The future of access control: Offline biometric authentication and optional tokenisation

As security demands increase, biometric authentication combined with offline processing offers a more secure solution.

Here, CardLab explores how these technologies address key challenges in Identity, Credential, and Access Management (ICAM) while integrating with existing software solutions.

The access control problem

Have you ever tried to work out how many passwords you are using and how many tricks you are making to try to remember them? The result is that the same password, or simple variation of it, is often used in 25 or more different applications. This puts companies and individuals at high risk of cyber-criminal activities.

To keep data, networks, critical infrastructure and personal identity safe, CardLab has faced the evolving security demands that traditional methods struggle to keep up with by providing a biometric authentication which combines an offline identity verification and tokenisation process to offer a significantly more convenient and secure solution.

Passwords, tokens, and even multi-factor authentication (MFA) are under constant attack from increasingly sophisticated cyber threats and introduced complexity that fosters unsecure workarounds. Passwords can be stolen, tokens can be lost, and MFA via SMS or other online authenticators – while an improvement – can be intercepted, adds user friction, and still doesn’t fully eliminate vulnerabilities.

Organisations face three critical challenges:

• Inability to securely tie digital identities to real people: Traditional methods, such as passwords and usernames, cannot definitively confirm whether the person using the credentials is the rightful owner.
• Increased cyber threat sophistication: Network-based attacks, such as man-in-the-middle and phishing, make passwords and tokens easy targets for cybercriminals.
• Increased human failure risk: Unsecure workarounds with complex, sophisticated and manual passwords.

These issues highlight the need for more user-friendly and secure solutions. As a minimum, offline biometric authentication using unique physical identifiers, like fingerprints, to verify identity is needed. Unlike passwords, which can be shared or hacked, biometric data offers reliable, secure, and unique identifiers that can directly verify the physical presence of a human being. When paired with offline processing, which allows verification to happen locally on the device rather than over vulnerable networks, biometric authentication offers a seamless, secure, and scalable solution for organisations of all sizes.

Why this solution works

Biometric authentication is inherently secure because it ties access control to something that is unique to the individual, such as a fingerprint. This means that the risk of impersonation is drastically reduced to only sniffing and ‘man in the middle’ attacks. While software encryptions, such as online syncable passkeys (like passkeys in Apple’s ecosystem or Google’s Android platform) are useful in strengthening security, biometric authentication offers an even stronger, complementary layer as it becomes person-based authentication instead of device-based. These systems can integrate seamlessly with existing encryption-based security protocols, enhancing protection and replacing reliance on password-based systems.

Using offline biometric data verification processing, the CardLab Access solution takes security to the next level. Here’s why:

• Biometric authentication for high security: Unlike passwords or tokens that can be stolen, biometrics such as fingerprints are unique and difficult to forge. This makes fingerprint authentication one of the most reliable ways to confirm identity. With CardLab’s solution, fingerprint data is stored locally on the card, eliminating the need for transmission over networks.
• Offline processing for reduced exposure: One of the key advantages of this card is that the authentication process happens offline. Since no sensitive data is transmitted over networks during the identity verification process, it makes man-in-the-middle attacks, phishing, or data interception virtually impossible.
• Tokenisation as an add-on for extra security: Tokenisation, which generates a tokenised identity upon identity verification, is offered as an optional extra layer of security. Organisations that require this added level of protection can adopt tokenisation based on their specific security needs. By framing it as an add-on option, organisations can integrate the card with varying levels of security into existing company infrastructure.
• Communication via Near-Field Communication (NFC) and Bluetooth Low Energy (BLE): The CardLab Access card communicates via NFC and BLE, ensuring compatibility with a wide range of physical and digital access systems. Whether logging into a secure digital system or accessing a restricted physical area, the card enables secure communication without exposing sensitive biometric data.

By addressing the limitations of traditional MFA and encryption-only solutions, CardLab’s Access products provide a comprehensive and flexible solution that enhances security and user convenience by being an ‘all in one’ MFA solution.

The challenge of multi-factor authentication

MFA was introduced to strengthen access control by requiring users to provide multiple credentials to gain access – usually something they know (password), something they have (a token), and something they are (biometric data). However, while MFA adds layers of security, it also introduces complexities and friction for users.

Moreover, traditional MFA systems are still vulnerable to phishing attacks, especially when SMS, online authenticators, passwords or network-dependent tokens are involved. CardLab’s biometric authentication solution removes the need for passwords or network-based tokens, streamlining the process while enhancing security. By leveraging fingerprint authentication – the card with fingerprint sensor and tokenisation ensures an all-in-one solution: something you are (fingerprint), something you have (the card), something you create (the token generated by the card) for a robust security solution – the CardLab Access control solution can fully replace traditional MFA while providing greater ease of use.

Real-world applications: Who benefits?

The CardLab Access card’s form factor offers significant advantages across multiple use cases:

• ID Card (proof of identity): The card acts as a secure form of identity, allowing users to prove who they are without needing additional credentials.
• Physical access card (door locks): It can be used to gain access to secure areas by verifying the user’s identity through a fingerprint scan.
• Logic access (logins): The card enables secure login to computer systems and applications, replacing the need for passwords or other network-based methods.

These capabilities make the CardLab Access solution applicable across various industries. Here’s who benefits the most:

Small and large enterprises

For small and large enterprises, secure access control is a top priority, whether it’s for physical locations, sensitive IT systems, or corporate infrastructure. Many businesses struggle with password management or token-based systems that are cumbersome for employees. The CardLab Access card provides a streamlined alternative, allowing employees to authenticate quickly and securely using their fingerprint.

In addition, the NFC and BLE capabilities of the card enable it to integrate seamlessly with existing infrastructure, reducing the need for costly upgrades. This makes it a scalable solution for organisations that are growing or facing increasing security demands.

• Small enterprises: SMEs often lack the extensive security infrastructure that large corporations have. The CardLab Access card offers an affordable way to introduce biometric authentication without disrupting daily operations.
• Large enterprises: For global corporations managing thousands of employees and multiple access points, this solution ensures centralised control while enabling local authentication, single sign on etc. reducing the need for managing thousands of passwords and tokens.

The card also plays a critical role in cybersecurity, as it helps protect against the rise in cybercrime. As organisations face growing threats, the card offers a FIDO 2-compliant solution that ensures compatibility with existing authentication protocols and emerging security standards.

Government and military sectors

In high-security environments like government offices and military facilities, access control must meet the highest security standards. The CardLab Access control solution offers robust offline biometric, tokenised authentication without relying on network communication for identity verification, ensuring that unauthorised access to sensitive government data and classified military information stays protected from cyber threats.

By providing personal offline verification and tokenisation on the card with a fingerprint, the card ensures that only authorised individuals gain access to restricted areas or sensitive systems. This offline functionality also makes the card a valuable asset in environments where network access is restricted or prohibited.

Financial institutions

Financial institutions handle some of the most sensitive data in the world, and they are constant targets for cybercriminals. The CardLab Access control solution provides a solution for securing access to financial systems, vaults, and sensitive customer data without relying on network transmissions critical data. By using offline biometric verification, financial organisations can comply with strict data protection regulations like GDPR and PCI-DSS while enhancing convenience and security.

Moreover, while the card form factor often conjures associations with payment solutions, its primary use in these institutions is access control for employees and secure areas.

How the CardLab Access Control solution works

CardLab’s Access Control solution brings together the power of offline biometric verification and identity tokenisation. Here’s how it works:

1. Biometric data storage: The user’s fingerprint data is stored in a secure area on the card itself, ensuring privacy and compliance with data protection regulations.
2. Local user verification: When attempting to access a secure system or location, the biometric data is verified locally on the card, eliminating the need for external network communication during authentication.
3. Tokenised identity generation (optional): As an optional extra layer of security, the card generates a tokenised identity for further interaction with backend systems and company APIs. This fully protects the user’s identity and delivers dynamic tokenised access to companies and organisations, protecting against password abuse, ‘man in the middle attacks’, and AI-assisted deepfakes. It is the unbreakable link between the physical and digital identity.

This process ensures that biometric data is never exposed to external threats while maintaining a fast and seamless user experience. Lack of biometric verification of the user’s identity means no access to systems or facilities.

Future-proofing access control

As cyber threats continue to evolve, organisations need to adopt solutions that provide maximum protection without sacrificing convenience. The CardLab Access control solutions address these challenges by using offline processing of biometric verification to ensure that sensitive data remains secure at every stage.

By eliminating the need for passwords and network-dependent tokens, this card provides a future-proof access control solution that is scalable, easy to integrate with existing systems, and compliant with global privacy standards.

Whether it’s securing enterprise facilities, protecting government data, or ensuring compliance in financial institutions, CardLab Access is the solution for the modern world of access control.

Please note, this article will also appear in the 20th edition of our quarterly publication.