Alcatraz AI is offering web-based mobile enrollment and privacy consent management to optimize the onboarding process for its facial recognition building security system.

Access control provider Alcatraz AI is adding web-based, mobile enrollment and privacy consent management to its flagship facial authentication product, the Rock, to enhance building security and ease employee and visitor registration.

The Rock includes an edge device installed near the doors to buildings and secure areas, using 3D facial mapping and machine learning analytics for facial  authentication. The update adds mobile enrollment to the system to streamline onboarding by allowing new employees and visitors to register remotely and securely through their own mobile devices and tablets, according to Blaine Fredrick, vice president of products at Alcatraz AI.

The updated privacy consent management process is designed to offer an opt-in choice via mobile devices, allowing Alcatraz’s enterprise customers to inform end users about the usage and management of their personal data, which they can choose to accept or decline.

With the two new enhancements to the Rock, Alcatraz AI expects to reduce the overall cost and complexity of the enrollment process and also enable corporate compliance with privacy laws such as the EU’s General Data Protection Act (GDPR), the US’ Biometric Information Privacy Act (BIPA), and India’s Central Consumer Protection Authority (CCPA) guidelines.

The system has been designed to initiate enrollments by sending QR codes and links directly from the security teams at organizations that have installed the Rock system, using multifactor authentication, including via emails, to reconfirm access, according to Blaine.

Mobile enrollment raises security concerns

Enabling distributed access with the mobile enrollment feature, however, may raise concerns about malicious attempts to impersonate valid visitors, said Michael Sampson, an analyst at Osterman Research.

“There are definitely security concerns if they are relying on the future employee’s personal mobile device and personal email address (to which a a link or QR code is sent),” said Sampson. “If the future employee’s email account had been compromised through phishing or other credential compromise avenues, then it is possible that a threat actor could enroll as the employee and gain building access. There’s a few hoops they’d have to jump through, but there are weaknesses in the security chain when personal devices and personal addresses are utilized.”

Otherwise, Alcatraz AI’s new privacy consent management capability is expected to allow for transparency in the usage of user data.

“The privacy consent is a good angle, and an essential one. There’s lots to get right in that, including the process for revoking consent and providing optics to the employee on where their biometric data is being processed,” Sampson said.

The Rock features a range of compliance and security tools, including real-time event log monitoring, customizable data retention schedules, and hard data deletes.

The new mobile enrollment and privacy consent management features will be generally available in the second quarter of 2023 to all Alcatraz AI customers using the cloud-based version of the Rock. The company did not immediately specify whether the new features will be rolled out to the on-premises version of the product.