Regarding ID Spring 2016 by AVISIAN

45 A SURVEY OF ID TECHNOLOGY - SPRING 2016 - ISSUE 45

PACS 2.0 is CLOUD-based,

IT-centric,

token-agnostic ... but will it be Follow @Avisian on Twitter, win $100 gift card.

CHEAPER?

TESTED AND TRUSTED PIV-I EXPERTS SureID® IS THE LEADING PROVIDER OF HIGH-ASSURANCE IDENTITY MANAGEMENT SOLUTIONS FOR SOME OF THE MOST SECURITYCONSCIENCE ORGANIZATIONS IN THE WORLD. We have built our reputation by increasing one’s confidence that someone is trustworthy and are who they say they are. Tested and trusted by the U.S. military for over a decade, SureID has expanded its capabilities and is now the leading PIV-I issuer in the nation, with more than 100,000 credentials issued to date.

When your networks, assets, employees and reputation are at stake, don’t take chances. Choose the most tested and trusted high-assurance identity management partner.

WHEN TRUST IS ESSENTIAL, SO ARE WE.™

HOW DO YOU ISSUE ID CARDS IF YOU HAVE A MAC?

“ I’m starting a new job, finishing my degree and I have a true passion for the arts. I’m proud of my work and the cards in my wallet represent my life.”

— Robert H. Marketing Director Corporate Technologies

Every person in your program has multiple identities, and securing and protecting those identities is no small task. Datacard® ID solutions empower enterprises to protect what’s most important to them in an increasingly connected world with trusted, long-lasting, secure ID cards.

Visit Datacard.com/ReID to learn more by downloading your free ID Solutions Guide.

DATACARD GROUP IS NOW ENTRUST DATACARD

CONTENTS

20 Cover Story: PACS 2.0 is cloud-based, IT-centric, token-agnostic … but will it be cheaper? The physical access control market tends to move at a glacial pace, and to date the vast majority of systems remain wired and on premises. But the industry is staring at a cloud-based future that is moving servers out of back rooms and enabling entry with the tap of a button on a mobile device. These new IT-centric PACS may very well be cheaper for end users as they challenge the longstanding business models that have defined the industry.

Are states speeding toward mobile driver licenses?

36 DOD web site kills the password

In an apparent first for federal web sites, the Defense Technical Information Center has outlawed the use of passwords for user access. Instead, it is requiring all users to have PKI-based credentials, either smart card or software-based certificates. It’s a real-world test to see if passwords can truly be eliminated. If users still come, other government sites – and perhaps the whole Internet – will follow.

40 Are states speeding toward mobile driver licenses? The identity industry has been buzzing about the possibility of placing driver licenses on mobile devices. Vendors are touting products and one state has been piloting a system for months, but it’s no slam-dunk. Roadblocks include standards, infrastructure and relying party acceptance, as players wade through the long list of extraneous functions served by state-issued IDs.

Educating issuers of all levels to benefits of advanced card materials

Facial rec helps U.S. customs validate identities at JFK

Employee benefits firm protects clients with two-factor auth

Spring 2016

CONTENTS

Integrators, ‘RMR’ and the changing business model for PACS

Feds mandate strong authentication for E-prescribing drugs 6

Bad messaging plagues ID and security industry

ID Shorts News and posts from the web

DOD web site among first to eradicate passwords Research site mandates PKI certs for all external users

Are states speeding toward mobile driver licenses? Interest is high, but roadblocks include standards, infrastructure, relying party acceptance

20 PACS 2.0 is cloud-based, IT-centric, token-agnostic … but will it be cheaper? 22

Integrators, ‘RMR’ and the changing business model for PACS

Cybersecurity at the ‘edge’ of cloud-based access control

Texas municipality replaces cards with mobile credentials

28 Feds mandate strong authentication for E-prescribing drugs Resistance from docs, inconsistent interpretation leading to problems 32 PIV and multi-factor authentication: Ensuring security in an increasingly mobile, global and flexible economy 34 Corporations benefit outsourcing employee ID card production Issuance as a service: snap a photo, upload data, receive cards via mail

Spring 2016

Florida researches mobile driver licenses

State lawmakers consider mobile driver licenses Numerous states proposed legislation in 2015, more expected in pending sessions

The long road to biometric exit in the U.S. Advances in biometric technologies finally leading to progress tracking foreign travelers

It’s not your enterprise IAM Consumer-facing identity systems are vastly different from those used by employees for network access

Will biometric payments become reality? Mastercard, Visa look to face recognition and fingerprint

Face coming to forefront of biometric modalities Tech makes new gains, erasing black eye from post 9/11 claims

Lessons learned: Everchanging mobile operating systems pose challenges

Educating issuers of all levels to benefits of advanced card materials Evangelizing more durable, counterfeitresistant IDs takes buy-in from everyone in the supply chain

Employee benefits firm protects clients with two-factor auth 65

Facial rec helps U.S. customs validate identities at JFK

Two-thirds of enterprises going multi-factor

White House releases new cybersecurity plan New plan pushes toward multi-factor authentication

MORPHOWAVE

AWARDED BEST NEW PRODUCT OF 2015 BY SIA MAXIMUM SECURITY Multi-Finger Matching

HIGH THROUGHPUT On the Move Matching

EXTREME CONVENIENCE Touchless Operation

NO COMPROMISES: Ultra Convenient Frictionless Access AND Ultimate Security from the world leader in biometrics with an FBI Certified sensor and #1 NIST ranked algorithms ACCESS CONTROLLED WITH A WAVE OF THE HAND

info.USA@morpho.com www.Morpho.com/USA 1-800-444-0496

ABOUT

EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andrew Hudson, andrew@AVISIAN.com CONTRIBUTING EDITORS Liset Cruz, Autumn Cafiero Giusti, Gina Jordan ART DIRECTOR Ryan Kline

BAD MESSAGING PLAGUES ID AND SECURITY INDUSTRY ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com

OVERHEARD AT A RECENT SECURITY CONFERENCE:

SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions. avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

When I heard this I chuckled. Of course it’s for real, the cloud enables companies to do things they would not normally be able to and take advantage of economies of scale. For a small business instead of having a dedicated computer under lock and key in a closet at the whim of consumer telecommunications technology they can outsource operations for applications, services and web sites, having them hosted from virtual machines around the globe securely and with plenty of redundancies. The cloud is not a passing fad. It highlights a problem with the way technology companies – and those in identity and security in particular – communicate about their products. Sure, the gentleman who made the comment was older and likely the type to wait in line at the airport rather than download a boarding pass or app, but that doesn’t erase the fact that the industry does a poor job of explaining technologies. I read a lot of press releases and article pitches every day. This is typical of what lands in my inbox: “Our ID management solution redefines the IAM landscape providing the industry’s first fully-automated approach to securing network resources via unique customer defined data sets.” What does this mean? This is what I need: “Our solution helps enterprises onboard new employees and securely provision access to facilities and networks. Company X has deployed the system and it’s helped secure sensitive data, reduced the time it takes employees to access resources and consolidated multiple credentials to one.” Press releases, white papers and other materials from vendors in the identity market need to focus on the problems that these technologies can solve. Stop writing about how technology is “first,” “fastest,” or “industry-leading” and tell me – and potential buyers – what it can do. In this issue the cover story looks at cloud-based physical access control systems. Physical access control might be one of the last industries to embrace the cloud, but as you will read this new generation of systems is ushering in some impressive advances. In physical security, the challenge around introducing innovation has long been convincing the dealers and integrators. They wield the most influence when it comes to recommending systems, but far too often they stick with what they know – long-

ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2016 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com

Spring 2016

“IS THIS WHOLE CLOUD THING FOR REAL?”

PERSPECTIVE established, perhaps-aging technology. Educating them on the benefits of new systems and technologies can help them and their customers. A similar messaging challenge can be found in our article on the migration to mobile driver licenses. It was one of the hottest topics of 2015, and vendors are pushing to get products ready as states try to figure out how to implement the new credentials. Much of the early messaging around mobile driver licenses has focused on getting rid of wallets, claiming that’s “what young people want.” This may be true to some extent but alone it is not sufficient. States don’t care about thinning out the wallet or getting rid of it. Messaging needs to tell DMVs and government agencies how will it help solve their challenges. They also need to tell consumers why having a driver license app will help them? Cybersecurity remains a huge problem, and depending on the stats, as high as two-thirds of all data breaches are caused by stolen or misused credentials. Identity companies are spending a lot of money to try and sell their systems to enterprises, but if you look at the state of cybersecurity it doesn’t seem to be going very well. A big reason for this gap is that identity is a tough sell. When trying to get funding from the C Level it’s easy to explain what a firewall does or how an intrusion detection system can help. But

identity and access management systems are harder to explain and thus placed lower on the funding list. This could change if identity companies communicated differently about their products. Too often the conversation revolves around technology and not the problems it can solve. Until vendors start talking about identity in terms of solving problems that enterprises face, it will continue to be a tough sell. “Our solution can enroll a new employee into an identity and access management system by scanning their driver license or passport. With some clicks on a screen that employee can be provisioned access to necessary networks, apps and physical locations along with a strong authentication token of the enterprise’s choosing.” This helps a company understand what an identity and access management system can do. Identity and security is an integral piece of the complex cybersecurity puzzle. Vendors need to start better communicating so organizations understand what the systems actually do and can get required funding to solve the problems.

Spring 2016

ID SHORTS

HIGHLIGHTS FROM SECUREIDNEWS.COM

GPO PRODUCES 5 MILLION TRUSTED TRAVELER CARDS The U.S. Government Publishing Office reached a milestone in the production of secure border credentials, topping 5 million Trusted Traveler Program cards for

the Department of Homeland Security’s U.S. Customs and Border Protection. During this process, GPO and CBP have successfully manufactured these secure credentials for members of the various programs without a fruitful counterfeit attempt. GPO has been producing the cards since 2008 at the

agency’s ISO 9001 certified secure production facilities in Washington, D.C. and Mississippi. GPO is responsible for designing, printing, personalizing and mailing the cards. CBP’s Trusted Traveler Program provides expedited entry process for pre-approved, low-risk travelers upon arrival in the United States. Trusted Traveler Programs cards, including NEXUS, SENTRI, FAST and Global Entry, are approved travel documents under the Western Hemisphere Travel Initiative.

MORPHOTRAK UNVEILS AFIS IN THE CLOUD MorphoTrak announced the launch of Morpho Cloud, a multi-biometric Identification-as-a-Service solution. Morpho worked with Microsoft Corporation to develop a cloud service for Morpho’s Biometric Identification Solution. Morpho Cloud is hosted on Microsoft Azure Government, the cloud platform with a contractual commitment to support several U.S. government standards for data security, including the FBI’s CJIS Security Policy. Backed by

Spring 2016

ID SHORTS

CALENDAR

SEPTEMBER

JUNE

MAY

APRIL

MARCH

2016

OCTOBER

the Microsoft Azure Government platform, Morpho Cloud complies with the stringent security standards for storage, transmission, monitoring and recovery of digital information. In the further interest of security, the solution is hosted in the U.S. and operated by U.S. persons with the appropriate level of clearance. To protect the integrity of the data, it is stored in regional geo-redundant data centers, located at least 500 miles apart. These paired data centers ensure that in the event of a technical failure or a natural disaster in one region, a second regional data center takes control of the system with no interruption of service or loss of data. This combination of security and integrity guarantees high availability of the system’s data. To address a range of customer needs, Morpho brings a full spectrum of its technologies to the cloud, starting now with friction ridge biometrics, facial biometrics and iris recognition. Morpho Cloud leverages Microsoft Azure Government to provide customers with an AFIS that is evergreen – always functioning at the peak of AFIS technology – and to build new services such as Cloud Disaster Recovery for existing on-premises AFIS customers.

Connect ID March 14-16 Walter E. Washington Convention Center Washington, D.C.

ICMA Expo and SCA Payments Summit April 5-7 Loews Royal Pacific Resort Orlando, Fla. ISC West April 6-8 Sand Expo Las Vegas, Nev.

Security Document World May 10-12 QEII Centre London, UK

Cloud Identity Summit June 6-9 New Orleans Marriott New Orleans, La. Security Industry Association Government Summit June 15-17 Westin City Center Washington D.C.

Global Identity Summit September 19-21 Tampa Convention Center Tampa, Fla.

Security of Things Conference October 19-20 Chicago, Ill. Securing New Ground October 19-20 The Grand Hyatt New York City

Spring 2016

ID SHORTS

FBI CERTIFIES MORPHO’S CONTACTLESS FINGERPRINT SCANNER Morpho announced that the FBI has certified the MorphoWave Desktop contactless fingerprint scanner for meeting the Personal Identity Verification Image Quality Specifications standard. The FBI certification validates that the images produced by the touchless biometric device are equivalent to other contact single-finger scanners and meet or exceed required quality levels. The MorphoWave Desktop uses imaging technologies to simultaneously acquire four fingerprints in less than one second by a simple wave of the hand. With its bi-directional capture design, it can capture fingerprint images for the left or right hand without the need to change device settings or add another scanner. It is ideally suited for high traffic environments such as border control at international entry or exit ports, or access control at public and private facilities.

NETFLIX TAPS PING FOR IDENTITY MANAGEMENT Google recommends Ping for ‘Apps for Work’ Netflix uses Google Apps so employees can access email, save files and create and share documents. Because employees are so accustomed to the two-factor authentication within Google Apps, Netflix decided to centralize access to all of its cloud apps through Google. This wasn’t an easy task as Netflix has more than 400 cloud applications, many of which were custom-built for specific use cases. Google provides a secure central access point to cloud apps, but Netflix required more granular contextual control over who could access specific apps. For example, someone in the marketing department might not

Spring 2016

need to use an app that’s built specifically for the finance department. To enable this fine-grained single sign-on, Netflix turned to Ping Identity. “Ping’s Defined Security platform serves as the glue that enables our workforce to have seamless and secure access to the additional apps and services needed while giving our IT team the control over securing application access that we need,” said Justin Slaten, manager of enterprise technology and client services at Netflix. “Ping helps us empower developers to build and deploy new apps based on standards so the workforce can use them securely, quickly and easily in this single sign-on environment.” Netflix employees simply login to their Google Apps account and are

automatically granted access to their other approved applications. “Netflix has essentially outsourced its identity management to Google, they have no active directory,” says Andre Durand, CEO at Ping Identity. Subsequently, Ping was named an inaugural member of Google’s “Recommended for Google Apps for Work” program. Through the program, Google and Ping Identity will provide joint enterprise customers an easy to use Google Apps for Work experience by integrating applications with the Google login, providing secure access and single signon to enterprise applications running anywhere.

ID SHORTS

NON-PAYMENT USE CASES FOR NFC The Smart Card Alliance released a white paper looking at non-payment use cases for near field communications technology. While the different payment schemes from Apple, Samsung and Google receive the bulk of the attention, there are numerous other applications for the communications protocol. The white paper explores use cases including marketing, identity and access, ticketing and gaming. Related to access control applications, the paper details use cases for building access, hotel access and even automotive access. The value proposition with NFC over cards is convenience – no need to wait for a visitor badge, streamlined ID issuing, Over-the-Air issuance, and secure storage of IDs. One example of a frictionless transaction is the delivery of a hotel room key or a student dorm-room key to a user as part of a check-in process. Implementation requires a secure means of generating credentials that can be registered with the physical access control system and provisioning such credentials to a secure environment on an NFC phone that can then be used to present them to the NFC door reader. A wallet application on the smartphone can provide the user interface through which the user can select which credential to activate. More sophisticated apps may use Bluetooth beacons to streamline the selection process, waking the app and prompting the user for some form of authentication, such as a biometric. Use of the technology on campus has been popular. Villanova University reported that by removing combination and key locks and using mobile phone activated doors the university saved a tremendous amount of money in the annual turnover that is required to re-key dorm rooms each year.

GALLAGHER RELEASED AN UPDATE TO ITS SECURITY MANAGEMENT PLATFORM, COMMAND CENTRE V7.40, ADDING MULTIPLE NEW FEATURES

The school has also reduced the amount of lockouts because students seldom leave their mobile phone in the room. Another savings is the elimination of the need to rekey all doors if a master key is lost. Now, with a centralized roomkey management system it is easy to do the annual changeover, issuing one-day permission to certain rooms as required, and enabling other key-related actions. The paper is available for free download at smartcardalliance.org.

GALLAGHER UPDATES PRODUCT LINES Gallagher released an update to its security management platform, Command Centre v7.40, adding features to improve operational efficiency and user experience. The introduction of a

bar code scanner for the Gallagher Visitor Management Client and Kiosk can speed up the entry and exit process for visitors to a site. Other enhancements to the Visitor Management suite include customizable branding on the kiosk and further automation of host interactions. Gallagher’s T20 Card +PIN Terminals will also receive a software upgrade with the release of v7.40 enabling the management of perimeter alarms as well the ability to perform overrides and conduct maintenance and repairs on the fence line. The company also released a new mobile reader to extend security beyond the door giving guards the freedom to search cardholder details and access privileges without returning to a workstation. The Gallagher Mobile Reader is designed to work with all the latest Apple devices operating on iOS 8 or iOS 9.

Spring 2016

ID SHORTS

ENTRUST DATACARD UNVEILS IDENTITYGUARD 11.0 WITH ADAPTIVE AUTHENTICATION Entrust Datacard released IdentityGuard 11.0 bringing new capabilities to customers that are facing challenges as digital, cloud and mobile applications are changing their businesses. The latest update offers a range of authenticators and technologies to enable trusted identities and secure transactions. The addition of adaptive authentication is one of the major updates to IdentityGuard. Adaptive authentication doesn’t rely on any one or two identity attributes but rather pulls from multiple sources to create and authenticate an identity. “The market is looking for more strong, transparent authentication across all segments,” says Mike Byrnes, senior product marketing manager at Entrust Datacard. The focus for the adaptive authentication piece is around the mobile device, Byrnes says. At the core of the system is a strong, transparent digital identity embedded into an application and layered on top of that is the context of a transaction. Where is the individual logging in? What’s the time of day? Is the device recognized? Entrust Datacard has software developer toolkits that can look at the email address, phone number and configuration settings and put it all into a policy engine to determine a risk score. If something looks risky the system can then prompt for step-up authentication, Byrnes says. This could be something as simple as swiping an icon on a mobile device or opening an app. The enterprise environment is looking at adaptive authentication for employee access to resources and the consumer space is looking at it to secure transactions online, Byrnes says. Entrust IdentityGuard 11.0 also introduces new options for transaction signing for online banking and card-not-present fraud. Organizations can leverage a range of approaches including mobile solutions that provide oneclick transaction signing, which increases customer satisfaction and builds trust.

Spring 2016

ID SHORTS

GEMALTO PROVIDES TWO-FACTOR AUTH TO SINGAPORE Gemalto has deployed its Coesys eGov Authentication Server in Singapore to provide two-factor authentication and end-to-end encryption of passwords to secure Singapore Personal Access (SingPass) logins. The authentication solution helps to provide better security for SingPass users when they access government e-services involving sensitive data. As part of the new two-step login process, users are required to enter a one-time password, in addition to their SingPass user ID and password. By end of 2016, more than 60% of countryâ&#x20AC;&#x2122;s e-government services will require users to use this additional layer of verification, offering greater security for citizens and Government alike. Gemaltoâ&#x20AC;&#x2122;s Coesys eGov Authentication Server supports a range of authentication methods, including hardware tokens and mobile phones. It is compatible with all open standards and is easy-to-integrate with existing solutions within the e-government framework.

Spring 2016

ID SHORTS

EVOLIS LAUNCHES NEW CARD PRINTERS FOR SELF-SERVICE KIOSKS Evolis is extending its range of printers with four new models designed for kiosk integration to enable self-service card printing. Instant card printing from freestanding terminals enables companies, banks and campuses to provide immediate on-demand card printing and reduce waiting times. The printers can issue payment cards, gift cards, membership cards, student IDs and corporate badges. The new Evolis range aims to meet requirements for the self-service personalization of single plastic cards with solutions customized to meet client specifications. The printers have a range of encoding options including magnetic stripe, smart card and contactless smart card. The choice of which of the four printers – the KC200, KC200B, KM500B and KM2000B – is determined based on criteria such as physical space available within the kiosk, quantity of cards to be printed, the number of different designs of pre-printed cards, and the desired frequency for loading consumables.

Spring 2016

QEII CENTRE, WESTMINSTER, LONDON, UK CONFERENCE: 10-12 MAY 2016

10th EDITION

EXHIBITION: 11-12 MAY 2016

The Global Hub For Next-Generation Citizen and Government ID Solutions

ePassports • visas • breeder documents • national IDs • worker credentials • registered traveller programmes • driving licences • eID • advanced border control • anti-counterfeiting • document design and much more…

• Meet 2,000 attendees from 65+ countries at this major

global secure document and identity technology event – Join our 10th Anniversary celebrations

• More than 130 companies exhibiting from around the world in the expanded exhibition

• Major focus on document design and fraud detection as well as intelligent border control techniques

• Multi-track conference with a series of in-depth, non-

commercial presentations, case studies and discussions. Plus Views from the Top

• Take part in SDW 2016’s ePassport InterOp event • Book early for preferential rates to attend the

conference – the earlier you book, the lower the rate! Entry to the exhibition is free – Register today

• Discounted rates for government attendees to the

conference – Plus buy one place and get the second half price

• Attendees from Africa, Asia and South America benefit from our lowest rates

IF GOVERNMENT AND CITIZEN ID MARKETS ARE YOUR BUSINESS, SDW 2016 HAS THE ANSWERS...

www.sdw2016.com

ORGANISED BY:

ID SHORTS

SMARTRAC LAUNCHES MIFARE PLUS PRELAMS Smartrac announced the launch of new PRELAMs based on NXP’s MIFARE Plus SE chip, which enables Advanced Encryption Standard (AES) for authentication, data integrity and encryption. Tailored for automated fare collection and enterprise access control applications, the PRELAMs are available in PVC, PETG or polycarbonate materials. Smartrac’s PRELAM inlays provide a durable solution for the manufacture of finished cards. The portfolio has now been expanded to include products utilizing NXP’s MIFARE Plus SE chip. Offering 1K EEPROM and full MIFARE Classic backward compatibility including value block support, MIFARE Plus SE offers a solution for upgrading existing MIFARE Classic 1K solutions to 128-bit AES security. Most MIFARE Classic customers can even map their existing card layout to MIFARE Plus SE.

Spring 2016

PANAMANIAN HOTEL DEPLOYS CONTACTLESS SOLUTION FROM ASSA ABLOY The Las Americas Golden Tower is set to offer guests advanced property security with electronic door lock and safe innovations by ASSA ABLOY Hospitality. Boasting 30 floors of guestrooms and amenities, the 285-room Panamanian property is on track to open in January 2016, equipped with VingCard Signa-

ture RFID door locks and Elsafe Sentinel electronic safes in all rooms and suites. With VingCard Signature RFID, Las Americas Golden Tower is implementing a contactless solution that enables guests and staff members to gain access to assigned guestrooms by tapping the keycard on the door’s reader. This technology provides the property with operational benefits as well, such as eliminating the potential for keycard de-magnetization.

ID SHORTS

Leveraging the benefits of an online locking system, Las Americas Golden Tower also utilizes VingCard Visionline enabling staff members to extend hotel stays or re-assign keycards to other guestrooms; eliminating the need for guests to return to the front desk and providing an efficient method of tracking access and remote cancellation of keycards.

VERI-FIRE’S GUARDIAN OFFERS FAST BIOMETRIC ACCESS TO LOCKED GUN Veri-Fire, a firearm safety company focused on home defense, conducted a crowdfunding campaign for its Guardian biometric trigger lock. The device is mounted on the weapon’s trigger guard and incorporates a spring loaded metal slider that retracts to cover the trigger. “It’s custom adapted to each handgun. Once it’s attached, you pull the slide to the rear and it automatically locks in place,” says Matt Barido, co founder Veri-

Fire. “It’s spring loaded, so it’s sitting in that compressed spring state.” The user’s fingerprint unlocks the device in less than a second, according to Barido. The spring loaded slide then snaps forward and grants access to the trigger. Owners can store up to five distinct fingerprints in Guardian’s memory and delete them anytime. Users also have the option of punching in a 4-digit PIN on the device instead of using the biometric, which comes in handy if the finger is wet or covered by a bandage. Veri-Fire is trying to fill the niche of enabling owners to properly secure guns but still have fast access when needed. Barido is quick to add that Guardian is not a smart gun – it’s a device that attaches to your gun. Testing is ongoing to make sure the device can withstand repeated firing. “We’ve been really pleased with the results and we haven’t experienced any sort of malfunction as a result of shocks so far,” Barido says. They’ve spent 6 years

in development and plan to release the full production version next summer. The company held a crowdfunding campaign for Guardian on Indiegogo late last year to raise money and to understand what the adoption rate would be, Barido says. “As our society becomes more familiar and more comfortable with (biometric) technology as a security access measure, our adoption’s only going to go up.” The company is looking at a launch price of $199.

HACKATHON AWARDS DEVELOPERS IN PROXIMITYBASED TECHNOLOGIES The spread of mobile is driving demand for creative mash-ups of proximity-based technologies. That’s why tech incubator AccelerateNFC and proximity ID company Flomio created TrackHack: The Proximity ID Hackathon.

Spring 2016

ID SHORTS

are creating the next stage of the IoT journey. We are already planning our next TrackHack.” It will be held March 11-13, 2016 in Austin, Texas, during South by Southwest.

GERMAN IMMIGRATION OFFICE USING CROSSMATCH FOR REFUGEES

TrackHack is a first-of-its-kind event focused solely on the proximity ID technologies that power the Internet of Things – radio frequency identification, Bluetooth Low Energy and near field communication. The hackathon was held November 20 – 22 in London. Organizers call it “an event where hackers and developers can access all proximity ID tech and do what they do best – create, innovate and disrupt.” Eleven teams submitted identity-related entries. Projects included simplifying management of contacts, keeping track of luggage while traveling and reducing electronic waste. “The tech used in the award winning applications included NXP, HID, OmniID and UGrokIt – which provided a nice mix between NFC, RFID and Bluetooth beacon tech,” says Robert P. Sabella, founder of NFC Bootcamp and AccelerateNFC. “Projects also included wristband identity solutions for event check-in and payments as well as injectable chips to enable identification and payments via the tap of a human hand.” The hackathon brought together experts in development, software/ hardware, technology standards, and marketing. Sabella says developers were given a real world perspective in creating

Spring 2016

solutions and understanding the process of rolling out a new solution “from ideation to development to implementation.” But there’s a learning curve on how to effectively integrate proximity hardware into a web application. So for future events, organizers hope to seed developers’ ideas with current use cases and give them examples of sample code in advance. “A lot of people today are talking about the Internet of Things. There are ‘connected’ cars, wine bottles, clothing, appliances, jewelry, movie posters, games and toys. Just about any product you can think of can be connected to the digital world in some way,” Sabella says. “We

The German Federal Office for Migration and Refugees is using Crossmatch’s Guardian fingerprint scanner to enroll thousands of refugees and migrants entering the country. As the influx of refugees and migrants fleeing economically depressed, war torn or politically unstable states continues, EU member governments are under pressure to process and place individuals. One of the first steps in processing migrants is to verify or establish an assured identity. This is routinely done through fingerprinting, as many arrive without any form of valid identification or with falsified credentials. The procedure reduces fraud and abuse of the asylum process, as well as seeks to rapidly identify known terrorists or persons-of-interest. To date, the German Office has deployed more than 1,000 Guardian devices at three-dozen field offices where refugees are fingerprinted and asylum applications are processed. Refugees’ fin-

ID SHORTS

gerprints are checked against databases to verify identity and improve tracking, support administration and ensure accurate benefits disbursement.

FEDS APPROVE FACIAL RECOGNITION FOR ONLINE PARENTAL CONSENT The Federal Trade Commission (FTC) has approved facial recognition as a way for companies to obtain verified parental consent under the Children’s Online Privacy Protection Act (COPPA). The five-step method was proposed by London-based Riyo Verified. The identity and age verification company creates trust and regulatory compliance online RE ID v1.4 FINAL.pdf 1 2/10/16

by turning a smartphone or webcam into an ID scanning terminal that matches an ID holder to an identity document in real-time with facial recognition. Riyo Verified’s method uses a parent’s photo ID, a live picture of the parent’s face, a system match of the pictures via facial recognition and finally verification by a live agent. Deletion of the identification information occurs within minutes following the process. “The method of verified parental consent has now been approved by the FTC, and this makes it the only global, scalable, free-to-consumer COPPA solution,” says Tom Strange, CEO of Riyo Verified. “We currently provide the solution on iOS, Android and via the web browser in more than 125 countries.” 4:16 PM

Complexity made simple...

IDENTIFY

Strange says he hopes more companies will serve children with COPPA compliant products as opposed to avoiding the matter by not triggering COPPA. For example, social network Instagram is popular with tweens. It’s supposed to be for ages 13 and up, but users don’t have to prove their age unless someone reports them. “We are very excited because this truly is a big deal. Big tech companies like Google and Facebook have not been able to serve this demographic in the way they’d like to because of data regulations,” Strange says. “Now, they can make products that use the best of what technology and data can do – that are also personalized to the age, interests and abilities of children.”

AUTHORIZE

Student ID, Employee ID, Government, Payment, Access Control

CardExchange Solutions, Inc. is a manufacturer of credential software serving the Security Industry with focus on Identification and Visitor Management products. Whether you have a simple or a high-level application with encoding requirements, CardExchange™ offers a family of integrable and scalable products. Contact Us +1 (925) 529 4999 +1 (855) 538 7774 cardexchangesolutions.com

CMY

Spring 2016

PACS 2.0 is CLOUD-based,

IT-centric,

token-agnostic â&#x20AC;Ś but will it be

CHEAPER? Autumn Cafiero Giusti, Contributing Editor, AVISIAN Publishing

Spring 2016

As the Internet of Things continues its rapid evolution, everything from refrigerators to toothbrushes is connecting to the cloud. So the logical assumption would be that physical security would be quick to follow the trend. But in physical security, nothing is quick. Many industry leaders tout cloud-based physical access control systems as the next generation. They cite that the cloud can provide end users with enhanced functionality and unlimited scalability, at lower cost and with less maintenance than traditional systems. Next-generation physical access control systems have begun to shift from traditional hardware-centric architecture to newer IT-based approaches, but the traditional systems still dominate deployments. Indicators suggest that this is changing. According to a 2015 white paper by access control and security manager Viscount Systems, computing power is more than 30,000 times what it was three decades ago, and wired communication speed has increased more than 10,000 times. The report highlights that the technology limitations that required hardware-centric, distributed-intelligence systems no longer exist, but still most access control architecture remains the same, saddling customers with needless limitations and costs of hardware-centric systems.

IDENTIFY WITH BRIVO

BRIVO MOBILE PASS

Brivo, the leader in cloud-based physical access control systems, brings you mobile identity, access control, and video in one unified solution. Brivo Mobile Pass puts mobile identity in the palm of your hand, saving you time and money. Now that's something to identify with.

Visit www.brivo.com/mobilesolutions

There are varying degrees of “cloud” in cloud-based PACS and definitions are numerous and varied. Some physical access control manufacturers have moved the database server component of the architecture to the cloud, but left the ability to grant or deny access to traditional hardware on premises at the protected facility. Other solutions are removing virtually all hardware – even the door access reader – from the physical location in a fully-cloud play. Regardless, there are both real and perceived concerns about cloud-hosted physical access control systems, and switching from an on-premises or managed-access system to a cloud-based architecture is not an easy decision. “Much of what we’re seeing in the security industry related to cloud-based PACS is generational. People have been doing it the old way for 20 or 30 years, and many industry types continue to be very resistant to change,” says Steve Van Till, CEO and founder of security systems provider Brivo.

Still, Van Till says it’s only a matter of time before commercial locks are wireless, which will make it seem commonplace that doors are connected to the Internet. “I think the role of the cloud just becomes assumed at that point,” he says. He alludes to an interesting point. The access control industry has evolved, often reluctantly, from mechanical to electronic, prox to contactless, and Weigand to IP. Is cloud simply the next great migration for physical access control?

CLOUD VS. LEGACY PACS With both legacy and cloud-based systems, the infrastructure at the door is relatively the same. The primary difference is where the access database is maintained, explains Rajeev Kak, chief marketing officer for Cloudastructure, a company offering cloudbased access control.

Integrators, ‘RMR’ and the changing business model for PACS The business model for the physical access control market had been pretty stable. Companies that wanted to deploy a new system paid a large upfront cost – requisite wiring, installing control panels, deploying readers and issuing cards – but then didn’t have to think too much for about a decade until the system started to become obsolete. Companies might pay a nominal monthly maintenance fee but other than the cost of additional credentials for new users, the system was paid for upfront. For as long as companies have been using cards for physical access this business model has worked. But it might be on its way out. As with just about everything IT related, the cloud is starting to influence the physical access control market. It is bringing with it a new business model and a shift from large upfront costs to recurring monthly revenue (RMR). “With cloud sales you exchange upfront revenue for monthly revenue,” says Steve Van Till, CEO at Brivo. It is a model common in the software industry but seldom seen in traditional hardware-centric sales. In the security world, however, it has long been the model used by integrators of residential systems. Cloud-based access control is now helping

Spring 2016

to usher this model into the corporate PACS world. While the cost of the actual system is structured differently, another big change is in the price of credentials. Physical security integrators have commonly charged between $5 and $20 per card with selfhosted systems. Some of these new cloudbased systems have seen the cost of the

following the initial installation. In the new model, the monthly fee structure makes credential revenues less essential to integrators, enabling ongoing revenue via an overall monthly fee. Brivo has been at the cloud-based physical access control game for more than a decade and while wide-scale deployments of cloudbased physical access systems are still on

Integrators charge as much as $20 per card with traditional systems, but some next-gen PACS are slashing the cost of credentials to just a dollar or two credentials come down dramatically with some charging just a dollar or two. Others are eliminating hard tokens altogether by moving the credentials to mobile devices. This is causing some established players to scramble as they try to adapt. In the traditional business model, ongoing card sales were one of the only opportunities for integrators to charge clients

the horizon – about 5% of new systems in 2014 were cloud – they see these numbers increasing. Tyco has seen the number of cloud-based doors going up year after year, says Rajeev Dubey, senior product manager at Tyco Security Products. “It’s catering to the small and mid-sized markets,” he adds. “If I’m a restaurant owner I don’t have time

CLOUD-BASED ACCESS CONTROL SYSTEMS CAN INTEGRATE WITH OTHER CLOUD APPLICATIONS SUCH AS TIME AND ATTENDANCE AND HVAC SYSTEMS

Legacy PACS: The database resides on the premises within a controller connected to a computer or local network. When a company needs to add or modify an employee or contractor, an administrator with sufficient privileges logs in at an on-premises station at the facility. Cloud-based PACS: The database resides in the cloud, with a local cache copy in the controller that is refreshed frequently – in time frames of seconds or minutes. An advantage is that the administrator can manage the system and change access levels from anywhere and from any device without having to be physically near the door or building. The similarity between the two architectures is that the infrastructure at the door is typically the same. To operate either

to dedicate to security. I would rather offload it and have someone else manage it for me.” The mantra of moving to the cloud means less upfront costs and simpler day-to-day management but potentially means spending a little more over time compared to a traditional self-hosted system. Small and medium-sized companies that don’t have a lot of staff to manage systems often look to the cloud because it makes life easier. Larger enterprises won’t necessarily see the value in the cloud because they have the staff to manage systems, but even this is changing, Dubey says. Even large companies with systems reaching end-of-life and requiring wholesale replacement are considering cloud-based access control options. Buying new servers and software, as well as training employees to manage all these new systems takes time and resources. “They pay more per-door, permonth, but it can come with a service provider who is managing everything,” Dubey explains.

system, a user presents a credential, such as an access card or badge, to a door reader, which captures a digital ID number from the credential. This number is transmitted to a controller, which checks a database to verify access and then responds with either an “unlock” or “no access” signal to the door controller.

says. “I’m a service provider hosting thousands of customers so I have a lot of analytics that I can run to help them detect anomalies,” he explains. Daniel Bailin, director for strategic business development and innovation at HID Global, says these new models provide opportunities. “There’s a class of customer where this is a good thing, but there are others where the traditional model works,” he explains. Enterprises that have acquired other organizations in different locations and want to consolidate physical access across all locations would be a good candidate for cloud-based physical access, Bailin explains. “If you’re a large company and growing through acquisitions this could be a good way to consolidate,” he explains. Deploying a cloud-based system can also be quicker than installing a traditional system from scratch. “There’s still a large number of enterprises that are using locks and keys,” Bailin says. “That’s new territory and the cloud’s ease of deployment has a lot of upside.”

Using the cloud may actually help enterprises spot security problems, Dubey

Spring 2016

The location of the database – on premises or in the cloud – is the primary difference between legacy and cloud-based PACS. Because a traditional system needs to be connected to a computer or local network within the building, geography and the number of doors it can control are limiting factors. “The beauty of

Cybersecurity at the ‘edge’ of cloud-based access control Some believe that more attention must be paid to the “edge” – in the PACS world door – before the cloud is fully embraced for physical access control. Sal D’Agostino, CEO at consulting firm IDmachines, questions whether physical access control systems are ready for a complete migration to the cloud because fundamental levels of cybersecurity need to be raised first. “What’s going on at the edge is dynamic and hardly settled at this point,” he says. Next-gen physical access control architecture should require a distributed approach, pushing more of the access control decisions to the edge, he explains. The way that physical access control works today is monolithic: A credential is presented to someone for authentication, and then that person determines whether or not the user has a right to a pre-defined set of resources that are established in the database. How the architecture might evolve is more toward distributed, autonomous, context-based access control decisions. For example, a door would know what kinds of people are allowed to enter, as opposed to specific list of individuals. Another example might leverage an individual’s GPS device, so you would need to know that person is physically in front of that door before granting access. “In order to leverage the IT resources, you’re going to need to make sure you’ve got best practices around security,” D’Agostino says. “And you’re probably going to have to look at something other than simply an access control list as the way that you determine whether or not an access grant is going to take place.”

Spring 2016

a cloud-based database is you’re not limited by a single building or location,” Kak says. A cloud-based system enables management of doors in multiple buildings in different cities, all from a single database. From this one system, Kak explains that a group of employees could have access to the front doors of their offices in San Francisco, London and Los Angeles. While this functionality could be achieved in traditional systems, it is far more efficient in cloud-based offerings. But the location of the database is not the only defining factor for cloud-based PACS. It is a combination of hardware, infrastructure-as-a-service and platform-as-a-service that allows redundancy, storage and databases to be scaled up without adding extra hardware, explains Patrick Barry, CEO at BluBOX, a provider of cloud-based physical access. “With client-server, you have to invest in a lot of infrastructure. With cloud, you don’t,” he says. Barry believes it’s time for the industry to abandon legacy architecture, in which all of the servers and hardware are located on the premises of the facility being secured. “It is technology that’s 35 years old, and the rest of the world has moved on,” he says. “We live our lives every day in the cloud – we do all of our purchasing, buy theater tickets, do banking – and it’s been that way for quite some time. The security industry needs to move on from the old architecture and embrace what everyone else has already embraced.”

EVOLVING ARCHITECTURE, ATTITUDES

With on-premises systems, internal IT departments build and maintain the servers and infrastructure for their organizations on site. It is the way things have always been, but it can be an expensive way of doing things. Because cloud-based PACS eliminate the need for on-site servers and appliances as well as the man-hours required to support them, the cost of ownership can be lower. Brivo has been providing cloud-based physical access control since 2001 and is often credited with championing the security industry’s move to the cloud. Brivo learned early on that the security industry is not set up to allow providers to sell direct to end users. Van Till realized Brivo would have to follow the channel model and go through integrators and dealers to sell product. But that long-established model put the industry behind a massive wall of entrenched beliefs as to what is secure and should be trusted. “We spent a good five or six years evangelizing cloud and simply getting people to understand that this is actually safer than many of the on-premises installations that people were using,” Van Till explains.

For Brivo, this added safety includes high-level cloud security and a very limited on-premises footprint. There is still a microcomputer-embedded device and a

controller present at a Brivo customer’s location. A little black box, about as big as two iPhones stacked on top of one another, connects the doors to the Internet.

Texas municipality replaces cards with mobile credentials Harris County Water Control and Improvement District in Texas chose Brivo Mobile Pass because of the flexibility it gave the organization when issuing credentials to employees and long-term contractors. Brivo’s Mobile Pass is an addition to its OnAir access control system that enables users to gain access with just their mobile device. The vast majority of access control systems use cards, or a mobile device’s NFC or Bluetooth interface for access. Mobile Pass, however, just uses an app on a smart phone. A user simply activates the app and presses a button, then a call goes to the cloud to validate access and the door opens, says Steve Van Till, CEO at Brivo. Start to finish the process takes about one second. The District manages an array of facilities serving 2,200 homes and 250 businesses. In addition to water and sewer services, it provides commercial development as well as parks and recreational services. Keeping track of recreational parks, a members-only sports club and a water/sewer plant is a 24-hour job and access control is crucial, says Jody Dellinger, District and Parks & Recreation manager. He relies on Brivo’s OnAir system to manage access via the cloud. When Dellinger heard about Brivo’s new Mobile Pass offering, he ordered 100 credentials immediately. It has proved to be cost effective, saving money compared to physical cards due to the mobile credential’s ability to be reused, he explains. Employees can forget their access cards, but will likely not forget both their smartphone and access card. This allows the district to have a back up access option in place at all times. It was when the district faced an emergency the system came in particularly handy, Dellinger says. First responders were called to a park after hours and needed to gain entry to a secured area. With a touch of an app on his smart phone, Dellinger was able to open the entrance without driving across town and delaying the process. The system is currently being used for employees and contractors. “I don’t need to worry about individuals forgetting their access cards, contractors losing cards or replacing damaged cards,” says Dellinger. With the success of the mobile credentials, plans are to expand use to other Harris County facilities in the future.

In September, the company launched Brivo Mobile Pass, which further reduces the need for on-premises equipment. The ID credential is transmitted from the phone directly to the cloud, the access decision is made, and then the cloud tells the doors to unlock or deny access. No card reader is required at the door in this new architecture. The technology has been well received by dealers who are realizing that they can now control doors without readers. This means they don’t have to run wires and can save money on the installation. “They’re seeing an economic advantage in systems that don’t force them to have a reader right there at the door,” Van Till says. Cloudastructure is also leveraging cloud-based infrastructure to deliver physical access control as a service, often abbreviated as ACaaS. Kak says the business has seen a lot of traction from colleges and universities and from utilities and telecommunications providers that have substations in remote locations. Kak says multi-location scenarios with multiple people monitoring illustrates a perfect example of how cloud differentiates itself from traditional systems. In the past, each substation would require DVRs for video and PACS controllers at each facility. Providing remote access required creating holes in each location’s firewall, he explains. “When you do it on the cloud, the footprint becomes much lighter. You can do cross-substation, cross-location management much more intuitively,” he says. Cloud-based systems are also much easier to scale and can handle more buildings and more entry points. “The physical entity of the building – that has always been the constraint in the traditional system – goes away when you do it on the cloud,” Kak says. Instead of driving 20 minutes to the office, a system administrator can securely grant a contractor access from the couch, he says.

Spring 2016

What we’re seeing related to cloud-based PACS is generational. People have been doing it the old way for 20 or 30 years, and many industry vets continue to be very resistant to change

ACCESS CONTROL AS A SERVICE MODEL TAKES HOLD In addition to cloud’s ease of use and lower ownership and IT costs, it is creating a new business model for access control as a service in the PACS space. Van Till says cloud-based access control has created the opportunity for new recurring monthly revenue streams, or RMR for installing dealers. “That’s probably the most powerful motivator for the channel to begin embracing this next generation of access control,” he says. Interest in access control as a service appears to be growing. According to estimates by market research firm IHS Technology, hosted and managed access doors represented just 3% of total new doors controlled in the Americas in 2013. This means 80,000 new doors using access control as a service were added that year. IHS predicts that by 2018, 1.8 million doors will be controlled using access control as a service. Rajeev Dubey, senior product manager for Tyco Security Products, looks after the Kantech line of access control products. He says people are beginning to look at security as an expertise, seeking to completely outsource it to third parties. This makes the hosted or managed access model crucial. “Customers want to focus on running their business, rather than focus on security,” Dubey says. Tyco’s Kantech access control integration has a cloud-based system called Hattrix, which hosts tens of thousands of doors in a hosted and managed architecture. Four years ago, Hattrix’s hosted and managed system accounted for just 2% of doors sold through Kantech, but as of 2015, it comprised 10% of doors sold. Van Till estimates that 5% of new access control doors added worldwide in 2014 were access control as a service, and he sees

Spring 2016

huge growth potential for the sector. “That’s a very tiny fraction overall, but it’s much bigger than prior years, so the trend is beginning,” he says. Van Till expects that the availability of mobile credentials will push this trend even faster as end users experience the convenience of mobile over cards and fobs.

CLOUD CONCERNS ABATING To this point, cloud-based PACS have been embraced more by small and midsize operations than large organizations with highlevel security concerns. Dubey says that smaller businesses are more likely to pursue the cloud because they have lower-level security needs and limited in-house resources. “If I’m starting up a new business or running a small business, I really would rather focus on the core of my business than worry about security. With that pain point in mind, cloud addresses a significant concern,” he says. For complex facilities such as airports and high-level government locations, there are very stringent requirements. In these scenarios, Dubey says people still have concerns, both real and misplaced, about cloud security. Ensuring that data transmission and housing is secure, particularly in countries that aren’t well regulated, remains a concern with multi-national organizations. “As more and more IT systems in that segment of the market adopt the cloud and those concerns go away, I think you will see a similar adoption for PACS in cloud as well,” Dubey says.

Easy to Authenticate. Difficult to Replicate.

TESLIN® substrate (pictured left) is the proven global substrate for secure credentials and ID cards.

When credential security and durability are paramount, TESLIN® substrate… • Offers exceptional flexibility to outlast more rigid card materials while protecting and cushioning embedded electronics.

• Features the ability to be customized with embedded security features for program-specific formulations that enhance material tracking and credential authentication. • Locks in printed graphics and forms virtually indestructible bonds with overlay and card body substrates to deliver highly secure card constructions. • Delivers tamper-evident protection by permanently distorting if alteration is attempted. • Prints unparalleled high-definition color images for quick and easy authentication by field agents.

Learn more by visiting Teslin.com/Easy.

FEDS MANDATE STRONG AUTHENTICATION FOR E-PRESCRIBING DRUGS RESISTANCE FROM DOCS, INCONSISTENT INTERPRETATION LEADING TO PROBLEMS AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

The federal government requires doctors to use two-factor authentication credentials in order to electronically prescribe controlled substances. But medical records and security experts say that the implementation of this rule isn’t quite where it should be. There’s been some resistance from doctors, who find the requirements overwhelming. There have also been inconsistencies in the interpretations of the rules by pharmacies, the vendors of e-prescribing solutions and by the auditors that review these prescribing applications. “It’s a bit of a wild, wild west scenario out there right now in terms of how the rule is being implemented across all of these different vendors,” says Jerry Cox, director of product management for IdenTrust, which provides identity solutions and digital certificates for e-prescribing. In 2010, the Drug Enforcement Administration issued its Electronic Prescriptions for Controlled Substances, or EPCS, interim final rule. EPCS made it legal for doctors to electronically prescribe controlled substances, as long as they use two-factor authentication credentials to do so. Cox explains that the DEA’s initial set of rules governing EPCS were pretty tightly written and fairly secure. Those rules required practitioners to digitally sign the prescriptions and transmit them to the pharmacy. The pharmacy would then validate those digital signatures, which would give end-to-end control from the point that doctor signs the prescription to the point when the pharmacy fills it. It also ensured an electronic record of what happened. But some from the credential service provider community pushed to use other methods for authentication in addition to digital certificates, such as one-time passwords. Varying interpreta-

tions of the EPCS rule have come up since then, Cox explains. “It’s not as secure as it was originally intended,” he says. The auditors reviewing EPCS applications are another issue, Cox believes. Each system that is being used for EPCS, whether it’s a prescribing app or a pharmacy app, has to go through an independent third-party audit. The DEA has certified a handful of auditors, but the rules allow others without that certification to perform audits. “Auditors interpret the EPCS requirements differently, which leads to inconsistencies in how applications are or are not approved,” he says. Cox says he is hopeful that the DEA will clear up some of the issues related to EPCS in its final rule, which could be released in 2016.

REQUIREMENTS OVERWHELM DOCTORS Not all doctors have been eager to comply with two-factor authentication, as some find the requirements onerous. “There’s a lot of resistance, and we need more education,” says Dr. Tom Sullivan, chief strategy and privacy officer for e-medication management software company DrFirst. Sullivan cites a few challenges doctors face with two-factor authentication. The first and biggest one, he says, is that doctors have to go through a one-time identity verification process in order to obtain a two-factor authentication credential. “There’s reluctance on the part of doctors to go through this one-time hurdle because it costs a little extra and it takes a little time,” Sullivan says. The most common form of identity proofing involves providing financial information, such as a credit card, which some physicians have been reluctant to provide. “We’re trying to move away from that because people don’t like to give up their credit cards.”

EPCS MAKES IT LEGAL FOR DOCTORS TO ELECTRONICALLY PRESCRIBE CONTROLLED SUBSTANCES, AS LONG AS THEY USE TWOFACTOR AUTHENTICATION CREDENTIALS

Spring 2016

In response to the doctors’ concerns, Sullivan got some of his DrFirst colleagues to go to NIST’s headquarters and convince them to loosen up some of their security recommendations for EPCS. “We said they should give a little break to health care because doctors are already so credentialed and identity proofed that it is redundant. We’re probably the most regulated industry in the world, or at least in the United States,” he says. When working with either doctors or hospitals, Sullivan emphasizes that EPCS isn’t just a law, but also a process that can increase productivity and improve patient safety. E-prescribing also makes it so that doctors and patients can interact over the phone, so the patient can avoid having to drive to the doctor’s office and then drop off the prescription at the pharmacy. Sullivan says that although most doctors like e-prescribing and the conveniences that come with it, they dislike the requirements involved. “We want to change the attitude that this is just another mandate getting in the way of the efficient diagnosis and treatment of patients,” he says. Dr. Peter Kaufman, chief medical officer for DrFirst, points out that e-prescribing has several advantages. For one, a prescription is more secure when sent electronically than with a wet signature, because it’s going through a secure trusted network. “The DEA in its early stages was very insistent that they didn’t want to match the security of paper,” Kaufman says. “They wanted to increase the security.” Perhaps the greatest advantage is that e-prescriptions allow doctors and pharmacies to check the prescription against a patient’s allergies and medical records. Kaufman cites the Institute of Medicine’s 1999 report “To Err is Human,” which linked medical errors – including prescribing issues – to as many as 98,000 hospital deaths. “E-prescribing has helped us with those issues a great deal,” he says.

REPLACING THE PRESCRIPTION PAD There were several factors that prompted the DEA to come up with the EPCS requirement in the first place. Doctors traditionally have written prescriptions on a prescription pad, and the reputation

THE GOVERNMENT WAS INSISTENT THAT IT WANTED TO INCREASE SECURITY, RATHER THAN SIMPLY MATCH THE SECURITY OF PAPER -BASED PRESCRIPTIONS

Spring 2016

THE DEA REALIZED THAT IT WAS IMPORTANT TO REGULATE THE PRESCRIBING OF CONTROLLED SUBSTANCES BECAUSE OF PRESCRIPTION PAD THEFT AND OTHER DRUG FRAUD

doctors have earned for having poor handwriting is often more than just a stereotype, says Debra Spitler, vice president of business development at IdenTrust. “There was significant damage resulting from pharmacists being unable to read prescriptions,” she says. The DEA realized that it was important to regulate the prescribing of controlled substances because of prescription pad theft and other drug fraud. For doctors to obtain a prescription pad, they must register with the DEA and obtain a registration number indicating that the pad is legitimate. People have been known to get jobs in hospitals and clinics just to put themselves in a position to steal prescription pads. “There is a huge industry around this,” Spitler says, adding that the pads can go for $60,000 to $150,000 on the black market. “The pads are being stolen and used to write prescriptions for fictitious people and then the drugs are sold,” she says. It is legal at the federal level for doctors to electronically prescribe controlled substances, and late in 2015 all states began allowing the practice. Some states, however, are moving to actually require e-prescribing as the only method to prescribe controlled substances. New York became the first state to do so when it passed the Internet System for Over-Prescribing Act, or I-STOP, in 2012. The law requires all prescriptions to be electronically transmitted. New York’s mandate was supposed to go into effect last March, but the deadline was extended to March 27, 2016. Other states have been exploring e-prescribing options, including Florida, Illinois, Massachusetts, Texas and Utah.

Spring 2016

READINESS LEVELS REMAIN LOW Despite the fact that e-prescribing is legal at both the state and federal level, the readiness on the part of electronic health records providers is reportedly low. Research by e-prescription network Surescripts found that the national average for readiness below 5%. “I think we’re going to see the federal government step in and force states to require electronic prescriptions for controlled substances in order to receive federal funding for various things,” Spitler says. She believes that awareness about addiction will help drive this shift and that it will prove to be a necessity. Kaufman says that doctors and even some pharmacies still don’t realize that it’s legal to e-prescribe controlled substances. “More people are coming to the realization, and people are using it more and more,” he says. Sullivan believes that the advantages of patient safety and convenience should motivate the industry to streamline EPCS and two-factor authentication requirements. “It’s to everybody’s benefit that we adopt these kinds of guidelines and continue to work with federal and state governments to make these less onerous so that people will adopt them quickly,” he says.

DID YOU KNOW you can access many valuable e-gov online services with your bank log-in? You can trust a single log-in without having to create a new account or remember yet another password! Not only that, you can rest assured that your banking information is never shared with the sites using SecureKey Concierge.

Concierge Learn more at www.SecureKeyConcierge.com

PIV AND MULTI-FACTOR AUTHENTICATION: ENSURING SECURITY IN AN INCREASINGLY MOBILE, GLOBAL AND FLEXIBLE ECONOMY ABRAR AHMED, CIO AND SENIOR VICE PRESIDENT OF TECHNICAL SERVICES, SUREID JEROME BECQUART, VICE PRESIDENT OF OPERATIONS AND MARKETING, AXIAD IDS

The U.S. Office of Personnel Management (OPM) addressed security vulnerabilities in its Federal “Cybersecurity Sprint,” stating that cybersecurity poses some of the most serious economic and security challenges of this century. In June, the Obama Administration noted the need to “dramatically accelerate implementation of multi-factor authentication” as a crucial step to improve cybersecurity. To that end, the Defense Department has already deployed the Common Access Card (CAC) for its personnel and the Personal Identity Verification (PIV) for government employees. It is now recommending the Personal Identity Verification-Interoperable (PIV-I) cards to enable multi-factor authentication for its contractor base. This credential system also supports multi-factor identity authentication with photo, fingerprints and a PIN, representing the most effective way of addressing security vulnerabilities both online and on-premise. It’s a win-win for federal agencies and its diverse user groups given that it works seamlessly across a wide range of physical and logical access control systems.

think of online email or commercial web sites allowing anonymous, unverified users to create accounts – and level four representing the highest trust assurance possible. PIV/PIV-I credentials are considered “Level of Assurance Four” or LOA4 for the requirements of in-person identity proofing, hardware-based digital certificate storage and secure issuance policy so the correct person receives the correct credential. This year, entities contracting with the federal government may need to increase the deployment and usage of PIV-I credentials for multi-factor authentication. U.S. CIO Tony Scott said he wants to get to 100% use of PIV cards for privileged users of federal systems by the end of President Obama’s term. As a result, federal agencies have stepped up their efforts deploy PIV and PIV-I for both privileged and nonprivileged users. This program will not only bring greater security to the government and its contractors, but it also provides a security model that private enterprise can adopt to prevent the next big security breach.

WHY PIV/PIV-I?

PIV FOR COMMERCIAL ENTERPRISE: PIV-CIVILIAN (PIV-CIV)

The foundation for trust enabled by PIV/ PIV-I lies in the identity proofing and issuance requirements associated with high levels of assurance credentials. The federal government has made specific policy guidelines for various levels of trust associated with different credential types, referred to as “Assurance Level.” This federal policy identifies four levels of assurance with level one being the lowest, requiring no identity verification –

Spring 2016

Security breaches are not an option, especially for organizations for which a breach could have a highly damaging impact, such as global financial institutions conducting multi-million dollar transactions, companies handling sensitive personal health records or nuclear power plants managing mission-critical assets.

The efficiency and ubiquity of the PIVI model – or PIV-CIV when used in the commercial space – more than offsets the initial investment in time and resources when literally billions of dollars worth of assets and information are on the line. Furthermore, the PIV framework provides the flexibility to manage increasingly diverse workforces that demand more options for when and how work is conducted. Great strides have been made in recent years to make this framework more accessible.

DERIVED CREDENTIALS FOR MOBILE WORKFORCES Since the PIV standard was first introduced in the previous decade, the nature of work and how it is conducted has continued to evolve. As workforces become more mobile and flexible – increasingly working remotely from a variety of geographical locations on a variety of devices – multifactor authentication that leverages a secure digital identity can greatly reduce the threat of cybersecurity breaches. Today, many laptops include smart card reading capabilities and combined with Microsoft Windows’ native support for PIV/PIV-I, a mobile user can log on with the same identity assurance and access privileges as within the workplace. With work increasingly conducted on mobile platforms and devices, cardholders may also benefit from “derived credentials,” which are carried on mobile devices instead of the card. This option provides a cost-effective alternative to adding smart card readers to mobile devices or replacing machines

that don’t support the form factor. It also improves productivity, accommodating employees who prefer to use their personal mobile devices for work. Additionally, mobile devices increasingly offer biometric validation, such as facial recognition and fingerprint scanning that could be leveraged in conjunction with the PIV/PIV-I derived credential.

an estimated $17.8 billion, a 56% increase from 2000. The lessons learned from the U.S. Census Bureau will also benefit the private sector. Mission critical industries, largely considered conservative regarding IT, such as energy, utilities and waste treatment, are leading the way in the percentage of users logging into work only on mobile devices.

FOR PIV-I AND PIV-CIV, THE FUTURE IS NOW After experiencing a number of hurdles on its journey to becoming the robust system it represents today, the PIV framework is, and will remain, the gold standard for multi-factor authentication in the current cybersecurity landscape.

AN EMERGING PIV ECOSYSTEM: LOGICAL AND PHYSICAL CONVERGENCE Many federal entities have already leveraged PIV cards as strong multi-factor authentication credentials for internal logical access. We also have seen additional mandates such as OMB Memorandum M-11-11 that requires the usage of PIV cards for physical access. These mandates have created an ecosystem from a variety of vendors like Microsoft and HID Global that are laying the groundwork for future adoption. Microsoft has supported PIV for login, as well as digital signing and encryption, starting with Windows 7. Several commercial vendors now produce physical access card readers and physical access control systems (PACS) that support the PIV standards. Federal agencies have already made tremendous strides in implementation. Last June, the Department of Veterans Affairs (VA), implemented a policy to make PIV cards mandatory on VA information systems. Furthermore, this includes those accessing the network with elevated privileges. That effort appears to be paying off. In its December monthly report to Congress, the VA saw a more than 60% decrease in personal-health-information-related data breaches since November. Meanwhile, late last year, the U.S. Census Bureau began testing derived credentials from PIV for use in mobile technology and smartphones in preparation for the 2020 census. The goal is to trim logistical inefficiencies from its data-gathering duties, which in 2010 cost U.S. taxpayers

PIV, PIV-I AND PIV-CIV ARE THE STRONGEST CREDENTIALS TO REPLACE PASSWORDS AND OFFER MULTI-FACTOR AUTHENTICATION REQUIRED TO ADDRESS CYBERSECURITY THREATS A SECURITY PANACEA? PIV, PIV-I and PIV-CIV remain the strongest credentials to replace passwords and offer multi-factor authentication required to address cybersecurity threats. PIV-CIV, in particular, is flexible and can match all the security requirements of the commercial enterprise. While these credentials offer the highest level of security available today, there will never be one credential to rule them all. Other lower-strength authentication methods, such as one-time password tokens, will continue to serve their purpose in the appropriate context. Overall, there will be a continuing need for credentials to match the level of risk or trust necessary to control access to resources and services.

The damage wrought by high-profile hacks within the government and private sectors has laid bare the tremendous cost of insufficient security measures, casting new light upon the cost-benefit analysis of investing in the world’s most robust security options. In short, the world’s most sensitive governmental organizations and industries can no longer afford not to implement a multi-factor authentication process with PIV, PIV-I or PIV/CIV. By leading the way to a more secure future, the federal government continues to create and implement the standard set of practices and technologies required to raise security standards across the globe. In time, the on-going effort will hopefully one day make large cybersecurity breaches a piece of business history.

Spring 2016

CORPORATIONS BENEFIT OUTSOURCING EMPLOYEE ID CARD PRODUCTION ISSUANCE AS A SERVICE: SNAP A PHOTO, UPLOAD DATA, RECEIVE CARDS VIA MAIL For a small business like Guaranteed Subpoena Service, hiring an outside company to issue its ID badges is a no brainer. The Union, N.J.-based process serving company pays about $6 to print each ID and gets free shipping. With about 30 employees, it costs $180 to print all of the badges, compared to a card printer that would cost more than 10 times as much. “We can’t justify paying $2,000 for a machine when they’re charging $6 front and back for an ID. You just can’t beat the price,” says John Metta, chief technology officer at the company. Guaranteed Subpoena Service joins a growing number of small and medium size companies that are opting to outsource their ID card issuance instead of doing the job in house. Smaller businesses like the simplicity of being able to farm out

Spring 2016

the job because they don’t have to worry about buying and maintaining issuance equipment and software, stocking card supplies onsite and paying employees to handle the work. Outsourcing card production, sometimes called ID as a service, has many meanings. It can simply refer to the outsourcing of physical card production or it can extend all the way through the onboarding, lifecycle management and revocation of employee privileges. “Small to medium sized companies generally need smaller volumes of cards, so there is value to allowing somebody else to manage that service for them. Not having the employee overhead and training is attractive,” says Josh Nippoldt, senior product marketing manager for HID Global, which offers ID on-demand services.

For companies that opt to obtain their cards through a vendor or service bureau, the first step is to determine the information to include on the card. From there, companies work with the vendor to develop a card design. Next, the company uploads cardholder data, the vendor creates a proof and finally cards are produced and distributed.

BUSINESS CITES IMPROVED ISSUANCE Until last year, Guaranteed Subpoena Service issued all of its ID badges in house. But when the employee in charge of the task left the company, Metta started exploring other options. The company contracted with IDSecurityOnline to issue the ID cards.

Metta says he chose the offsite printing option because of the substantial cost savings. But there are other benefits as well. One of these benefits is that the badges have a more professional appearance than they did when the company was doing all of its badging in-house, says Metta. It’s also easy to order a single badge when the company makes a new hire, rather than fire up an in-house system and try to remember how to make it all work, he says. To create an ID, Metta takes the employee’s picture, generates a unique employee

COST SAVINGS, SIMPLICITY TOUTED Issuers cite multiple advantages for outsourcing ID production. Schonzeit says the model can be a revenue generator in addition to a cost saving measure. For example, a university might ask its incoming students to pre-enroll in the ID system by entering their data and submitting a photo. Instead of having to buy multiple printers to produce cards for the entire student body at the start of a semester, the campus

THERE IS A GROWING WILLINGNESS AMONG BUSINESSES TO UPLOAD EMPLOYEE DATA TO THE CLOUD, WHICH CREATES A MARKET FOR ID ISSUANCE AS A SERVICE bar code and places them into a template. He exports a jpeg file and emails it to the vendor for production. From there, IDSecurityOnline prints the badge or badges and mails them back to within a day. Though the company primarily sells card printers, they saw a need for offsite ID issuance as a service, says Gabriel Schonzeit, president and founder of IDSecurityOnline. The New York-based company offers 24-hour turnaround time to clients within a three-state range. Although smaller companies like Guaranteed Subpoena Service use IDSecurityOnline as their primary source for ID issuance, Schonzeit says it’s also common for the company to serve in a hybrid capacity, providing the service as a value add for clients that have their own printers. Schonzeit says there’s a growing willingness among businesses to upload employee data, which creates a market for ID issuance as a service. “The cloud is becoming a trusted environment,” he says.

can print most IDs offsite. Students who don’t pre-enroll could be charged a fee to have the ID printed on site. Outsourcing also helps companies make ID printing into a smaller, monthly operating expense instead of the large, upfront capital expense that stems from the traditional model of purchasing issuance equipment. “With a service model, it’s a higher per-card cost but a consistent cost spread over time,” Nippoldt says. Offsite issuance is also ideal for businesses that have multiple sites in different parts of the country and would otherwise need to distribute hardware to each location. Entrust Datacard supplies the equipment and software that enables card production and remote provisioning of secure credentials. Tim Klabunde, the firm’s director of Government Identification Solutions, says there are advantages for both the public and private sector entities to utilize a service bureau approach. They don’t have

the overhead or operations to worry about, and they typically pay a per-badge price. “You have the flexibility of higher efficiency equipment, the ability to make smaller runs and you can manage a lot of different programs without having to warehouse cardstock or manage the supplies,” he says.

CONCERNS ABOUT SECURITY, LOGISTICS The outsourcing model is not without its risks, and protecting cardholder data while it’s in transit to and from a third party should not be taken lightly, Schonzeit says. “The pre-enrollment side of things can be scary – what if the wrong person the gets the ID?” he asks. “You have to be very careful with service bureau work.” Although Schonzeit believes in ID as a service, he still says in-house issuance remains the most secure option for businesses. “I would prefer for a person to purchase a designated computer and photo ID printer that’s only used for the printing of IDs internally. That is still my preference from a security standpoint, but in many cases outsourcing makes sense,” he says. There are also some logistical challenges that stem from having an outside vendor take over ID issuance. Outsourcing can create challenges for a business that needs to print cards on demand, Klabunde says. A company might not be able to issue replacement badges as quickly and easily. “You have to make sure you have a badge ready for someone who shows up to work on Monday,” Klabunde says. Despite any drawbacks of outsourcing, Nippoldt believes the market is shifting toward the ID as a service model, especially among small and medium size businesses. “Smaller companies are starting to utilize the model because – for the first time – they’re seeing the value in having cards, versus not having cards,” he says.

Spring 2016

DOD WEB SITE AMONG FIRST TO ERADICATE PASSWORDS RESEARCH SITE MANDATES PKI CERTS FOR ALL EXTERNAL USERS AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

The federal government’s use of user IDs and passwords for access to its applications could soon give way to more secure PKI-based credentials if more government entities follow the lead of the U.S. Department of Defense. The Defense Department is leveraging PKI to better protect its information systems, with the intent of making access much more secure than the old login system. The DOD’s Defense Technical Information Center (DTIC) – a DOD entity that

Spring 2016

serves the information needs of the defense community and maintains a large database of research information – announced that it would no longer enable users to access its secure websites by a user ID and password. Instead, DTIC will rely on the use of one of three PKI-based digital credentials: a DOD Common Access Card, a Personal Identity Verification (PIV) credential or an External Certification Authority (ECA) certificate.

The Defense Department established the External Certificate Authority program years ago as part of an overall effort to provide a stronger and more secure authentication for accessing information systems. The agency launched the program to enable the issuance of DODapproved certificates to contractors and other external entities that otherwise do not qualify for or need a DOD Common Access Card. ECA certificates can be software-based, stored within the user’s

THE PROJECT IS A REAL WORLD TRIAL OF AN ENVIRONMENT THAT IS PASSWORD-FREE. IF USERS DON’T BALK, IT COULD SERVE AS A MODEL FOR OTHERS TO FOLLOW

Internet browser, or hardware-based and stored on a smart card or USB token. DTIC’s requirement of PKI-based credentials is one of the first known cases of a government entity requiring PKI in lieu of a user ID and password for access to systems. Industry leaders say that this use case could be the first of many for the government. “There are hundreds, if not thousands of use cases for PKI that would solve a myriad of problems throughout the government space,” says Richard Jensen, director of government sales for IdenTrust, one of three contractors providing ECA certificates to DTIC. Jensen runs IdenTrust’s ECA program. Symantec and Operational Research Consultants also provide the certificates.

DTIC relies on several outside contractors to support its research and development work in science and technology. ECA certificates are of particular use to people who contract with the DOD but don’t receive a CAC card because they don’t require physical access to DOD facilities. “Our industry partners are a critical component of how we perform work in the department. So making sure that they can get to information is important,” says Christopher Thomas, administrator of the Defense Technical Information Center. DTIC set up its capability to accept ECA certificates in October and is requiring users to have PKI login credentials by early 2016. “We’re expecting to see a

rush of people applying for certificates,” Jensen says.

ECA AS AN OPTION FOR CONTRACTORS About a year and a half ago, IdenTrust received a call from one of the program managers at DTIC asking about the ECA program. DTIC had a database of research information that had been poorly protected. “As research is extremely valuable, one of DTIC’s goals was to do lock this down so that they had a better control over who was accessing the data and have more visibility into that,” Jensen says. Thomas says DTIC’s move to the ECA credential for industry members who can’t get the CAC is a natural progression

Spring 2016

THE DTIC PROJECT GIVES A NOD TO DIGITAL CERTIFICATES IN MULTIPLE FORM FACTORS, ENABLING BOTH HARDWAREBASED CERTS AND SOFTWARE-BASED CERTS to make sure the program is securing access to the information, but still making sure people can get to it. “We know that having a certificate gives us a higher assurance of who the person connecting to us is, and it will allow us to have more confidence in sharing the information,” Thomas says. Companies that have already issued ECA credentials to employees for internal use are the most likely initial users, he explains. Companies that aren’t using the certificates will be slower to understand the benefits. “We really are going to need to have communication and outreach to help other people understand it. I expect that it will take awhile for the full adoption,” Thomas says.

DOD CRACKS DOWN ON LOGINS At the outset of the ECA program, the DOD didn’t enforce the use of certificates for access to information systems. “Thus, it took a long time for adoption to really start,” Jensen says. When the DOD first came up with its PKI-based certificate program and started issuing PKI credentials to its personnel, they did it through the Common Access Card. This created an issue for DOD systems that defense contractors needed to access, because the DOD had to issue CAC cards to these contractors. “It was a very time consuming and expensive endeavor to give CAC cards to people outside their own domain,” Jensen says. In response, the DOD came up with the External Certificate Authority program to issue DOD-approved credentials

Spring 2016

to the defense contractor community. ECA certificates hold three functions for contractors: 1) logical access to DOD information systems, 2) digital signatures and 3) encryption. About five years ago, the DOD started cracking down on entities that were still using user IDs and passwords and pushed to require that they enable their systems with PKI. “Slowly but surely, more and more systems are coming online,” Jensen says. “Originally, we saw adoption of the ECA certificates for logical access to DOD information systems, and recently, we’ve seen more use for their digitally signing and encrypting emails. So it’s an easy way for them to protect what we call data in transit,” Jensen says. There are a number of systems in the DOD realm that defense contractors need to access in order to do business with the department. One example is the Joint Personnel Adjudication System, or JPAS. In order for defense contractors to have meetings discussing DOD business, they need to meet defense standards and assign what’s called a facility security officer, or FSO. An FSO is required to verify that whenever there’s a meeting involving DOD topics, every person attending meets security standards that have been validated in the JPAS system. To access the system, the officer needs to use an ECA certificate.

DTIC SETS EXAMPLE WITH PKI USE Jensen believes DTIC’s use of PKI credentials, including ECA certificates, could serve as a best practice for other government applications. “Every agency

in government and every agency in the DOD has use cases for this,” he says. For example, pilots have to send their health information to the FAA to obtain their license. Much of this information is personal, yet the pilots submit it via fax. “It’s a very unsecure way to send this information, and people should be able to digitally sign it, encrypt it and send it,” he says. Once people realize what can happen when systems are not properly secured, Jensen says the adoption rate will start to change. One of the main barriers is that there is no known enforcement behind this adoption, even though the DOD is telling agencies to follow these guidelines. “In the PKI world, the only time you really see rapid adoption is when there’s accountability, enforcement and use becomes mandatory,” he says. Thomas says that people will appreciate the ease of using the certificates once they get through the registration process. “I know that for my own purposes, moving away from a login and password to a CAC made it a lot simpler for me because I didn’t have to constantly change my password and keep track of it on different systems,” he says. As more organizations adopt the use of ECA certificates, people will be able to use one certificate for multiple purposes, instead of having to maintain different logins and passwords for each different system they use. Jensen is confident that as more organizations start following the DOD guidelines information systems will be more secure and breaches minimized. “It’s really exciting when institutions like DTIC adopt certificates, because they see a lot of benefits,” he says.

Certiﬁed Smart Card Industry Professional The industry’s only standardized certiﬁcation program recognizing professionals with advanced smart card industry knowledge and experience

With the CSCIP credential, you are immediately recognized as having the most up-to-date knowledge of smart card technology. The designation distinguishes you as a certiﬁed professional with knowledge of both current smart card technology and applications and emerging trends.

GET CERTIFIED

BUILD YOUR

CAREER

The Smart Card Alliance offers three separate CSCIP credentials CSCIP The general CSCIP certiﬁcation is for professionals who support all applications using smart card technology.

CSCIP/Government The CSCIP/G certiﬁcation focuses on identity and security applications and government-speciﬁc smart card initiatives.

CSCIP/Payments The CSCIP/P certiﬁcation focuses on payment applications including EMV chip, mobile, contactless and transportation.

All CSCIP certiﬁcations demonstrate proﬁciency in the following principles: • Smart card technology fundamentals • Security • Application/data management • Mobile and NFC usage models • Identity and access control usage models (CSCIP and CSCIP/G only) • Payments usage models (CSCIP and CSCIP/P only)

To learn more about CSCIP certiﬁcation, training dates, and fees, visit: www.smartcardalliance.org/cscip 1-800-556-6828 Spring 2016

ARE STATES SPEEDING TOWARD MOBILE DRIVER LICENSES? INTEREST IS HIGH, BUT ROADBLOCKS INCLUDE STANDARDS, INFRASTRUCTURE, RELYING PARTY ACCEPTANCE ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

The ubiquitous plastic card that resides in the wallets of most people 16 years of age and older may be in for a makeover, and this one could entail more than a new hologram. States across the country are considering the issuance of driver licenses on mobile devices. In most states, this mobile driver

Spring 2016

license would be in addition to the cards that people already carry in their wallets, but what might the future bring? The driver license is supposed to be nothing more than proof that the cardholder can operate a motor vehicle, but it has become so much more Â â&#x20AC;&#x201C; facilitating everything from air transportation to

alcohol purchases and financial account opening. There are many reasons states are looking at mobile driver licenses. One school of thought is that the younger generation is fed up with carrying pieces of plastic, purses and wallets, preferring instead to do everything with a mobile device.

Others point to efficiencies as the primary reason. A mobile credential and app gives driver license issuers an easier way to communicate with customers. It can also enable customers to perform self-service tasks, such as address changes or license renewals, all through an app instead of visiting a physical location. Privacy is another often-cited benefit. Instead of having to show a stranger a card with a home address and date of birth to buy a six-pack, an app could simply confirm that the customer is at or beyond the authorized age without giving up extra personal data. Lastly, there may be a larger role for a mobile driver license to play with digital identity. Driver licenses are one of the few pieces of identification where individuals actually go somewhere, provide documentation to prove identity and have that data verified. Being able to use that high-assurance identity coupled with multi-factor authentication in the digital world could be the solution to some of the digital identity woes currently plaguing enterprises. But doing mobile driver licenses the right way will require more than just placing an image of the card on a device. States will need to overcome numerous challenges before securely placing an identity on a mobile phone. Standards have to be developed so that licenses issued in one state can be accepted in all others, and a vast infrastructure will be needed to electronically verify mobile IDs.

IOWA OUT AHEAD OF THE PACK Iowa started its pilot of mobile driver licenses with a dozen employees in August 2015 and has since expanded its test to more than 60 license holders, says Mark Lowe, director of Iowa Department of Transportation’s Motor Vehicle Division. Participants download an app after receiving an email inviting them to enroll. After entering the email address and PIN, the user takes a selfie, which is checked against the previously enrolled image at the DMV. If the facial recognition passes,

MOBILE DRIVER LICENSE USE CASE:

LAW ENFORCEMENT

OFFICERS WILL REQUIRE BOTH ONLINE AND OFFLINE ACCESS TO MOBILE LICENSES ISSUED BY ALL JURISDICTIONS

they can then create the mobile driver license. The pilot is testing updates to the customer record system with changes rendered to the handset in real-time. Information such as change of address, over/under 21-years-old status, organ donor status and change in driving status, endorsements, or restrictions, can all be updated to the

for identification purposes and protect against fraudulent reproduction. In addition to PIN and fingerprint-based security features already built into phones used in the pilot, the mobile driver license app can also be secured using facial recognition technology. This requires the user to take a selfie and input a custom PIN prior to launch.

MOBILE LICENSES CAN IMPROVE PRIVACY, ALLOWING CITIZENS TO CHOOSE WHEN AND WITH WHOM THEY SHARE THEIR INFORMATION, AND AS IMPORTANTLY, HOW MUCH INFORMATION THEY SHARE mobile driver license immediately. As an example, when an individual turns 21 the mobile version of the document switches from the vertically printed format to horizontal in the same way that the physical card would change upon reissue. The mobile driver license software carries the same level of trust as the physical driver license ID card and includes both visible and covert security features that are layered in the digital image displayed on screen. These features are designed to enable the mobile drive license to be quickly and reliably authenticated when presented

In the future Bluetooth or NFC could be added to share information with law enforcement or others, Lowe says. Instead of having to hand the device to the officer, the mobile could wirelessly transmit information to the officer’s handset. Another scenario would see the officer using his own mobile device to scan a bar code on the citizen’s device, in order to access the individual’s driving record. The second stage of the pilot is testing this capability outside of law enforcement. Iowa is working with a group of local retailers to explore how license information can be electronically presented and validated.

Spring 2016

MOBILE DRIVER LICENSE USE CASE:

GOVERNMENT SERVICES AGENCIES WILL NEED THE ABILITY TO EASILY ACCESS LICENSE APPLICATIONS FOR IDENTITY PROOFING AT VARIOUS POINTS OF SERVICE

One scenario involves a retailer scanning a bar code from the license app to validate that the ID holder is over a certain age, Lowe explains. Later this year, the Iowa pilot is likely to expand to a test group outside the transportation department.

STATE LEGISLATORS PUSHING MOBILE DRIVER LICENSES While the Iowa project came out of internal discussions at the agency, other states are seeing legislators propose the idea. Delaware is investigating mobile driver licenses because the General Assembly passed a resolution asking the Division of Motor Vehicles to explore and consider the technology, says Scott Vien, director at the Delaware agency. “You do so much with your phone and so much is moving to the mobile platform, driver licenses have been a missing piece and it’s something we would like to get ahead of,” Vien explains.

Spring 2016

Kentucky Rep. Jonathan Shell (R) proposed a resolution in the General Assembly in 2015. The resolution didn’t come up for a vote but Shell plans to resubmit. The 28-year-old legislator says that mobile driver licenses can add convenience, especially for the younger generation. “I’ll walk out the door to pick up pizza and get there and realize I don’t have my wallet,” he says. “But I don’t forget my cell phone.” Even though the bill didn’t capture the attention of the General Assembly, the Joint Committee on Transportation held a hearing that discussed mobile driver licenses last fall. HID Global executives testified at the hearing, briefing officials on the latest developments in mobile credentials. The company talked about its proof of concept for a mobile driver license and what is involved with such a project, says Kathleen Carroll, vice president of corporate affairs at HID Global. States are looking at mobile driver licenses to increase security and conve-

nience, Carroll says. Individuals have to carry around multiple IDs for different purposes – driver license, health care, work, etc. By placing identity on a mobile device individuals will only have to carry the smartphone. Mobile driver licenses may also ease the burden on state workers. Instead of having to wait in line for a change of address or a license renewal, administrative functions could all be handled through the app. “Because there is a secure trusted relationship between the state licensing authority and the citizen’s smartphone, new services can be added and the need to stand in long lines can be eliminated,” Carroll says. Privacy can also be increased with a mobile license. “A secure mobile technology platform will give citizens more control over their personal information allowing them to choose when and with whom they share their information, and as importantly, how much information they share,” she says.

Securing the identity and bringing trust to millions of citizens worldwide Securing people in todayâ&#x20AC;&#x2122;s digital world begins with protecting their identities and personal data. Gemalto contributes to more than 100 government programs worldwide including 30 ePassport and 25 national eID initiatives.

gemalto.com

In an IncreasIngly connected socIety gemalto Is the leader In makIng dIgItal InteractIons secure and easy. learn more at gemalto.com Spring 2016

MOBILE DRIVER LICENSE USE CASE:

RETAIL ENVIRONMENTS

LOCATIONS WILL REQUIRE VARYING DEGREES OF LICENSE DATA FOR DIFFERENT APPLICATIONS, SUCH AS PURCHASING TOBACCO, CREDIT APPLICATIONS AND LOYALTY PROGRAM ENROLLMENT

ADDITIONAL PRIVACY The privacy enhancing aspect is attractive to many states and constituencies within states, says Frank Dean, transformation and strategy consultant at Mathtec, a consulting firm that works with states evaluating security and issuance options for licenses.

While developing a report for Florida, Dean interviewed bartenders, law enforcement and other parties that consume driver license data. One woman told him a story about going to a club where she showed the bouncer her ID to prove she was over 21. The bouncer hit on the woman, but she rebuffed his advances. That night she saw the same bouncer waiting outside her apartment. Luckily,

Florida researches mobile driver licenses The State of Florida commissioned consultancy Mathtec to create a driver license market and technology report. The 133-page document covers an array of subjects pertaining to physical driver licenses and mobile apps. Ultimately, the report had three recommendations on how the Sunshine State should proceed: Establish the major systems first: Before contemplating a mobile system, existing physical driver license and ID card issuance services need to be overhauled. Mathtec recommended that Florida go to a central issuance model. Florida officials should work to establish protocols and architecture to support mobile driver licenses in both their new issuance systems and their back-end modernization systems. If portals for mobile driver licenses are included in the design of those foundational systems, then selecting a vendor to connect to that architecture will be much easier. Work with current vendor on mobile driver license solution: Most vendors have prototypes for mobile license solutions and the state should add a clause in any future contract to extend it for mobile services. This gives the state the ability to acquire these services without going out to bid, and it could also give the vendor incentive to do research and development without Florida having the fund it directly. Give the market another 18-24 months to develop: Waiting will give Florida a chance to see what technologies shake out and can ensure that any investment in mobile driver licenses can become a permanent part of its customer service infrastructure.

Spring 2016

nothing more transpired, but had she been able to show something that proved she was over the age of 21 rather than a document with her name, address and date of birth she may have been safer. “The question becomes can we build the mobile ID in a way that we can verify age and nothing else,” Dean asks. The same can be true of other applications as well. Dean talks about signing up for access to a local recreation center and being forced to provide his complete address. A mobile driver license could be used to just confirm that an individual is a resident of a particular town, without giving away the keys to the kingdom.

NO MORE WALLETS? A popular refrain when discussing mobile driver licenses is that the younger generation doesn’t want to carry a wallet. The logic seems sound, since we can already buy coffee, get on an airplane and enable access to work computers with a mobile device. So why can’t it also be used as a primary identity document? For one, mobile driver licenses introduce a whole new crop of fraud issues to the table. “Anything in software can be hacked, and people are making a good living creating fake software,” says Steve Purdy, director of business development for Government Affairs at Gemalto. “There’s no way to have something on your mobile that can provide the look and feel of an authentic document.” Real world driver licenses have an array of security features that can be examined

RIGHT NOW YOU HAVE SUPER SECURE CARDS, BUT YOU DON’T KNOW IF THE PERSON HOLDING IT IS CONNECTED TO IT. WITH MOBILE DRIVER LICENSES, WE BELIEVE WE CAN ACHIEVE FULL CONFIDENCE THAT THE PERSON INTERACTING WITH IT IS THE OWNER.

to prove authenticity. Some cards have a different composition of materials that can make them feel different when handled. Still, even with real world driver licenses and the host of embedded security features, fraud remains a problem. Should we not assume that this fraud would also migrate to the mobile license world? College students can send photos and a couple of hundred bucks off to a counterfeiter in China and receive valid looking documents within days. “Security features are good to a point, but fake licenses often include passable security features too,” says Dean. “If we’re going to implement mobile driver licenses by simply reproducing a card on the phone, then we’re going to have a fraud problem,” he says. Perhaps the answer to document fraud will be found in something not possible with a plastic card: connectivity. “There needs to be a backend verification process to ensure a digital driver license was issued by – and remains valid with – the proper authorities,” Purdy explains. This means leveraging the technology behind the screen of a mobile device, says Dean. “You need to make sure the information is verified and not just a simple screen grab,” he explains. “I want to take the human element out of it and electronically verify the information that’s being shown on the screen.” While connectivity can offer assurance, it can also be a problem if not available. Imagine that deserted stretch of highway and an officer needing to validate a license. A mobile driver license solution must work in both online and offline environments. The numbers of relying parties – grocery stores, airline gate agents, nightclubs and law enforcement – that will need to read and confirm that data from a license is massive. The infrastructure to read these licenses will be essential to mobile license success. There are a number of ideas being considered to electronically verify a mobile driver license. Using near field communication or Bluetooth Low Energy are two schools of thought. Being able to transmit information to a reader with a touch of a button to verify pertinent details could solve many problems. “You need to have a secure method of exchanging information that is ubiquitous to the entire population,” says Purdy. With ubiquity a necessity, NFC and even Bluetooth may temporarily be ruled out going instead to an old-school solution that’s

already familiar to driver licenses issuers across the country – the PDF 417 bar code, says Jon Ekers, global CIO and senior vice president at ABNote. “You have the bar code that is digitally signed privately and then a public key could validate that it’s been properly issued,” he adds. But all of this is contingent on connectivity. Unless that app is pinging a database to show that the information is current, there will still be fraud concerns. “Offline transactions are a must but it’s choppy waters and we need to figure out how to do this,” Ekers says. It is possible that the mobile driver license app could update in the background a couple of times each day to ensure data is relatively current, Ekers says. This could enable reasonable assurance of validity in offline use cases. Still, how to absolutely authenticate a mobile driver license in an offline environment remains a problem that needs to be solved, he says. There is also a fine line of how much information needs to be shared and displayed with a mobile driver license. Does every grocery store checkout line need to be connected to a state DMV database to say an individual is over 21? “Do you want all these retailer and bars connecting to the DMV to do authentication?” asks Purdy. If every grocery store and airline check-in point is pinging a state’s DMV database to verify info, it could quickly become overwhelm systems. A bar code or QR code could be used in place of real-time database checks without adding infrastructure as these relying parties already use bar code scanners. Instead of displaying personal information there could just be a red light/ green light that enables the transaction to move forward.

LAW ENFORCEMENT NOT SOLD ON MOBILE Some industry executives say that law enforcement is nowhere near ready to embrace mobile licenses. How would officers work with these digital representations when pulling someone over? Would they take the mobile device back to a cruiser to verify information? What happens if the officer drops the mobile device? What if the individual receives an incriminating text while the officer is in possession of the device?

Spring 2016

SECURITY FEATURES ARE GOOD TO A POINT, BUT FAKE LICENSES OFTEN INCLUDE PASSABLE SECURITY FEATURES TOO. IF WE’RE GOING TO IMPLEMENT MOBILE DRIVER LICENSES BY SIMPLY REPRODUCING A CARD ON THE PHONE, WE’RE GOING TO HAVE A FRAUD PROBLEM.

The biggest concern is that officers don’t want to handle a citizen’s device. It is a problem that could be addressed using Bluetooth, NFC or a bar code to enable an officer to use his own mobile device to collect necessary information from the individual’s device. From there, the officer’s device would handle the verification of the license data with the issuer. HID’s Carroll explains how the system can make their jobs easier. “When appropriate, a secure mobile driver license platform would allow the authentication of a person’s ID from a safe distance using Bluetooth technology to give law enforcement officers more time to determine if a traffic stop is routine or more complex,” she says. To ensure privacy, an officer’s mobile device would have to be equipped with the proper digital certificates to enable it to read the mobile driver license data. “A mobile credential would only be sent to a mobile device through a secure service by an authorized state licensing authority,” Carroll explains. “During use of the credential, a mutually authenticated channel

Spring 2016

would be established between the mobile device and the relying party application to ensure privacy.”

A HIGH-STAKES STANDARDS GAME It may sound straightforward, using Bluetooth or another technology to transmit license information to an officer in a cruiser. But for this to work states, vendors and law enforcement would all have to agree on a standardized approach. The American Association of Motor Vehicle Administrators is in the early stages of creating mobile driver license standards that would be used by all members, says Geoff Slagle, director at AAMVA. The stakes are extremely high in this process. Many states are already evaluating mobile driver licenses, but all will need to agree to minimum standards so that each license can work in all other states. “You have to have the standards down, so mobile driver licenses can be leveraged regardless of the jurisdiction,” Slagle explains.

This doesn’t mean states will have to all use the same vendors, but they will have to make sure that the vendor they choose is using the standardized approach, Slagle says. He uses ice cream as an analogy. As long as systems are using the same ice cream base – a standardized secure mobile driver license – vendors can offer different add-ons – hot fudge, sprinkles or whipped cream. “The base has to have the ability to communicate in an electronic and trustworthy way,” he adds. The standards will revolve around making sure that the application is secure and verifying that the credential is legitimate, Slagle says. “Right now you have people walking around with super secure cards, but you don’t know if the person holding it is connected to it,” he explains. “With mobile driver licenses, we believe we can achieve full confidence that the person interacting with it is the owner.” AAMVA hosted the first mobile driver license standards meeting in November 2015. With interest in mobile licenses so high the committee hopes to move quickly, but it will likely be late 2016 at the earliest

State lawmakers consider mobile driver licenses

Numerous states proposed legislation in 2015, more expected in pending sessions JOSEPH HOELLERER, MANAGER OF GOVERNMENT RELATIONS, SECURITY INDUSTRY ASSOCIATION

Mobile driver license legislation was introduced in ten states during 2015 – Arizona, California, Delaware, Illinois, Iowa, Kentucky, New Jersey, North Dakota, Tennessee and Texas. Generally, bills either directed a feasibility study for mobile driver license implementation, or directed certain state agencies – notably licensing commissions – to set up and carry out a program. Outcomes were mixed. In Texas, a law was passed directing state officials to carry out a mobile driver license feasibility study. Tennessee went a step further initiating the creation of an actual program. Conversely, lawmakers in California approved legislation directing the state’s Department of Motor Vehicles to initiate a study. Gov. Jerry Brown (D) vetoed the bill, however, stating, “While the idea of a digital license sounds innovative, it poses numerous technical difficulties. Given the many new responsibilities that the Department of Motor Vehicles is already dealing with, I don’t believe this bill is advisable.” Despite a veto-proof margin and support from every Democratic legislator that voted on the measure, a veto override is not expected. It would be the first veto override under the Brown Administration, a precedent that California Democrats have so far been unwilling to set. In the remaining seven states, mobile driver license bills did not see further action in 2015 sessions. Three of these states – Delaware, Illinois and New Jersey – are technically still considering the legislation from carryover sessions, but it is unclear whether any will see further legislative action in 2016. Members of the Security Industry Association (SIA) specializing in identity management technology are advising policymakers on what it would take to create and deploy a successful and secure program. Last November, representatives from HID Global testified before the Kentucky Joint Committee on Transportation regarding legislative proposals to provide citizens with mobile licenses on a voluntary basis. Throughout the hearing, witnesses emphasized that mobile driver licenses should remain an optional alternative and legislation should not mandate the discontinuance of physical driver licenses. They stressed that convenience should not substitute for efficacy and security. Witnesses identified key stakeholders that should be a part of crafting any solution to ensure it meets the unique needs of the state:

Citizens need demonstrable assurances that their personal information will be protected against unauthorized use Law enforcement officials must ensure any changes in procedure enhance their ability to protect the communities they serve Federal authorities and state licensing authorities must be assured that any potential operational issues that may arise will not compromise their ability to provide accurate identifiable information. Another potential obstacle for states is complying with REAL ID, a law passed by Congress in 2005 that established minimum-security standards for state-issued driver licenses and identification cards. Currently, 23 states and territories are compliant with the REAL ID and 27 others have received extensions. Seven states and territories have neither complied nor been granted an extension. Indications are that mobile driver license compliance would track overall with a state’s driver license and identification program. Presumably, a mobile driver license that meets issuance, data, security and other requirements of REAL ID would be considered compliant in a state whose program is REAL ID compliant. Prior to implementation, policymakers should decide how mobile driver license features fit into their state’s policy on REAL ID requirements and be cognizant of additional legislative measures that may need to take place in the future pursuant to REAL ID. On the federal side, while Congress has yet to consider any legislation dealing with mobile driver licenses, several government agencies reportedly see potential value in incorporating their use into everyday operations. Take, for example, the Transportation Security Administration’s airport check-in points of entry. Once this technology is properly tested, the confluence of boarding passes and identification on a single mobile device could add security and streamline processes. Similar identification confirmation mechanisms could be deployed in our nation’s ports and other high-security entry points.

INSIGHTS Cutting-edge viewpoints on the use of security technology from the industry’s leading electronic physical security association. Learn more at securityindustry.org.

Spring 2016

MOBILE DRIVER LICENSE USE CASE:

AGE VERIFICATION

LIQUOR STORES, RESTAURANTS, BARS AND GAMING LOCATIONS WILL NEED TO EFFECTIVELY DETERMINE AGE FROM ALL STATE-ISSUED MOBILE LICENSES WHILE ALSO PROTECTING PATRON PRIVACY

with the spring of 2017 looking more realistic to have a finalized specification, says Slagle. Once the committee has finished its work the spec has to go through AAMVA’s Board of Director’s and members for a vote. States already moving forward with mobile driver license tech will have to keep an eye on the work AAMVA is doing and try to stay on the same track. Iowa is keeping this in mind as it moves forward with its pilot, says Lowe. “The really big thing is making sure the mobile driver licenses are accepted state to state and accepted by law enforcement, retail and banking,” he explains. “What is the thing that will make them interoperable? That’s what we’re spending time working on.” If states decide to go with different technology standards it will hamper the adoption of the technology, says Adam Madlin, solutions leader for Identity and Cybersecurity at Symantec. “If you can’t get all the states on board it will undermine interoperability,” he adds. Mathtec’s Dean is concerned that mobile driver license technology may be out of date by the time standards emerge and gain widespread acceptance. “We’re going to spend the next couple

of years working on standards and then another five to 10 years getting states on board,” explains Dean. If biometrics or some other identification technology becomes prominent, they could eclipse the need for mobile license apps, suggests Dean. “Are we inventing a technology that will be leapfrogged?” he asks.

WE’RE GOING TO SPEND THE NEXT COUPLE OF YEARS WORKING ON STANDARDS AND THEN ANOTHER FIVE TO 10 YEARS GETTING STATES ON BOARD. MOBILE DRIVER LICENSES MAY BE OUT OF DATE BY THE TIME STANDARDS ARE READY.

Spring 2016

DRIVER LICENSES FOR THE IDENTITY ECOSYSTEM

Iowa is looking even beyond that. The mobile driver license has potential to be used as a high-assurance digital credential to access other sites and services, Lowe says. That use case may take awhile to develop, but it’s on the road map. Delaware wants the mobile driver license to be a credential to securely communicate with the DMV, Vien says. “If we do this right we can create a secure means of interacting with customers remotely,” he adds. The rollout will be slow, first enabling secure electronic transactions with the DMV and then other state services and other relying parties. North Carolina, Georgia and Virginia are already

MOBILE DRIVER LICENSE USE CASE:

TSA

SECURITY CHECKPOINTS WILL NEED TO ACCESS MOBILE LICENSES FOR TRAVELER IDENTIFICATION AT AIRPORTS AND OTHER PORTS OF ENTRY AND EXIT

using DMV data to confirm the peoples’ identities when setting up credentials to access different state services. Those projects are being done with pilot funds from the National Strategy for Trusted Identities in Cyberspace. But there aren’t many state agencies that wouldn’t love to have access to their state’s DMV records, says Mathtec’s Dean. “In every state that I talk to, all the agencies want access to the driver license data to verify information,” he explains. “The DMV is the one government agency where people have to establish identity face-to-face in a physical location.” Standards will be important in this aspect of mobile driver licenses too, says Symantec’s Madlin. “You have to get all states on board or it won’t have real adoption,” he explains. “As states become the trusted source of identity they can expand their citizen applications, broaden adoption and spur greater success.” Online identity vetting has been a difficult proposition. If states start issuing a digital credential based on in-person identity vetting that solves a lot of problems. “DMVs and mobile driver licenses have a role to play in the bigger identity picture,” says Madlin. The possible applications for mobile driver licenses are endless. The dream of a virtual wallet that combines driver license, payments and a digital identity has been discussed for years but might be around the corner. It promises to change the way citizens interact with DMVs, government agencies and other relying parties. But it will require massive effort to create the standards and build the infrastructure necessary to make this dream a reality.

Lessons learned:

Ever-changing mobile operating systems pose challenges Iowa rolled out its mobile driver license pilot in August. The program was moving along when it hit a snag a few weeks in, says Mark Lowe, director of Iowa Department of Transportation’s Motor Vehicle Division. “When iOS 9 came out we had problems,” he explains. It was an important lesson learned early on in the pilot. DMVs are used to issuing a credential and then not having to see the individual again until they come in years later for renewal. With the constant updates of mobile operating systems states will have to keep tabs to make sure updates don’t lock apps and render them unusable. Iowa is running its pilot now on iOS devices, but when these systems roll out in larger numbers support will have to be available for all devices and operating systems. “You can’t just come up with a secure approach that works on iPhone or Android alone,” says Steve Purdy, director of business development for Government Affairs at Gemalto. “You need one that works on all operating systems and devices.” How mobile driver licenses are verified also has to be ubiquitous across handsets, Purdy says. This may limit the verification technology to bar codes or Bluetooth Low Energy – a technology that has been standard on smart phones since 2012.

Spring 2016

EDUCATING ISSUERS OF ALL LEVELS TO BENEFITS OF ADVANCED CARD MATERIALS EVANGELIZING MORE DURABLE, COUNTERFEIT-RESISTANT IDS TAKES BUY-IN FROM EVERYONE IN THE SUPPLY CHAIN Each issuer has its own set of challenges when it comes to creating a new credential. The most educated enterprises such as government issuers have challenges, but they also bring the most resources to bear during the decision process. At the mid-level, organizations such as financial issuers are beginning to consider more durable card materials, but the vast majority of small to mid-volume issuers lack even basic education on material options. When a credential issuer begins the process of creating a new card or identity document, there are many factors to take into account. Adding further complexity to the decision, these factors typically differ for each individual issuer. “Every situation is different and there isn’t one single process that all issuers follow,” says Pierre Scaglia, global segment manager for Secure Credentials at PPG Industries.

Spring 2016

Government issuers are different from financial card issuers who are yet again different from corporations. Issuers from each of these markets often take different paths and rely on different advisors when selecting card materials. Though there are always exceptions, common paths have traditionally included: Government issuers: The agency’s project leads confer with subject matter experts from the system integrator’s team Financial card issuers: The institution’s payment card leads work with their chosen card manufacturer Corporate issuers: A company’s facilities manager or physical security personnel defers to their local access control system installer. Clearly the various paths result in very different outcomes. At the government level, a more consultative approach is

far more likely to include discussions of various advanced card materials, as well as the durability and anti-counterfeiting capabilities of each option. At the corporate level, the tendency is often to default to the cheapest option or the one that the local installer finds most comfortable and familiar. Still, at all levels there are two constants in the decision-making process – durability and cost. Though it need not require the same degree of involvement for smaller issuers, there are valuable lessons that can be learned from the approach taken at government issuer level. “Some very simple changes or considerations at the start of a program can greatly improve both the security and lifespan of any card,” says Scaglia. He suggests that even small volume issuers can benefit by opting for higher quality card materials.

ADVANCED CARD MATERIALS: AMOUNT OF PRE-SALE EDUCATION PROVIDED GOVERNMENT AND HIGH-PROFILE ISSUERS: This group receives the highest level of education on card material choices as project leads confer with subject matter experts from largescale system integrators

FINANCIAL CARD ISSUERS AND MID-TIER ISSUERS: This group receives moderate levels of education on advanced card materials as the issuer’s staff works with their chosen card manufacturer

CORPORATE AND BASE-LEVEL ISSUERS: This tier typically receives little or no education on card material options as the company’s facilities manager or physical security staff defers to local system installers or resellers

LIFESPAN, DURABILITY The first question any issuer must answer when evaluating card materials is how long they want it to last and what, if any, card technologies will be embedded, says Scaglia. “Before EMV a lifespan of two to three years was common for financial cards, driver license issuers typically wanted four or five years and national ID programs were looking for 10 years,” says Dave Tushie, technical and standards representative at the International Card Manufacturers Association. For cards with a one- to three-year lifespan, many choose PVC to keep the cost down, says Neville Pattinson, vice president for Government Affairs, Standards and Business development at Gemalto. “Bank cards tend to be PVC with embossed personalization,” he adds. Cheaper materials have often been considered sufficient, so long as electronics weren’t embedded in the cards and they only had to last a short period of time.

Beyond three years other materials start to emerge. Composite cards that use polyester, Teslin or other materials – in addition to or in place of – PVC, become a virtual necessity. These materials are used by states for driver licenses and by U.S.

materials with Teslin, polycarbonate is also an option, says Tushie. MorphoTrust USA provides the majority of U.S. states with driver licenses and has a process it works through with states, says Roland Fournier, product line director at

SOME VERY SIMPLE TWEAKS AT THE START OF A PROGRAM CAN GREATLY IMPROVE A CARD’S SECURITY AND LIFESPAN. THE CHALLENGE IS GETTING THIS WORD OUT TO ISSUERS ACROSS LEVELS federal agencies for the PIV and Defense Department Common Access Cards, says Pattinson. When issuers want cards to last longer than six years composite cards are still the norm, but additional materials often come into play. In addition to polyester

the company. “We talk to customers and we want to understand their decision-making criteria,” he explains. “It comes down to a cost and security conversation with durability also a factor.” Other determining factors include whether the issuance model will be centralized or decentralized/over-the-counter,

Spring 2016

and what kind of personalization technology will be used. “Understand the requirements is key to making the most appropriate recommendation,” Fournier adds. State issuers also want materials that are unique to them and cannot be obtained readily by counterfeiters. “They want noncommercial materials, something that isn’t available in the wild or easy to get your hands on,” Fournier explains. “They want something that’s tightly controlled and unique to a vendor.” MorphoTrust has worked with card material vendors to create substrates that specifically fit an issuers needs. “They come back to us and give us sample materials, we then personalize it and run it through its paces to see if it meets our requirements,” Fournier adds. With counterfeit driver licenses on the rise, card material suppliers have to keep tight control of the supply chain. “We do not disclose how the cards are made, and we have to make sure the materials we come up with can be produced consistently over a long period of time,” he says.

COMFORT AND COST While government agencies and state driver license issuers are moving to advanced card materials in pursuit of greater security and durability, the vast majority of smaller volume issuers haven’t made the change from pure PVC, says ICMA’s Tushie. He cites cost and comfort as key hurdles. Composite cards are more expensive than pure PVC, but the differences aren’t as much as they were a couple of years ago, says Tushie. “In conversations I’ve had with vendors, they say they can get very close to the cost of PVC,” he adds. “The increased cost could be just pennies on each card.” While the cost might only be nominally higher, another issue is the comfort level of working with new materials. “There

Spring 2016

are different manufacturing processes and equipment involved with polyester that you don’t have with PVC,” Tushie says. “The industry has grown up with PVC – the processes are stable and understood. There’s a reluctance to change because it’s so well known.”

EMV cards with contact and contactless interfaces have been the standard for some time, but still most issuers use straight PVC, says Tushie. In the U.S., however, issuers are sensitive to the additional cost of the electronics in the card and they want to try and recoup that cost with a four or five year lifespan. Many are starting to

THE INDUSTRY HAS GROWN UP WITH PVC – THERE’S A RELUCTANCE TO CHANGE BECAUSE IT’S SO WELL KNOWN. OVERCOMING THIS IS KEY TO CONVINCING ISSUERS THAT THE CHEAPEST OPTION IS USUALLY NOT THE BEST OPTION

EDUCATING ISSUERS ACROSS MARKET SEGMENTS PVC has been the standard material for many types of credentials, but even smaller issuers are becoming aware of the value and benefits of other materials. “Even outside of government-level projects, issuers are starting to engage in active dialogues about these different materials,” says Tushie. Still there is a vast disconnect in the education among government issuers and small and mid-volume issuers. Smaller guys – such as colleges and corporations – are often particularly unaware. “It’s a constant education process, as the small issuers typically haven’t received the education necessary to understand card life expectancy or total cost of ownership,” says Gemalto’s Pattinson. “Usually they want the cheapest card as budget is low and employee or student turnover is viewed as the driving factor.”

look at advanced card materials to help with that longevity. Meanwhile, the education continues. Card material manufacturers are out educating issuers and system integrators all the time, says PPG’s Scaglia. A common misconception educators battle is that a credential can only be constructed from one type of material. In reality multiple materials can and often should be used. “We emphasize that it’s not an ‘either/or’ situation. To create the ideal card for your issuance, you can combine materials,” he explains. As issuers seek a longer life credential and continue to battle counterfeiters, they must turn to advanced card materials. Disseminating this information requires education aimed at all layers in the supply chain. If small integrators, card resellers and local installers understand the benefits, it is far more likely that the level of understanding among small- and mid-tier issuers will follow.

SIA EDUCATION@ISC

EXHIBIT HALL

SA N D S EX P O

APRIL 5 - 7, 2016

APRIL 6- 8, 2016 LAS VEGAS

CONNECTING THE WORLD OF

SECURITY • New Products & Technologies from over 1,000 Exhibitors & Brands • 65+ SIA Education@ISC Conference Sessions • Countless Networking Events • NEW! Connected Security Expo @ ISC West – Bringing Cyber & Physical Security Together

Corporate Sponsors:

THE LONG ROAD TO BIOMETRIC EXIT IN THE U.S. ADVANCES IN BIOMETRIC TECHNOLOGIES FINALLY LEADING TO PROGRESS TRACKING FOREIGN TRAVELERS The U.S. has been collecting biometrics from foreign travelers entering the country for more than a decade. Way back in 2002, US-VISIT – now the Office of Biometrics and Identity Management – was tasked with creating a system to capture biometrics and make sure individuals weren’t on a watch list. It took just a couple of years for biometric entry to be deployed at airports nationwide. It was fairly straightforward because of the architecture of our nation’s airports. They are designed to ensure that foreign travelers go through checkpoints upon entry and that traveler information is gathered and checked before entering the country. But exiting from international airports is a different beast. The same law that mandated biometric entry also called for a biometric exit system. Collecting biometrics at the time of exit would help ensure that the traveler has officially departed the U.S. Implementing a biometric exit system, however, has been

an incredibly difficult challenge, one that remains allusive to this day. Much of the challenge stems from how airports are laid out. When foreign travelers are departing the country checkpoints – like the ones that they encounter upon entry – don’t exist. Travelers go to an airline attendant, show a passport, go through security, get on the plane and depart. Foreign and domestic flights often share the same gates, so the same infrastructure that’s used for a foreign departure could be used for a flight to Milwaukee just minutes or hours later. The delays implementing biometric exit have been a significant sore spot for Congress and were once again in the spotlight during a January hearing. The Senate Committee on the Judiciary, Subcommittee on Immigration and the National Interest held a hearing poignantly titled “Why is the Biometric Exit Tracking System Still Not in Place?” Senators expressed frustration at the lack of progress, with one actually

asking, “If Disneyland can do it, why can’t the U.S. government?” Written testimony from Homeland Security officials described the problem. Rebuilding areas in U.S. airports for departing foreign flights is one solution, but it would cost billions of dollars. The other commonly cited option is a brute force approach that involves hiring officers to manually inspect outgoing travelers. Based on pilot program experience, U.S. Customs and Border Protection (CBP) would likely need seven to nine officers to handle just one large aircraft. In total this approach would require 3,400 additional officers at an average annual cost of $790 million. In the past decade Homeland Security has piloted more than a dozen different approaches to biometric exit. An early program included CBP officers standing at departure gates wearing biometric scanners and other hardware to track departures. This Robocop approach was deemed inefficient.

IMPROVED TECHNOLOGY YIELDING PROMISING RESULTS

ONE NEW OPTION USES A SMARTPHONE WITH ADD-ON HARDWARE TO CAPTURE FINGERPRINTS AND BIOGRAPHICAL DATA

Spring 2016

Pilots since then have been more sophisticated, with recent projects testing different technologies and biometric modalities at land border crossing and airports, says Kim Mills, director at the Entry/Exit Transformation Office in the Office of Field Operations for U.S. Customs and Border Protection. A big part of the recent progress is a combination of improved technology with reduced costs, says Mills. In 2009 CBP conducted a pilot at Detroit Metropolitan Airport where officers captured travel document data, fingerprints and other information from departing foreign travelers at select gates. Detroit had some

BIOMETRIC ENTRY HAS EXISTED AT BORDERS FOR ALMOST A DECADE, BUT BIOMETRIC EXIT STILL HASN’T TAKEN OFF gates with jet ways that led to large rooms, if you were a departing foreign traveler you were routed to one of these rooms where your exit data was captured. While the solution worked, it wasn’t ideal due to the logistics of the gate. There wasn’t real-time connectivity with a back end system and it was labor intensive. CBP had to have seven officers processing travelers at a time to make sure a flight wasn’t delayed, explains Mills. At Detroit this might be feasible because there are not that many international flights at one time, but it’s a different story at airports like New York’s JFK where 37 flights may depart at once. “It wasn’t financially feasible because of the cost of the CBP officers,” she says. But CBP took the premise from that pilot and built on it with new technology, adding a better handheld device that would work in an airport gate situation. The system uses an off-the-shelf smartphone with addon hardware that captures the fingerprint and requisite biographical data. It has realtime connectivity to a back end system so officers can be notified if there’s a problem. Currently, it is being tested at 10 airports across the U.S.

Later this year, CBP plans to deploy a biometric exit field trial that will test the collection of face and iris images from foreign nationals departing from U.S. airports. This program is intended to help determine the feasibility of collecting biometrics on the move.

BY LAND AND SEA TOO While airports might get a lot of the attention, land border crossings are also exploring new technology. Otay Mesa in California started testing facial and iris recognition at land crossings early this year. Some 16,000 travelers cross the U.S. and Mexico border at Otay Mesa every day. Travelers register their travel documents – either Passport or SENTRI cards – at a kiosk where facial and iris biometrics are also captured. Both the Passport and SENTRI cards use long-range RFID technology that transmits an identification number at a range of about 20 feet. After registering in the program enrolled travelers then walk through different lanes that scan the identity document and authenticate the individual with the facial

or iris biometric, Mills says. Some of the biometrics are captured while the traveler is walking, while others require them to stop and look at a scanner. “The system will reach back into the database and do a oneto-one comparison to see if the captured information matches what was previously enrolled,” she says. While the mobile devices at airports and the Otay Mesa land border test new technologies, CBP is also working with Homeland Security’s Science and Technology Directorate on additional new concepts for both biometric entry and exit, says Mills. Science and Technology runs a test facility in Maryland that can be easily reconfigured for different entry and exit schemes in a somewhat real world setting. “Each day, we can run 1,300 people though this from different countries and different ages to see how they react,” Mills says. Though biometric exit has taken far longer than its entry counterpart, the complex challenges are being addressed through the creative use of advancing technologies. CBP will continue to test different systems and approaches in its ongoing attempt to strengthen exit procedures.

Spring 2016

IT’S NOT YOUR ENTERPRISE IAM CONSUMER-FACING IDENTITY SYSTEMS ARE VASTLY DIFFERENT FROM THOSE USED BY EMPLOYEES FOR NETWORK ACCESS Consumers are unpredictable. When it comes to accessing information online, they want easy and secure – and they want it their way. That means anytime, anywhere and via any device. Web site operators must be flexible because the need information from these consumers so they can better market to them and ultimately convert them into paying customers. The struggle to enable consumers to access information easily and securely, while also giving web site operators what they want, is often at odds. Social logins and other federated identity models are emerging as “go-to” mechanisms to enable this, but there’s a battle being waged with corporate IT staff. Corporate IT staff often think the same identity and access management (IAM) system used by employees to access services can translate to the consumer space,

but they are woefully wrong, says Andras Cser, vice president and principal analyst serving security and risk professionals at Forrester Research. “The systems involve different technologies and different performance requirements,” he says. “Customer IAM is fundamentally different from employee IAM.” An enterprise knows its employees and has vetted them, but customers are unknown, says Suresh Sridharan, senior director of technology and product strategy at Gigya, a developer of customer identity management solutions. “With a customer there is no cycle. They visit anonymously and over time you establish mutual trust as they provide more information,” he explains. Employee and customer IAM systems also require different personnel during implementation. IT security is necessary

Forrester’s steps for properly implementing consumer-facing IAM: Create a process map. This details how the consumer would interact with the system from account signup to account deactivation including identity verification, device registration, password recovery and reset. Enable single sign-on. Let customers use social logins and federate access with SAML or OAuth. Think about scale and performance. Is the site having a sale? Is there a certain time of the month where more customers are accessing accounts? Take all of this into consideration, and make sure the system can scale to meet demand. Risk-based authentication is a necessity. Use IP-address lookup, device fingerprinting and session speed as additional attributes to authenticate a transaction in a manner that reduces fraud and friction. Biometric technologies are coming of age. Fingerprint on mobile devices are becoming more popular and the reliability of voice is improving. Collaborate with the business side. They need to understand why customerfacing IAM is different from employee IAM and that these systems can be a lot more complex than the ones employees use.

Spring 2016

to make sure either system is secure, but marketing staff must be involved to make sure a customer-facing system is usable and that the organization can obtain the requisite customer information, Cser says. Also, marketing is usually the department within an enterprise that is paying for a customer IAM system, he adds.

ENABLING ACCESS At a basic level both consumer and enterprise identity and access management systems enable access, but that’s where the similarity ends. The consumer side is about the experience and retaining customers while the enterprise side is about reducing risk, Cser says. An in-house IAM system is owned by IT and the company can control the device that is used to access information, the web browser and authentication technologies, Cser says. “You don’t have as much control with consumer-facing IAM,” he added. “You can’t control the endpoint device or malware controls.” A company can try to limit the browser or other systems used to access a site, but it risks alienating customers if they don’t feel like switching browsers or systems. Likewise, if the site puts too many restrictions in place the consumer will just go somewhere else. There’s also the question of scalability. Enterprises have a pretty good idea of how many employees will access different systems throughout the day, but consumer web sites need to be prepared for anything. If the site is launching a new video or having a sale it needs to be able to scale up to meet the necessary performance requirements, Cser says. Privacy is another matter, Cser says. If a system asks for too much information from the start consumers might just leave.

“Customers are fickle, and they have unlimited choice. That means if your customer IAM is frustrating, your customers will just give up,” says Jamie Beckland, vice president of marketing at customer IAM provider Janrain. “Don’t ask for too much data from your customer right away, and don’t force them to jump through unnecessary hoops. Employees have much less choice – if they want to access their email they must conform to over-the-top security policies and draconian password

WITH EMPLOYEE IAM THE COMPANY CAN MANDATE USE. BUT WITH CONSUMER-FACING IAM, IF ENTERPRISES RESTRICT DEVICES OR BROWSERS OR MAKE ACCESS DIFFICULT, CONSUMERS WILL JUST LEAVE.

rotations. If you ask the same from your customers, they will just abandon.” In this age of the data breach a consumer’s information also has to be protected. Enterprises must make sure that all customer information is encrypted to protect them in case of a breach, Cser says.

MARKETING LEADS THE CHARGE The marketing department is the group within an enterprise that chooses the consumer IAM system, says Beckland. They are the beneficiaries of the data these systems capture and thus write the check. “Typically, we see enterprises starting customer IAM initiatives with their marketing campaign experiences, typically to promote customer engagement through comments, voting, polls and social media,” Beckland explains. “These are quick

to deploy, and enable enterprises to start collecting customer data right away. Then, you will want to expand to high-value points for existing customers; these include communication preference centers, support portals and product registration experiences.”

In the end it all comes down to connecting with consumers, says Sridharan. It’s a little bit of a dance, if consumers feel there is some value in what they get from the site then they will connect and register. But this takes time and consumers can’t be bombarded with registration at the start.

NEW! Dates • Location • Partner In 2015,

628

executives participated

exhibitors and sponsors took part

speakers throughout the three-track agenda

A Bigger Stage for Secure EMV, Mobile and Transit Payments Get ready for the next stage of industry growth at Payments Summit, as the industry continues a remarkable evolution. The US migration to EMV is here and the Smart Card Alliance, the authoritative industry leader for EMV, will continue its comprehensive coverage of this landmark transition. Secure mobile payments are fragmenting the market--conference speakers will review a wide range of solutions being touted by technology providers, networks, telecoms and handset manufacturers. Public transportation leaders will talk about the ongoing move to standards-based contactless and mobile payments. It all comes together at the leading annual event for secure payment systems.

#PaymentsSummit

SCAPayments.com

Exhibit and sponsor marketing opportunities are available: Contact Bryan Ichikawa: bichikawa@smartcardalliance.org or 703.582.7862.

Spring 2016

WILL BIOMETRIC PAYMENTS BECOME REALITY? MASTERCARD, VISA LOOK TO FACE RECOGNITION AND FINGERPRINT GINA JORDAN, CONTRIBUTIN EDITOR, AVISIAN PUBLICATIONS

Making a payment using a part of your body is no longer science fiction. These are exciting days in the world of biometrics and payments. Visa and MasterCard are both working on specifications that will impact consumers globally. Let’s take a quick tour around global world of biometric payments: In Nigeria, biometric data is captured by the government and centralized, enabling banks to verify the customer’s identity More than 80,000 biometric ATMs are in use across Japan identifying accountholders via palm or finger vein scanning In 2013, Citibank introduced biometric ATMs in Singapore, Malaysia and the Philippines, and they’re also live in Brazil and Poland More than 400,000 USAA customers have opted in to use fingerprint, face or voice recognition with the company’s mobile app Barclays is using finger vein readers to authenticate key corporate banking customers. Many other financial services companies and fintech providers are on the cusp of transitioning to biometrics. UK’s digital Atom Bank says it plans to use biometrics for authentication, and France’s Groupement des Cartes Bancaires card scheme reports to be evaluating modality options. The Mobey Forum’s Biometrics Workgroup found that consumers have adjusted quickly to the concept, particularly on

Spring 2016

mobile devices. The introduction of Touch ID on iPhones has them not just accepting of biometrics, but seemingly eager for it.

BLINK AND BUY “Two things have kind of converged,” says Bob Reany, senior vice president of Identity Solutions at MasterCard. “One is that passwords suck and people are fatigued. The other is that there’s a nice substitute at the tip of our fingers.” Reany says technological advances have delivered safe and simple solutions enabling a biometrics boom. Smart phones and other devices are penetrating the market with touch screens, microphones and high-resolution cameras. Look no further than MasterCard’s pilot in the Netherlands last summer for proof that password fatigue is real. Volunteers had no qualms about using biometrics to make purchases. In fact, registration for the pilot maxed out within a day and enrollment surged past the planned 750 participants. ABN AMRO Bank was so happy with the results of the trial that it has continued offering biometric payments online for its customers. “We just finished two pilots, one in the U.S. and one in the Netherlands, and we’re helping people make safer and simpler payments using biometrics in place of a password,” Reany says. To keep transactions as secure as possible, the MasterCard is taking a multi-layered approach. “We know about device identification, geo location, forensics and analytics on behaviors. So you take everything that we already have, and you

add another layer on top of that which would be a biometric authentication.” Say you’re ready to buy something on a merchant website, and you’ve already signed up for your bank’s mobile biometric payment option. “As a cardholder, that’s just another tool that your bank would offer, that MasterCard facilitates,” Reany says. You hit the pay button, and a message goes from the merchant through MasterCard to the bank. “At that point, we would have sent a notification back to the person’s phone saying ‘hey, are you really trying to buy something?’ You press the phone once to say ‘yes,’ and then it says hold your phone up. You hold your phone up to your eye level, you blink your eye, and you never press another button. The blink triggers the fact that the consumer is verifying themselves and that they’re alive. Then we do a quick facial recognition match and give the approval,” Reany says. “Just blink and buy, it’s really that quick.”

A SIGNIFICANT CHALLENGE IS THE LACK OF A STANDARDS FOR BIOMETRIC MOBILE PAYMENTS – GOOGLE, APPLE AND OTHERS EACH HAVE THEIR OWN UNIQUE APPROACH The pilots focused on Internet purchases, where fraud is prevalent. They used three modalities: voice recognition, facial recognition and fingerprint. “We don’t believe in just one biometric modality. We like to be able to plug in more as technology advances, giving choices to both our banks and consumers,” Reany says.

EMV AND BIOMETRICS Visa is actively working to add the security and convenience of biometrics – palm, voice, iris and face – to chip card transactions. The organization’s new specification provides a framework for biometrics to be used as a cardholder verification method with EMV chip payments. That means the users of 3.3 billion EMV chip cards around the world may soon be forgetting their PINs. The specification supports match-on-card biometric authentication, so the biometric isn’t exposed or stored in any central database. “There is increasing demand for biometrics as a more convenient and secure alternative to signatures or PINs, especially as biometric technologies have become more reliable and available,” said Mark Nelsen, Visa senior vice president of Risk Products and Business Intelligence. Building the biometric option on top of the EMV chip standard provides a common, interoperable foundation, he explains.

Visa has offered to contribute the technology to EMVCo, the global body that manages the EMV specifications and works to facilitate interoperability and acceptance of secure payment transactions worldwide. Visa is pursuing what it sees as strong interest in biometric solutions in South Africa and other developing countries. It began a proof of concept trial last fall with Absa Bank, a subsidiary of Barclays Africa Group. Cardholders are using fingerprint readers at select Absa ATMs instead of passwords. “The movement towards added security is already happening. We’ve added the processors onto the cards, and I think biometrics will be the next step,” Todd Mozer, president and CEO of Sensory, a licensing company focused on voice and vision technologies. “It’s not just having that smart card. It’s also knowing who you are when you do the transaction. It’ll be quite natural for the mobile phone to come more into play for products like Square, where you might as well use the camera and the microphone that’s there for doing a biometric.” A significant challenge is the lack of a standardized approach to biometrics for mobile payment “Google’s got their approach, Apple has their approach and a number of others are coming out as well. A clear standard will have to emerge that everybody at some point adopts,” Mozer says.

THE FUTURE OF BIOMETRIC PAYMENTS MasterCard plans to launch biometric payments in North America sometime in 2016, and a global expansion will follow in 2017. By mid-year, U.S. financial institutions will be able to participate in MasterCard Identity Check, a suite of solutions that leverages advanced technologies to prove a consumer’s identity and simplify online transactions. MasterCard also is also eyeing wearables and the role it can play in payments. “We think that there’ll be scenarios where people don’t want to do anything to authenticate themselves,” Reany says. “They’ll want to put their watch or wristband on in the morning, and they’ll authenticate themselves once and walk around all day and things will just happen. Their car doors will unlock, their PCs will get logged onto and they’ll buy stuff.” For now, the immediate focus seems squarely on biometrics. The company already offers a contactless tap and pay system using near field communication (NFC) that can be used with a fingerprint on a mobile device to authenticate a user. But Reany has loftier hopes for buyers at brick and mortar stores. “At some point, you’ll walk up to a grocery store, grab the things out of the aisle, and you’ll be able to check out without having to go through a lane. We call that in-aisle shopping.” Reany says the store of the future will be possible thanks in large part to biometrics. “They won’t have a clerk there, yet they’ll simply verify your identity and check you out.”

Spring 2016

FACE COMING TO FOREFRONT OF BIOMETRIC MODALITIES TECH MAKES NEW GAINS, ERASING BLACK EYE FROM POST 9/11 CLAIMS GINA JORDAN, CONTRIBUTIN EDITOR, AVISIAN PUBLICATIONS

Facial recognition is growing in popularity among biometric forms of authentication. Microsoft has enabled it for access with Hello for Windows 10 users, MasterCard wants to use it to verify payments and other financial institutions are using it to authenticate customers on mobile devices. Still, it’s use spotting suspects in crowds and protecting airports and borders remains the brass ring for security professionals. Face recognition algorithms date back to the 1970s, when the interest was in robotics. It reemerged in the days following the attacks of September 11, 2001. At that time, it was touted as a technology that could spot individuals in a crowd and stop terrorists from entering the country. To a certain extent, it worked fine – if the subjects were cooperative and the images were of good quality – something that wasn’t typically the case at the airports and sports stadiums where the technology was tested. Around the time of 9/11, face recognition was still considered an emerging biometric modality, though it was not truly immature. “IBM laptops already had face recognition locks built into them,” says Brian Martin, director of Research and Technology at MorphoTrust. “After 9/11 the focus went to this kind of ‘bad guy’ use case where you’re trying to find somebody on a watch list. At that point in time, the technology was not accurate enough to meet people’s expectations.” Back then, cameras had much lower resolution and the computational power of computers was much less than it is today. “Now cameras are everywhere. Every mobile phone has a couple of cameras on it. Your phone is as powerful as your com-

Spring 2016

MUCH OF THE USE OF FACIAL RECOGNITION TODAY INVOLVES MATCHING A PERSON AGAINST A SINGLE RECORD – RATHER THAN TRYING TO IDENTIFY AN UNKNOWN SUBJECT FROM A LARGE DATABASE puter was ten years ago. So, it’s a game changer,” Martin says. “You can actually do face recognition on a mobile phone and get good accuracy.” Today, higher resolution images enable matching of small wrinkles and texture of the skin. With cloud computing, endless data is available on the Internet. “Now you can actually train the face recognition algorithms much better than you could 10 or 15 years ago. That’s made a dramatic

difference in accuracy because machine learning requires a lot of data to learn how to solve a problem,” Martin says. Much of the use of facial recognition today involves matching a person against a single record – rather than trying to identify an unknown subject from a large database. This one-to-one facial recognition is easier to accomplish and makes applications like logging onto your phone viable.

Facial rec helps U.S. customs validate identities at JFK Some U.S. citizens and first-time Visa Waiver Program travelers coming into John F. Kennedy International Airport in New York will have their photo taken at the gate and automatically checked against the image stored on their electronic passport chip using facial recognition. The new security procedure adds a step to existing entry processes. When approaching a Customs officer the individual hands over the passport, it’s scanned along and the information stored on the contactless smart card chip is read, and then the traveler’s photo is taken, says Terry Hartmann, vice president of global

transportation at Unisys, which is providing the facial recognition technology. The facial recognition system compares the new image to the image stored on the passport chip, and then gives the probability of a match so the officer can decide if additional security checks are necessary. “The officer makes the decision and refers the traveler to secondary screening if he’s not confident,” Hartmann explains. The images captured on site are deleted unless Customs officials determine that further administrative or enforcement actions are necessary. At first blush it could seem that the system is just matching a face to a stored image, but it’s also verifying the details stored on the ePassport chip, Hartmann says. “It makes it a lot more difficult to counterfeit a passport,” he explains. A counterfeiter can’t just change the information on the data page but would also have to change the information stored on the chip to pass inspection. The deployment at JFK builds on tests of the technology that were conducted at Washington Dulles Airport last year. Additional systems will be rolled out at Dulles in the next month, Hartmann says.

Spring 2016

FACE RECOGNITION IS OFTEN USED WITH OTHER LAYERS OF SECURITY – LIKE GPS LOCATION INFORMATION, REGISTERED DEVICES AND ONE-TIME CODES – AND IT’S SHOWING GREAT PROMISE IN REDUCING FRAUD

“It is important to stress this concept of how facial recognition went from looking for the bad guys to enabling the good guys to do stuff,” he says.

CHALLENGES AND ACCURACY The post 9/11 era spawned significant research into the use of facial recognition for border control and surveillance. “Image recognition is getting a big boost from the artificial intelligence technologies and investments in machine learning,” says Rajiv Dholakia, vice president of Development and Product Management at Nok Nok Labs. “Still, I think an adversary can find these systems a little bit too easy to defeat.” Using face recognition for border control or surveillance applications is very different than using it for user authentication. “You’re trying to prevent bad actors from spoofing a system and that turns out to be more manageable than the border control or surveillance issue,” Dholakia explains. One of the challenges for facial recognition has been liveness detection – making sure the algorithm can detect the difference between a photograph and a real person. Early systems were vulnerable to a replay attack in which a photograph was presented for authentication. Modern systems use layers of technology to more accurately differentiate between live subjects and video images. Facial recognition developer Digital Signal Corporation uses video and Light Detection and Ranging (LIDAR) to produce three-dimensional facial scans at a distance. The founders were using the LIDAR technology in the aviation industry but after 9/11 saw a need in security. “If they could repurpose it for facial recognition, they could possibly prevent a future attack,” says Harry Choi, vice president of Business Development at Digital Signal Corp.

Spring 2016

Choi believes many of the limitations with face recognition have come from the reliance on 2D video cameras and their inability to perform in variable lighting conditions. “They struggle to recognize a face that is in motion and has some levels of occlusion like sunglasses,” he says. “You can detect faces much better utilizing a three dimensional set of data.”

TECHNOLOGY ADVANCES While fingerprint is still the leader in mobile biometrics, facial recognition is growing in popularity. There are no buttons to push, and one blink does the trick. Face recognition is often used with other layers of security – like GPS location information, registered devices and one-time codes – and it’s showing great promise in reducing fraud. Currently, an approach to doing facial recognition has emerged around convolutional neural networks. The whole image of the face is pushed through an artificial neural network. These networks are trained using many images of a known person from social media and other available sources. But much testing needs to be done by independent researchers. “Most of the results are selfreported, meaning the developer self-assesses their accuracy,” says Patrick Grother, a computer scientist with the National Institute of Standards and Technology. “So there’s an enormous amount of work going on in that area at the moment, and that has been made possible by the advent of the digital camera, the invention of convolutional neural networks and the availability of internet-scale data,” Grother explains.

June 15 –– 17, 17, 2016 D.C. June 15 2016• Westin WestinCity CityCenter, Center, Washington, Washington, D.C.

WHY ATTEND? • Learn the latest on legislative and regulatory matters affecting the security industry • Gain a better understanding of market drivers at work in the government space • Network with government and private-sector decision makers

ATTEND THE 2016 SIA GOVERNMENT SUMMIT

Where Technology Leaders Connect To Meet Security Challenges PRECONFERENCE SESSION – JUNE 15 • General Services Administration (GSA) Contracting and The Security Industry

CONFERENCE PANELS: JUNE 16 – 17 • Protecting “Soft” Targets Against the Emerging ISIS and Homegrown Terrorist Threat • What Does It Mean to Secure the Internet of Things?

WHO ATTENDS?

• The Future of Identity Verification Beyond Biometrics In National Security

• Security Executives

• Solving the Video Data Dilemma: Challenges and Opportunities for Local Government

• Sales and Marketing Professionals • Security Practitioners and Policy Specialists • Federal Agency and Congressional Staff • State and Local Government Personnel • Law Enforcement Officials

• How Drones and Video Technology are Redefining Situational Awareness • Surface Transportation Security Trends: Bus, Rail and Mass Transit

securityindustry.org/summit Security Industry Association securityindustry.org

FINANCIAL SERVICES IS THE FASTEST SEGMENT MOVING TO MULTI-FACTOR AUTHENTICATION, FOLLOWED BY HEALTH CARE, PROFESSIONAL SERVICES AND LOCAL GOVERNMENT

Spring 2016

EMPLOYEE BENEFITS FIRM PROTECTS CLIENTS WITH TWO-FACTOR AUTH The P&A Group is an employee benefits firm that helps employers manage employee retirement accounts, flex spending programs and 401K data. For P&A, protecting their clients’ employee data is mission critical. “We have 2 million participants, and if someone takes our customer database we’re out of business,” says Greg Zillox, director of IT Services at the P&A Group. The company was aware of the array of modern threats and wanted to take steps to prevent a data breach. Adding to the complexity is that many of P&A’s employees work remotely. “We have a lot of people in the field and a lot who work remotely, and they all use different devices for logging into the VPN,” Zillox says. With breaches rampant and hackers always trying to find a way in, Zillox has concerns. “If you’re a sales guy or IT guy working remotely and you get a key logger program what are you going to do?” he asks. “Hackers will be able to login to our system and cruise the database.” Conversations with P&A’s disaster recovery provider led the company to SMS Passcode, Zillox explains. After an employee enters a user name and password into the VPN, SMS Passcode sends the employee a five-digit code to their mobile device. If the employee doesn’t enter that code in 45 seconds, an email is sent with the code in case they don’t have the mobile. Some complain that these text messaging and email based code solutions aren’t foolproof. Mobile numbers can be spoofed, text messages rerouted and key loggers can capture codes to be used to gain access. P&A knows about these concerns and performed its own test to see if this is

possible. Using two different laptops, two different people tried logging in with the same username, password and code but only the individual who initiated the session was able to gain access, Zillox says. SMS Passcode ties each code to a unique session ID so that even if someone else has all the correct data they still won’t be able to gain access. P&A hosts the entire SMS Passcode system on premises, Zillox says. Because of the sensitivity of the data it stores the company didn’t want to outsource any of the systems. For more than a year, the company has been using the system with 55 employees without any problems, Zillox says. In the future, they will be using it for password resets as well so employees

don’t have to contact IT if they forget a password. SMS Passcode has more than 10,000 clients around the world, says Henrik Jeberg managing director at the company. While P&A Group opted to host its own system, SMS Passcode can also provide a cloud-based solution. Financial services is the fastest segment moving to multi-factor authentication, followed by health care, professional services and local government, Jeberg explains. The interest often comes from organizations that have a lot of employees on the road. “Basically anything having to do with remote access, lot of VPNs and access to cloud services,” he says.

Two-thirds of enterprises going multi-factor With close to two-thirds of responding companies having suffered a data breach in 2015, 95% reported they would increase cybersecurity spending in the next year. Enterprises are also ramping up authentication procedures with 66% moving beyond user names and passwords. These are results of a survey of 300 IT professional conducted by Wakefield Research sponsored by SecureAuth Corp. Of the companies planning to increase cybersecurity spending, 44% will do so by 20% or more. Some of that increase will go towards identity management and authentication. Recent breaches have shown that user names and passwords aren’t sufficient. This assessment is backed up by the survey results, as two-thirds of respondents will leverage stronger authentication methods. Respondents say that passwords are on their way out, and 91% of cybersecurity professionals agree that the traditional password will not exist in ten years. But the move to new authentication technologies isn’t easy and there is still some confusion in the market. Eight of ten cybersecurity professionals think new authentication methods are prohibitive because they require the latest technology and most up-to-date software. Regardless of the challenges, a overwhelming 97% of respondents say new authentication techniques – such as biometrics and two-factor authentication – are reliable.

Spring 2016

WHITE HOUSE RELEASES NEW CYBERSECURITY PLAN NEW PLAN PUSHES TOWARD MULTI-FACTOR AUTHENTICATION

The Obama Administration has attempted to make strides when it comes to cybersecurity and digital identity. The latest is the Cybersecurity National Action Plan, which urges short-term actions to protect privacy, maintain public safety and empower Americans to take better control of their digital security. Obama’s cybersecurity and digital identity efforts are numerous. It started in 2010 with the National Strategy for Trusted Identities in Cyberspace and its many pilots that continue today. That was followed by a 2014 executive order calling for agencies to secure web sites with multi-factor authentication, and then finally a budget bill signed in December mandating federal agencies to deploy a trusted ID platform for citizen access to information. The new Cybersecurity National Action Plan is multi faceted. It calls for the formation of a new position – the Federal Chief Information Security Officer – to lead these changes across government. The 2017 federal budget allocates more than $19 billion for cybersecurity – an increase of more than 35% over the 2016 enacted level. A separate effort aims to update legacy systems that are difficult to secure with modern technologies. “I’m encouraged that the administration is directing the bulk of new dollars not at new ‘cyber’ programs, but rather at replacing legacy IT systems in government that are so outdated as to be not securable,” says Jeremy Grant, managing director at the Chertoff Group. It’s well beyond time this received some attention. “You can bolt an airbag onto a ’78 Corvette, but it won’t look pretty and it won’t be very effective – and the same goes for trying to bolt modern protections onto outdated systems,” Grant explains. “This budget starts to shift the discussion – moving away from specific cyber programs that are layered on top of old IT and toward buying IT that bakes security in from the start.” Specifically called out in the plan is the possibility of enabling consumers to move to multi-factor authentication: “Empower Americans to secure their online accounts by moving beyond just passwords and adding an extra layer of security. By judiciously combining a strong password with additional factors, such as a fingerprint or a single use code delivered in a text message, Americans can make their accounts even more secure. This focus on multi-factor authentication will be central to a new National Cybersecurity Awareness Campaign launched by the National Cyber Security Alliance designed to arm consumers with simple and actionable information to protect themselves in an increasingly digital world. The National Cyber Security Alliance will partner with leading technology firms like Google, Facebook, DropBox, and Microsoft to make it easier for millions of users to secure their online accounts, and financial services companies

Spring 2016

such as MasterCard, Visa, PayPal, and Venmo that are making transactions more secure. In addition, the Federal Government will take steps to safeguard personal data in online transactions between citizens and the government, including through a new action plan to drive the Federal Government’s adoption and use of effective identity proofing and strong multi-factor authentication methods and a systematic review of where the Federal Government can reduce reliance on Social Security Numbers as an identifier of citizens.” “It’s good on the identity side to see the White House reiterate the need to accelerate adoption of strong multi-factor authentication and identity proofing for citizen-facing federal government digital services,” Grant explains. But, there are questions as to how this will happen. GSA is called out to lead this effort, but what’s notable is that the White House says the agency will establish a new cybersecurity

program, despite the fact that its already been managing Connect. Gov. Connect.Gov is an existing program to enable citizens to use credentials they already have to access federal web sites, and ‘step up’ their identity if a higher level of assurance is needed. Will this going to be a new program, or will it build on the investments already been made in Connect.Gov? “If there is a new effort, will the GSA be directed to follow the Identity Ecosystem Framework created by the Identity Ecosystem Steering Group?” asks Grant. Connect.gov was architected to align with the framework, ensuring that citizen-facing digital services deliver enhanced privacy, security and usability with a solution that is interoperable across agencies. “Version one of the framework has been released and it will be important for the government to lead by example and embrace it,” says Grant.