Airport Staff Access Control: Biometrics at last?
Christer J Wilkinson
AECOM
Technology Solutions
Associate Vice President
christer.wilkinson@aecom.com
Abstract— Airport security has always been challenging. But
with the tragic events of September 11th 2001, security was
significantly increased at US airports and other airports worldwide.
Since then there has been a progressive increase in security
requirements to meet new threats.
Most of the new security requirements have been in the passenger
processing areas. But there is another side of airport security, often
not addressed in news reports, namely measures to control staff
access to secure areas of each airport.
Staff access control at airports within the US has also seen
significant changes over the years, with the introduction of more
secure credentials, and more thorough background checking, using
conventional biometrics such as fingerprints for comparison against
government databases.
But surprisingly, the use of biometrics to verify identity as an
operational access control identification factor used each time an
airport staff member processes through an access control portal to a
secure or restricted area has not yet been extensively deployed at
airports within the USA. This is in a marked contrast to the
progressive deployment of biometrics for passenger identification at
airports worldwide.
However, a number of major US airports are now in the process
of deploying biometrics as an additional access control factor and it
is possible that a “Tipping point” in the deployment of biometrics at
airports within the USA has been reached.
This paper evaluates why US airports have previously been slow
to adopt biometrics for access control despite the steady
improvements in technology and public acceptance of biometrics,
examines the operational and cost factors causing a resurgence in
interest in biometrics, and reviews the progress of current airport
implementations.
Finally it reviews the various alternative biometric modalities
against the operational requirements of airport staff access control,
and predicts future technology trends for staff access control at
airports.
978-1-5386-7931-9/18/$31.00 @2018 IEEE
I. INTRODUCTION
The US commercial airport network comprises some 475
airports with regulated air service. Since the 90’s each such
airport has been required by US Federal Regulations to have an
access control system to control unescorted staff access to
secure and restricted areas.
Over the years, with successive security incidents and
increased threats, the level of federal regulation in this area has
been progressively enhanced. Directly after 9/11, the new
agency responsible for security within the USA, the
Transportation Security Agency (TSA), had a plan to require
biometrics at all major airports as an additional access control
factor for airport staff access control systems.
However, faced with the cost and operational impact of
converting many thousands of staff access points across the US
commercial airport network to biometrics, the TSA did not
mandate this requirement. It has not done so since, despite an
initiative in 2008 to develop a technical standard, the Airport
Credential Interoperability Solution (ACIS) which included
biometrics. On completion of this proposed standard, the TSA
decided not to proceed with any pilot programs or
deployments.
Some negative experiences with similar nation-wide access
control system deployments that included biometrics in other
sections of the federal government, and specifically the
Transportation Worker Identity Credential (TWIC), were
reportedly a factor in this decision.
Notwithstanding, a few US airports did decide to deploy
biometrics as an additional factor for staff access control.
Early implementers were Seattle and Boston. However, since
then, contrary to expectations, only a few major airports have
followed up with “full scale” deployments, as opposed to small
pilot deployments which have been undertaken at many
airports, with varying degrees of success.
However, based on an analysis of recent developments at
airports, it is probable that we are now at a “Tipping Point” in
the deployment of biometrics for staff access control at airports
within the USA. Based on reports provided by airports,
previous studies, and press releases, it appears that
developments in three factors:
• Cost
• Perception
• Operational performance
...have combined to cause a resurgence of interest in the use
of biometrics as an additional access control factor and
stimulate deployment, especially at higher threat profile
airports.
II. BIOMETRIC USE CASES AT AIRPORTS
The use of biometrics at airports is commonly
misunderstood. There are four different modes of use of
biometrics at US airports for security purposes:
• The use of biometrics to identify passengers during
the passenger screening process before a flight.
• The use of biometrics to identify passengers in
Federal Inspection Services (FIS) for non-domestic
travel.
• The use of biometrics for the required background
checks for airport staff prior to issuing an airports
security credential.
• The use of biometrics as an additional control factor
for use by airports staff at portals giving access to
secure areas of airports.
This paper is only about the last of these cases.
The biometric discussed in this paper is sometimes called
an “operational” biometric, which is required each time an
access portal is used at an airport at specific access locations,
typically by means of a collocated biometric reader. It is
important to note that this biometric need not be the same
modality as the “identification” biometric used in the
background checks prior to issuance of an airport access
credential.
Purists will point out that there is a difference between the
use of a credential to verify identity and one which controls
and permits access. In practice at many airports these are the
same credential.
At smaller airports one can have an identification credential
and a separate access credential, such as cyber keys or digital
fobs, or even conventional mechanical keys.
III. STAFF ACCESS CONTROL SYSTEMS AT AIRPORTS IN THE
US
Ever since the now infamous PSA incident of 7 December
19871, airports within the United States have been required by
federal regulation to have effective and promptly updated
access control systems to secure and control access to restricted
areas within an airport.
Over the years this requirement has been increasingly
tightened, and now almost any reasonable sized US Airport has
an electronic access control system using credit card sized
credentials (which typically double up as an identity
1
A fired and disgruntled employee, David A. Burke, using airport
credentials that had not been surrendered, high-jacked a plane, shot
several passengers and the cockpit crew dead, and the aircraft crashed
with no survivor.
credential), which permit access to parts of the airport
depending on each credential holder’s profile.
Together with these measures has come an increase in the
regulatory requirements for the background checks required
before each airport staff access credential is issued to an airport
worker. These include verification against government data
bases for each individual applying for such a credential.
IV. RATIONALE FOR BIOMETRICS
But why do we need biometrics at access portals if each
staff member has gone through a background check before
being issued with a credential?
The answer is simple. We need it to verify the identity of
the user of an access credential, to stop it being used when lost
/stolen/ shared. This is one aspect of the popularly named
“insider threat”.
Of course many airport systems deploy a PIN as an
additional access control factor with their airport access
credential to better verify identity, but without a “scramble
pad” or similar device which makes PINs hard to determine, it
does not take much observation to determine an individual’s
PIN. And of course it is also is even easier to share it!
And regrettably some security audits of US Airports, have
found that credential and PIN “sharing” is more common than
one would expect at certain locations. The risk of criminal
prosecution and loss of the right to work at the airport does not
seem to stop such incidents. Airports have a policy of “spot
checking” access credentials which does catch a number of
these, and it a good counter measure, but security staff cannot
be everywhere at all times.
Well, biometrics are now available as an identity verifier on
smart phones, and there are numerous examples of the use of
biometrics in airport passenger processing. So what is the
issue with using it for staff access control at entry portals? To
understand why, one needs to consider the different
requirements for each use case of biometric at airports and
compare these with the requirements for staff access control.
V. BIOMETRIC FOR PASSENGER PROCESSING.
Biometric use in passenger processing at US airports is
different from biometrics for staff access control. There are two
main use cases.
a) Passport control and Customs processing
Most passports include a biometric of some type. The
simplest ones are simply a picture which can be manually
compared against the passenger. Others contain an encoded
biometric of the holder. It is standard practice in almost every
country to verify both the passports validity and also that the
passport is being used by the person to whom it was issued.
Unfortunately use of fake or illicitly obtained passports is
common in some parts of the world.
 The US Customs and Border Protection agency (CBP) has
used biometrics in various forms for this process for many
years. It is starting to use biometrics to verify identity on both
arriving and departing passengers. This is already done in
several other countries.
b) Passenger Screening
At some locations in the US, the use of biometrics is
employed to help provide an optional service to speed
passengers through a TSA operated screening process at the
passenger screening checkpoints.
This optional service, currently provided in the US by the
commercial company “Clear”, uses biometric identification to
identify a passenger and provide a better level of service than
the regular screening process, but this service does not change
the nature of the screening process, as does the TSA “Pre-
Check” program.
VI. BIOMETRICS FOR AIRPORT STAFF BACKGROUND
CHECKING
At US airports biometrics are used in the federal
background and security risk checks made before each airport
staff member is issued an airport credential. This occurs when
the credential is initially issued and is also part of the regular
renewal process.
Details of these checks made are not public, but the checks
do involve using conventional finger print capture technology
to capture a complete set of prints of each applicant according
to US FBI technical standards, to allow comparison with
federal data bases.
VII. STAFF ACCESS CONTROL REQUIREMENTS AT AIRPORTS.
There are fundamental operational differences between the
use of biometrics for staff access control and other uses at
airports.
Passenger processing utilizing biometrics is currently done
at a few specific locations, with backup manual support at
passport kiosks, checkpoints, and boarding gates. Staff
background checking is done infrequently at an airport badging
office with specialist staff present.
Staff access control, by contrast, is distributed across an
airport with many access points typically with no manual
backup support or alternative available locally.
This means that the level of reliability of the biometric
capture device for staff access control needs to be much higher
than the other modes of use. One failed biometric recognition
in one plane load of passengers can easily be handled by a
local manual inspection of documentation. But one failed
biometric recognition for a staff member at a remote portal
would need the dispatch of a guard, which would reduce staff
effectiveness and increase security staff requirements.
Remote resolution by means of video of such failures could
be possible, but this would also take staff time and would need
some audio capability and well placed video feeds. Of course
one could reduce the biometric modality sensitivity so as to
reduce “false matches” and “failed matches”: but to what end?
This would obviate the purpose for which biometrics are
intended. Unfortunately such reductions were required at some
facilities in early tests of biometrics. Technology has
fortunately advanced such that such measures are no longer
required.
It should be noted that this difference between passenger
processing and staff access processing is reduced when staff
are only allowed access to secure areas via specific and limited
numbers of portals with staff screening processes at these
specific portals. This allows an on-site security officer to take
an access decision following credential inspection, should an
automated system fail.
In the US the topology of many airports makes limiting
portal availability for staff access challenging: but several have
deployed such measures for some categories of staff.
A final difference between the modes of operation is the
acceptable time delay in capture and “recognition” of a
biometric for staff access control. A passport scan takes time
and frequently passengers have to wait several seconds for the
biometric processing to take place.
This level of delay is not acceptable for staff access control
as they may have to go through such access portals many times
a day as part of their duties.
VIII. TECHNOLOGY DEVELOPMENTS MITIGATING BIOMETRIC
CHALLENGES.
Technology development in biometrics in recent years has
been most promising.
All biometric modalities have seen a steady improvement
in False Acceptance Rate (FAR) and False Rejection Rate
(FRR) levels. Many are now (finally) at levels acceptable to
airports.
It should be noted that existing access control systems at
airports sometimes do not always grant access as required:
cases in point, misreading a credential, and mis-entry of a PIN,
so airport staff are used to occasional errors. So a device which
occasionally requires a second presentation of a credential and
a slight delay is acceptable.
But given these developments and the security advantages
of identity verification by automated biometrics, why are more
airports not deploying such biometrics for staff access control?
What are the other challenges?
A. Biometric deployment challenges at US airports
Unfortunately, there are numerous other “challenges” when
biometrics are being considered for implementation for staff
access control purposes at US airports.
B. Environmental
Almost all US passenger processing stations are inside a
facility. This means that the biometric devices for passenger
processing are in air conditioned, clean, and well-lit but not
over-lit areas.
A number of access portals at airports match these
requirements but a significant proportion do not, being
externally located with no environmental conditioning, and
subject to the vagaries of weather, which can include high or
low temperatures, humidity, and occasionally sand or snow
storms. (Not normally at the same airport!)
Biometric devices for staff access control would thus need
to work in such conditions to the same level of performance as
other locations. This is clearly a challenge. This challenge can
be mitigated by careful mounting and protection of the
biometric devices, but in some cases this is not feasible.
Airports have recognized this and the use of vestibules for
existing staff access control devices (with or without
biometrics) have become more common, but of course at extra
cost and space occupancy.
C. Number required
Large airports within the USA may have many thousands
of access control doors and portals. For example LAX has
around 2000, DFW has about 1500, and SFO has around 1800.
Clearly converting all of these to biometrically enabled
portals would be a significant cost, and a significant ongoing
maintenance overhead. However, in practice not all portals at
an airport need to be so converted, (such as ones giving access
to separate sections within a secure area) and US airports have
typically focused on high threat portals, but even so the capital
costs and maintenance costs are significant.
D. Location distribution
In addition many airport staff access portals at US airports
are very widely distributed across the airport. For some airports
there can be perimeter gates some several miles away from the
main terminal buildings.
The costs to implement the communication infrastructure to
support an access control system, with or without biometrics, at
such portals can be an order of magnitude greater than the costs
of the portal itself. And biometrics can require a higher
capacity communication link.
Wireless connectivity is a possibility to such locations, but
this is less secure than hardwired infrastructure, and one still
needs power at the portal.
E. Biometric system communication infrastructure
requirements and security
To support biometrics using a central repository of
biometric data requires a modern and high capacity
communication link to enable reasonable operating
performance. Typically such links are based on IP technology
and have connectivity via Cat 6 cabling or fiber.
But only a handful of airports have such infrastructure to
each secured staff access portal, as legacy access control
systems did not use such cabling. However specifying a Cat 6
end connection to each portal in new facilities has become
standard at many larger airports.
But one could ask why do you need a central repository of
biometric data? With smart cards one can hold the biometric on
the card. This is true, but brings in another challenge: security.
And some states within the US have state specific rules with
regard to biometrics security which make it very challenging to
have a biometric on a card.
These security concerns are both about the integrity of the
data and also accidental exposure revealing personal
information. Of course one can encrypt the biometric
information on the card, but then the decryption process at time
of use needs a password or key. Use of a simple common key
for all cards is NOT a secure option. But then where does the
password/key come from?
A high level of security can be obtained with the use of
public/private key technology. Using a full PKI structure with
the credential normally requires a high speed communication
infrastructure.
Other mechanisms may be used but do not offer the same
level of security. Similar concerns apply to centralized
biometric storage approaches.
This issue is complex and the reader is referred to the
description of the US FIPS 201 standard for details of such
security issues.2
F. Lack of mandate from TSA
Airports in the US are with some exceptions expected to
make profits or at least cover their costs.
Like all profit making enterprises airports typically only
implement what is mandated by either federal or state
governments, unless there is a compelling need otherwise.
After 9/11 the TSA considered mandating biometrics for
access control, but faced with a significant cost and extended
schedule did not do so, and since then faced with more
pressing concerns have not raised this issue so there is
currently no such federal mandate for biometrics.
G. Lack of credential technical standards
This lack of a mandate for biometrics is accompanied by a
lack of standards for the technology of an airport access
credential with or without biometrics. (In contrast, there are
requirements for the visual features of an airport identity
2
For details of FIPS 201:
https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.201-2.pdf
credential). Currently many US airports use some form of
smart card as a combined access and identity credential. But
not all smart cards are convenient for biometric deployment.
H. TWIC negative experience
Several years ago the TSA, recognizing the significant lack
of effective access control at maritime facilities decided to
undertake a program to implement a Transport Workers
Identity Credential (TWIC) at these locations.
This was to be based, unfortunately rather loosely, on the
Personal Identity Verification (PIV) card used for federal
employees for identity verification and potentially access
control. 3
This credential was then planned to be used in a more
extensive program for all transportation workers, potentially
including airports. Unfortunately the program ran into both
technical and contracting difficulties and was only operative
several years after the deadline and still has not attained all its
objectives.
Based on this experience, the TSA recognized the difficulty
of implementing a nation-wide credentialing system and
decided not to expand the TWIC program to airports, but left
the responsibility for issuance of both the access and identity
credentials with each airport.
But the stigma acquired by biometrics in the TWIC
implementation led to a widely held belief that biometrics was
“just not ready" for airport use.
This was unfortunately confirmed by a number of airport
pilot studies funded by biometric suppliers in an attempt to get
acceptance of their products, which in several cases did not
meet expectations.
But quite recently, the TWIC program has started to
introduce a new credential which is closer to the PIV card
technology: this may result in technology of interest to airports.
I. Implementation issues
A further challenge to deploying biometrics is the
difficulty of integrating biometrics with existing legacy access
control systems at airports.
Many legacy access control systems were developed
and installed before biometrics were available and do not
natively support biometrics. Replacing a complete ACS system
at an airport is expensive and operationally challenging, even
without biometrics.
But the costs and risks associated with custom
integration of a new biometric capability within an existing
system are also high and have the additional risk of becoming
“orphaned” technology, with limited support from the
integrator.
3 For details of PIV: https://csrc.nist.gov/Projects/PIV
If a “centralized” biometric data storage approach is
adopted, there is a need for a high speed communication link to
a central repository of data which is not supported by many
existing legacy access control systems at each portal. As a
result, approaches using a separate communication system for
biometric data, supplementing an existing access control
system have occasionally been adopted.
Remote biometric processing clearly requires advanced
encryption to ensure the privacy and security of the biometric
data whilst in transit and at rest in the data base. This is a
concern for all such centralized storage biometrics systems.
The alternative approach is to use the “biometric on
credential” approach, described above. This allows local
processing without a high speed data link for biometric data
transfer from a remote server.
This approach is more appropriate for some types of
biometrics than others and clearly requires encryption to ensure
the privacy and security of the biometric. This approach is
typically simpler to interface with existing legacy systems.
This approach has typically been used with finger
print biometric technology for which there are numerous
commercial fingerprint capture and analysis devices, which can
use biometric storage on commercially available smart cards.
Legacy access system conversion to biometrics is a
complex issue and full details are beyond the scope of this
paper.
J. Public acceptance of biometrics
The good news is that with the spread of smart phones,
public acceptance of biometrics and their storage on portable
media has increased significantly in recent years. But it has
also alerted the public to the risks of biometric loss and identity
fraud.
But in one respect the public acceptance of biometrics has
had a setback. Specifically the threat from pandemics has seen
a preference for a non-tactile biometric: for personal devices
such as smartphones, the issue is moot.
K. Organizational
Another cause for slow introduction of biometrics as an
additional access control factor at airports in the US is that
some of the larger airports have leased out their facilities to
airlines that operate them independently.
Examples include JFK, BOS and LAX. Details of the
division of operational functions vary between airports.
As a result the operators of some of these facilities may be
responsible for the staff access control measures, which can be
any system which meets the federal and state requirements.
Since these requirements do not mandate biometrics, these
airlines or operators are under no obligation to implement
biometrics, and in many cases do not do so.
L. Funding
Airports are always short of funds. Security upgrades can
be funded by the federal government through a complex
sequence of grants and allowances. But to get these grants and
allowances is not trivial and to use them brings constraints on
use.
Airports with significant income from other sources (such
as Las Vegas) do not have to use such funding and have more
opportunity to innovate.
IX. AIRPORT BIOMETRIC MODALITIES ANALYSIS
It is outside the scope of this paper to provide a comparison
and analysis of all potential biometric modalities, and their
applicability to airport operations and specifically airport staff
access control. However, a summary of the main modalities in
use at airports and their operational advantages and challenges
is appropriate.
1) Finger print
This was for many years the biometric modality of choice
for airports, based on past law enforcement experience with
fingerprints and the number of capture and recognition devices
commercially available.
Despite this experience, this biometric modality had issues
as an additional access control factor. Single finger print
versions had a relatively high error rate, a not insignificant
failure to enroll rate, and this modality has the disadvantage of
being a tactile technology, so it could be a source of infection.
Recently non-tactile finger print readers have become
available, removing the tactile infection risks, and both
operational error rates (FAR and FRR) have improved
significantly and the device costs have reduced.
This modality is the most common modality in use at
airports.
2) Facial recognition
Facial recognition was for many years a second choice
biometric.
Capture and recognition was found to have environmental
and operational challenges: specifically lighting, headgear,
sunglasses, and angle of head when in use as an additional
access control factor. However, in recent years quite
remarkable developments have taken place in facial
recognition technology using multistage neural networks.
The end result has been a surge in interest as performance,
reliability, and convenience has improved by orders of
magnitude. It is such a vibrant industry that NIST is running an
ongoing evaluation program with monthly updates4.
4 For details of the NIST facial recognition program :
https://www.nist.gov/programs-projects/face-recognition-vendor-test-
frvt-ongoing
But it’s not just the performance that has improved. The
restrictions on the biometric capture devices have been
mitigated, and now previously deployed video cameras
providing general surveillance capability may potentially be
redeployed without relocation for identification activity,
provided that the view is suitable for a facial biometric capture.
The number of such cameras available is greater than might be
expected, due to the common US airport practice of having a
camera watching each high threat door.
Unfortunately no major pair of VMS or ACS vendors yet
offer this integrated capability as a standard product offering:
but they almost certainly will in the near future. As of the time
of writing this paper at least two US airports are investigating
facial recognition technology for staff access control.
3) Other Biometrics
There are of course other biometric modalities. Airports
have experimented repeatedly with biometrics since 9/11, some
with quite extensive pilot programs.
Iris recognition for example, which has some of the best
error rates when the biometric is captured correctly. This
capture is however is an inconvenience due to the need to “line
up” on a reader.
This modality was tested in pilot installations at numerous
airports since 9/11 and at one point was identified as the
“biometric of the future”, but costs and operational issues
intervened and it was not widely deployed.
The author knows no significant deployment of any other
biometric modality at a US airport, excluding legacy
deployments of hand geometry readers (at SFO for example)
which have proved to not be an effective operational biometric.
Recently there have been some proposals to use smart
phones as access credentials, potentially including biometrics.
The Secure Technology Alliance (based in Washington DC) is
working on this. It clearly has some security challenges. No
airport within the US currently uses this approach for staff
access control.
4) Biometrics system deployments without an access
credential requirement.
Notwithstanding several movies indicating the opposite,
effective fast facial recognition or gait recognition of one
individual out of the many thousand who work at an airport,
without the prior identification by means of a credential is still
not as reliable, or as practical as might be expected.
For example, at LAX with an active badge population in
excess of 40,000 this is a significant technical challenge. For a
smaller airport such as Grand Rapids (GRR) with an active
badge population less than 1000 this is not such a technical
challenge.
This approach normally needs a high speed connectivity
capability from the capture point to the facial recognition
processing location, typically a remote server. But with most
new cameras using IP, this connectively in many cases exists.
 This mode of use contrasts with the use of a smart card
credential, where the biometric can be stored on the credential,
and retrieved at time of use, and enables local “1-1” matching
and not “1-n” matching.
X. RECENT US FEDERAL INSPECTION SERVICES
DEVELOPMENTS
In the US Federal Inspection Services sector, biometrics are
gaining traction rapidly. The year 2018 has seen more changes
in the way passengers are processed by the Customs and
Border Protection agency (CBP) than any recent year.
After migrating from a “manned booth” operational model
to a “self-service kiosk” operational model starting about 2010,
the CBP has now determined that self-service kiosks are still
too slow to handle the increased international passenger load,
and that facial recognition based on advance passenger
biometric information is a potentially faster method of
processing these passengers, and trials are starting.
This shows a significant degree of confidence in facial
recognition technology and indicates that this modality can
probably meet even the CBP’s exacting standards.
It is interesting to note that European and other countries
use biometrics based on an electronic passport provided
biometric data at time of inspection, and not advance provision
of biometric data.
But in addition to this change in passenger processing
requirements, in the recently issued new technical standards for
CBP facilities, the CBP have also enhanced their requirements
for controlling airport staff access into CBP areas in US
airports, with biometrics as one component. This of course
only applies to CBP facilities in the international arrival
sections of US airports with direct in-bound flights from non
US airports without pre-clearance capabilities.
XI. CURRENT STATUS OF DEPLOYMENT AT AIRPORTS FOR
STAFF ACCESS CONTROL.
Determination of the exact status of staff access control
measures at airports within the US has regulatory challenges.
Airports do not reveal details of their security measures.
However some, but not all, airports are willing to speak in
generalities about their use of biometrics.
Based on this limited available knowledge and the author’s
own consulting experience, it is clear that there has been a
recent increase in the deployment of biometric system for staff
access control systems after a fall off in implementations since
the “early adopters” shortly after 9/11.
. A summary of the findings is listed below.5
5
With the exception of SFO all existing systems are currently based
on fingerprint technology
• LAS about 100 ( since 2009)
• DFW about 200 (under development)
• LAX about 200 (under development)
• ORD 300 (installed)
• SFO 1000 more being deployed (replacement of old
hand geometry system)
• DIA about 300
• SEA Site wide (an early adopter)
• BOS Site wide (an early adopter)
Several other airports confirmed that at present they have
no immediate plans for biometrics as an additional access
control factor: others have not provided information for
security reasons: others do not want to be mentioned.
It is clear that this is not a representative or potentially
statistically significant sample. But it does cover a significant
number of the Cat X airports within the USA. From these
numbers, it is also clear that some airports are only providing
biometrics an additional access control factor at selected,
presumably, high priority, doors.
So why are these airport introducing biometrics now? Few
airports would discuss the specific reasons, but from interviews
with some of the abovementioned airports, it is clear that:
• Improved technical feasibility
• Reduced costs to implement.
• Improved reliability and performance.
• An increased recognition of the “insider threat”.
• Comparative deployments in passenger processing.
...were key factors in this recent surge in biometric
deployments.
XII. SUMMARY OF ANALYSIS, MAIN FINDINGS AND
SIGNIFICANCE:
No formal analysis of the data collected was undertaken
due to the limited number of reports available.
But despite this, the increase in planned and ongoing
deployments in recent years seems significant. But is it really
significant? Time will of course tell.
The main findings which may account for this increase in
deployment are:
• More people are familiar with and accustomed to using
biometrics from their introduction in the smart phone
marketplace.
• The perception of the practicality of biometrics has
changed with the expanded use for passenger processing,
and a feeling that an equivalent level of identification is
appropriate for staff access control.
• The perception of need for biometrics has changed with
increased emphasis on the insider threat, and ongoing
 TSA encouragement of countermeasures for this threat
area.
• The cost of biometric devices suitable for staff access
control at airports has now reduced enough to be
considered even by smaller airports
• Biometric access control deployment now no longer
always need a completely new access control system, and
the use of an existing airport credential is possible in
some cases
• The effectiveness of biometrics now good enough for
staff operational use at access portals without any manual
backup.
• Now that several major US airports are now installing
biometrics for staff access control this may be an example
to others to enhance their security in the same manner.

And in technology:

• Facial recognition is now becoming “the technology of

the future” and the possibility of integration with existing
surveillance video systems is becoming feasible for the
first time.
• Facial recognition may eventually replace the existing
deployments of fingerprint biometric devices at airports.
• The possibility of using a smart phone as an access
credential is a new focus of technology development but
security concerns remain.

Introduction of biometrics as an additional access control

factor for staff access control systems will provide a major
enhancement of airport security against insider threats,
including mis-use of stolen and lost airport credentials.
However, it should be emphasized that deployment of
biometrics does not address all threats. Examples include:
piggy backing, and prohibited items introduction into secure
areas.