In case you hadn’t notice, there is a subtle revolution going on in how people identify themselves. You may have experienced this at airport security checkpoints or boarding gates, where the Transportation Security Administration, Delta Airlines, American Airlines and others have been testing face readers. I admit it was a bit disconcerting when I walked up to the pre-check security checkpoint at O’Hare shortly before COVID, started to present my driver’s license and boarding pass, and was told “you can put those away and go right through” … especially since I had never pre-registered. I can only guess that they had matched the photo they had from my Global Entry membership, or maybe my passport, with a list of departing passengers for that day.
Of course, Face ID or a thumb print now unlocks many smart phones, and increasingly the apps on them as well. And as I covered in my last blog on the arrival and check-in process, facial recognition is starting to show up in hotel apps and check-in kiosks as well. How will it, or other biometrics, emerge in hotels?
The need to verify a customer’s identity varies a lot in the hotel industry. With many hotels in North America, identity checks are often quite loose: often a cursory glance at a driver’s license, or mobile check-in with mobile key and no ID check at all. In other countries, however, requirements can be quite strict: the hotel may have to make a copy of a passport or national ID card, validate it, compare the photo to the person presenting it, and report it or send a copy to authorities. Hotel owners with varying attitudes toward risk may also require more (or less) stringent checks. Even in major-brand U.S. hotels, I have more than once been told that the hotel must make a photocopy of every customer’s ID. That is over the top, and not in any brand standard, but after a long day of travel, it was either hand it over, or schlep to another hotel, so I caved.
If your hotels never really want or need to verify the identity of guests or staff, then you can stop reading now, because my topic this week is biometrics and identity verification. You will not find many vendors selling these products directly to the hotel industry, but they are starting to be embedded into many other common products, as well as mobile apps. If your properties could benefit from biometrics, whether for staff, guests, or both, this article may help you understand what the technologies do and how various implementations differ.
Biometrics are moving very quickly into the broader travel space and will soon be starting to set customer expectations. In some cases, the motivation is security (such as at border crossings and airports), but for customers it also offers a more convenient check-in process while also providing better security for immigration authorities, airport security, airlines, rental car providers, and yes, hotels.
Biometrics and identity verification are tightly interrelated in travel. Travelers typically present some form of identity that has a photo, and biometrics can then be used to verify that the person presenting it is the person in the photo. Many use cases require that they be used in tandem, but the technologies are separate and are often provided by different companies. Sometimes only one or the other is needed, so in this article, I will address each in turn.
Biometrics
The four commonly used forms of physical biometrics are facial recognition, iris scanning, voice recognition, and fingerprints or palmprints. Of these, only facial recognition has much traction in hospitality, and I will cover that in more detail after briefly addressing the others. In addition to physical biometrics there are various forms of behavioral biometrics, but I will leave that topic for a future column.
Iris scanning requires light, such as visible light from a flash (not easy for a mobile phone selfie since the flash is on the rear camera, and intrusive) or from an infrared light source that is not available on most mobile devices. Iris scanning works well for access control to secure areas, where the authorized users can be scanned at enrollment, and where infrared light can be built into the camera at the point of entry. It could also work for guests at kiosks, but the applications would be limited since the biometrics would first need to be collected at the kiosk and would then generally be unusable except at locations with infrared scanning capabilities (meaning probably anywhere except at a kiosk).
Voice recognition can be quite accurate, with some of the better options claiming about a 0.01% false acceptance rate. Common issues include the need to train the algorithm to recognize each person’s voice, a higher false rejection rate (around 5%), problems when illness causes changes in the voice, and potential fraud from recorded voices (which can be reduced or eliminated if the words to be spoken are generated at each test). Voice recognition is commonly used on telephone calls but face recognition typically works better in person.
Fingerprints or handprints are commonly used for access to highly secure areas such as data centers, and Yotel reportedly also uses handprints to identify staff members at time clocks. At least one Spanish hotel has installed guest room door locks that are fingerprint-activated. However, the privacy aspects of collecting fingerprints from guests for comparison may be concerning; the technical implementation requires more expensive online door locks; and the solution may be less desirable for travelers now sensitized to contactless or low-contact options.
Linxens offers a fingerprint-activated NFC keycard, although to my knowledge it is not yet marketed or deployed in hospitality; this could be useful for staff master and zone keys. It could also enable a “lifetime” guest key, although it would likely be usable only at one hotel, or within a hotel group that used all the same locks.
Because of the limitations cited above, facial recognition has been the clear winner in early biometrics applications in hospitality. Accuracy is not perfect but is quite high, and the impact of false negative matches can usually be handled on site as an exception. Numerous third-party vendors provide plug-in modules that can be integrated into mobile apps, kiosks, video surveillance systems, and other applications. While not widespread, many of these have been deployed to verify identity in mobile check-in systems and kiosks, primarily in countries where verification of identity documents is required. Facial recognition is also common in environments like casinos, where integration with surveillance systems can enable the casino to detect and act upon entry by someone who has been blacklisted. Some high-end resorts have evaluated it as a way to ensure that only registered guests, and not those staying at adjacent properties, use the facilities.
The most common form of facial recognition is where the hotel wants to match the face to an identity document such as a passport, national ID card, or driver’s license – something that is required as part of the check-in process in many countries. In other cases, where the hotel has a photo of a staff member, VIP guest, or banned individual, the match may be to a photo (or a biometric summary of the face) that is stored in a database.
Depending on the use case, it may be important to prevent someone from simply putting a photo of the subject in front of the camera; this can be handled by “liveness detection.” Liveness detection can be passive (determined either by video or by using two still cameras, which will capture slightly different images when the subject is live), or it can be active, where the subject is captured on video and asked to do something specific, such as smile or turn their head. Most of the face recognition products I have seen do at least passive liveness detection.
Facial recognition can also be used to authenticate within mobile apps. This can be done using the native capabilities of the phone operating system (e.g. Face ID on late-model iOS devices); alternatively, it can be embedded in a mobile app for additional functionality and/or for compatibility with phones that do not support facial biometrics. Using facial recognition to log in to a hotel’s mobile app provides strong evidence as to who is checking in, but there is no guarantee that someone else will not show up at the hotel. For this, you can have the guest can complete registration details in the app prior to arrival, but then have them complete the process in the lobby by taking a selfie. The app would combine facial recognition with a geofence to ensures that the guest is at the hotel.
Facial recognition is gaining traction in air travel but is still in its infancy in hotels, except for monitoring guests entering casinos. Two vendors, NEC (see video) and YooniK, offer capabilities that incorporate face recognition and matching on various devices such as kiosks, but neither are yet widely deployed in hotels. The Spanish company Mobbeel has integrated facial recognition and document validation with several hotel mobile apps. Several other companies provide facial recognition mobile plug-ins that have been incorporated into banking and other mobile applications, which could also be used in hospitality. NEC’s facial recognition technology is also deployed in partner products, such as for time clocks and access control at staff entrances.
Identity Verification
Biometrics can be combined with identity verification to determine, with very little doubt, who a person is that is using an app or standing at a kiosk, door, or other biometrically enabled device. The usual process is to capture an image of an official identity document that has a photograph, validate that it is has not been altered and is not a forgery, and compare the photo to a selfie or to an image captured by a camera in the kiosk. This is now entirely practical for capturing and validating required documentation such as passports, and a few governments that require this process are starting to accept this as sufficient for check-in at a hotel.
The captured image need not be stored unless required by regulation, and for compliance reasons, most hotels will not want to store unnecessary personal data. In some countries where capture is required, it is possible to send images directly to the government to avoid the need to store them; unfortunately in others, it is not.
For many hotels, facial recognition may be unnecessary. Where there is no regulatory requirement to check, hotels may feel sufficiently protected with a scan and validation of identification document and presentation of a valid credit card in the same name; these can be handled by a kiosk or (with some limitations) mobile app.
Identity verification can be simple or complex, and there are numerous companies such as Acuant, Onfido, and Jumio that provide plug-in modules to accomplish this in conjunction with a kiosk with a document scanner and/or a mobile app, and facial recognition where required. Important issues to consider with document scanning include:
- Images may need to be straightened before analysis, and document photos taken by mobile phones need to be corrected for angular distortion.
- Document photos taken by mobile phone may have shadows that interfere with validation; these need to be compensated for by the recognition algorithms.
- Document photos taken by mobile phone may be out of focus; better products ensure adequate readability when the photo is taken and ask the user to try again if needed.
- There are literally thousands of different documents that may be accepted for identification in different parts of the world. The better products can validate most of them, but it is important to understand which ones you need and whether they are supported.
- Many identity documents have security features that are invisible to the naked eye but that can be detected using ultraviolet light or high levels of magnification; the better products can determine whether these are present.
- The content of many identification documents includes multiple internal consistency checks, similar to the check-digits used on payment cards but more complex; each one should be verified to ensure the document is not altered or forged.
- Even legitimate identity documents expire, get revoked, or are lost or stolen. Expiration dates should be checked as part of validation; for other statuses, various governmental and commercial databases are available to check, and the better products know how to check them (for a fee). For hotels, these steps are rarely considered in manual processes today, and may be necessary only in rare cases.
- Scanned documents can be converted into text and used to automatically populate or correct fields in the property management system to save time, if desired.
- Rejected documents may not be fraudulent, so it is important that staff take control when one is rejected, and that they have access to information that can help assess the risk. An expired driver’s license might be rejected, for example, but not considered a risk in many situations, while a passport with several suspicious issues is probably forged.
Conclusion
The launch of IATA’s Travel Pass, originally designed to use biometrics to speed the traveler through the airport, has been accelerated by its ability to also handle health credentials such as vaccination certifications and COVID tests, which many countries currently require for travel. The general consensus in the airline industry is that biometrics will begin to become commonplace in air travel over the coming year. Consumers will greatly benefit from the process over time, and this will set expectations for other business interactions, especially in travel. While biometrics may not have compelling use cases in many hotel settings, in others they will quickly become essential, and hotels in markets where identity checks are required should be starting to think about how they will address them.
Douglas Rice
Email: [email protected]
LinkedIn: www.linkedin.com/in/ricedouglas