Regarding ID Fall 2012 by AVISIAN

31 A survey of ID technology - FALL 2012 - Issue 31

Secure driver licenses arrive States comply with REAL ID

Bleeding-edge biometrics Can newest PIV flavor be trusted? U.S. carriers drag feet on NFC

Bringing security to your world

Delivering ID programs that fit your country Government identity solutions from HID Global. The right interoperable products, the right field-proven brands like LaserCard® Optical Security Media (OSM), ActivIdentity® Credential Management System and FARGO® ID card printers and encoders. Tailored processes backed by years of the right design and integration expertise. We power the world’s most secure ID credential programs — including the US Green Card. We’re HID Global. Learn more at hidglobal.com/citizen-ID

Become an

IEEE Certified Biometrics Professional

Why CBP? The IEEE Certified Biometrics Professional® (CBP) program has two major components: Certification and Training. Professionals and organizations both can benefit from the IEEE CBP program. Key advantages are: ■ Prove

your knowledge

■ Increase ■ Learn

your credibility

a baseline of industry knowledge

■ Train

employees

■ Gain

a competitive advantage

“The IEEE CBP program delivered on its promises. It strengthened some of the areas and aspects of biometrics that are less familiar to me and made me more well-rounded.”

Learn more and register today! www.IEEEBiometricsCertification.org

—Gregory Johnson, CBP, BRTRC

WhAT SECURITY DEMANDS, DATACARD ID SYSTEMS DELIVER. ®

Whatever you need for a secure ID card program, you can get it from a Datacard® system. Datacard Group offers ID card printers, software and supplies — plus 40 years of experience and the support of authorized Datacard providers worldwide. To contact a provider near you, call +1.800.621.6972 or visit datacard.com/id. Datacard is a registered trademark and/or service mark of DataCard Corporation in the United States and/or other countries. ©2012 DataCard Corporation. All rights reserved.

CONTENTS

26 Cover Story All hail the secure driver license The REAL ID Act was a controversial piece of legislation when passed in 2005. While states complained, and some even enacted legislation refusing to comply, the vast majority of have improved their driver license issuing processes and the security of the documents.

42 Enabling federal IDs on D.C. Transit Open-loop transit is sweeping the country from New York to Seattle. The Washington Metropolitan Area Transit Authority is moving in that direction and taking the added step to accept federally-issued PIV credentials for transit payment.

50 Bleeding-edge biometrics DNA, odor and ear biometrics are just a sample of what is on the horizon for biometric modalities. Thereâ&#x20AC;&#x2122;s also a push for biometric solutions that identify individual transparently, without active interaction.

60 Contactless access to lockers and safes Contactless for physical access control is nothing new. For organizations seeking to expand the use of their contactless system, there are plenty of other options. Many are adding convenience and improving ROI with secure, auditable access to lockers, cabinets and safes.

62 Is FIPS 201-2 future proof? The recently released draft of FIPS 201-2 is receiving much better reviews than the previous draft. It offers increased functionality of the contactless interface, additional biometrics and an opportunity to migrate the credential to mobile phones.

42 Fall 2012

CONTENTS

6 REAL ID finally arrives Possibility of high tech, multi-app IDs intrigues

46 NFC’s secure element war Battle continues with consumers at mercy of mobile operators

8 ID Shorts News and posts from the web

47 Legal issues surround control of secure element

9 Calendar Industry events from the identity and security worlds

49 U.S. carriers drag feet on NFC handsets

13 Podcasts Summaries from recent podcasts: Securing high profile events, ‘iris attack,’ FIPS 201-2 24 Stats Highlights from recent research and findings 26 All hail the secure driver license States complying as REAL ID arrives

49 Dynamic duo: Smart card technology and mobile ID New report says card or handset, smart card tech plays critical role 50 Bleeding-edge biometrics DNA, odor, ear and other modalities on the horizon 56 Can CIV be trusted? New ID standard lacks vetting of PIV, PIV-I but expands options for enterprises

58 Campuses pilot NFC for access control Villanova, University of San Francisco expanding trials in fall 60 Contactless access to lockers and safes Enabling access anywhere, anytime increases ROI for ID systems 62 Is FIPS 201-2 future proof? New government ID spec expands mobile use, contactless, biometrics 64 Report: Card market tops $17 billion, 30 billion units in 2011 66 Contactless ticketing catching on at festivals

27 Smart card driver licenses on the horizon? 28 18 benchmarks for REAL ID compliance 31 National driver license database stalled

INDEX OF ADVERTISERS

32 Defining the issuance models

34 Tech 101: What is SAML? Spec could be the backbone to interoperable online IDs 36 Kantara accreditation: Need for chain of trust grows as ID providers proliferate 38 Researchers target iris templates 40 Gartner highlights NFC in 2012 Hype Cycle

42 Enabling federal IDs on D.C. Transit WMATA wants PIV for fare payments 44 Retailers turn to biometrics for time and attendance Apps save money by curtailing employee fraud 4

Fall 2012

2 Datacard Group www.datacard.com/id

41 AOptix www.aoptix.com/identity

5 ASSA ABLOY www.intelligentopenings.com

49 CSC www.csc.com/cybersecurity

7 Digital Identification Solutions www.matica.us

53 Biometric Conference www.biometricconference.com

23 SALTO Systems www.salto.us

55 CARTES www.cartes.com

29 Evolis www.evolis.com

65 ISC East www.isceast.com

33 Lumidigm www.lumidigm.com

67 IEEE Biometric Certification www.IEEEBiometricCertification.org

35 Entrust www.entrust.com/epassport

68 HID Global www.hidglobal.com/citizen-ID

Access control isn’t one size fits all either.

Download Our App

From patented key systems to full-featured, online integrated locksets, ASSA ABLOY offers access control solutions tailored to the unique locking needs of each opening. With the industry’s largest range of products, from the most trusted brands, your security dollars reach farther into your facility. Contact your ASSA ABLOY Integrated Solutions Specialist for a consultation on your next project. Visit us at www.intelligentopenings.com/SecurityContinuum.

Want help finding the right solution for any opening? Scan this Microsoft® Tag with your iPad® or visit the App Store to download the Security Continuum App for iPad.

ABOUT

EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com CONTRIBUTING EDITORS Ryan Clary, Liset Cruz, Jill Jaracz, Gina Jordan, Ross Mathis, Denise Trowbridge ART DIRECTION TEAM Franco Castillo, Ryan Kline

REAL ID finally arrives

ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com

Zack Martin, Editor, Avisian Publications

SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions. avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2011 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.

Fall 2012

Possibility of high tech, multi-app IDs intrigues

Even before the REAL ID Act of 2005 was made a law it was the boogeyman lurking in the corner, waiting to take away personal liberties and bring us to a “Papers, please” country. Seven-years later, though oft delayed, the first significant REAL ID deadline is just months away and states are taking steps to improve driver license issuance processes and security. Even states that passed legislation saying they would not comply with REAL ID are producing better documents and performing better background checks. And we still live in a democracy and our civil liberties have not been vanquished even though individuals must bring more documentation when renewing a license. Many states did not have sound processes in place for issuing IDs and still more did not have counterfeit-resistant documents. In college I knew people that took their older siblings paper work to the DMV and got legitimate licenses so they could go out to the bars. Others created fake IDs with flat bed scanners and color printers. Having worked as a bouncer, I don’t know

how these IDs passed muster but then again it was Chicago. Fake IDs are a serious business and REAL ID is certainly making an impact. With the majority of states using facial recognition, kids can’t take their brothers’ info to get an ID. New document security features make it more difficult to create fakes using off-the-shelf equipment. This would be apparent, as the fake ID trade out of China is brisk. When the Chicago-local news is covering stories about shipments of fake IDs caught in customs at O’Hare International Airport, you know it has become an issue. But while underage age drinking is a problem, there are greater concerns when it comes to fake IDs. Making sure officials know who is boarding an airplane or entering a federal office building is crucial. Some of the REAL ID requirements were tough to meet. Changing from an over-the-counter issuance model to a centralized issuance model requires a total business transformation. Other changes were long overdue. Hooking into the Social Security Administration database to make sure a name

PERSPECTIVE

matches a number is a step that should have been done long ago to protect citizens from identity theft. All these changes may lead to even greater things to come. Many states have started discussing future use of smart card technology for a driver licenses. This could open doors to a range of additional applications and could be used to access Medicaid, food stamps or any number of other state-run programs. The cost of issuing a smart card would be greater but instead of having multiple state agencies issuing identity documents there would be one that could be used for multiple purposes. And then there are the discussions around securing online identities. By the time you read this the pilot recipients for the National Strategy for Trusted Identities in Cyberspace should

have been awarded. Imagine the day when a state-issued smart driver license could, at your option, be used to secure your online identity during banking, e-government, social media and a host of other now-vulnerable transactions. I hear the shouting already – ‘police state’ … ‘my civil liberties’ – but maybe we can point to REAL ID and how that boogeyman didn’t really rob us of much.

ID SHORTS

ID SHORTS Short stories from the web

ThirdFactor FBI expands facial recognition search pilot All law enforcement agencies in the U.S. will be able to take advantage of the FBI’s facial recognition database now that the

By tapping into the FBI’s Universal Face Workstation, agencies can conduct automated facial and photo searches without having to make a large investment in technology. The FBI’s pilot began last February in Michigan. Since then, Hawaii and Maryland have also joined the project. Three other states are actively working on Memorandums of Understanding in order to participate, and another five states have shown interest in the program. The pilot’s software has a database of about 13 million mug shot photos from criminal bookings. The system should be fully operational by summer 2014. This facial recognition software is part of the FBI’s Next Generation Identification program, which is developing more biometric identification capabilities. Other aspects of this program include a national palm print system, scheduled for spring 2013, and an iris pilot, scheduled for the second half of next year.

GovernmentID GSA taps XTec for cloud-based physical access control XTec announced that GSA Region 1 signed a 10-year licensing and maintenance contract for enterprise support of XTec’s cloudbased physical access control solution. The agreement continues an ongoing GSA partnership with XTec, which provided GSA’s first cloud-based solution. XTec’s AuthentX PACS solution has operated in a cloud environment for more than five years. Off-site hosting offers flexibility for customers with multifacility and multi-tenant enterprise. GSA’s relationship with XTec precedes the advent of PIV credentials. In the years since XTec first provided smart card issuance for GSA, the provider has supported physical access control at multiple GSA federal buildings. XTec’s cloud-based PACS solution is compliant with standards outlined by Federal Information Security Management Act, General Services Administration and the National Institute of Standards and Technology.

13m Mugshots

FBI expanded the pilot to provide all law enforcement agencies with free access to the system.

Fall 2012

ID SHORTS

FEBRUARY

FIPS201.com Schlage releases FIPS 201-1 AD-series lock

NOVEMBER

In addition to GSA, the Department of State, Department of Defense, Department of Homeland Security, Environmental Protection Agency, Bureau of Prisons, National Science Foundation and Department of Labor also utilize XTec’s AuthentX PACS solution.

OCTOBER

Calendar

Infineon Technologies released an NFC tag application developer kit for the North American market to help smart phone app developers design and test information exchange applications based on NFC Forum Type 2 Tag technology. “One key category of applications for NFC technology is based on the ability to create ‘Tap and Use’ applications that link between a mobile device and tags embedded in objects,” said

The 11th Annual Smart Card Alliance Government Conference November 28-30, 2012 Walter E. Washington Convention Center Washington DC 2013 Payments Summit February 5-7, 2013 Grand America Hotel Salt Lake City, Utah RSA Conference 2013 February 25 - March 1, 2013 Moscone Center San Francisco, Calif.

APRIL

NACCU Annual Conference April 14-17, 2013 Disney Contemporary Resort Orlando, Fla. CARTES America April 23-25, 2013 Las Vegas, Nev.

MAY

nfcnews Infineon launches development kit for NFC tag apps

Cartes 2012 Exhibition and Conference November 6-8, 2012 Paris-Nord Villepinte exhibition centre Paris, France

ISC West 2013 April 9-12, 2013 Sands Expo and Convention Center Las Vegas, Nev.

Schlage unveiled its FIPS 201-1 AD-series locks, offering government security personnel a customized electronic lock solution. Sold as a complete system in either wired or wireless versions, the new electronic locks aim to provide increased connectivity while lowering the cost of opening doors. The lock and reader and components of Schlage’s new system are FIPS 201-1 compliant, support both PIV and PIV-I cards and can utilize either the RS-485 of Wiegand interface for communication.

MRTD 2012 Eighth Symposium on and Exhibition on ICAO MRTDs October 10-12, 2012 ICAO Headquarters Montreal, Canada

NFC Solutions Summit 2013 Smart Secure Mobile Payments and Non-Financial NFC Apps May 15-16, 2013 Hyatt Regency San Francisco Airport Burlingame, Calif. CTIA Wireless 2013 May 21 - May 23, 2013 Las Vegas, Nev.

Fall 2012

ID SHORTS

Infineon in a release. “Programmed with a short message or URL pointer to a website, embedded tags can be used to make signs and posters in retail environments ‘smart’ and provide easy check-in to locations for consumeroriented services.” The $99 kit includes 128 byte and 2kb SLE66 R01 Series NFC tags in two form factors and an SLE 66R32 in a card form factor, along with programming information and application notes.

ContactlessNews Mobile technology vouches for age in UK towns Young adults in Wiltshire and Somerset counties in the U.K. can ease the process of proving their age when buying alcohol thanks to mobile technology from Touch2id. The Touch2id sticker attaches to a mobile phone and contains a template of the user’s fingerprint. When held over a Touch2id handheld reader at licensed venues, the reader verifies the user’s adult status and authenticates the user via fingerprint check. This system was piloted for two years and is now being rolled out. It is available at the post office, where enrollees verify their data and receive the sticker in a process takes about five minutes.

GovernmentIDNews HID Global ships 150+ million eID solutions worldwide HID Global reached a milestone by shipping more than 150 million hightechnology electronic passports and

Fall 2012

credentials to governments for citizen IDs around the world. The company has shipped more than 100 million components used in e-passports by travelers in 30 countries, approximately 28% of the world’s market. HID Global has also shipped more than 50 million microchip-based inlays used in eIDs by citizens in 22 countries. HID Global’s secure contactless technology inlays and prelaminates enable governments to make e-passports and other electronic documents more secure. The company’s products are designed to extend the life of e-documents, while withstanding daily wear and reducing incidents of tampering and fraud. By 2015, 85% of all credentials issued annually across the globe will be eIDs, according to a recent Acuity Market Intelligence report. The number of countries issuing eIDs is expected to exceed the number of countries issuing traditional national IDs by four to one.

SecureIDNews Visa’s CitizenCard ID doubles as prepaid card Visa is adding commercial purchases to its Prepaid CitizenCard ID. The

ID SHORTS

cards, which are available for ages 12 and above, display the cardholder’s date of birth of the cardholder as well as an age band – 12-15, 16-17, 18+, 21+, etc. This band, along with the card number, identify whether the cardholder is over or under the age of 18, thus preventing the card from being used to pay for age-restricted goods if the cardholder is not of age. The CitizenCard’s Government PASS mark – a proof of age standard scheme – is recognized as valid ID by the Home Office, the Scottish Government, the Police and Trading Standards and is approved by Visa. The new Visa CitizenCards are prepaid, meaning that money must be loaded onto the cards prior to using it for a purchase. Loading the card is free if done by bank transfer, standing order, online banking or at any Barclays branch. Loading it with cash carries a fee of 2-3%. Advocates of prepaid cards say that this not only improves money management habits, but also avoids the possibility of debt. Additionally, the cards double as a form of identification. With a replacement cost of only £15 – far less than the cost to replace a driver license or passport – the ad-

vantages of the cards are evident. Critics of the cards are skeptical of money and personal information being stored in the same place. Costs for that cards are currently £15 for delivery within a month and £30 for delivery within a week.

SecureIDNews San Luis border introduces Ready Lane for RFID-enabled travel documents The U.S. Customs and Border Protection agency installed an RFID-enabled Ready Lane at the San Luis, Arizona border-crossing station. The single lane will be open between 6 A.M. until 12 A.M. enabling anyone with RFID-enabled travel documents – the U.S. Passport Card, new Legal Permanent Resident “green card” and the new Border Crossing Card – to enter the country. Initially, the CBP has only the one lane open but with sufficient use the agency could add more lanes to the Ready Lane program. Border crossing officials hope to get the word out, so more people will get

RFID documentation and help move border traffic along more quickly.

SecureIDNews William I. MacGregor, ID thought leader, passes William I. MacGregor, one of the driving forces behind the government’s FIPS 201 smart card specification, passed away in late August. MacGregor, Ph.D., CISSP, CISA, served the government and private sector for more than 32 years as a technologist and business strategist, focusing on identity management and enterprise security solutions. MacGregor joined the Computer Security Division, Information Technology Laboratory at the National Institute of Standards and Technology in 2006, where he served as NIST PIV Program Manager and contributed to the development of national and international standards related to identification and authentication systems. “Bill was, not only a true thought leader in his field, but a diligent and considerate partner to his management, to his peers, and to those he mentored,” says William C. Barker, NIST’s ITL Cybersecurity Standards and Technology

Fall 2012

ID SHORTS

Advisor. “His co-workers, NIST, and the nation will miss him as a person and a scientific leader.” In this capacity at NIST, he served as an early visionary for the National Strategy for Trusted Identities in Cyberspace and acted as the lead for FIPS 201-2. He served as the Identity Management Systems Program Research & Development co-lead research on Secure Biometric Match-On-Card authentication and with

Bill was, not only a true thought leader in his field, but a diligent and considerate partner to his management, to his peers, and to those he mentored colleagues on symmetric key injection to smart cards. MacGregor served as NIST PIV Program Coordinator, with the HSPD-12 Executive Steering Committee, OMB HSPD-12 Support Team, Identity Credentialing and Access Management Committee, Federal Identity Credentialing Committee and Government Smart Cards-Interagency Advisory Board. He lead and co-authored several NIST publications in the FIPS 201 standard suite, including SP 800-116, A Recommendation for use of PIV Credentials in Physical Access Control Systems, SP 800-73 Interfaces for Personal Identity Verification, NIST IR 7452 Secure Biometric Match-On-Card Feasibility Study final report. Prior to joining NIST, MacGregor was employed by Schlumberger for twenty

Fall 2012

years and by Bolt Beranek and Newman for three years. At Schlumberger, his positions included founder and Senior Technology Strategist for an information security business group, Manager of a corporate IT Advanced Technology Group, and business intelligence specialist in information security. MacGregor received his undergraduate degree in Mathematics from Stanford University, and a PhD in Computer Science from The University of Texas at Austin.

SecureIDNews U.S. senators ask China to stop selling fake IDs Four U.S. senators have sent a letter to China’s ambassador to the U.S. urging the Chinese government to crack down on companies selling fake driver licenses. Sens. Charles Grassley (R-Ia.), Tom Harkin (D-Ia.), Mark Kirk (R-Ill.) and Dick Durbin (D-Ill.) crafted the letter detailing how individuals can obtain high quality counterfeit licenses from Web sites operated by companies based in China. “Counterfeit driver licenses pose many risks to public safety and national security,” stated Brian Zimmer, president of the Coalition for a Secure Drivers License in a release. “It’s extremely important that the highest levels of the Chinese government be made aware that criminal entrepreneurs operating from their country are undermining the counter terrorism security apparatus of the United States.” The fake licenses have also been obtained by college students who want IDs that will prove they’re over the age of 21. The Chinese Web sites enable an individual to insert a digital photo and biographic information – typically a false age and name – into the current

state-issued driver license or identification card template. For $200 – prices are lower for bulk orders – the individual will then receive two counterfeit driver licenses. One Web site contains templates for driver licenses for more than 20 states, Zimmer said. Chinese companies are also producing fraudulent immigration and work permit documents.

NFCNews Long Island Rail Road tests NFC posters New York’s Metro Transit Authority partnered with Nokia to pilot NFCenabled posters in select Long Island Rail Road stations. The “Touchpoint” posters can be tapped with an NFC phone to automatically launch the Long Island Rail Road help page on the phone’s browser. Eventually the pilot will be expanded to allow customers to use their phones to pay for fares. The pilot kicked off in June with a test phase involving 100 selected Port Washington Branch customers simply making “taps” on the touch points, with no fare payments transacted, according to Metro Transit Authority. Other stations receiving the posters include Great Neck, Bayside and Broadway.

GovernmentIDNews Malaysia taps Infineon for national ID project Infineon Technologies announced it is supplying the security chips for Malaysia’s new national electronic identity

ID SHORTS

cards. Known as MyKad, the smart card features Infineon’s SLE 78 security controller with Integrity Guard security technology, combined with SOLID FLASH for fast deployment capability. MyKad is a multi-application national electronic identity card with biometric identification. It enables the

PODCASTS Episode 97: Investigating the iris attack The 2012 Black Hat conference made headlines claiming iris biometrics had been hacked. But don’t go sounding the warning alarms quite yet. While it’s true that researchers discovered a potential vulnerability, there are countermeasures in place that make the hack impossible, or at least improbable, in the real world. Regarding ID’s Gina Jordan spoke with Arun Ross, associate professor at West Virginia University, who was one of the researchers on the project.

implementation of additional functions such as driver license, health, ATM, e-signature and eGovernment services. Malaysia issues approximately 2 million new identity cards each year. MyKad also uses Infineon’s Integrity Guard security technology. For identification documents with high demands on security, it offers long lasting security with encrypted Dual CPU-core. With this technology, data is encrypted along the entire path.

SecureIDNews Datacard rolls out new card issuance system Datacard Group launched its Datacard MX1100 card issuance system designed to help financial institutions, governments and other organizations take a first step into centralized card issuance. The system offers a combination of low cost-per-card and ease-of-use for expanding card programs. The system can personalize up to 600 cards per hour, creating a complete card-to-envelope solution. Configurations include magnetic stripe encoding, smart card personalization, single-step color printing, graphics printing, laser engraving, embossing, label affixing and bar code scanning. It offers the option to personalize both contact and contactless cards in one system and provides seamless

“It is good to know about these vulnerabilities, but what is more important is to report the fact that there are countermeasures in place that can potentially deflect these attacks,” Ross says. “Vulnerabilities have to be reported because that would allow researchers worldwide to further develop algorithms that can successfully make their systems robust to future attacks.”

Episode 96: Analyzing FIPS 201-2 The revised draft of FIPS 201-2 was released and includes quite a few changes. Additional contactless functionality, new biometrics and mobile abilities are all proposed to be included in future generations of the government credential. Neville Pattinson, senior vice president of Government Sales at Gemalto Inc., talks about these changes and some concerns he has about deploying new credentials and an infrastructure to support them.

Episode 95: Identity with high profile events Large, high profile events, like the London 2012 Olympics, need to be secure while also enabling individuals to get where they need to go without too much of a security hassle. Mark Joynes, director of Product Management at Entrust, explains how security and identity plans for these events are created. He also discusses Entrust’s involvement with the Interpol employee credentials that is used for crossing borders as well as physical and logical access to Interpol facilities and networks.

Fall 2012

ID SHORTS

FInancialIDNews Apple adds wallet to iOS 6 Apple announced that it’s adding a wallet feature to the latest iOS for iPhones, the company revealed at the Worldwide Developer’s Conference. Users will be able to load airline boarding passes, movie tickets, retail coupons, loyalty cards and others in one place. Once a consumer had downloaded the coupon or ticket it will show up as a QR code on the phone which can then be scanned. “Wake your iPhone or iPod touch, and passes appear on your Lock screen at the appropriate time and place – like when you reach the airport or walk into the store to redeem your gift card or coupon. And if your gate changes after you’ve checked in for your flight, Passbook will even alert you to make sure you’re not relaxing in the wrong terminal,” Apple describes. While the system uses QR codes now, Gizmodo.com predicts that this may be a sign that the next iPhone may include NFC technology and added payments functionality.

CR80News University Smart Card celebrates anniversary in Argentina Argentina’s University Smart Card, issued by Banco Santander, is used by 270,000 students and teachers at 25 universities. The program recently celebrated its 10-year anniversary. Argentina’s Business University was the first school to issue the smart card in 2002. It is one of the biggest private universities in the country serving 21,000 students and 4,000 teaching and administrative staff. The card serves as a debit card as well as functions for access control, library loans and attendance records for teachers. Every year, the bank issues about 6,800 cards to new students. So far, 41% of the universities in Argentina have issued the smart card. Universities design and establish the functions of the card depending on the needs of each campus. First issued in Spain in 1995, the smart card is a service provided by the Bank through the Santander Universities global division. Banco Santander currently issues 5.4 million of these cards to more than 250 universities in 11 countries.

integration with Datacard’s MX Lite card delivery system and the Datacard MXi envelope insertion system for a complete card-to-envelope solution.

NFCNews Australian ski resort adopts NFC NFC Wireless is helping make the Australian ski resort town of Falls Creek an NFC-connected locale. More than 50 Falls Creek businesses have added NFC stickers from NFC Wireless to their storefronts, enabling customers to tap their NFC phones to launch a mobile website and download coupons, buy ski-lift tickets, check the weather, access social media and more. Any business can buy the NFC sticker for a few dollars, and then use the company’s on-line tool to set up a mobile “Pod” site in a matter of minutes. From there, the business can choose from dozens of services to offer their customers.

ContactlessNews Evolis ID card printers chosen for Belgian public transit Public transportation operators STIB & SNCB in Belgium have chosen the Evolis Zenius Expert card printer to deliver contactless MOBIB transit cards to commuters who ride the city’s metro, tramways and buses. With the Zenius Expert, sales counters operated by STIB and SNCB can personalize and instantly deliver passes to commuters in seconds. An integrated module encodes all data related to the subscribed travel plan onto the contactless chip. This virtual embedded subscription can be renewed and updated easily online or at counters and vending machines throughout the numerous stations. This contactless technology is compliant with the Calypso2 fare collection standard.

FIPS201.com U.S. Army Reserve Command deploying Monitor Dynamics access control system The U.S. Army Reserve Command implemented Monitor Dynamics’ FICAM Platform to achieve FIPS 201 compliance with its physical access control systems. As per OMB M11-11, each Army Reserve command facility will be required to implement

Fall 2012

ID SHORTS

technology such as the Trusted FICAM Platform to achieve FIPS-201 certification. The U.S. Army Reserve Command supports all Army Reserve troop units in the continental U.S. It also ensures the readiness of its forces and prepares the nearly 1,700 units under its command to mobilize and deploy to a wartime theater of operation. The platform delivers PKI capability to the reader, validating across the Federal Bridge for PIV-I credential verification. The Trusted FICAM Platform has been successfully implemented and is currently operating reading PIV-I and CAC across numerous U.S. Army Reserve Command locations. It has delivered convergence capabilities to the command for both physical and logical access to facilities and computer networks.

Third Factor FBI to start collecting tattoo information The FBIâ&#x20AC;&#x2122;s Biometric Center of Excellence will start tracking tattoos as a biometric identifier. In order to gather its information, the center reached out to academia, industry and law enforcement seeking currently existing databases of tattoo and symbol images, what they mean and if they are affiliated with any gangs, terrorist groups or other criminal organizations.

Fall 2012

ID SHORTS

DigitalIDNews EU to enable cross-border electronic signatures The European Commission announced that the European Union is proposing new rules to enable cross-border esignatures and e-identity. The new proposals enable people and businesses from EU member countries to use their own national e-IDs to access public services in other EU countries that also have electronic identification programs. It will also enable eProcurement across borders. The proposal would not make participation mandatory for those nations with e-ID programs. Instead, it would enable those countries to opt into the program. Likewise, nations with-

out eID systems would not have to adopt them. However, once a country joins this European plan, it must offer the same access to public services to all e-ID holders in the system as it offers to its own citizens. This system could benefit students who register online for enrollment in a foreign university and citizens who move to other EU countries. Additionally, it could assist those who get married abroad, file multiple tax returns or are hospitalized abroad and need access to their online medical records. The EU proposal also includes an update to the current eSignature Directive that would enact common standards and practices for e-trust and verification technology to make those functions interoperable across member countries.

Third Factor U.S. National Capitol Region police agencies deploy mobile devices Patrol officers in the U.S. National Capitol region are now able to take fingerprint images in the field with the deployment of MorphoTrak’s Mor-

Fall 2012

phoIDent, a small mobile terminal that can capture fingerprint images in the field. Police agencies in Fairfax and Prince William counties, among others, have ordered 220 of the identification terminals. They will help officers identify both suspects and incapacitated individuals. The MorphoIDent device has an intuitive user interface and a large color screen that’s visible outdoors, yet it fits into a shirt pocket. It’s capable of capturing two fingerprint images per subject and sends those to the police agency for comparison within a local fingerprint database. Responses come within a minute and are signaled through vibration. Having the device in the field enables officers to have more knowledge when dealing with subjects who come up as positive matches in the system.

Third Factor Sen. Al Franken raises questions about facial recognition technology At a July hearing on facial recognition technology, Minn. Sen. Al Franken (D) expressed his concerns about the technology and its possible abuse by the government and law enforcement agencies. Franken, who serves as chairman of the U.S. Senate Subcommittee on Privacy, Technology and the Law, feels that facial recognition technology poses “acute privacy concerns that fingerprints do not.” His concern was directed at a number of targets including the FBI, Federal Trade Commission as well as Rob Sherman, manager of Privacy and Public Policy for Facebook. Franken’s fear is that facial recognition technology

ID SHORTS

Franken believes that companies should obtain customer consent prior to acquiring their biometric data. will wrongfully invade the privacy of the American public. The technology’s abuse by law enforcement would allow for the identification of protesters at rallies and “make them the target of selective jailing.” The Federal Trade Commission was also a subject of Franken’s discussion, specifically the agency’s efforts to implement best practices for privacy assurance. Franken believes that companies should obtain customer consent prior to acquiring their biometric data. Social networking site Facebook incorporates facial recognition technology in the site’s photo tagging feature. The feature comes standard with membership, but Franken feels that the service should be a choice for the user – an opt-in feature – rather than a default. To support his argument Franken cited Facebook’s privacy page, which fails to mention facial recognition.

SecureIDNews Nano-SIM battle is win for Apple The European Telecommunication Standards Institute (ETSI) ruled on the longdebated nano-SIM technology, selecting

the spec promoted by Apple rather than the version pushed by Nokia, RIM and Motorola. The new SIM will be 40% smaller than today’s smallest SIM but it will be backwards compatible with existing designs and enable all current functionality, according to ETSI. Size matters in smart phone interiors as manufacturers struggle to embed more technologies, larger batteries and screens into smaller and smaller handsets. The nano-SIM or 4FF is designed to be tray loaded into the handset, while the competing design would be push loaded.

NFCNews Alaskan Airlines adopts NFC-ready readers from Access IS

the company. With the NFC base in place, passengers can simply tap their NFC phone against the reader to board their flight. In addition to reading flight tickets, NFC could be integrated throughout the entire airport experience for Alaskan Airlines passengers, including everything from parking access to paying for items at retail locations in the terminal. According to Access IS, Alaskan Airlines will have to wait on the TSA’s approval before switching the devices over to NFC.

SecureIDNews Israel to review smart identity card pilot Israels’ Interior Ministry will reevaluate its pilot of smart identity cards. The decision came during a recent High Court of Justice hearing and questioned whether a single, centralized biometric database is the best choice for collecting and maintaining citizens’ data.

Access IS is supplying Alaskan Airlines with 350 new boarding gate readers that can be upgraded to support NFC phones. Access’ BGR135 unit comes with the ability to scan both mobile and print 2D bar codes, but can be upgraded to accommodate NFC by simply swapping the original base for an NFC-enabled one, according to

Fall 2012

ID SHORTS

Civil rights groups and data security campaigners petitioning that such a database could suffer information leaks and give the government the ability to control and conduct surveillance on citizens. The petitioners also claimed the ministry did not study any alternatives to a centralized database. The court asked that the government reexamine whether a single database is necessary. Civil rights groups have been sensitive to this type of information gathering after a recent theft of a sensitive population registry database that exposed personal data for nine million Israelis.

DigitalIDNews Gemalto unveils law enforcement ID solution Gemalto launched the Protiva Defender Suite designed specifically for law enforcement agencies, justice departments and first response teams. Protiva Defender Suite is a portfolio of authentication software, digital credentials, smart cards, one-time passwords, mobile PKI and related services. This solution comes in response to the growing number of mobile computing devices used by civil servants and solves their need to have a way to securely access law enforcement central networks from outside the office. Protiva Defender Suite also addresses the increasing industry regulations mandating strong digital identity verification when accessing secure networks containing citizen information. With a single identity credential, officers can securely gain access and transfer information from anywhere, through any digital media, such as a tablet or customized handheld device. In addition, they can perform administrative tasks remotely, file paperwork securely, protect email communication

Fall 2012

and digitally sign documents. Protiva Defender Suite can also be extended to integrate eCitation solutions that streamline citation issuance for violations and payment processing, resulting in fewer errors and lower costs.

Third Factor Apple buys AuthenTec Apple announced the acquisition of AuthenTec for $356 million. AuthenTec provides embedded fingerprint scanners, identity management solutions and digital rights management software. Does this mean that Apple devices will start shipping with fingerprint scanners for access? It’s not immediately known. Alan Goode, founder and managing director at Goode Intelligence, a mobile security research, analysis and consultancy, says it’s a positive sign. “It could lead to next generation Apple products having embedded security controls, both hardware and software-based,” Goode says. Fingerprint scanners embedded into mobile devices are not new. Laptops from Lenovo and Dell have carried them for years and Japanese handsets have also incorporated the technology. The scanners unlock the device, can

It could lead to next generation Apple products having embedded security controls, both hardware and software-based provide access to specific applications and serve as authorization for NFC payments, Goode says. AuthenTec fingerprint scanners were also deployed in Motorola’s ATRIX 4G Android handset. The sensor serves as a biometric lockout on the phone in general with other security

options including a drawn pattern, PIN or password. “Could this news be the catalyst to accelerate the adoption of biometric security onto smart mobile devices?” Good asks. “There is now much more of a chance of this happening.”

SecureIDNews South Africa issuing biometric smart card for social security Infineon Technologies is supplying security chips for a government smart card project in South Africa. The government’s South African Social Security Agency is issuing biometricenabled EMV cards for distribution of social grants across all of South Africa’s nine provinces. The smart card system is based on Net1’s Universal Electronic Payment System, or UEPS, which is a biometric payment technology designed to provide financial services to citizens without access to a bank account. Infineon provides security controllers to Net1’s subsidiary Cash Paymaster Services for implementing this service. The project started in April 2012 and Net1 began issuing the first smart cards in June. It uses Infineon’s SOLID FLASH SLE 77 security controller equipped with asymmetric data encryption to enable secure storage of data and identification of the cardholder by fingerprints stored on the chip.

DigitalIDNews ActivIdentity product targets BYOD segment ActivIdentity released a new version of its 4TRESS authentication system that enables granular control of organizations’ enforcement of operating systems,

ID SHORTS

soft tokens and soft token versions. 4TRESS is a soft token system that can work with users personal smart phones and tablets, should a company have a Bring-Your-Own-Device (BYOD) policy. 4TRESS enables system managers to provide multi-layered strong authentication for these devices. The soft token provides a one-time password and can be set to authenticate for a specific OS or version of the soft token. The update also enables administrators to generate reports that show number of end-users by type of OS or the version of soft token used.

SecureIDNews HID global chosen supplier of card printer/ encoders for U.S. department of defense HID Global was selected by the U.S. Department of Defense as the main supplier of printer/encoders for its Common Access Card program. HID Global’s FARGO HDP5000-LC ID card printer/encoders include customized enhancements to handle the government project requisites. The HDP5000 features a SmartScreen LCD Control Panel, an embedded OM-

NIKEY contactless encoder, standard USB and Ethernet connectivity, cartridge-based consumables and a dualsided card printing option that removes the need to manually reload the cards. The printers will be used to produce more than 3 million Common Access Cards annually.

HealthIDNews Olympic teams leverage ID-based medical records Three U.S. Olympic teams carried their health information and medical records on an ID card when competing in the 2012 Olympic Games in London. The U.S. diving, synchronized swimming and gymnastics teams used Merrillville, Ind.-based I-DENTI-FIED’s patent-pending health care identifier system that places medical records onto an ID card. When the records are needed, the ID can be scanned or accessed through I-DENTI-FIED’s technology. The ID system makes it unnecessary for athletes and trainers to recreate their records every time they go to a meet.

cording to the government announcement, the smart card initiative hopes to reduce the duplication of patient records in an attempt to streamline the medical database. The smart cards – which will likely contain names, birth dates, fingerprints, photos and patient identification numbers – would connect to Web-based electronic medical records. The mode of implementation for the new smart cards is yet to be determined, but possibilities could include embedding the information in standard credit card-sized IDs or housing it in the patient’s cell phone.

Third Factor Behavior recognition software in force at Republican convention

HealthIDNews USAID contemplates medical tracking in Haiti

As part of the security measures in place for the Republican National Convention, Tampa police will be employing behavior recognition cameras to help them conduct surveillance. Charlotte-based BRS Labs designed the technology called AISIGHT. The software connects to existing video surveillance systems, and through artificial intelligence, gives police officers the ability to keep tabs on unusual or suspicious behavior around the clock.

The U.S. Agency for International Development (USAID) is considering implementing smart cards to “facilitate medical referral services” in Haiti. Ac-

NFCNews TrustNorway taps Bell ID for TSM solutions Bell ID announced that is trusted service manager software solution has been selected by TrustNorway to facilitate the delivery of NFC services to its customers. Using Bell ID’s Mobile Token Manager solution, TrustNorway will establish itself as the Nordic region’s first neutral trusted service manager. As such it

Fall 2012

ID SHORTS

hopes to coordinate the technical and business relationships of multiple stakeholders – mobile network operators, banks, ticketing agencies – to deliver and maintain NFC payments, loyalty and ticketing applications on customers’ mobile devices. According to Bell ID, the company’s software platform provides over-theair life cycle management of applications, cryptographic keys and secure elements on NFC devices. The solution is vendor and form factor neutral, and supports applications on any type of secure element.

Third Factor DEA approves iBeta biometrics testing Biometrics testing laboratory iBeta received DEA approval and is now authorized to review, verify and certify that particular electronic prescribers or electronic pharmacy applications meet the requirements of DEA’s regulations governing Electronic Prescriptions for Controlled Substances. With physicians, hospitals and pharmacies utilizing electronic prescriptions for controlled substances, DEA-EPCS guidelines are in place to ensure the security and privacy of both the patient and practitioner. As of June 2010 biometrics can be used as the primary credential in lieu of a hard token or a password for prescribing certain medication. The new iBeta approval looks to utilize this feature. By incorporating biometrics into the new certification process, the DEA hopes that the user experience will not only be expedited, but also will be more efficient as biometric credentials are more likely to be in the possession of the user at the time of prescription than would a normal token.

Fall 2012

Third Factor AOptix, Unisys partner Unisys announced a strategic alliance with iris biometric leader AOptix to integrate advanced iris functionality into the LEIDA (Library of eID Artifacts software) framework. Unisys works with its clients to secure their operations, increase efficiency and utilization of their data centers and modernize their enterprise applications. The alliance with AOptix offers a means to accelerate development and reduce implementation time for the company’s biometric identification technology, while enhancing national border and airport security. AOptix iris recognition technology is already employed in secure locations around the world including airports and immigration control operations.

FinancialIDNews Biometric fingerprint readers deployed to thousands of ATMs in Brazil One of Latin America’s largest private banks has added Lumidigm’s multispectral fingerprint readers to its ATM network in Brazil. Lumidigm is working with Brazilian IT services provider Itautec to install the first 12,000 units of the 33,000-unit ATM network. The readers will not only provide customers with secure access to their accounts, but they will also ensure that each person only has one identity. Lumidigm’s biometric readers can read dry, wet, damaged or dirty fingertips, a critical aspect for a reader that will most likely not have someone available for troubleshooting. With the readers, a fingerprint will now serve as the PIN. The Itautec ATMs are not the first to feature this option. Large banks in other parts of

the world, such as South Africa, are also deploying fingerprint-as-PIN methods of using ATMs.

Third Factor Private equity firm acquires Cross Match Technology-focused private equity firm Francisco Partners announced its acquisition of Cross Match Technologies, a provider of interoperable biometric identity management systems, applications and services. In business for 16 years, Cross Match has more than 5,000 customers in more than 80 countries. Its client list includes the U.S. Department of Defense, Department of Homeland Security and State Department, as well as several state, local and foreign governments. With the acquisition, Cross Match will leverage Francisco’s expertise to further develop its technologies to meet market requirements for future biometric tools. Financial terms of the deal were not disclosed.

ID SHORTS

NFCNews Korean researchers reveal 1-cent NFC chips Korean researchers have created a new passive NFC chip that could drastically drop the price of implementing NFC. Developed by Sunchon National University and Paru Printed Electronics Research Institute, these “rectenna” chips are printed in rolls like newspaper – a method that reduces the price per unit to just one penny. These chips could then be implemented in a number of everyday objects – e.g. price tags, signs, posters, etc. – for next to nothing, enabling NFC smart phone users to interact with a rich environment with just a tap of their handset. The rectenna is a combination of an antenna and a rectifier, i.e. an AC to DC conversion device. This allows the rectenna to draw its power directly from the 13.56 MHz radio waves given off an NFC phone and send back information through its digital circuits. Korean websites stop authentication via personal ID Per a Korea Communications Commission law made earlier this year, websites in Korea can no longer col-

rectenna chips are printed in rolls like newspaper – a method that reduces the price per unit to just one penny lect national ID numbers when people register for their services Korean sites and companies that asked for users’ real names and their national ID number when signing up for

a site – even just to post comments – are no longer permitted to do so. The law came about after a series of hacking attacks that compromised thousands of users’ personal information. All websites, including portals, gaming and shopping sites must comply with the new law; however, online financial transactions still require the use of an ID number. A site that currently has collected this personal information must destroy it within two years. The Korea Communications Commission has offered a number of alternative ways to authenticate users other than with a national security number, including i-PIN, cell phone text message, electronic authentication certificate or credit card. While companies have a sixmonth grace period to comply with the law, it’s uncertain how many will be able to do so.

GovernmentIDNews Gemalto, Infineon tapped for U.S. e-passports The U.S. Government Printing Office awarded contracts to Gemalto and Infineon Technologies North America for the U.S. passport covers with contactless chips and antennas. Both companies had previously supplied smart card chips to the Printing Office for e-passports. Terms of the fiveyear contracts were not disclosed. As part of the process, companies

SecureIDNews Datacard launches passport printer Datacard Group launched its PB500 passport printer designed to produce high quality documents like Datacard’s high-volume passport issuance systems, but in smaller or decentralized issuance situations. The standalone PB500 passport printer offers a compact footprint for desktop issuance and personalization. It can serve populations in remote areas or be deployed for instant replacement passport programs. The PB500 passport printer features speeds of up to 80 passports per hour and includes rapid change-out ink cartridges that noticeably speed production and reduce costs.

had to meet the international standards established by the United Nations’ International Civil Aviation Organization. The Government Printing Office produces the U.S. passport for the Department of State at the agency’s secure production facilities in Washington D.C. and the Stennis Space Center in Mississippi. The office has produced more than 80 million passports containing secure electronic features since they were introduced in 2005.

Fall 2012

ID SHORTS

Third Factor Biometrics protects Olympic construction For the past four years, as the organizers of the London 2012 Olympic Games led the construction of the Olympic Park and Athletes Village, British biometrics firm Human Recognition Systems se-

support the Bring Your Own Device trend. The casing provides consistent authentication from the iPhone 4, iPhone 4S and soon, the iPad.

EnterpriseIDNews Study: Companies lack security for BYOD As the Bring Your Own Device (BYOD) movement gains traction among companies looking to incorporate mobile technology into their systems, a study finds that 71% of businesses that do enable employees to use their own mobile devices do not

have policies and procedures for BYOD deployment and security. The study, conducted by security awareness training firm KnowBe4 and research and consulting firm ITIC, polled 500 companies around the world in July and August. It found that while almost two-thirds of businesses permit BYOD for company network access, only 13% have set policies for dealing with BYOD deployment. Another nine percent are currently developing policies.

cured the area with MSite, a biometric identification management and access control platform. The MSite system incorporated biometric identification, card-level encryption and cloud-based technology. The MSite smart card contained both hand geometry and iris recognition templates for identification purposes. MSite had more than 81,000 people enrolled in the system and processed more than 30 million transactions.

The BYOD movement, while helping companies cut technology costs and allow for employee mobility, does leave organizations vulnerable to security breaches. Without policies and security awareness training in place, the study says companies are putting their data and information at risk.

GovernmentIDNews U.S. government orders Tactivo smart casings

FinancialIDNews Google looks to expand Wallet to IDs, tickets

The U.S. federal government will test Precise Biometrics’ new Tactivo smart casing for smart card and fingerprint authentication via mobile devices. It plans to use Tactivo for several pilot projects across government, military and civilian agencies. Tactivo enables companies and organizations to migrate authentication to mobile devices and is designed to

Google Wallet may soon move beyond payments and loyalty to incorporate tickets, credentials and other things cluttering your physical wallet, according to Robin Dua, head of product management for Google Wallet. The expanded Google Wallet would hold all kinds of digitized information – from boarding passes to work IDs to concert tickets and gift cards,

Fall 2012

SALTO Electronic Locking System

THE KEYLESS SOLUTION TO MECHANICAL KEY CONTROL The SALTO Virtual Network - System Description

Features & Beneﬁts

The Wirefree battery operated locks, cylinders and lockers are networked to your server without wires.

· No wiring costs, simple installation and reduced material costs · Adaptable to any kind of door, including lockers and glass door locks · Track events in the facility, such as battery status, access granted/denied and staff activities · Smart battery management and innovative design · Wall readers and door controllers are used for elevators, gates, barriers or speed gates

The link that enables communication is carried by the “intelligent” smart RFID card, which acts as a 2-way data transporter that grants access, provides audit trail and informs about battery status. The wall reader is the updating point and links the credential and the PC. It also permits special functions. FOR MORE INFORMATION PLEASE CONTACT US SALTO Systems Inc. 3073 McCall Drive - Suite 1 · Atlanta, GA 30340 Phone: 770-452-6091 • Toll Free: 1-800-GO SALTO • Fax: 770-452-6098 info@salto.us • www.salto.us • www.saltosystems.com

i n s p ir edaccess

ID SHORTS

STATS The 2012 global market for smart cards including contact, contactless and dual interface products.

$5.1 billion

Source: Electronics.ca, “Smart Card Technologies and Global Markets”

489M The number of national ID cards and e-passports issued by governments worldwide in 2017. This is an increase from 209 million units shipped in 2011. Source: ABI Research, “Smart Cards in Government and Healthcare Citizen ID”

30 billion The total number of cards manufactured worldwide including all smart cards, magnetic stripe cards, bar coded cards and others. Source: ICMA, “Global Card Market Statistics Report”

$10 billion Global market for biometric technologies in 2014. Source: Reportlinker.com, “Global Biometrics Market Forecast and Opportunities, 2017”

100 million Number of NFC-enabled mobile devices expected to ship globally in 2012. Source: Forrester, “NFC: What Lies Beyond Contactless Payments”

Fall 2012

ID SHORTS

Dua revealed in a new developer video. Dua said that the company is currently trying to “make it super simple” for airlines, transit providers and others to get their credentials stored in the end user’s wallet. “We envision an open platform where we will allow all sorts of partners to issue their credentials into the wallet,” explained Dua, adding that eventually Google Wallet will allow the consumers to abandon the physical wallet entirely. “That’s the goal,” said Dua. “We want you to be able to leave your leather wallet at home and carry your phone and transact with that as your primary transaction device.”

EnterpriseIDNews Dropbox adds two-factor authentication Dropbox is launching two-factor authentication as an added security measure, following high-profile security breaches that impacted it and other cloud-based companies. When the service is enabled, Dropbox users will have to enter both their password and a six-digit security code whenever they sign in or link a new device to Dropbox. Users may choose a third-party authenticator app that’s available for Android, iOS, BlackBerry and Windows phones or receive the security code via text message. The company decided to add the additional layer of security after hackers used stolen passwords to log in to Dropbox accounts. Dropbox announced this feature through one of its community tech forums asking trial users to test the new system.

ID technology news online every day or via a free weekly email Explore online for up-to-the-minute news and insight on identity and security technologies. Articles, podcasts and videos from Re:ID Magazine’s editorial team are added daily to the sites below. Sign-up to receive weekly updates via our free email newsletters. Visit any of the sites below and enter your email in the box at the top left corner of the page to register. ContactlessNews.com: Contactless smart cards, identity, access, payment and transit solutions. CR80News.com: Campus cards for primary and university ID, security and payment solutions. DigitalIDNews.com: Online and Digital ID, securing Web ID’s, PKI and digital certificates. EnterpriseIdNews.com: Identity management systems, cloud-based and financial applications. FIPS201.com: Approved product listings for the FIPS 201 identity standard, PIV and PIV-I solutions. GovernmentIDNews.com: Government ID solutions for citizen ID, driver license, border control and more. HealthIDNews.com: Secure ID for health care payers, patients and providers. IDNoticias.com: ID and security news and insight translated for the Spanish speaking audiences. NFCNews.com: Near Field Communiation technology, handsetsm tags, applications and projects. RFIDNews.org: RFID and sensor technology for logistics, pharma, animal and product tagging. SecureIDNews.com: Government and large enterprise ID, smart cards, identification and authentication. ThirdFactor.com: Biometric identification and authentication solutions for crossindustry applications.

Fall 2012

All hail the secure driver license States complying as REAL ID arrives Zack Martin, editor, Avisian Publications

Fall 2012

States have more than a couple of reasons to improve their driver license

processes. In January the bell tolls for states to comply with the oft-delayed REAL ID Act with potentially severe consequences for states that don’t meet the standards. There has also been an influx of fake driver licenses and state IDs from China. For about $200, an individual can upload a photo and biographical data and receive an incredibly realistic fake ID complete with an encoded magnetic stripe, hologram and other visual security features. Bulk orders receive discounts making these sites particularly popular on college campuses. As of mid-August at least one of these sites had been shut down due the urging of Congressional leaders. REAL ID came out of the Sept. 11, 2001 terrorist attacks. Vulnerabilities in state driver license issuance processes were exposed as hijackers obtained state-issued IDs even though they were not in the country legally. To prevent such breakdowns in the future, REAL ID calls for standardized identity vetting and issuance processes as well as a national database so that states can check if individuals have already been licensed in other states. The law has been controversial with many states calling it an unfunded mandate and

1 in 10

states have submitted Real ID compliance packages some even passing legislation indicating that they would not comply. When U.S. Department of Homeland Security Sec. Janet Napolitano was governor of Arizona she signed a bill into law saying the state would not comply with the mandate. Consequences for residents of states failing to comply could be severe. Docu-

ments issued by those states would no longer be acceptable for access to federal facilities and airports. Overall, states are making their way to REAL ID compliance, according to a report from the Center for Immigration Studies released in February. Five states have already submitted REAL ID compliance packages to Homeland Security and 36 are materially compliant now or likely will be by the January 15, 2013 deadline. Even the states that passed legislation against REAL ID are making improvements to their processes, the report states.

The Delaware example Delaware achieved compliance with REAL ID from Homeland Security in July 2010, says Jennifer Cohan, director of the Delaware DMV. Most changes were to the processes around identity vetting but there were also some changes to the actual ID documents. Prior to 2010, Delaware didn’t conduct a Social Security confirmation or a residency check. Nor did they confirm that the applicant was in the country legally, Cohan says. Today, Delaware conducts a Social Security check to make sure the number matches the name of the individual, a legal presence check and a residency check, Cohan says. Even applicants renewing existing documents need to bring in the additional documentation for the new IDs, which are scanned and stored. With REAL ID the state changed its entire business flow. As soon as the applicant comes in for a license their photo is taken and the same clerk guides the applicant through the complete process. “The clerk never loses custody of the individual,” she says.

Facial recognition is run while the clerk validates and scans the applicant’s docu-

Smart card driver licenses on the horizon? After the Sept. 11, 2001 terrorist attacks there was significant discussion around the use of smart cards for driver licenses. This discussion faded, but has picked up again in recent years. Still, most agree any rollouts are likely years away. “Over the last year we have had some significant conversations with states about issuing smart cards,” says Mary Olson, senior marketing manager for government solutions at Datacard. One group behind these efforts is the National Association of State Chief Information Officers. Different state agencies issue many different types of identity documents, and the organization sees an opportunity for consolidation of services around a single state issued smart card. Instead of having each agency issue these different documents there could be one agency issuing a smart card for all the different purposes, says Neville Pattinson, senior vice president of government sales at Gemalto. “It’s time to consider centralizing identity management and enabling other benefits to the card,” he says. Medicaid benefits, food stamps, and driver licenses are just some of the applications that could potentially be placed on a state-issued ID card, Pattinson says. “This would enable a central point for managing citizen identities and using that identity for multiple applications,” he adds.

mentation, Cohan explains. A response from the facial recognition system takes just two to three minutes. The overall transaction time with the clerk and applicant is six minutes with wait times averaging 14 minutes.

Fall 2012

Delaware differs from other REAL ID compliant states in that they have opted to stick with over-the-counter issuance of IDs. Most states are opting for central issuance to give them additional time to review applicant data and place additional security features in the document. Delaware’s politicians wouldn’t allow central issuance, because residents like walking out the door with their ID, Cohan explains. The state also has only four DMV offices so creating secure rooms in each location to produce the documents wasn’t as difficult for them as it could be in larger states. For residents who don’t care about access to federal facilities, Delaware offers a license that isn’t REAL ID compliant, Cohan says. The resident doesn’t have to proffer any of the documents or undergo any of the background checks. They receive a license that has big black type on it stating that it’s not for use as a federal ID. There have been residents who have returned and upgraded their license after the fact, she notes. The state was aware of the stigma that

REAL ID carries. When it first rolled out the new documents and processes it was not called a real ID compliant document. “We didn’t call it REAL ID because of the negative connotation,” Cohan says.

North Carolina opts for centralized issuance The same is true in North Carolina, says Barbara Webb, assistant director of driver license certification for the Department of

For residents who don’t care about access to federal facilities, Delaware offers a license that isn’t REAL ID compliant Motor Vehicle. The state isn’t marketing its new driver license processes as REAL ID, but rather as a more secure ID.

The vetting processes North Carolina implemented are similar to those in Delaware. A photo of the applicant is captured and the identity verification begins with Social Security, residency and legal presence checks. North Carolina is compliant with the 18 benchmarks for REAL ID compliance and working on the 39 comprehensive benchmarks (see REAL ID Benchmarks). Where North Carolina differs is at issuance. The state started central issuance of driver licenses in 2008 and will be rolling out a new document in 2013, Webb says. The new ID has passed two security evaluations from the American Association of Motor Vehicle Administrators. A third evaluation is scheduled for early next year. The new ID will be made of polycarbonate and include laser engraving, grayscale imaging and a 3D photo. North Carolina will conduct a three to four week issuance pilot next spring, Webb says. After the initial period it will evaluate how the processes went, regroup and start a full rollout. The state will use card printers from Datacard for the new IDs.

18 Benchmarks for REAL ID compliance 1.

Mandatory facial image capture which state must retain Applicant must sign a declaration under penalty of perjury that the information presented is true and correct Applicant must present at least one of a finite list of source documents when establishing identity Require documentation of Date of birth, Social Security Number, Address of principal residence, and Evidence of lawful status

Fall 2012

State must have a documented exceptions process

Make reasonable efforts to ensure that the applicant does not have more than one DL or ID

11. Mark fully compliant DL and IDs with a DHSapproved security marking

Verify lawful status through SAVE

12. Issue temporary or limited-term licenses to all individuals with temporary lawful status and tie license validity to the end of lawful status

Verify Social Security account numbers through SSOLV

13. Have a documented security plan for DMV operations

Issue DL and IDs that contain integrated security features

14. Have protections in place to ensure the security of personally identifiable information

10. Surface of cards must include basic information regarding the cardholder

15. Fraudulent document recognition training and security awareness for DMV employees 16. Background checks for employees with access to personally identifiable information 17. Commit to be in full compliance with Subparts A through D on or before May 11, 2011 18. Clearly state on the face of non-compliant DLs or IDs that the card is not acceptable for official purposes, except for licenses renewed or reissued under § 37.27

All the flexibility you need in a card printer

The ultimate card printer! Because your clients have varied requirements, the new range of Evolis Primacy card printers offers maximum flexibility.

Your customers will appreciate the ease of use, speed and unmatched print quality. You will love the versatility and easy hardware and software integration.

Single or double-sided printing, magnetic stripe encoding, smart contact or contactless chips â&#x20AC;&#x201C; Primacy can do it all, thanks to the many onsite upgrades and options that can be added and combined.

A worthy and reliable successor to the Pebble and Dualys range, Primacy is covered by a full 3-year warranty.

www.evolis.com

Summer 2012

Overall trends The January deadline not withstanding and regardless of whether a state has said it’s pro or con REAL ID, jurisdictions are making improvements to their documents, says John Hilliard, senior director of sales and business development at MorphoTrust USA. Some 41 states use MorphoTrust system for their driver license systems. “When you look at states across the country, REAL ID or not, they are making processes more secure,” he says. Hilliard has been around driver licenses since 1984 when he started issuing IDs at the New York Department of Motor Vehicles. He did that until 2007 when he joined Homeland Security as a senior advisor to help with the implementation provisions of REAL ID. After 14-months at Homeland Security, Hilliard moved to his current position at L-1 Identity Systems, which is now known as MorphoTrust. DMV directors across the country are instituting more secure issuance processes, Hilliard says. Along with the Social Security verification and legal presence checks, states are also deploying document verification technology. These systems scan passports, driver licenses and other ID cards for security features and tell the clerk if they are valid. States are also using facial recognition biometrics to make sure the individual only has one license under one name, Hilliard says. Photos are taken as soon as the applicants steps up to the counter so there’s plenty of time to run the photo through a database. “Facial recognition is extremely effective in making sure a person does not get more than one license,” he adds. To give states more time to verify docu-

ments, many are also moving from overthe-counter issuance to central issuance. Hilliard says more than 20 of the states MorphoTrust works with are going to

looks like, so it’s hard to keep the front line person trained.” There are efforts underway to create an online system to verify birth certificate data

central issuance. Central issuance also means states don’t have to be as concerned about securing the different DMV locations across a state.

with Social Security numbers to make sure the information matches, Hilliard explains. The delay with this system is that the vast majority of birth certificate information is paper based and no electronic version exists. Another REAL ID provision that won’t be ready to go by January is the driver license verification system called for in the law. If an individual walks into a DMV with a license from another state this system is intended to enable officials to check the validity of the license with the other state as well as cancel it when the individual receives the new document in the new states. “It will send in a request to other states and see if they have that same individual licensed,” Hilliard explains. “It’s designed to make sure that the person is only licensed in one state.”

Interstate data sharing remains elusive The area states are struggling with most is the verification of breeder documents, such as birth certificates, Hilliard says. This challenge isn’t new. Each county in each state is responsible for birth certificate issuance. Standardization and security features vary widely. “In the U.S. there are more than 14,000 types of birth certificates and the reality is they’re all paper based,” he explains. “There’s a lack of consistency across the U.S. as to what a birth certificate

Facial recognition is extremely effective in making sure a person does not get more than one license

Fall 2012

National driver license database stalled One of the more controversial components of REAL ID is the driver license verification hub, a database that would link states and make sure individuals don’t hold licenses in more than one state. In 2008, Missouri was awarded $17 million to lead the development of the verification hub, which is intended to serve as a central point for motor vehicle departments to validate an applicant’s source documents. States would be able to verify the identity, legal presence and Social Security number of an applicant

through this common interface. Four other states – Florida, Indiana, Nevada, and Wisconsin – were each awarded $1.2 million to partner with Missouri for testing and implementation of the system. Information on the current status of the hub is not available, but it has not been released for state use. Still, the challenge of checking breeder document validity is being solved through a new system created by the National Association for Public Health Statistics and Information Systems. The

Electronic Verification of Vital Events network permits queries of in-state and out-of-state vital records. Using the Web application a DMV employee enters certain information from a birth certificate. This information is sent to the issuing state and it comes back with a match or no match within seconds. Some 44 states are online with the system and another five are in the process of rolling it out.

7 of 10 states are currently employing or are planning to employ a central issuance model

states are either opposed or uninterested in Real ID compliance

Real ID Federal dollars allocated per state $0 - $3M

19 States

$3M - 6M

24 States

$6M +

7 States

Source: The Center for Immigration Studies, The REAL ID Implementation Annual Report by Janice Kephart

Fall 2012

Because some states have decided not to comply with REAL ID, this system will not be operational by January. However, tests with a handful of states continue, Hilliard says.

Increasing document security In addition to better identity verification, states are also increasing the security of the ID cards, Hilliard says. With an influx of high-quality fake IDs from China, the challenge is adding strong security features that a bank clerk or bar bouncer can readily spot yet can’t be easily duplicated. Add this new adversary to the ever-present threats from terrorist groups and identity thieves and the need for increased document security features reaches unprecedented levels. “The reality is the well funded bad guys are trying to find ways to compromise the security features on a card,” Hilliard says. “And they’re coming up with ultra-violet features that are close enough to survive scrutiny.” Holograms and ultra-violet features aren’t as secure as previously believed, especially for those who may not be well trained to spot slight differences, says Shane Cunningham, marketing and communications manager at Digital Identification Solutions,

good that law enforcement and credential experts aren’t able to tell the difference,” says Tony Ronquillo, business development manager at 3M Security Systems. Adding security features makes it more difficult for counterfeiters but it also makes it more difficult for those trying to authenticate the documents. “You can create an ID with the highest technology anyone has ever seen but the problem is without the proper tools in the hands of the people evaluating those documents, how can they tell the difference?” Ronquillo asks. There’s a fine line issuing agencies walk, making a document secure but not making it confusing, says Steve Rhyner, senior product development specialist at 3M Security Systems. “More security doesn’t equal higher security,” he explains. “Criminals find more complex documents easier (to fake) because they’re so confusing people aren’t sure what to look at.” States are also hesitant to remove existing security features because people expect to see them, Rhyner says. A relatively new solution that states are deploying is a floating image that has a tactile feature so when an individual runs a finger across it he feels something, says Ronquillo. Laser engraving is another solution to the security problem that many states

Over 50% of states have committed to or have already met the 18 benchmarks for Real ID compliance which provides card printers to driver license programs in five U.S. states and three states in Mexico. “You need to be able to spot a fake in an easy visual way, without ultra violet or microprint,” he adds. The cat and mouse game that document security experts play with counterfeiters never ends. For the past year, ID experts at 3M have been helping law enforcement officials analyze some of the counterfeit IDs they have found. “The overt features are so

Fall 2012

are considering, Cunningham says. Laser engraving not only provides a visual feature but there’s the tactile element that an inspector can feel where the laser burned the image or text into the card. Added document security features pushes migration to centralized issuance Laser engraving pushes states to a central issuance model, says Mary Olson, senior marketing manager for government solutions at Datacard. The cardholder’s

Defining the issuance models Over-the-counter issuance: This model provides on-site issuance while and individual waits. It enables immediate verification that the information on the license is correct and allows for fast reprints and replacement issuance. It also provides a level of customer service that cannot be replicated by an off-site operation. It can prove challenging for the issuing agency, however, because it requires the deployment of equipment, printers and card stock to every point in the decentralized network of issuance locations.

Centralized issuance: The centralized, off-site issuance model moves the printing of the ID to a separate location. Finished licenses are later mailed to the local office or directly to the applicant’s address. Real ID compliance is pushing more states toward a centralized issuance model as they strive to increase document security features. Laser engraving, high-end holography and other features can be cost prohibitive in decentralized environments, but the higher priced equipment can be affordable when centralized in single location.

personal information is burned into the card with the laser providing security from alteration as well as the tactile security feature. This type of personalization takes time and is another reason why states are moving to central issuance, says Olson. “About 90% of the recent requests for proposals from state driver license agencies has been for central issuance,” she says. “It’s a trend we’ve seen for the last five to six years.” While the REAL ID Act was controversial when first passed it has lead states to improve identity vetting and document security. As counterfeiters become more advanced it’s only a matter of how states will continue to combat emerging threats.

THWARTED BY YOUR OWN SECURITY?

Security doesn’t have to be in your way. Call us today to add convenience to your strong authentication solution. Convenient security with the touch of a ﬁnger — that’s the Lumidigm Advantage™.

www.lumidigm.com • +1 (505) 272-7057 • sales@lumidigm.com

Tech 101: What is SAML? Spec could be the backbone to interoperable online IDs Jeff Wurfel, contributing editor, Avisian Publications

As businesses move data and applications to the Internet and the cloud, they need a way to authenticate users across a variety of domains and devices. But leaving the relative security of an organization’s internal servers brings with it vulnerabilities as services and access controls move outside of the protected domain. Typically, user authentication involves the selection of a different user name and password combination for each application. The ever-growing list of log-ins hurts productivity and can become a nuisance to staff and clients. But it has an even more dangerous side. According to Pam Dingle, senior technical architect with Ping Identity, roughly 75% of Internet users use the same password for multiple login situations. Hackers target small businesses and easy to hack websites in search of email and password information. After obtaining the login information from the easier to hack locations, they try all the combinations until they are granted access to more secure systems. This technique allows them to get around the larger, more advanced security systems. The Security Assertions Markup Language (SAML) helps organizations address this security risk by eliminating the need for multiple log-ins and the need to store login information in the cloud. OASIS, the organization that standardized SAML, defines it as an XML-based open standard, single sign-on solution. Essentially, single sign-on enables a user to provide an identity once and then use it for secure access to multiple applications across security domains and servers.

Fall 2012

“Think of it like a passport for a traveler flying between countries,” Dingle describes. “Just like the passport, SAML provides identity information and is presented in a trusted format. The border agent believes in the identity of the person because they believe in the issuer of the passport. SAML works in a very similar way, where the receiving party trusts the issuing party.” Fortune 1000 companies communicate with each other using SAML, as do companies that want employees to sign on to each other’s servers, Dingle says. For example, a health care benefits provider will use a SAML in partnership with a pharmacy so that aspects of the pharmacy website will be integrated into their own website. Instead of the user having to sign in to both websites, they need only sign in once. Single sign-on is playing a much larger role in both business and consumer applications. SAML was created in 2002 and has become a leading single sign-on standard for business applications. It’s a well-tested standard with support from many companies.

Examining SAML at work The specification has two major components: an identity provider and a service provider. A user will attempt to access a service provider with a user agent – typically a Web browser – at which point the service provider will send a SAML authentication request to the identity provider. In a common use case, an individual clicks from within their internal domain to access an external cloud-based service. Instead of the browser taking them directly to the application, it redirects to an identity provider. The identity provider is responsible for authenticating the user. This can be done through username/password or by way of a more advanced authentication technology, such as a smart card, one-time passcode or biometric. The identity provider validates the authentication request and creates a SAML assertion – a document that contains the user’s identity and attributes. A digital signature is applied to the assertion and it is encrypted and sent to the service provider. The browser will then

be redirected with the SAML document in the header. The service provider decrypts the assertion, makes an access control decision and then shares the information with the application. After all of those security actions are complete, the user is taken to the application. All of these steps happen seamlessly behind the scenes. The user is unaware of the authenticating, packaging, un-packing and validating that occurs within seconds.

Components of SAML assertion An assertion contains security information in the form of statements. There are three types of statements that an assertion will contain: authentication statements, attribute statements and authorization decision statements. An authentication statement tells the service provider that the identity provider did in fact authenticate the user. The attribute statement is used to make fine-grained access-control decisions. The authorization decision statement states that the user is enabled to perform an action on a specific resource due to a given piece of evidence.

Single sign-on and the future of SAML The current standard, SAML 2.0 is the third iteration. SAML 1.0 was originally developed by OASIS in 2002. A year later, OASIS made a small upgrade to create version 1.1. In 2005, SAML 1.1 was combined with the Liberty Alliance (now Kantara Initiative) Identity Federation Framework (ID-FF) and Shibboleth to form SAML 2.0. SAML is primarily used in the corporate environment but there are other singlesign on standards – such as OpenID – for different situations. The use of SAML is catching on, even among those who were not originally on board. Previously, Microsoft’s Active Directory Federation Server did not support SAML, however, newer editions include its support. According to Dingle, the current SAML 2.0 version will continue to be the standard for quite some time as no new version is on the horizon.

: ePassports Standing Guard. Entrust dual-rooted ePassport security solutions are the most scalable, interoperable and deployed in the world. As the global PKI leader, Entrust provides true point-and-click solutions for first-generation (BAC) and second-generation (EAC) ePassport environments. In fact, Entrust is the No. 1 global provider of ePassport security solutions and continues to lead the migration to the EAC standard. See why Entrust is trusted globally and is the only choice for end-to-end ePassport security, including solutions for travel document issuance and inspection.

888.690.2424

Visit entrust.com/epassport for more information.

Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All other Entrust product names and service names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited in certain countries. All other company names, product names and logos are trademarks or registered trademarks of their respective owners. ÂŠ 2012 Entrust. All rights reserved.

Kantara Accreditation:

Need for chain of trust grows as ID providers proliferate Jill Jaracz, contributing editor, Avisian Publications

Authenticating users on a secure network is absolutely vital to maintaining the integrity of the system, and today organizations have many options for identity and credential providers. But how can an organization trust these providers? An independent auditor can provide a stamp of approval, but who accredits the auditors? In the case of credentials, that accreditation comes from the Kantara Initiative. Kantara’s Identity Assurance Accredita-

explains Joni Brennan, executive director of the Kantara Initiative, rather, they are third-party organizations verifying the processes employed by the credential issuers against a set of criteria. Brennan says the reason companies and agencies don’t audit themselves is that a third party forces separation and impartiality. Other models, such as universities, may be able to audit their own credentials because they are large enough and have enough legal separa-

Requirements (AQR) document stipulates the criteria and qualifications an assessor’s organization must have to take part in the Kantara environment, says Brennan. The organization looks at a company’s ability to follow requirements including: industry practices, its insurance, its ability to remain impartial and its privacy policy. Kantara looks at these aspects and how the business operates. “Can those processes be translated into an audit environment?” asks Brennan.

Assessors are not the organizations providing or issuing credentials … rather, they are third-party organizations verifying the processes employed by the credential issuers. tion and Approval Program aims to grow identity credential services based on the four levels of assurance that are measured and validated in the U.S. Federal Identity Credential and Access Management (ICAM) trust framework. It’s the only government-approved accreditation provider of its kind that accredits assessors and gives service approvals at levels of assurance 1, 2 and 3 (non-crypto) for the ICAM trust framework. Assessors are not the organizations providing or issuing credentials,

Fall 2012

tion within the organization to enable neutrality. But this is not the case for most organizations. Firms that seek Kantara Accreditation are typical auditing firms. “[They can be] small scale to large scale,” says Brennan. Kantara-accredited Assessors include large global firms like Deloitte & Touche and Europoint, as well as smaller organizations like Electrosoft, which has 20 employees, and eValid8, with just a single employee. Kantara’s Assessors Qualifications &

The Accreditation process requires the applicant has to provide documents and assessments, but it also includes a “prequalifying area,” that recognizes prior certifications counting them toward a Kantara Accreditation. “As long as they can prove that a recognized thirdparty certification is valid and in goodstanding, Auditors can get prequalifying credits,” says Brennan. “We don’t make them prove x, y, and z all over again.” Applicants then use the Assessors Qualifications & Requirements to deter-

Kantara Initiative in brief Founded in 2009, the Kantara Initiative is an independent, non-profit organization that is a program of the IEEE’s Industry Standards and Technology Organization. It was formed out of the Liberty Alliance, a standards organization that worked to provide a holistic approach to identity and identity management on the Web. Building off the principles of its name, which means “bridge” in Swahili, the community collaborates on interoperability issues that exist between enterprise identity systems, Web 2.0 applications and other Web-based initiatives. Kantara is working to speed up adoption of digital identity solutions by relying parties. The initiative does this by building trust frameworks and promoting interoperability and assurance through compliance and certification. Its membership includes government agencies, credential services, audit and testing firms, private sector companies in health care, telecom, entertainment and finance, research and educational institutions, technical and user community organizations and individual contributors. • •

•

Number of members: 79 Number of Work & Discussion Groups: 12, covering policy, jurisdiction and user-focused issues Governance: Volunteer Leadership Council comprised of Chairs of the Working Groups Membership levels: Member and Trustee have voting privileges; Subscribers do not

APPROVED

mine what evidence they need to present to Kantara. The company then provides evidence for the claims made in the application. “It’s almost like performing an audit on an auditor. Here are the answers to the questions, and here is the proof,” says Brennan. It typically takes two to three weeks to put together the application. Brennan says smaller organizations may provide the proof more easily, but a large company like Deloitte & Touche, may have more regulations around what they can share. Due to these sharing restrictions, Kantara may make an on-site visit to review what it needs to evaluate the applicant, while at the same time not compromising the applicant’s security. Next, Kantara’s Assurance Review Board (ARB) evaluates the application and evidence, a process Brennan says takes three to four weeks. Brennan says the board review has three possible outcomes. It may satisfactorily recommend to the board of trustees to grant Accredited Assessor Trustmark. It may recommend Accreditation on a conditional basis, giving the applicant six months to come back with the additional information required to approve or revoke the conditional Trustmark grant status. Or, it may deny the application, most often due to insufficient evidence. The cost of becoming a certified assessor is based on the size, scale and resources of the organization. A company with one to 100 employees pays $5,000 for its initial application. A 101 to 1,000 employee-organization pays $11,000; a 1,001 to 25,000-employee firm pays $17,000 and companies with more than 25,000 employees pay $25,000. These fees cover the application and first year of Accreditation, says Brennan. Companies must renew their certification annually. Year two and each subsequent year costs $1,000 less than the initial fee. In the annual renewal process, Kantara conducts a conformity review to make

sure that nothing has changed from the previous year, says Brennan. Every three years organizations must again go through the full review process.

One assessor’s journey Electrosoft is among the most recent organizations to earn assessor certification. The process began at the end of 2011, when company officials decided to make the investment into the certification process, says Scott Shorter, principal security engineer at Electrosoft. The application was submitted early in January 2012. Shorter says the company had to provide a good amount of information and cite corporate policies with regards to corporate management, ethics, recruitment and contract administration. “It was almost entirely stuff from our internal policies, although we did have to develop a couple of policies for the application,” says Shorter. Once the Assurance Review Board looked at Electrosoft’s application, they had some follow-up discussions about methodologies and PKI compliance audits, which, Shorter says was part of the reason they applied for the certification status. One round of questioning happened in early February, and Electrosoft had one week to respond to the committee’s questions. In early March, Kantara had another round of questions and spent a week onsite at Electrosoft offices. Shorter says that even with the follow-up questioning, the process was “not terribly active.” In early April, Electrosoft received word that it had been certified. Shorter says that possessing the Accreditation enables Electrosoft to participate in business opportunities that Kantara accredits. “We’ve been in the business of ID assurance for some time,” he says. “We are seeing more involvement with the trust framework that supports FICAM in federal government.”

Fall 2012

Researchers target iris templates Attack widely publicized but safeguards protect real world deployments Gina Jordan, contributing editor, Avisian Publications

A team of researchers in the United States

and Spain set out to understand the iris biometric algorithm and determine whether any structure in the code could be exploited. They claim to have found a potential to fool an iris matching system, but as is often the case with publicized ‘hacks,’ others note that they did so only in lab setting without the protections employed by commercial biometric deployments. The experiment started with the code that’s generated when a biometric system captures the image of an iris. “The biometric system would process that iris image using some software algorithms and would generate a mathematical number that now represents this iris image,” explained researcher Arun Ross. “This number in the case of iris is often a sequence of zeroes and ones called a binary string.” Ross is an associate professor at West Virginia University and assistant director of CITeR, the Center for Identification Technology Research. He was part of the five-member team looking into the feasibility of reconstructing the original iris image using the iris code information. “That was the context in which this specific research was conducted,” says Ross. The research was led by Javier Galbally from the Universidad Autonoma de Madrid. He was a visiting scholar in Ross’ West

Fall 2012

Virginia lab who had worked on similar projects involving biometric modalities. “We had a paper in 2007 which talked about reverse engineering fingerprint templates,” says Ross. “So, when Javier came here, we decided to go forth and see if we could do the same thing with iris data.” The team used a matching algorithm and a database of sample iris images that had been made available by universities for academic research. “We took these iris images and converted them into iris code,” says Ross. Then, they tried to determine if it was possible to reverse engineer the code to create the original image. A development system was used to reconstruct iris images and determine whether the reconstructed versions would result in a numeric template that matched the original. The team employed a genetic algorithm, one that learns from itself, to slightly change the iris image over and over again until it matched. This experiment was done completely in a machine-constructed environment, explains Ross. He emphasizes this machine perspective because, he says, a human expert would immediately recognize that the recreated iris images were different. Still, in some cases, they were able to match within the test system. “These images could be fed into a commercial system which would then match against a true iris image and indicate that it’s a successful match,” says Ross. Others disagree with the concept that this technique could succeed in a commercial system. Joseph Pritikin, director of Product Marketing for AOptix Technologies, reviewed the report. “No encryption is broken, no synthetic is either presented to or accepted by any real iris scanner and no liveness or anti-spoofing capability is overridden,” says Pritikin.

No encryption is broken, no synthetic is either presented to or accepted by any real iris scanner and no liveness or anti-spoofing capability is overridden The team never employed an eye scanner, either. Ross says the entire attack was launched in the software domain. “What we reported was not an attack on the scanner itself,” says Ross. “However, it should be possible to take the synthetic iris and perhaps place it in a modified contact lens in order to see if a scanner can be fooled.” The team hasn’t tried that yet. “Our intention was to demonstrate the potential of creating synthetic iris images from real iris code,” says Ross. In a briefing about the report, author Javier Galbally writes: “The experimental results show that the reconstructed images are very realistic and that, even though a human expert would not be easily deceived by them, there is a high chance that they can break into an iris recognition system.” Pritikin finds fault with the “iris matching algorithm” being referred to in the report as an iris recognition system. “This is a misnomer. In general use, an iris recognition system is a system that includes the iris capture device, an application layer for control, a database and the matching algorithm,” says Pritikin. “Anti-spoofing and encryption technologies are present throughout the various components of a true iris recognition system.” While Ross says the results indicate the proposed technique had an 80% chance of matching with a true iris image, Pritikin sees the findings differently. He says a more accurate paraphrasing of the paper would be: “In a particular use case where five synthetic samples were presented to a commercial matching algorithm, the matching algorithm accepted at least one out of the five samples as the original iris more than 80% of the time.” Ross acknowledges that their process would likely be thwarted in a commercial iris recognition system. The team relied on a genetic algorithm that operates similar to a hill-climbing attack.

“It requires the system to provide match codes repeatedly. After two or three (unsuccessful) queries, most commercial systems will shut out the user,” says Ross. “So here, since we had access to a genetic code, we could launch this attack iteratively using this genetic algorithm, which in a real world scenario may not always be feasible.” The team’s algorithm relies on the generation of match codes by a matcher in order to launch the attack. Ross admits it would be difficult for an imposter to access the matcher and then use the iris code to reverse engineer and reconstruct the iris image itself.

Lessons for the biometric industry Ross stresses that any security-based system is vulnerable to attack, and it’s important to let the community know about potential weaknesses. His team is working on a report explaining the counter measures they developed to mitigate the vulnerability addresses in their work. “We cannot believe in security by obscurity,” says Ross. “I think these vulnerabilities have to be reported because it allows researchers to further develop algorithms that make their systems robust to future attacks.” The team is also working to understand how a software system might look at an iris image and determine whether it’s real or synthetic and whether the image has a contact lens in it that is being used to circumvent the system. “This certainly is not the end of iris recognition,” says Ross. “I think what it allows vendors to do is to put in safeguards and then move forward designing robust systems that can be used in real time operation.”

Fall 2012

Figure 1. Hype Cycle for Emerging Technologies, 2012

expectations

Wireless Power Hybrid Cloud Computing HTML5 Gamification Big Data Crowdsourcing Speech-to-Speech Translation Silicon Anode Batteries Natural-Language Question Answering Internet of Things Mobile Robots Autonomous Vehicles 3D Scanners Automatic Content Recognition

3D Printing BYOD Complex-Event Processing Social Analytics Private Cloud Computing Application Stores Augmented Reality In-Memory Database Management Systems Activity Streams Internet NFC Payment TV Audio Mining/Speech Analytics NFC Cloud Computing Machine-to-Machine Communication Services Mesh Networks: Sensor Gesture Control

Predictive Analytics Speech Recognition Consumer Telematics

Idea Management

Volumetric and Holographic Displays 3D Bioprinting

Biometric Authentication Methods

In-Memory Analytics

Quantum Computing

Consumerization

Text Analytics

Human Augmentation

Media Tablets

Home Health Monitoring

Mobile OTA Payment

Hosted Virtual Desktops Virtual Worlds

Technology Trigger

Peak of Inflated Expectations

Slope of Enlightenment

Plateau of Productivity

time

Plateau will be reached in: less than 2 years

As of July 2012

Trough of Disillusionment

2 to 5 years

5 to 10 years

more than 10 years

obsolete before plateau

Source: Gartner (July 2012)

Page 12 of 110

In 2011, NFC payments was at the very peak of the “Inflated Expectations” curve – Gartner, Inc. | G00233931 occupied in 2012 by Bring Your Own Device.

Gartner highlights NFC in 2012 Hype Cycle Research firm Gartner identified NFC payments as one of the fastest moving technologies in its 2012 Emerging Technologies Hype Cycle, an annual report that assesses the maturity, business benefit and future direction of numerous high-impact technologies. In last year’s Hype Cycle, Gartner placed NFC payments at the very peak of the “Inflated Expectations” curve – occupied now by Bring Your Own Device. 2012 finds NFC “moving noticeably” along the curve, followed closely by NFC payments. However, the research firm expects NFC payments to be five to 10 years away from mainstream adoption, i.e. the “Plateau of Productivity,” while NFC in general still has two to five years to go. “The theme of this year’s Hype Cycle is the concept of ‘tipping points,’” said Hung LeHong, research vice president at Gartner. “We are at an interesting moment, a time when many of the scenarios we’ve been talking about for a long time are almost becoming reality.”

Fall 2012

One of these scenarios outlined in the report, “What Payment Could Really Become,” places NFC at the center of a completely cashless society. According to Gartner, a world in which every transaction is electronic would provide enterprises with efficiency and traceability, and consumers with convenience and security. “The tipping point will be surpassed when NFC payment and mobile OTA payment technologies mature,” notes Gartner. In another scenario, “The Human Way to Interact With Technology,” Gartner points to NFC as a “stand out tipping point technology” for enabling people to interact “more naturally” with technology. NFC is joined by 3D printing, activity streams, Internet TV, cloud computing and media tablets as the other fastest emerging technologies in 2012.

Dynamic Duo The New AOptix InSight ® Duo Combines the Performance of Iris and the Utility of Face

The AOptix InSight Duo is the first and only system to simultaneously capture both an ISO / ICAO compliant face image and one or two ISO-standard iris images. The fast, automatic, non-contact capture takes mere seconds and is effortless for subjects, and if present, operators. Bringing seamless multi-modality and potential for biometric fusion, InSight Duo heralds a new era in conclusive authentication for identity-dependent applications including aviation security, expedited passenger processing, transportation, and border security.

For demonstration information, See a InSight Duo at BCCorinmore Tampa, FL September 18 – 20, or please contact us Booth or visit#121 us online at visit us online at www.aoptix.com/identity www.aoptix.com/iris-recognition © 2012 AOptix Technologies

T. 408.558.3300 T. 408.558.3300

Enabling federal IDs on D.C. transit WMATA wants PIV for fare payments Andrew Hudson, contributing editor, Avisian Publications

The Washington Metropolitan Area Transit Authority is in the process of upgrading its fare collection system to one that uses all contactless smart cards. Greg Garback, executive officer in the Department of Finance at the agency, discussed the impending changes at a meeting of the Government Smart Card Interagency Advisory Board. He addressed plans to accept federally-issued PIV and U.S. Defense Department Common Access Cards for access to the transit system. The transit agency is in the throws of an infrastructure renewal process, highlighted by the revamping of its fare collection to an open loop payment system. Dubbed the New Electronics Payments Program, it will bring D.C. transit to the cutting edge of payment technology by accepting bank-issued contactless cards, government issued IDs and completely eliminating the disposable magnetic stripe tickets. The current fare collection system is more that 25-years-old and expensive to maintain, says Garback. Part of the problem is that each individual reader and turnstile needs to be updated manually so a centralized software push isn’t possible. Transitioning from the legacy system to the new system will be difficult because the fares are based on time and distance rather than a flat fee system, explains Garback. The current reloadable contactless SmarTrip cards – in use since 1999 – will still be issued and accepted. The new system will retain some core features of the existing system, namely its SmarTrip and SmartBenefits programs. Civilian riders will still have access to the familiar SmartBenefits account system that enables employers to assign a predetermined dollar value of monthly commuting benefits directly to an employee’s SmarTrip card. These accounts will remain available to the customer to check and manage online. The new contactless fare collection system is inspired by one of the largest sectors of D.C. ridership: federal employees. During the peak season, 40% of D.C. transit riders are federal

Fall 2012

employees, and each is already carrying a government-issued contactless smart card ID. WMATA is keen on incorporating the federal IDs into the system. With such a large sector of D.C.’s ridership already holding these IDs, the marriage of the two seems inevitable. From an economic standpoint, Garback believes that the constant issuing and renewing of temporary cards is senseless. “If federal employees all have a card with a contactless interface that’s secure, why should they get a SmarTrip card?” he asks. “Why should we go through the expense of issuing that card?”

Federal employees are equipped with either a Common Access Card or a PIV to be used as their primary form of access to government facilities as well as its secure networks. WMATA intends to ensure that the new infrastructure upgrade will use these credentials as the payment token for federal transit benefits.

The new system will not load an app onto the federally-issued credentials. Instead, it will link the card to a back office system for payment authorization. Additionally, credentials linked to a transit benefits account can be backed up by a secondary payment source if the customer opts to do so. This is a failsafe of sorts should an employee’s transit benefits be exhausted before the end of the month. Garback sees the incorporation of employee IDs cards as a means to streamline the daily commute. “We want to come up with a model that lets them use their card for everything,” says Garback. “They have to have it for physical and logical access. So why not have same card that gets you into your facility and onto your network, also be the one that gets you there.” This new system will also support PIV I cards that are issued to federal contractors, state/regional employees and the first responder community. “We are looking for a single federal solution to design to,” Garback says. “It will make life far more effective and efficient for everyone.” As part of the bigger picture, the incorporation of PIV applies not only to the D.C. metropolitan area, but its surrounding regional operators as well. “The idea from a fare collection standpoint is to make accessing transit easy, effective and smooth, with the idea that contactless PIV cards will be compatible across various transit authorities,” says Garback. WMATA wants public transit to not only be efficient, but familiar regardless of the location. “We are trying to standardize the look,

why not have same card that gets you into your facility and onto your network, also be the one that gets you there

touch and feel of the transit experience,” says Garback. D.C. is not the only transit authority embarking on compatibility with federal employee IDs. Other regional transit authorities that service large numbers of federal employees are looking at ways to enable them to use their IDs for transit access. Garback cited that PIV compatibility is essential to New York City’s regionalized solution set, with Philadelphia, Chicago, Los Angeles and Boston all moving in that direction as well. Each transit authority will likely have its own unique architecture relative to PIV cards but contactless bankcards will be universally accepted.

Beyond PIV The transit agency is being mindful of the future as the arrival of NFC and mobile payments draw nearer. “The game-changer is the next gen of mobile phones,” says Garback. These handsets will put a fare vendor in the traveler’s hand, showing them where they are, when next train is coming and the fare. Then it will also serve as the instrument to actually pay the fare. Garback and WMATA are aware that technology is ever evolving, and with NFC on the horizon, WMATA intends to be ready. “Whenever NFC comes into play, we will be prepared to accept and process it,” says Garback. For the time being, however, WMATA’s initiative to incorporate Federal PIV/CAC cards into its payment structure is in its own right a game-changer. The pilot phase for the transit agency’s new payment system is still twelve months out, with plans to start at ten rail stations and a select number of bus garages in the lighter trafficked areas of the transit system. From there, the pilot will test some of the heavier, more densely populated sectors of the transit lines in order to thoroughly test the system. Garback expects an award for the project before the end of the 2012 calendar year, with full-scale deployment of the New Electronics Payments Program not expected until 2013 or 2014.

Fall 2012

Retailers turn to biometrics for time and attendance Apps save money by curtailing employee fraud Denise Trowbridge, contributing editor, Avisian Publications

Last year, some KFC restaurant franchisees in the South and Midwest replaced their

PIN-based time and attendance systems with DigitalPersona’s U.are.U fingerprint scanners in a bid to reduce fraud. “Buddy-punching is completely gone from our stores now that we’ve switched,” says Chris Elwood, Omaha area coach for KBP Foods, a KFC franchisee. “Everyone is required to use their fingerprint to get into our systems and anyone clocking in early or staying late has to get a manager’s fingerprint for approval. This gives us peace of mind that our labor costs are accurate.” In April, restaurant chain Hooters replaced the PIN and magnetic stripe card system used to log both transactions and work hours by more than 4,000 employees. The moved to a new solution that uses biometric fingerprints, a move that reduced transaction and payroll fraud while also eliminating the cost of replacing lost ID cards, says Wes Marco, director of information systems at the chain. “The beauty of biometrics is the accountability. Unlike swipe cards or PINbased systems, with fingerprints, no one can clock you in but you. You can’t pretend to be someone else,” says Gary Oberman, business development manager for OEM and Developer Sales at DigitalPersona. “It virtually eliminates time clock fraud.” The costs savings could be considerable. The American Payroll Association estimates fraudulent time clock usage costs businesses

1.5% to 5% of gross payroll annually. According to a Nucleus Research study, the cost of buddy-punching, or having a friend or coworker clock in for an employee who has not yet arrived or has gone home early, accounts for 2.2% of gross payroll. Fingerprint scanners can be integrated into already existing employee databases for punching in and out, Oberman says. Deployment doesn’t take long. “The average business can install software and readers and be up and running in 45 minutes or less with integration with other software,” says Neal Katz, vice president of operations at Count Me In, a software developer that integrates biometric readers into existing systems and offers its Timecard Monitor time and attendance solution. Clients using its biometric time and attendance solutions include Dunkin Donuts, Huntington Learning Centers and FTD florists. Most fingerprint scanner systems do not store an actual image of employee fingerprints. Instead they record a template – an encrypted, mathematical representation of the fingerprint generated with a proprietary algorithm. The stored data can’t be used to reconstruct an image of a fingerprint, and is not linked in any way to any criminal or government databases. Most employees, once they learn how the scanner works, don’t

The beauty of biometrics is the accountability. Unlike swipe cards or PIN-based systems, with fingerprints, no one can clock you in

Fall 2012

mind putting their fingerprints into the systems. “Nine times out of ten they love it but part of that is demographics. With our point-of-sale clients, many have younger employees, and they are people who are interested in new technology and are early adopters,” Oberman says. “They think it’s cool.” For other employees, it can act as a deterrent. “Even though the technology doesn’t tie into any other government databases, our clients have told us it has weeded out some applicants,” who fear that their fingerprint could be matched with other unsavory information, Katz says. A small medical practice that installed a fingerprint system had two employees immediately quit, explains Katz. “Apparently, they had made a habit of not physically being at work for all of the hours they claimed,” he said. Labor costs and labor fraud are a big concern for companies, which is why there is a tremendous upside for these solutions. “The market is still pretty wide open,” Katz says. “There are still huge numbers of businesses keeping track of time with paper or simple spreadsheets.”

The market is still pretty wide open … there are still huge numbers of businesses keeping track of time with paper or simple spreadsheets

Traditional time and attendance leaders go biometric

terminal, and can access information on how many hours they’ve worked, view their schedules, and the amount of time off they have available. ADP offers biometric time and attendance products with the option of hand or fingerprint scanning. Small players are also vying to fill the small-business segment of the market, selling low-cost bundles including both software and fingerprint scanners. DigitalPersona sells the U.are.U series of fingerprint scanners, offering a USB fingerprint reader compatible with desktop and laptop PCs; a heavy-duty scanner for high-traffic locations such as kiosks, point-of-sale terminals, time and attendance terminals, and physical entry devices; and a Windows-compatible keyboard with a built-in fingerprint scanner, for use with desktop computers and point-of-sale terminals. The readers and software are compatible with Windows and Linux-based systems as well as accounting software such as Quickbooks, Peachtree, and Paychex systems.

Smart phones as the new time clocks Other companies are trying to solve complicated time clock issues with other solutions. In May, Utah-based FotoPunch launched FotoPunch Connect, Mobile Time and Attendance, which turns a cell phone into a geolocated biometric time clock. Employers can track the employee’s hours, location and identity, as well as track job costs and collect work-related photos, all without the purchase of additional hardware. Employees clock in to by taking a photo with their smart phone. Nucleus Research said the product’s benefits include increased manager and employee productivity, reduced payroll costs, and the savings associated with not buying new hardware. Biometric time and attendance solutions are now used in a wide range of industries, from food service and retail to hospitals, daycare and financial services. “With a touch fingerprint reader, no one can steal credentials and you can’t fake out the reader,” Katz says. “You can’t leave your finger at home, and you can’t share it with anyone else. It’s the who-am-I approach versus the what-I-have approach.” Part of the motivation for companies to switch to biometric time and attendance is to reduce money lost to fraud. “But the other side is it’s less of a burden to management,” Katz says. “If you have to call IT or human resources every time someone forgets a password or loses a card, that translates to dollars and cents.”

“When we first started out in 1998, we were told over and over that there was no place for fingerprint in time and attendance. It seemed too much like science fiction. People didn’t understand the potential,” Katz says. “Today every single player out there in time and attendance has biometrics in some form.” Kronos sells a variety of biometric time and attendance products, such as Kronos 4500, 4500 Touch ID, and 4510 Touch ID terminals. Employees can use a badge or fingerprint to clock in using the

Fall 2012

NFC’s secure element war Battle continues with consumers at mercy of mobile operators Jill Jaracz, contributing editor, Avisian Publications

Mobile devices are quickly becoming a key tool for ID credentialing, but a lack of standardization of the secure element along with legal questions are causing confusion for organizations considering use of the devices for IDs. Control of the secure element is also an issue with near field communication because that’s where crucial payment card data will be stored. Overall, the choices consumers have when it comes to identity credentials and possible payment technology options won’t depend on the handset they choose. It’s more likely that the carrier will dictate what kind of services they may be able to access for identity credential and payments. This will impact Bring Your Own Device initiatives within corporations and government agencies. Since the consumer doesn’t have control of the secure element, in order to securely load identity credentials on to handsets, partnerships will have to be in place that enable them to be stored on a handset’s secure element. Will organizations be willing to partner with multiple carriers or will they choose to limit the carrier and handset options available to employees?

Fall 2012

Credentials can be securely stored on a mobile device in three areas: a SIM card or UICC, a microSD card and an embedded element. To allocate credentials into the secure element, a trusted service manager divvies up space between service providers, each having access to a dedicated area within the secure domain that is unique to them, says Juan Lazcano, vice president of sales in communication at Gemalto. The secure element has one set of “master keys,” meaning one entity can control it, says Jeff Miles, vice president of mobile transactions at NXP. “A landlord, if you will, owns the rights to that chip.” And in most cases it’s not the consumer who controls that secure element. With the SIM card, the network controls the secure element. With a microSD card, a third-party entity can have control. When the secure element is embedded directly into a phone, the handset manu-

facturer owns the secure element but may have to transfer that ownership to the end user or network operator. Legal questions surrounding the secure element are somewhat uncharted. “The use of the mobile device as an authenticator raises very interesting property law questions. The determination has to be made with property interests and property rights,” says Tim Reiniger, an attorney with FutureLaw. Having the mobile devices used as an identity credential involves multiple parties: the device owner, the owner of the secure element and the owner of the credential. Having multiple owners of different aspects of one device is not a new concept. In property law, there can be multiple owners in the same object or resource, especially in the area of real property, such as joint tenants or easement rights, says Reiniger.

Comparing the options A SIM card is in many phones today and it’s removable. However, it may not work from device to device, and if an individual changes carriers, the credential also changes. SIM cards are also costly, and replacing them is expensive. Networks own the rights to the SIM card, says Miles. Carriers are able to lock the SIM and

prevent it from being used on other networks. For wireless carriers, this is important for subscriber retention. “There’s definitely strong interest from a carrier, once they’ve enabled a subscriber to keep them as a subscriber,” says Lazcano. For the microSD option, ownership my pass on to the consumer, says Lazcano. It can be put into any phone equipped

LEGAL ISSUES SURROUND CONTROL OF SECURE ELEMENT Ownership of the secure element raises key questions from a legal perspective. Who has the right to dictate the use of the mobile device? Who is responsible when there is an authentication failure? With different ultimate owners, each type of secure element potentially transfers responsibility for failures to different parties, says Tim Reiniger, an attorney with FutureLaw. “Entities trying to position themselves to control the element are aware of implications regarding liability and regarding authentication failure,” says Reiniger. For protection, these entities are attempting to use contracts to limit or shift the liability, says Reiniger. “The liability never disappears. It has to fall on some person or entity, so all the players are looking for ways to address it,” says Reiniger. And without legislation, the use of contracts is the primary available method. Another related issue is how the secure element will impact the network access rights of the device holder. “That’s an issue that is related to copyright questions and will need to be worked out by the legal system,” says Reiniger. This could have implications for corporations with Bring Your Own Device policies. “Ultimately, the owner of the secure element has the right to control overall use and access to networks. It is serving a gatekeeper role,” says Reiniger, adding that the owner of the secure element would have the ability to shut off a person’s access at anytime. Predictably, concerns have emerged regarding what rights the consumer has to prevent access from being shut off or subsequently restore terminated access. Reiniger says the government is taking a wait and see approach in terms of liability for the owner of the secure element. However, the Commonwealth of Virginia is now studying legislation to address the allocation of liability for identity credential providers, users and relying parties. “That would obviously have implications for mobile devices being used as ID credentials,” says Reiniger. Virginia is the first state to contemplate legislation addressing liability issues, with interest being driven by technology companies in the northern part of the state that deal with federal employees and contractors. Reiniger says it has been studying it for a year and may have a law in place as soon as July 2013.

for microSD and locked. When the owner wants to change phones, he just unlocks it, removes it, puts it into a new phone and locks it again. An embedded element can offer better performance, Miles says. “The embedded solution probably delivers the easiest as far as implementation,” says Miles, adding that the ownership then lies with the handset manufacturer. Manufacturers, however, may need to transfer ownership to the consumer.

Loading credentials Once a device has a determined secure element, an entity needs to be able to load credentials onto it. Depending on the relationship the carrier had with a trusted service manager this may limit what can be loaded on to the secure element. “There’s always going to be an entity managing and loading credentials onto the secure element,” Lazcano says. This will also prevent users from downloading viruses or malware. To prevent that, someone will manage the credentials, and subscribers will rely on what services are offered to them, explains Lazcano. “Subscribers can request different keys on the card, like a Hilton key, etc., and a trusted service manager will make them available,” says Lazcano.

Standardized secure elements? It remains unclear which element will win out. Lazcano says that the wireless carriers, not the device manufacturers, are driving most of the pilots and developments

Fall 2012

Ultimately, consumers will make the decision on what the secure element will be – and their choice may not have anything to do with which part of the phone holds the element

around the world. Wireless carriers tend to put more emphasis on making sure the secure element is removable and can be transferred from phone to phone. However, Lazcano says if the wireless carriers don’t succeed in pushing their secure element, manufacturers may push their own. There may never be one sole standard for the industry, Miles says. There may even be multiple secure elements within

a single handset. For example, Facebook could use one secure element for accessing their services, while credit card information goes on a SIM or somewhere else. Handset manufacturers and networks may also drive the choice of the secure element depending on what services they can offer the consumers, says Miles. Manufacturers will experience success directly proportionate to innovation and the unique things they can do.

Networks also can provide services that consumers can’t get elsewhere. “How much value can you derive for the consumer in the end?” asks Miles. Ultimately, consumers will make the decision on what the secure element will be – and their choice may not have anything to do with which part of the phone holds the element. “’I want this phone because it does this,’” says Miles. “That will win the battle of the secure element.”

U.S. carriers drag feet on NFC handsets While international carriers have accepted NFC, U.S. mobile network operators seem reluctant, if not skeptical about the new technology. Europe and Asia offer a variety of NFC-enabled handsets and services, but U.S. carriers offer few, if any options. At present, there are less than 20 NFC-capable mobile devices available to consumers in the states, according to NFCNews/re:ID research. This may be changing, as major carriers claim that NFC will be a standard feature on a number of upcoming devices. Reasons suggested for the lag in adoption vary, but a yet-to-bedefined business case leads the pack. Charge-happy mobile carriers may just be waiting for an ongoing revenue stream to emerge. Or, the operators may be buying time as they wait for their own NFC payment and loyalty schemes to take off. Some carriers in the U.S. have gone so far as to turn off or deactivate the NFC capability in handsets they offer that happen to include it. While AT&T offers the Samsung Galaxy SIII, it disables the NFC technology on the handset. Verizon also handicapped the handset originally, but later enabled the functionality. Insiders suggest that AT&T and Verizon did this because, as founders of the new ISIS payment network, they did not want their customers using competitor Google Wallet. Delayed adoption aside, expect U.S. mobile carriers to offer a number of additional NFC-capable options in 2013.

Fall 2012

NFC-enabled phones in the U.S. HTC EVO 4G – Sprint/Virgin Mobile HTC One X – AT&T HTC DROID Incredible 4G LTE – Verizon Nokia Astound – T-Mobile Blackberry Curve 9360 – T-Mobile/AT&T Blackberry Bold 9900 4G – T-Mobile/AT&T Blackberry Curve 9350 – Sprint Blackberry Curve 9370 – Verizon Blackberry Bold 9930 – Verizon/Sprint Samsung Galaxy Nexus – Sprint Samsung Galaxy Nexus 4G – Verizon Samsung Galaxy Note – AT&T/T-Mobile Samsung Galaxy S Blaze – T-Mobile Samsung Galaxy S II – AT&T/T-Mobile/Sprint Samsung Galaxy S III – AT&T/T-Mobile/Sprint/Verizon LG Optimus Elite – Virgin Mobile/Sprint LG Viper 4G LTE – Sprint

Dynamic duo: Smart card technology and mobile ID New report says card or handset, smart card tech plays critical role Smart cards have long played a key role in securing physical and logical access, but now smart cards embedded in mobile devices are emerging as a new, more robust identity credential. The Smart Card Alliance released a white paper on this global trend toward using mobile identity credentials and the role that smart card technology plays in securing those credentials. Mobile devices don’t require individuals to carry around multiple pieces of plastic. Payment cards, driver licenses, health care insurance cards could all be securely stored on the mobile device, the paper posits. “A digital identity credential in a phone could be used to both access a building and digitally sign e-mail messages being sent from the phone,” the paper states. The processing and memory capabilities of a smart phone can enhance or extend the functionality of identity credentials. For example, key codes delivered through text messages can be used as an additional authentication factor and location-based services can add more security to a transaction by confirming the location of the individual.

Companies incur costs to maintain the infrastructure that supports employee identity credentials and to equip facilities, computers and employees with the readers that enable their use. An NFC-enabled mobile device can act as both the credential and the reader for physical and logical access. The report illustrates three different approaches for mobile device authentication in enterprise settings:

Using the mobile device as an out-of-band solution to determine whether an employee is the right employee;

Leveraging the NFC capabilities of a mobile device to read and transmit the details of a company ID credential; Using the mobile device as the credential, leveraging the secure element to securely store credentials and authenticate the employee.

DELIVERING TRUSTED IDENTITIES THAT ARE

BEYOND A SHADOW

OF A DOUBT

Government and business rely on trusted identities. Whether you are protecting information or securing a border or critical infrastructure, you need to establish, with certainty, that someone is who he or she claims to be. At CSC, we deliver comprehensive identity management solutions that not only provide identiﬁcation but also protect the personal information of citizens and customers. Drawing upon our worldwide identity management experience, we seamlessly integrate the latest technologies, systems, policies and business processes into a solution that is secure, eﬃcient and, most of all, trustworthy. CSC Identity Management Solutions and Services CSC.com/cybersecurity

Fall 2012

BLEEDING-EDGE DNA, odor, ear and other modalities on the horizon Zack Martin, Editor, Avisian Publications

Biometric technology has been around for more than a century, with its

earliest and most common uses centered in law enforcement.

In the past decades, application of the technology has extended to the identification and authentication of individuals at border crossings, onto computer networks and into physical spaces. The triumvirate – finger, face and iris – remain the top three modalities but there are others waiting in the wings. Some, like DNA, have been around for years but are being adapted to new identity-focused use cases. Others are fusing existing a to create new solutions while another set seem completely new. It may be some time before the triumvirate is unseated by another modality but there are some bleeding edge biometrics on the horizon that could change the way individual’s login to computer systems or gain access to secure areas.

Active authentication In recent years the federal government has been waging a war on passwords. Between the National Strategy

Fall 2012

for Trusted Identities in Cyberspace and the Defense Advanced Research Projects Agency’s (DARPA) Active Authentication project, the government wants stronger ways to identify individuals online, says Richard Guidorizzi, project manager for Active Authentication at DARPA. Easy passwords are easily compromised and complicated passwords

Guidorizzi explains. “We want to make the computer aware, tying the identity to the access of a system,” he says. Initially the Active Authentication project will look at biometrics that require no additional hardware. Some examples cited by DARPA include the manner in which the user handles a mouse or crafts written language in an e-mail or document. An emphasis will

DARPA and others are building identification systems that actively authenticate, often even without the user’s knowledge are difficult to remember and thus often written down, Guidorizzi says. Moreover, a password isn’t truly tied to the individual. DARPA wants a solution that doesn’t just identify an individual when they’re trying to access a specific network or file. They want one that constantly identifies the individual at the keyboard,

be placed on validating any new biometrics with tests to ensure they would be effective in large-scale deployments. Later the program will look at solutions that integrate any biometric using an authentication platform suitable for deployment on a standard Defense Department computer. The goal is to combine multiple modalities for continuous

user identification and authentication in a way that is accurate and transparent to the normal computing experience. The authentication platform will be developed with open API to enable future integration of additional software or hardware biometrics.

Bioimpedance offers always-on possibilities While DARPA looks at Active Authentication ad how it can be used to secure computer systems, there are other providers creating new biometrics that would do almost constant authentication. Researchers at Dartmouth College are working with sensor-equipped bracelets that passively take biometric readings for heath care identification. The team is exploring how the bracelet could be used to authenticate the wearer and identify medical needs using bioimpedance as a metric. Bioimpedance measures the flow of electrical current through living tissue. This technology could simplify medical record gathering and share pertinent information in a life-threatening situation. The device has the potential to be used in scenarios from fitness applications to smoking cessation programs. The project is still in its early stages and there are issues to resolve before the technology is viable. One of these is dealing with the variable measures of bioimpedance and how they change over time, although using the sensor in a bracelet form utilizes an area of the body that has less instability due to its tendency to not significantly add fat or muscle.

While DNA identification can take weeks in certain instances, Lockheed Martin has a system that can make a match in 90 minutes.

Gait, feet and bio-soles Another modality that requires no out of the ordinary interaction is being investigated at Carnegie Mellon University’s new Pedo-Biometrics Lab. A project to produce biometric shoe insoles able to identify a person by their gait could prove a unique way to control access to high-security areas. The Pedo-Biometrics Lab is a partnership with Canadian company Autonomous ID and has $1.5 million in startup funding. Autonomous ID has been working on the bio-sole project since 2009, hoping to produce a relatively cheap yet accurate identification solution. The prototype bio-soles are the same thickness as a typical shoe insole sold in a drug store. They’ve been tested on a variety of people in all shapes and sizes and have had an accuracy rate of 99%.

According to lab staff, they are able to confirm identification within three steps and can adapt to changes in a person’s gait, such as injury or fatigue.

DNA: from the crime lab to access control Anyone familiar with procedural crime dramas knows about DNA. From any number of sources it’s the DNA that conclusively links the criminal to the crime. But could DNA also be used as a biometric for identification? It seems like science fiction, but not for much longer, says John Mears, director of biometric solutions at Lock-

Fall 2012

Voice print identification is catching on for one-to-one matching in many markets, including financial services.

heed Martin. “People talk about DNA as a forensic tool but now we are looking at it as a biometric,” he explains. “It really is just like a fingerprint, you’re looking at certain sections of the genome but it doesn’t tell anything about you personally – we’re calling it a DNA fingerprint.” The eventual goal is to create a system that can capture and code DNA quickly, search a database and return results in the same way fingerprint databases function, Mears explains. THE FBI’s DNA database, Combined DNA Index System or CODIS, takes 13 sections from the genome that carries from person to person and creates a unique identifying number. “You can tell the sex of the person but the parts of the genome you look at are only good for identification, so there is no personally identifiable information associated with it,” Mears says. In forensic labs, the DNA testing done is commonly referred to as PCR, or polymerase chain reaction. The testing takes six different instruments that range in price from $35,000 to $250,000. Lockheed Martin is trying to reduce that expense by creating a small plastic sensor that an individual can use to obtain a cell sample via a cheek swab, extract the DNA and gather the specific segments for the PCR test. The sensor is then plugged into a machine about the size of a desktop

Fall 2012

server and results are returned within 90 minutes, Mears says. Only minimal training would be required to run the system, as it’s intended to be operated by police officers in local jurisdictions. “The idea is to have it like fingerprints,” Mears says. “While you’re holding a person you can get the results back and find out if they need to be detained for another crime.”

Noses and ears at work A bleeding edge technology with multiple potential applications is odor biometrics. An individual’s body odor is genetically determined and can be tracked, says Mears. The idea is to create a sensor that replicates a dog’s nose, which is estimated to be 100 times better than that of a human. Such a sensor could recognize subtle differences for authentication or identification purposes. Additionally, body odor changes under stress. This could expand the modality to identify individuals and determine if a person is experiencing stress, perhaps due to lying. Biometric sensors capable of detecting odor could be used to find harmful compounds such as explosives and other contraband. They could also be used to detect harmful bacteria or if an individual is carrying a contagion, Mears says.

There is also the possibility of combining odor and DNA. The odor biometric could locate an individual’s specific skin cells, which are left just about everywhere, and then the DNA could test those same cells, Mears says. The human ear is another pattern unique to each individual. The ear may be as unique a pattern as the fingerprint and iris, says Bryan Ichikawa, senior manager in Enterprise Risk Services at Deloitte and Touche. The challenge is capturing an image as ears are often obscured by hair. Capture devices would likely require infrared capabilities, similar to those used for 3D facial recognition systems.

Your voice is your passport While not as bleeding edge as some modalities, voice may become a major player in future authentication systems. “One-to-one matching is becoming more prevalent when it comes to authentication,” says Mears. And this is an ideal application for voice. The forensic capabilities of voice have been used to identify speakers in one-to-

Ide

nti

thi

ty M

ana

gem

ent

r! Foc

Ses

sio

September 18 – 20, 2012 | Tampa Convention Center | Tampa, Florida Presented by:

Supported by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), the Biometric Consortium Conference is focused on Biometric Technologies for Defense, Homeland Security, Identity Management, Border Crossing and Electronic Commerce. Participants include internationally recognized experts in biometric technologies, system and application developers, IT business strategists, and government and commercial officers.

Two and one half day program: • Four track sessions • Panel discussions with Q&A • Workshops • Social event Keynote Speakers: His Excellency Dr. Gamawan Fauzi Minister of Home Affairs Republic of Indonesia Dr. Charles H. Romine Director, NIST/ITL 60,000 sq. ft. Biometric Technology Expo: • 80+ national and international technology exhibitors/demonstrations • wide range of hardware and software solutions to biometric and identity management challenges, including: ∙ fingerprint recognition ∙ voice verification ∙ face recognition ∙ iris recognition ∙ rapid DNA ∙ novel biometrics

Sessions and Workshops include: • AFCEA Identity Management Focus (New this year!) • Department of Justice (DOJ) • National Institute of Standards and Technology (NIST) • Department of Defense (DoD) • Department of Homeland Security (DHS) • Biometric Standards • International • Rapid DNA • Face Technology • Iris Technology • IEEE Biometrics, Identity & Security (BIdS) Research Showcase • In-Q-Tel • Challenges of IdM in a Smart Phone Equipped, Cloud Enabled World • IEEE Certified Biometrics Professional (CBP) • MITRE Biometrics - FFRDC Support to the Federal Biometrics Enterprise • Round Table Discussion of MorphoTrust USA’s Strategic Vision • Game Changers in DoD Biometrics - The Value of TMi

many environments, but one-to-one authentication is proving to be the modality’s strong suit. Financial services and other high-value transaction industries are putting it to use today, for example, when individuals call stockbrokers and are verified before initiating a trade. Voice can be an ideal complement alongside other biometric modalities, Mears says. Multi-modal biometrics, which has long been discussed but seen few deployments, is another trend he sees on the horizon, especially when it comes to no-touch biometrics. The combination of face and iris biometrics is one that could gain popularity, especially at border crossing and in airport security settings, Mears says. “This is good for a number of reasons, cultural issues, not wanting to transmit disease,” he adds. “It is less invasive that can be done at a distance before they get to a checkpoint.” Additionally, it doesn’t require a user to cooperate with the system. While waiting in line the biometrics could be collected and run before they reach a checkpoint. They could even be used in covert situations, says Ichikawa.

A new wrinkle on fingerprint The idea of identification at a distance was also behind the technology for IDair, a long-range fingerprint biometric company that spun off from Advanced Optical Systems, says Joel Burcham, president at IDair. Originally, Burcham was looking at capturing face, fingerprints and iris all at once with a single sensor. “A lot of people were doing iris and face but fingerprint from a distance wasn’t there,” he says. After a couple of years a system was able to capture fingerprints from more than six feet and Advanced Optical Systems decided to spin the company off forming IDair with Burcham at the helm. The company is selling two products, AIRprint and ONEprint. The former

Fall 2012

captures all ten fingerprints from more than six feet away, Burcham says. While AIRprint has received significant interest from potential users, it has not yet found its niche. Part of the reason is that individuals would have to hold their hands in front of them with the palms up when approaching a sensor. “It’s just a step too far ahead,” he says. The ONEprint system is a different story. The physical access control reader is beta testing with a handful of end users and one full deployment, Burcham says. Because it’s a no-touch sensor the technology is seeing a lot of interest outside the U.S. where hygiene concerns are heightened. The scanner is different from other fingerprint scanners because the user never touches anything. Instead of placing a finger on an optical or silicon fingerprint scanner the individual places the index finger under a scanner which captures the image from a few inches away. The device uses a proprietary algorithm but the optics are not proprietary. They are the equivalent of an iPhone 3G camera, Burcham explains.

New modalities and the changing nature of authentication While interesting new modalities – from DNA and bioimpedance to ears, odor and voice – are moving beyond the lab and into real use, it may well be transparency that proves to be the real game changer. Between no touch and standoff biometrics there’s the possibility that individuals may have little to no interaction when authenticating an identity in the future. And as biometrics become more commonplace in everyday life, it may be that individuals don’t even know they’re being verified as they walk into an office building or sit at their desk.

IDair develops products that can capture fingerprint images with no-touch sensors, from distances ranging from several inches to 6 feet.

an event by Fall 2012

Can CIV be trusted? New ID standard lacks vetting of PIV, PIV-I but expands options for enterprises

Late last year a new acronym joined the alphabet soup that makes up the federal

identity landscape when CIV, or Commercial Identity Verification, was announced. CIV is a relative – some say a sibling while others argue a distant cousin – to the Personal Identity Verification (PIV) credential that is used by federal employees for physical and logical access to facilities and networks. PIV was mandated out of the Homeland Security Presidential Directive 12 back in 2004 and the FIPS 201 specifications that followed. Years later, the need for contractors to access to federal buildings and networks gave rise to the Personal Identity Verification-Interoperable (PIV-I) specification. PIV-I credentials are technically interoperable with the PIV infrastructure, and issuers must comply with the identity proofing, registration and issuance policies described in FIPS 201. PIV-I cards are cross certified for PKI with the Federal Bridge to enable the contractor employees to securely access protected resources. Commercial Identity Verification and the CIV cards are the new kid on the block. CIV leverages the PIV-I specifications, technology and data model but it does not require cross certification to the Federal Bridge. Any enterprise can create, issue and use CIV credentials according to their own requirements.

Fall 2012

Some say CIV is a positive, necessary step and another option for enterprises to secure networks and facilities. Others, however, are adamant that credentials that use the spec cannot be trusted. “To get very high-assurance you have to do a number of things, it’s technology and it’s policy,” says Tony Cieri, principle with Cieri Consulting. To receive a PIV credential an individual has to go through an identity screening against a criminal database and a suitability check to make sure they can work for the federal government. This enables an individual to receive a PIV, a cryptographic token that meets the four levels of identity assurance used by the federal government. Background checks for PIV-I holders vary depending on the access level required, but these are typically level three, cryptographic tokens, Cieri says. “If there’s PIV and PIV-I what does CIV get you?” Cieri asks. “You can be using a smart card, you can be using cryptography but you have no assurance that the person is who they claim to be. It’s the technology of PIV without the processes that go with it.”

A CIV credential is a level one token – self-asserted identity – at best level two, Cieri says. There are many other credentials that individuals can use for levels one or two assurance so he questions why an organization would go to the expense of issuing a cryptographic token. PIV-I credentials have the ability to be provisioned to work on government networks, Cieri says. There is uncertainty regarding this type of use for CIV credentials, because the credential holder has not been vetted. “Why would you trust it?” Cieri asks. The cost associated with CIV would be similar to that with issuing a PIV-I credential so it makes more sense to issue the credential with more assurance around the identity, Cieri says. “If the cost is commiserate go a step further and go with PIV-I,” he adds. Cost is what it may all come down to, says Peter Catteneo, vice president at Intercede Ltd. CIV credentials, because they wouldn’t be cross-certified with the federal bridge, would be less expensive because providers wouldn’t have to go through that process. Other than cost it is simply a policy difference between CIV and PIV-I, Catteneo

says. “PIV-I comes with well defined policy requirements and for some people those polices meet their business requirements,” he explains. “CIV provides a way to create cards that are technically interoperable but express different policies.” Intercede has deployed CIV credentials in different enterprise environments, Catteneo says. Those organizations wanted to use a standardized technology credential that would only be used within that environment. For that purpose, cross certification and in-depth identity vetting weren’t important. “There are two dimensions to authentication, one is how strong is the background check and the other is how strong is the authentication tool being presented,” Catteneo says For a closed enterprise environment a CIV credential is an alternative, he says. “PIV did a good job with identity enrollment for federal employees and PIV-I leveraged that for non-federal employees,” he adds. “But there are some industries that want high-assurance credentials but don’t want to follow the PIV validation processes.” While trust with a CIV credential may be an issue outside of the issuer ’s network, if it’s never used outside the network it is not a problem, Catteneo says. “The intention of PIV and PIV-I are to be part of one ecosystem,” he says. “They CIV may not be part of the same ecosystem.” CIV gives an enterprise options when looking for credentialing technology, Catteneo explains. In the past enterprises had to go with vendor specific applets, but CIV uses a standardized card body and data structure so end users aren’t locked into one vendor. So which specification should an organization choose? It comes down to how the credential will be used. If it’s for an internal network, CIV may be the right choice. But if trust is required outside the enterprise another option may be necessary.

A Comparison of PIV, PIV-I and CIV credentials PIV

PIV-I

CIV

Policy Breeder documents

Follows FIPS 201

Follows the issuing organization’s policies

Background checks

National Agency Check with Investigation

None required, directly impacts level of suitability for access

Follows the issuing organization’s policies

Follows FIPS 201, including separation of roles, strong biometric binding

Follows Federal Bridge crosscertification certificate policies

Follows the issuing organization’s policies

Follows SP 800-63-1 for Federal issuance

For Federal relying parties, follows SP 800-63-1

Process Application, Adjudication, Enrollment, Issuance, Activation

Based on FIPS 201, including separation of roles, strong biometric binding Technology Card data model

Must follow SP 800-73

“Follows” SP 800-73 (recommended)

Current primary credential number

FASC-N (requires Federal agency code)

UUID (no Federal agency code required)

UUID (recommended) (no Federal agency code required)

Object identifiers

Federal Bridge

Organization Internet Assigned Number Authority (IANA) (if exists)

Types of Federation and Levels of Assurance Trustworthiness

Trusted identity, credential and suitability

Trusted basic identity and credential but not suitability

Trusted credential only within the issuing organization.

Trust among organizations

Federal Bridge

Clustered through Federal Bridge

Clustered alone

Organization

NIST

Federal CIO Council

Smart Card Alliance Access Control Council

Defining documents

FIPS 201, SP 800-73 and other related NIST publications

Personal Identity Verification Interoperability for Non-Federal Issuers FICAM PIV-I FAQ

The Commercial Identity Verification (CIV) Credential – Leveraging FIPS 201 and the PIV Specifications

HSPD-12

Interoperable credential for organizations doing business with the government and for first responders

Commercial credential that could take advantage of the PIV infrastructure

Federal agencies

Federal agencies; Federal contractors; Commercial organizations doing business with the Federal government; State and local governments; Critical infrastructure providers; First responder organizations; Commercial organizations who are part of an industry initiative and require an interoperable, trusted credential

Commercial organizations seeking a credential for use for their employees, subcontractors, non-employee visitors and customers

Origin

Motivation

Markets Organizations that may issue and/or use the credential

Resources that the credential may be used for

Federal agencies who accept credentials with medium hardware assurance

Credential can be used in a wide range of both employment-related and consumer-based transactions. Examples include physical access, logical access, mass transit, and closed loop payments.

Source: Smart Card Alliance

Fall 2012

Campuses pilot NFC for access control Villanova, University of San Francisco expanding trials in fall Andy Williams, Associate Editor, Avisian Publications

Near field communication is going to college and finding the campus to be an ideal testing ground full of students hungry for the newest technology. NFC’s promise – to let users do just about anything with a single mobile device – is a little hard to pass up. But like their business counterparts that have tested NFC, universities admit that its promise will remain unfulfilled until more NFC handsets are available. Both the University of San Francisco and Villanova University near Philadelphia are piloting NFC programs with the help of campus card provider CBORD. The results so far show that the technology works, students like it and they want to use it more. Ingersoll Rand developed the app and provided the hardware that turned an iPhone into an NFC-capable device, says Jeremy Earles, product marketing manager for readers and credentials at Ingersoll Rand.

How NFC works at Villanova To begin, the participant connects a specially designed hardware accessory to the iPhone 4 or 4s. This hardware ‘sleeve’ slides over the phone and connects to the port at the bottom of the handset. The sleeve, manufactured by Wireless Dynamics, turns a non-NFC equipped iPhone into an NFC-capable device. Currently no other type of phone is supported, although Earles says Ingersoll Rand is considering developing the app for Android handsets as well. For the

Fall 2012

pilot, iPhones were selected because of their popularity on campus. With the sleeve connected, the participant requests an electronic credential for the phone. He receives an email with a link to download the dedicated app from Apple’s App Store. The app is launched, a password is presented, and the cloud then sends the credential to the iPhone, explains Earles. Now that the credential is securely in place in the handset, the student simply opens the app and taps the phone against the reader, says Earles.

The birth of a pilot Offering NFC was the brainchild of Max Steinhardt, CBORD’s new president, says Bob Lemley, CBORD’s director of software development. “Max came to me a year and a half ago and said he wanted to do something with NFC. CBORD then went to its partner Ingersoll Rand. “They really got aggressive finding and managing pilot implementations,” says Lemley. Villanova was chosen for two reasons, says Lemley. “First, they’ve been a leading partner with us, they’ve done a lot of new software implementations,” he says. “We’ve worked with their student government to design and build a laundry

notification feature among other projects. We have a long and rich history of working with Villanova for creative technologies.” The second reason is technical and made it easier to roll out an NFC project there. “They had just switched over to MIFARE contactless cards on campus,” he says. Thus they were already deploying contactless card readers to read the MIFARE technology, and these readers are also capable of reading NFC. “The NFC technology works with MIFARE readers right out of the box,” explains Earles. “It’s a plug-and-play type implementation … the reader communicates with the NFC phone in the same way it would communicate with a MIFARE smart card, so no additional configuration is necessary.” Kathy Gallagher, director of University Card Systems for Villanova’s Wildcard, says the school was looking for new technology that would enhance the student experience. “There was something exciting about being a pilot and our students are always looking for technically-advanced projects,” she adds. She says there were 54 participants including 22 staff members and 32 students. Seven locations, mostly dorms, were equipped with NFC readers. “We didn’t open this up to everyone on campus. We just wanted a small pilot,”

says Gallagher. It involved students in three dorms covering exterior doors only. “We also had four locations for academic offices and buildings; my office was one of the four,” she adds. Villanova’s phase two will begin with the fall semester in August and will include the school’s two larger dorms, says Gallagher. The phase two pilot will also

instead of their cards. And we project it will reduce costs by reducing the number of lost cards, meaning we won’t have to carry as extensive an inventory of replacement smart cards.” Rossi says that USF students cannot get by for more than an hour on campus without their smart card and the same goes for their phone.

results. From a technical implementation, everything worked flawlessly.” “Students loved it,” adds Gallagher. “They want to use it in other areas. I consider the pilot a real success.” She says Villanova was “looking for the good, bad and ugly in the pilot but there was no bad or ugly. It was a very simple pilot and it went very well. One thing you

Students loved it for access control and want to use it for other purposes focus on laundry and point of sale in addition to the dorms, says Lemley. “We’ll be firing that up soon. It will have different participants and a larger population.”

NFC pilot goes bi-coastal As soon as the opportunity became available, the University of San Francisco jumped on the NFC pilot opportunity, says Jason Rossi, the director of One Card and Campus Security Systems at the school. “NFC is the wave of the future. Students need their smart card and their smart phone to get through the day. Why not make them the same? Our students are very tech savvy, so we knew this would be right up their alley.” Rossi says that NFC hits three main criteria: increasing security, improving service and reducing costs. “It increases security by acting as a de facto tool for secure access and transactions. It improves service because students enjoy the convenience of using their phones

Phase one at USF focused on traditional undergraduate students in a residence hall, says Rossi. Twenty students participated along with several staff members. The second phase will test NFC at the point-of-sale in addition to continued use in access control. The participant base will include a larger number of staff members and will also incorporate graduate students. “We want to see how working professionals are susceptible to it,” says Rossi.

Reactions positive from participants, organizers The feedback to both pilots has been positive. “Students loved it for access control and want to use it for other purposes,” says Earles. “We need to make sure we’re meeting all their needs before we commercialize the product,” he says, adding, “this will be a viable product.” The pilot saw heavy usage, says Lemley. “We’re extremely happy with the

always have on you is your phone.” Reactions from USF students were also positive, says Rossi. “There are some barriers in its current incarnation. For one thing, NFC is currently not native to the phone,” he adds. “Students loved it but they wanted it to be native so they could use their own handsets,” says Rossi. “And they wanted to use it everywhere. We didn’t make it clear to them when we started that we were testing it in one building.” He believes that when NFC becomes more widely available, universities will have an advantage with its implementation. “We don’t have the barriers that exist in the private sector,” says Rossi. “I am the merchant, the bank, the transaction processing system. We don’t have to worry about getting Walgreens or other businesses signed up.” The pilots have increased Rossi’s desire for more NFC activities. “I know it works, it’s proven. Now we’re waiting for the industry to give us the next step.”

Fall 2012

Contactless access to lockers and safes Enabling access anywhere, anytime increases ROI for ID systems Denise Trowbridge, contributing editor, Avisian Publications

Organizations with deployed contactless IDs and access control systems have a range of opportunities available to further benefit from the investment in technology. Logical access and closed loop payments are often discussed, but another type of security can prove advantageous. Electronic control of lockers, safes, cabinets and other non-traditional openings is a rapidly growing trend made possible by contactless systems. When the Unified Fire Authority in Salt Lake City needed to securely and easily

store and track the narcotics that firefighters and paramedics carry with them to emergency calls, they turned to Salto’s i-Locker and XS4 lock systems for lockers and cabinets. Now, 22 fire stations have secure drug boxes and safes outfitted with batteryoperated locks, accessible through the use of a contactless smart card. Access privileges are controlled from the central computer system in the main office. “We know who enters the safe, when they open and close it, so we have exact documentation of everybody who goes into and out of the safe,” says Mike Bohling, captain of the Unified Fire Authority. The i-Locker and XS4-Locker are batterypowered locks that can be installed on just about any locker, cabinet or door. They can

Salto software or software provided by a security partner, such as Honeywell or Sielox. The individual locks are not hardwired to a network but rather controlled via data and access rights held on the user’s contactless ID card. Both the lock and user access cards produce an audit trail. “All of the user rights are on the card,” Mahon says. “There is no need to update or change the access on each lock manually with a handheld device, as with other systems.” Both the i-Locker and the XS4-locker are battery powered, simplifying installation. “You can install them on a preprepped door in seven minutes,” Mahon says. “There is no hard-wiring and just two screws, so you can use it on any locker, mortis door, cylindrical door, exit device, deadbolt or on glass doors.” They’re powered by three AAA batteries that last for about 60,000 openings, which is usually two to three years of standard use, Mahon explains. When the batteries are low, the locker sends a signal to the network alerting the operator that it’s time to change them. The technology is attractive to a wide range of industries. Compared to key or combination locks, contactless smart locks have audit trail capability. “And you don’t have to worry about lost keys,” Mahon said. “Replacing lost master keys can cost thousands up to hundreds of thousands of dollars, depending on the size of the facility. With these, you never have to rekey

The Fire Authority now has an audit trail of everyone accessing narcotics-supply safes be used with key fobs, wristbands or smart cards containing DESfire, Mifare, HID iClass and Legic contactless technologies. They can also read smart phones outfitted NFC. “We’re compatible with just about all of the smart credentials in the world,” says Mike Mahon, senior vice president of sales at Atlanta-based Salto. This makes the product easier to integrate into a clients alreadyexisting security and credential system. Access privileges are managed from the client’s central computer system using

Fall 2012

the facility, and you can control and restrict zones 24 hours a day.” Salto locks are used in a range of industries including universities, elementary and high schools, hospitals and nursing homes. Fitness centers can better manage their locker inventory, preventing guests from using more than one and leaving other guests without, Mahon said. “It also produces an audit trail if anything were to go missing.” Other providers are also helping their clients to smart card-enable non-traditional openings. HID, in concert with Traka Plc, sells smart card accessible locker systems and key cabinets to help clients manage master keys, pharmaceuticals and computer equipment. Users of contactless technology from Legic can deploy n-tree’s Quicklox keyless entry system for lockers, which is primarily used in fitness centers. Most organizations still can’t live without keys. No matter how far industry and government move toward keyless products, the need to manage keys will remain a fact of life. To bridge the gap, many companies offer keyless locker products to hold – ironically enough -- keys. Traka Plc and HID Global recently

Replacing lost master keys can cost thousands up to hundreds of thousands of dollars. With these, you never have to rekey the facility installed a keyless system for the city of Honolulu to help manage physical key access for 44,000 employees. “They had an access control system already deployed, with badges and secure credentials and IDs already in use,” says Bill Davis, channel distribution manager for Traka plc. Employees now use the same badge that opens doors to facilities to open a key cabinet for the motor pool. Employees use

their credentials to check out vehicles via a Web-based front end. “The user can log in and reserve a car just like they would at a car rental company, and they can only reserve the types of vehicles they’re authorized to check out,” Davis says. When the user returns the keys, the system prompts him or her to record mileage, and report any vehicle malfunctions to the fleet managers. Middleware installed on the client’s network controls key access also ensures keys don’t accidentally go home with employees at the end of the day.

“All transactions are recorded to the database or access control system, so the organization has an audit trail of the keys,” Davis says. “This is a classic application for key control.” Creative solutions like control of nontraditional openings can help organizations meet business needs and increase the return on investment for contactless systems. The increased convenience, security and flexibility offered by these electronic lockers, safes and cabinets make life easier for both facility managers and employees.

Fall 2012

Is FIPS 201-2 future proof? New government ID spec Adds mobile use, expands contactless, biometrics

The latest draft of FIPS 201-2 has been much anticipated. The first revision was released in March 2011 and was met with groans as it also received more than 1,200 submitted public comments. Some 15-months later another draft has been released by the National Institute of Standards and Technology, and this version is seeing a much more positive reaction. Additions include both improvements to the contactless interface and the use of mobile devices as credentials. There are, however, lingering questions as special publications need to be written to detail how the new credentials and infrastructure will work. “These are good revisions that will move us into the next five to 10 years of functionality,” says Neville Pattinson, senior vice president for government sales at Gemalto. The emphasis on the new draft is on strong authentication, says Rick Uhrig, manager of identity and access management at XTec. Visual inspection of the

Fall 2012

are changes that will bind the holder to the credential. Iris is an option that issuing agencies can choose to add to the card, Uhrig says. But, he adds, it’s likely to be mandatory in five years when FIPS 201-3 is developed. “There’s nothing in FIPS 201-2 that wasn’t optional in FIPS 201-1,” he explains. This is a trend that has been seen between the two drafts. Previously it was mandatory to have the PIV authentication certificate and other certificates were optional. The PIV must contain PIV authentication data and Those optional certificates would card authentication data, each of which includes an now be mandatory under the new asymmetric key pair and corresponding certificates. draft. If the applicant already has a federal governcard and the cardholder unique identifier (CHUID) on the contactless portion of the card has been deprecated in favor of the new Universal Unique Identifier. “The message is that agencies need to use strong cryptography for each and

Certificate changes for FIPS 201-2

ment email address the credential will also have an asymmetric key pair and corresponding certificate for digital signatures and another for key management. Optional keys include a symmetric card authentication key for supporting physical access applications and a symmetric PIV Card Application Administration key associated with the card management system.

every transaction,” he says. Adding to that strong authentication is additional use of biometrics, says Pattinson. Enabling on card matching of fingerprints and the addition of iris

Expanded contactless Other changes have been suggested that would enable more functionality on the contactless interface, Pattinson says. The new spec states that most functions on the contact interface will also be available via contactless. The revised draft introduces the concept of a virtual contact interface, a contactless mode via which all functionality of the PIV would be accessible. “Cryptographic functions over the contactless

interface had been limited and it was missed greatly,” Pattinson adds.

Mobile PIV The add-on to the contactless interface is also opening up the use of PIV with mobile devices, Pattinson says. The concept of derived credentials has been introduced that would enable a PIV holder to spawn credentials on their mobile devices. This derived credential has the PIV presented to a mobile device manager that then assigns a sub-credential to a device using a parent/child model. The derived credential would be placed on

After the U.S. Commerce Department secretary signs the new FIPS 201-2 specification, which is expected by early 2013, agencies will have to start implementing new systems within 12 months. “It will be a challenge for the industry to respond to these needs in that timeframe,” Pattinson says. Vendors will need to produce products that are interoperable with the existing generation of cards, Pattinson says. “There are some major revision in terms of functionality and we need to worry about the installed infrastructure as well as move to the new generation,” he explains. Some of these changes will be more

These are good revisions that will move us into the next five to 10 years of functionality a secure element within the handset or tablet. Only a portion of the PIV functionality would be available with the derived credential and it’s possible that different derived credentials could be issued depending on the level of assurance necessary. Derived credentials were mentioned in NIST’s Special Publication 800-63-1 which focuses on electronic authentication. But this prior mention of derived credentials was in a generic form and not specific to PIV. Special publications will flesh out the details of how derived credentials, the virtual contact interface and other changes from the spec will work, Uhrig says. These publications will be needed so that vendors can create new products conforming to the revised spec.

difficult than others. XTec has physical access control readers in place at the U.S. State Department, Uhrig says. “What we have been able to do when the standards change in the past is upgrade the firmware,” he explains. “It’s been pretty painless.” Other changes won’t be as painless and may call for changes to the U.S. General Services Administration Approved Products List, Pattinson says. To get new products to the market in time, changes will have to be made to how products are certified. “We have to have the changes ripple down so everything is set in concrete and people can implement the next generation of cards and infrastructure,” he adds.

Changes to PIV-I? Because the PIV-I specification is built on FIPS 201, these the changes will impact these deployments as well, says Rick Uhrig, manager of identity and access management at XTec. PIV-I issuers should pay close attention to the revisions NIST puts in place, Uhrig says. The deadline for them to deploy systems and new credentials that adhere to the new standard will be the same as the one federal agencies must meet.

Significant changes in FIPS 201-2 •

A mandatory facial image added to the card

•

Additional functionality to the contactless interface including optional biometric match on card

•

Improved interoperability of the contactless interface by mandating the previously optional card authentication certificate and keys

•

Less reliance on the Cardholder Unique Identifier

•

General movement away from visual inspection to electronic authentication

Fall 2012

Report: Card market tops $17 billion, 30 billion units in 2011 The global card market reached $17 billion in 2011, jumping almost 14% from 2010, according to the 2011 International Card Manufacturers Association Global Card Market Statistics Report. Higher value chip-based cards used in mobile phones and other electronic transactions as well as expanded production in the Asia-Pacific region led market growth as more than 30 billion cards were manufactured worldwide in 2011. The report points out, however, that the global card market will experience slower growth through 2015. Traditional magnetic cards will continue to be replaced by chip cards while smart phone apps and NFC technology will impact growth of card markets beyond 2015. Other key highlights of the report include: The volume of non-technology cards – magnetic stripe cards, bar coded cards and plain cards – exceeded the number of smart cards by 36%. The dollar value, however, tipped tremendously in favor of the smaller segment as smart cards accounted for 87% of the $17 billion dollar card market. In sheer volume of cards produced, low-end Telephone Scratch-off cards led the market with 6.8 billion cards produced. Mobile phone SIM cards were second in volume with 4.6 billion units but were by far the dominant sector in terms of dollar value at $7.3 billion. While financial cards trailed only slightly behind SIM cards in terms of volume, the segment was just half the size in terms of dollar value at $3.6 billion. The gap between the volume of traditional and chip-based cards manufactured was smallest in the Asia-Pacific region (51.7% and 48.3%) and Europe (54.2% and 45.8%). Asia-Pacific leads the regions as the largest producer of cards, with more than 10 billion cards manufactured in 2011. North America was second with 8.3 billion units manufactured. Europe is in the third position with 4.9 billion units manufactured and Middle East Africa in fourth with 4.2 billion cards. Latin America stayed close to last year’s figures at 1.9 billion units manufactured.

Fall 2012

Number of cards manufactured in North america by market segment, 2011 (millions) North american Total 8.63 Billion

275

170 Access Control

ID/Memberships Unprinted Blank

490

Transportation

950

Loyalty Programs

1432

235

Retail/Gas Government/Health

750

Gift Card

860

Financial

3050

Mobile Phone Other

365

Number of cards manufactured by region, 2011 (billions) global Total 30.5 Billion 10.7 8.6

North America

Europe

4.2

Middle East and Africa

1.9

Latin America 0

Source: 2011 Global Market Statistics Report, ICMA The report is available to ICMA members. Non-members can purchase the report for $1500. Visit www.icma.com for details.

Fall 2012

Contactless ticketing catching on at festivals The Bonnaroo Music and Arts Festival sold more than 80,000 passes to the four-day event in Manchester, Tenn. Bonnaroo is different from other multi-day concert events because attendees camp out at the site. Instead of issuing tickets and scanning bar codes, Bonnaroo tickets were wristbands containing 13.56 MHz contactless chips that concertgoers used to gain access to the grounds and related venues. This was the second year Bonnaroo used the wristbands for access and this year added social media features as well, according to Chad Issaq, executive vice president for business development and partnerships at SuperFly Marketing Group, which produces the festival. Bonnaroo is just one of many music festivals and events that have started using contactless technology for ticketing, social media updates and even in some cases payments. Of the 80,000 tickets sold, some 74,000 individuals went online before the event

Fall 2012

and personalized the wristband with social media information, Issaq says. Bonnaroo enticed fans to customize by entering them for drawings to win VIP upgrades, merchandise packages, escort to the front row and other prizes.

More than 200,000 check ins were recorded using the wristbands at different stages and venues, Issaq says. Locations near each stage and venue enabled individuals to tap to automatically update Facebook status indicating that they were at a certain stage seeing a specific performer. At the end of the day the in-

dividual would have a summary of the day posted on Facebook. The concertgoers’ friends could click on the events to access the playlists of the specific artists, listen to the songs on Spotify and with receive a free 30day subscription to the streaming music service, Issaq says. Event promoters are considering expanding the wristband’s use to include a payment application for the 2013 event, Issaq says. Intellitix, the solution developer for Bonnaroo, has also supplied similar technology for other high profile events. The company helped power exclusive aftershow parties at the London 2012 Games using its suite of RFID technologies to enhance guests’ experience. Using the wristbands, an online audience of 2 million was generated as ticket holders linked their bands with Facebook to check in and post photos from the party locations. Produced by sportswear provider Adidas in collaboration with Sparklestreet, the events welcomed celebrities, VIPs, competition winners and Olympic medalists to pop-up venue “Adidas Underground” in East London.