The airline industry is undergoing major changes as higher capacity airplanes are built, flights along major routes increase, and both new and existing airports are building to accommodate more passengers. But as domestic airports prepare for more travelers, recent security breaches have heightened the need to improve airport security and address concerns about domestic threats. These incidents are also leading a push for more secure employee access control processes and technologies.
For example, Rep. John Katko (R-NY), chairman of the House Committee on Homeland Security Subcommittee on Transportation Security, and ranking member Kathleen Rice (D-NY), introduced the Airport Access Control Security Improvement Act of 2015 (HR 3102) to address perceived vulnerabilities with airport employee screening and access control. If passed, the legislation would require the Transportation Security Administration (TSA) to develop a risk-based, intelligence-driven model for screening employees at airports, which would take into account factors such as minimizing employee access points.
Many airports are looking to technology to adjust for more active airports. Stakeholders throughout the airport security process are increasingly turning to biometrics as a solution for secure passenger flow and employee access control.
On the passenger side, airports are deploying more e-gates and kiosks. According to Acuity Market Intelligence, the global number of e-gates will grow from 1,490 in 2014 to over 6,780 by 2019 which is over a 20 percent compounded annual growth rate (CAGR). Airports are also re-evaluating their employee access control operations.
Moving beyond today’s access control technology
For employee access, domestic airports use a variety of methods to secure facility access—from security officers to radio frequency identification (RFID) cards, PINs, key badges and electronic locks. Card readers and PIN code access are the primary methods; if a TSA or airport employee wants to access a secure area, they must have their card or an access code.
Traditional access control approaches are not meeting increasingly complex and multi-faceted airport security challenges, however. Codes and cards are easily lost, forgotten, stolen or shared. Estimates vary, but simply resetting or replacing passwords and cards can cost between $150 and $200 per employee per year. In addition, outdated, vulnerable and limited employee access systems expose an airport to insider threats.
Traditional access control methods also do not provide certainty that the individual associated with the access product is the one in fact using it. In other words, these forms of access control authenticate the “things you have” (e.g. card, PIN code, key) instead of “things you are” (e.g. biometrics such as fingerprints, voice and iris patterns). Another person can gain access if he/she has your card or PIN code, but it is far more difficult to spoof fingerprints, irises and voice patterns.
A complex challenge
TSA requires all airport security to include access control access to sterile areas, which TSA inspects to ensure compliance. Controlling access to the sterile side of an airport, or the area beyond the TSA screening checkpoint, requires the right balance between security and airport business operations.
Airport operators must maintain accountability and control of airport-issued identification media such as Secure Identification Display Area (SIDA) badges, and ensure integrity of access control. All airport employees working inside the Secure Identification Display Area of any airport facility must have a SIDA badge to access secure areas such as baggage loading areas, taxiways, runways and boarding gates. And before a badge is issued, employees must meet both TSA background check and local airport requirements. New directives are increasing the number of random checks as well.
Iris recognition gaining traction
Airports can increase throughput and security with biometrics. Among biometrics, iris recognition provides exceptional accuracy and reliability. Practically impossible to change, and almost as difficult to duplicate, human iris patterns are certain and enduring—more than fingerprints, voice, face or gait. Iris patterns remain stable from an early age, and each iris has more than 250 points of identification, resulting in one of the lowest false accept rates of any biometric.
This reliability provides a necessary foundation for the evolving and complex access control requirements of airports at access points and via random screening. Emerging biometric solutions ensure accuracy will remain unmatched relative to other forms of access control—even as irises are scanned outside an individual’s “personal space” while people are in motion or in unfavorable lighting conditions.
Iris recognition and multimodal biometrics
Multimodal biometrics, which involve systems that capture multiple physical (fingerprint, iris, voice, etc.) or behavioral (keystroke or typing recognition, etc.) characteristics for verification or identification, is optimal to meet pending legislative directives calling for the use of biometrics alongside card readers and PIN codes. An additional benefit of multimodal biometrics is that it facilitates a deeper level of information sharing between TSA, other government entities, airports and airlines. As a result, it can ease development of a common database.
Biometrics can also meet the challenges of employee screening. It’s estimated that approximately 950,000 airport employees have authorized access to 450 US airports, but do not undergo routine screening. These are employees of airlines, airports, vendors, concessionaries and even the regulators themselves. Budgets are strained and must account for 18,000 access points across hundreds of US airports.
Employee credential management is not trivial. It requires an enterprise approach to create a secure, cost–effective, scalable solution that must work for small airports with fewer than 1,000 badge holders, as well as larger airports with more than 40,000 badge holders.
Analysis
Mobile biometrics solutions can address the need for employee spot checks and greatly enhance randomized employee screening by confirming at any given time that an individual with access credentials is exactly who they say they are and is authorized to be there. Extending employee security procedures beyond fixed access points with employee screening strengthens an airport’s overall security posture and contains the emerging insider threat.
Government agencies and airport security operations face a multi-faceted and evolving security challenge every day. Putting in place sound employee access control processes and technologies should be an immediate and critical component of these efforts.
Mark Clifton is president of SRI International’s Products and Solutions Division, and vice president of SRI International.
