the modality of the future” because it’s touchless, using the palm is a natural gesture, and its use requires cooperation and consent of the user, which eliminates many privacy concerns.


Regulations & Laws Concerning Biometric Use

Several laws and regulations address the use of biometrics and consumer privacy. The most prominent are:




BIPA

Illinois’ Biometric Information Privacy Act (BIPA), the strictest biometrics law in the country, passed in 2008, ensures that individuals are in control of their own biometric data, which includes retina or iris scans, fingerprints, voice prints, hand scans, facial geometry, DNA, and other unique biological information. BIPA prohibits private companies from using biometric data unless they inform the person in writing of what data is being collected or stored; inform the person in writing of the specific purpose and length of time the for which the data will be collected, stored and used; and obtain the person’s written consent.

Many high-profile class-action lawsuits have come out under the legislation, including Meta and TikTok paying out $650 million-plus settlements. However, “Of the approximately 1,000 BIPA-related lawsuits, most deal with everyday workplace use cases like time tracking, employee verification, and even temperature scanning,” according to FindBiometrics.

Similar, if less stringent, biometric laws are in effect in several other states, including New York, Virginia, Arkansas, Texas, and Colorado, with other states weighing adoption.


General Data Protection Regulation (GDPR)

Passed by the European Union in 2018, GDPR aims to protect personal data by requiring companies to maintain processes for handling and storing personal information. Although the GDPR is a European law, its requirements apply to many companies, nonprofits, and universities in the United States that offer goods or services to Europeans or that monitor Europeans’ online activities.


California Consumer Privacy Act of 2018 (CCPA)

This law gives consumers more control over their personal information that businesses collect about them, including the right to know about the personal information a business collects about them and how it is used and shared; the right to delete personal information collected from them (with some exceptions); the right to opt out of the sale of their personal information; and the right to non-discrimination for exercising their CCPA rights.

The most well-known of these is BIPA, “a well-intentioned but deeply flawed law that has mostly resulted in frivolous lawsuits that burden small businesses versus protecting biometric data,” says Jake Parker of SIA.

While a few localities in the U.S. have restricted city agencies and police from using facial recognition technology in any way, use has been restored in some cases under special rules governing law enforcement, Parker says. For instance, last year both New Orleans and Virginia reversed blanket bans, and Baltimore’s temporary ban on facial recognition expired at the end of 2022, leaving Portland, Ore., as the only local jurisdiction in the U.S. to currently restrict private sector use of facial recognition, he says.

Biometrics use is typically addressed in statewide consumer data privacy laws, he says. Five states have enacted such laws and the number is expected to grow. “Though most of these laws so far have special provisions that accommodate effective use of biometrics in security, the risk of overregulation is high,” Parker says. “For example, due to uncertainty and litigation risk, many providers simply do not offer products with biometrics in Illinois and several other jurisdictions, despite the fact that such products are not technically prohibited. This industry reaction is logical and something lawmakers should consider in making new policy — whether the intent is to establish sensible rules or end up simply making beneficial technologies unavailable in their jurisdiction.”


“Modern facial recognition, when used to authenticate individuals, is a powerful and convenient tool for access control that is implemented with privacy and data protection in mind while creating an environment that is frictionless and more secure,” says Tina D’Agostin, CEO of Alcatraz AI, Redwood City, Calif. “Simply put, it is the best, most secure way to make use of biometric facial technology while avoiding the past challenges of the biometric in surveillance environments.”

FindBiometrics breaks down facial recognition into four basic categories: smartphone authentication (deployed as software on any device with a digital camera); mobile identity verification (requiring an information exchange, such as requiring the user to upload multiple images to a third party); authentication at work (via cameras and facial recognition software integrated into a business’s access control or time and attendance system); and identification via biometric surveillance — the most concerning to privacy advocates because it does not require consent from the people being monitored.

Part of the reason for facial recognition’s popularity is that it’s fast, says McKee of Suprema. “Consumers witness it every day while using it on their phones,” he says. “When units are verifying as fast as .03 seconds, the users of the system will say, ‘boy, is this fast!’ Also, distant recognition when using face recognition even increases throughput since it is capturing the user face before getting to the controlled portal.


face recognition

Using a person’s face as their credential, the Alcatraz AI Rock system is a frictionless solution that works with virtually all access control solutions as a stand-alone reader or part of a multi-factor authentication system. // IMAGE COURTESY OF ALCATRAZ AI

A Myriad of Uses

A growing list of business verticals are turning to biometrics for access control, according to the FindBiometrics report. Financial services and payments topped the list at 30 percent, followed by enterprise including remote work (17 percent), citizen ID (15 percent) consumer device access (14 percent) and healthcare (12 percent).

But the list doesn’t stop there. Bobby Varma, president of biometric management company Princeton Identity, Hamilton, N.J., names higher education, financial service data centers, healthcare, pharmaceutical labs, medical facilities, surgery centers, oil and gas-related sites, airports, and more. These businesses are “creating efficiencies around access control,” she says. “In the past when we did access control, someone had to be physically present to show proof of who you are through a driver’s license or card,” she says. “Biometrics are now used to circumvent this and create efficiencies. Users can submit an image and a driver’s license and authenticate [their identity] online for seamless enrollment. Once enrolled into a specific platform, beyond access control, you can utilize it for other applications.”


man using facial recognition

Facial recognition biometrics are especially popular on college campuses, eliminating the problem of lost student ID cards. // IMAGE COURTESY OF INVIXIUM


For example, a Princeton customer who added biometrics for access control is now using the same platform to add time and attendance software, and eventually wants to utilize it for point-of-service, using the biometrics as the “backbone” for other applications. This technique ultimately yields cleaner data and creates increased efficiencies for administrators as well, she adds. “Once someone is enrolled in the system, you don’t have to worry about them losing or forgetting a card, such as on a college campus.”


Integrating Facial Recognition With a VMS? Proceed With Caution

For more on facial recognition, including how and whether to integrate it into a video camera system, see this related blog.


Biometric adoption tends to be more common — and sometimes even mandated — at locations that require a high degree of security. Solutions may be combined with a token (something you have) or a password or PIN (something you know) for multi-factor authentication, says Ron Hawkins, director of industry relations at SIA. “Government and military sites in particular are investing in biometrics,” he says. “A 2021 report commissioned by SIA from Omdia also found growth in the healthcare sector, with telemedicine and mobile drug dispensaries among the drivers.”

Kapadia of Invixium sees a steady demand from end users for biometrics, mostly to replace legacy access card or PIN-based access control systems. “But the increase in demand for biometrics that we have experienced is for workforce management applications, where companies are choosing to modernize their existing infrastructure driven by digital transformation initiatives that seek to improve profits, security and efficiency by converting antiquated solutions to modern, digital platforms,” he says. “I think this current trend of transition will continue because it is getting impossible to ignore the multitude of benefits that biometrics bring in terms of security and convenience.”

A huge benefit of biometrics is mitigation of tailgating, either forced or accidental, says D’Agostin of Alcatraz AI. “According to the Infrastructure Security and Resilience (ISR) Forum, the cost of one tailgating incident is between $500,000 to $2 million,” she says. “Security, compliance and business continuity are all at risk when tailgating occurs. Solutions like Alcatraz AI provide the technology to alert and detect tailgating, identify the perpetrator and provide actionable data to enforce compliance with employees and other users. For organizations across all industries, the cost of security breaches, regulatory fines for noncompliance and potential loss from downtime could be devastating.”


Beach club Suprema

This biometrics installation at the Hallandale Beach Club, part of a luxury condominium in Hallandale, Fla., replaced an outdated card reader with a Suprema facial recognition reader, increasing security and eliminating the problem of shared cards. // IMAGE COURTESY OF SUPREMA AMERICA


Flipping the Dystopian Narrative

Biometrics have a lot to offer end users — both a high level of security and convenience, says Lee Odess. But they’ll never realize it until positive biometrics stories enter the mainstream.

This will change as biometrics start entering our everyday lives, starting with “convenience access points” at stadiums, hotels, retail and commercial real estate, and culminating with biometrics bundled with payment, such as Amazon Go.

The challenge lies in recasting the narrative about how bad and scary biometrics use is, he says. “I think we’ve allowed dystopia to take over in the media, allowing bad actors to tell their side of the story, and we haven’t done a good job promoting the positive aspects of why you would want to use AI, identity and biometrics,” he says. “It’s like Apple. I trust them with my privacy and data, whether I should or not. … and I think the general public does, too. If I could summarize it, we just haven’t figured out how to have a mainstream conversation about identity and biometrics. And that’s our biggest problem moving forward.”