Regarding ID Spring 2011 by AVISIAN

Spring 2011

Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

The

MOBILE AS A CREDENTIAL

Is the handset the ID of the future? • Contactless pickpocketing • INTERPOL’s converged ID • Facial recognition gets real

Deliver multi-applications without compromise Identification solutions for security, convenience, and design productivity

Systems that support multiple applications are the new reality for electronic identification. NXP is already there, building on 15 years of innovation and an unmatched understanding of applications across segments and ecosystems. Our identification solutions are designed for the future, with features that let you create multi-application systems without forcing you to compromise on security, convenience, or design productivity. NXP is an innovative leader in High Performance Mixed Signal, seamlessly uniting RF, Analog, Power and Digital Processing technologies. Our in-house processing capabilities, application insights and expertise in sub-system design will help you excel in complex, ever-changing markets. Leading solutions in High Performance Mixed Signal and Standard Products

www.nxp.com

Contents 22

Cover Story

The mobile as a credential Will the ubiquitous handset become the ID of the future?

Issuance

ID lifecycle 101: Understanding enrollment

Convergence

INTERPOL converges travel and employee IDs

Innovation

2010 SESAMES Winners

Security

Visitor management crucial to physical security

30 38 49 60

INDEX OF ADVERTISERS AOptix www.aoptix.com/iris-recognition CPI Card Group www.cpicardgroup.com CSC www.csc.com/nps CSCIP www.smartcardalliance.org Digital Identification Solutions www.dis-usa.com/Re-ID Entrust www.entrust.com Evolis www.evolis.com FIPS201.com www.fips201.com Gemalto www.gemalto.com HID Global www.hidglobal.com/ fargo-dtc-REID IEEE www.IEEEBiometricsCertification.org ISC West www.ISCWest.com/AVSIAN LaserCard www.lasercard.com NXP www.nxp.com Smart Card Alliance Conference www.smartcardalliance.org

55 39 67 57 7 3 33 45 29 68 53 61 27 2 63

19 | CALENDAR | Industry events from the identity and security worlds

23 | TECH | New technologies improve security for mobile devices

21 | VIDEOS | Interviews with leading vendors from events in the identity and security worlds

25 | MOBILE | Challenges with the mobile as an ID

22 | COVER STORY | The mobile as a credential

28 | OPINION | ID for the continuouslyconnected future

Perspective EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com CONTRIBUTING EDITORS Daniel Butler, Ryan Clary, Liset Cruz, Seamus Egan, Jill Jaracz, Gina Jordan, Autumn Giusti, Ross Mathis ART DIRECTION TEAM Darius Barnes, Ryan Kline

Where oh where is my mobile ID?

ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com

Zack Martin Editor, AVISIAN Publications

SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

I have a bad habit of forgetting my wallet when I leave the house.

ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

And I am squarely in Generation X, so I didn’t grow up with mobile phones and didn’t own a computer until I was in college. Imagine how ingrained that tie must be for the current generation of Millennials.

Copyright 2011 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.

It’s already starting to happen. Airlines are enabling boarding passes to be downloaded on to smart phones. Hotel guests are downloading room keys and bypassing the registration desk. Loyalty and payment cards are going mobile.

EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com.

The payment world is taking the first steps to get rid of the wallet, as we know it. The tougher challenge will be using the mobile device as an ID.

The folks at the gym are kind enough to let me in without my ID, but Walgreens doesn’t trust me when I tell them I’ll be back to pay in a few minutes. I’m also sure the local police department would be less than thrilled if I was pulled over for some reason. It has become a cliché that people don’t leave home without their cell phones, but I am going to take it a step further. I am not sure that I could even walk right without the weight of that phone in my pocket.

This is why it seems obvious that the handset should be the next identity document.

Near field communication will enable some of this to happen. A flurry of announcements in late 2010 and more still in early 2011, suggest that the technology is coming quickly. Google released an NFC handset and rumors are that Apple will do the same with its iPhone 5. NFC may be looking at the perfect storm. Manufacturers are putting the technology into their devices and financial industry is showing strong support for mobile payments. Bank of America has been testing a number of different NFC solutions and other U.S. financial institutions are doing the same. Banks could send out microSD cards to be used in smart phones to bridge the gap until mass handset availability.

Can you imagine getting pulled over and pulling up a driver license app on your smart phone? Launching a passport app when going through customs? Using your mobile to log on to secure computer networks and file federal taxes? Think of the money that could be saved by not issuing all those separate credentials and documents. All of this is possible … but probably a few years off. Trust issues have to be established. Security must be put in place to make sure the credential that was downloaded was not altered. Identity via the mobile will be happen. It’s not a matter of if but when. I, for one, can’t wait for the day when I forget my wallet and it no longer requires a trip back home.

Near field communication is not a catchy term and shortening it to NFC does little but confuse American football fans (á la National Football Conference). This industry has come up with some great names for products … remember the smart card? The name may be the chip card industry’s greatest marketing feat. Who can argue against using one? Nobody wants a dumb card. I admit near field communication is an apt description, but we need to bring out the marketing big guns here and come up with something better – something a little less on the nose, less academic. Visa and MasterCard with PayWave and PayPass respectively, found pretty good names for their contactless payment solutions. Now phone based transactions could use some love too.

What’s in a name? Let me know what you have. zack@avisian.com Before NFC reaches critical mass, I would like to make a suggestion: Let’s come up with a new name for it.

Do you have an idea for a topic you would like to hear discussed on an re:ID Podcast? Contact podcasts@AVISIAN.com

Episode 67: ID standard series: Vetting and proofing

Episode 68: NSTIC is not a national ID

Standards for proofing and vetting an identity vary by different jurisdictions. With many projects underway designed to offer individuals a better way to assert an identity there are also efforts to standardize how it is proofed and vetted. Dan Combs, CEO at the eCitizen Foundation and member of the Harvard Policy Group-Leadership for a Networked World, is leading the current drafting work that may lead to a U.S. standard for identity proofing and vetting. Combs details the group’s work and how it relates to other projects.

In this first in a series of podcasts discussing the National Strategy for Trusted Identities in Cyberspace (NSTIC), Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, describes the strategy and obstacles for the government and private sector.

“The process started several years ago. We have been through a variety of different work on related efforts around identity proofing and verification. Over the last year we started a drafting process. We created a consensus group of 30-40 organizations that are participating in different ways and the group is in favor of moving forward as quickly as possible.” If all goes well a standard will be published around September or October 2011. To listen, visit ContactlessNews.com/Podcasts and select “Episode 67” 8

Spring 2011

“Those who say that this administration wants a national ID card for the Internet need to look at what’s happening in the private sector and see if they would rather have them doing it with no policy framework, no privacy, no transparency, with no true user control? You have the administration coming forward and saying we want to play a leadership role to create the policy and be a relying party and not an issuing party, and immediately people jump on the administration for trying to bring some rationality to the debate.” Leaving online identity to the private sector won’t work. “There won’t be an identity. You’ll have something unregulated with very little attention to security, very little attention to privacy.” To listen, visit SecureIDNews.com/Podcasts and select “Episode 68”

Episode 69: Using knowledge-based authentication

Episode 70: Creating the ‘national strategy’

Shared secrets, such as your first pet’s name or a high school mascot, are a common way to retrieve passwords and reset accounts. With the explosion of social networking these secrets are easier for fraudsters to find. To combat these problems IDology has developed a knowledgebased authentication (KBA) solution that uses a company’s data on an individual to create custom questions. John Dancu, CEO at IDology, explains KBA and his company’s new product.

Ely Kahn was a member of the White House National Security Staff when the idea of creating a more secure identity management system for the Internet was formed. This eventually led to the National Strategy for Trusted Identities in Cyberspace (NSTIC). Kahn talks about where NSTIC came from and the process that created the strategy.

“We solve a very horizontal problem in the marketplace and that is helping all types of industries and businesses validate that when a consumer is not present, that they are who they say they are.”

“The actual name of the document changed a few times as we were developing. Initially we had decided on the National Strategy for Secure Online Transactions. There were a lot of proponents for that title because it really spoke to the end result that we were going towards.”

“We ask some specific questions relating to places you’ve lived, cars that you’ve owned, etc. The reaction today in the market is very positive to that. The reaction five, six years ago would have been this stuff is kind of creepy because people are just more attuned to the fact that their identity needs to be protected.”

“Identity management, effective identity management processes and technologies are really aimed at securing online transactions. However, we decided that the scope the title indicated was too big because there’s lots of other things that go into securing online transactions other than identity issues and online trust issues. So we decided to scope down both the title and the actual content of the strategy.”

To listen, visit DigitalIDNews.com/Podcasts and select “Episode 69”

To listen, visit DigitalIDNews.com/Podcasts and select “Episode 70” Spring 2011

ID SHORTS SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Ingersoll Rand, Gemalto partner for converged solution

Ingersoll Rand Security Technologies is partnering with Gemalto to provide advanced identification solutions to Ingersoll Rand’s Schlage customers. The agreement enables Schlage to deliver a secure, converged badge that will let users take advantage of contactless access control technology and secure contact technology from Gemalto for logical security.

CertiPath introduced the architecture and operational systems for a single credential in 2009. Credential issuers who apply at the PIVI level of assurance with CertiPath Bridge or the U.S. Federal Bridge, operated by the General Services Administration, must submit a sample credential for evaluation and testing in a real-world configuration.

CertiPath said the partnership with the government provides technical credential conformance testing for both bridges and ensures a more consistent result will be achieved.

Paired with Schlage’s multi-technology readers, the offering provides customers with a credential that enables transition away from legacy, proprietary technologies to higher security, open solutions including aptiQ smart cards from Schlage using MIFARE DESFire EV1 technology.

Once certified, applicants can sell these credentials as approved by both the U.S. Federal Bridge and the CertiPath Bridge communities. To date, the companies that have applied include Citibank, Digicert, Entrust, ORC-Widepoint, VeriSign and Verizon.

Both proximity and smart credentials are available with the Gemalto logical access technology.

Entrust PKI available in Italy

Feds, CertiPath testing PIV-I CertiPath and the U.S. government’s Public Key Infrastructure Policy Authority are testing identity access credentials for sensitive sites. The PIV-I cards enable non-executive branch federal employees, customers, partners, first responders and state and local officials to access facilities and systems to which they have explicitly been granted access. CertiPath said that in 2009 the U.S. Department of Homeland Security estimated there were 25.3 million first-responders requiring PIV-I credentials. With the proliferation of credential issuers, there is a need to ensure that these systems meet the standards required in highly sensitive environments.

Spring 2011

Entrust’s public key infrastructure technology is now available to the Italian market as a hosted service. Intesa, a certification authority and subsidiary of IBM, is offering Entrust Managed Services PKI products and capabilities. The Entrust PKI, whether deployed on customer premises or as a software-as-a-service, enables organizations to establish and maintain a trustworthy environment by providing certificates that secure many off-the-shelf applications using encryption, digital signatures and strong authentication. This PKI platform helps control access to resources, prevent theft of information and comply with privacy and digital signature regulations.

SCA: Two-factor authentication needed in health care The Smart Card Alliance is urging the Department of Health and Human Services to push organizations that provide personal health records to offer two-factor authentication so

consumers can securely access their information.

According to the industry group, strong authentication options such as smart cards, tokens or one-time password devices should be required to access electronic personal health records.

HID unveils sticker format HID Global announced the addition of a mobile sticker format to its family of contactless payment and identification cards. The stickers aim to make it easier to add closed-loop payment and loyalty systems to existing automatic fare collection or retail systems, or to augment campus identification systems with new access control capabilities. They also can be affixed to mobile phones as a bridge to coming NFC mobile payment services. Unlike other stickers, HID’s stickers include an internal ferrite layer that shields electronics from interference even when attached to items containing metal, such as mobile phones. They come in a breakout ID-1 card format and can be printed with customer information including serial numbers, activation codes and promotional artwork. HID Global offers print customization in low quantities, providing companies with an economical way to extend their brand presence. To meet existing customer environments, HID’s contactless payment and identification stickers are available with DESFire, MIFARE and iCLASS technologies.

RSA releases SecurID for Android The new RSA SecurID Software Token for Android is engineered to enable an Android powered device to be used as an RSA SecurID

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com authenticator. Using RSA’s new software development kit for the Android platform, developers can embed RSA SecurID two-factor authentication directly into Android applications. Mobile applications that directly integrate RSA SecurID technology provide organizations with the assurance that their resources are protected from unauthorized access without any usability impact to the end user. The development kit is available free of charge for all RSA Secured partners. The SecurID Software Token for Android is engineered to generate a one-time password that changes every 60 seconds, enabling secure access to corporate resources. It can be installed directly onto Android enabled devices at no cost via a simple download from Android Market.

Chinese university expands LEGIC’s campus card solution Tianjin Polytechnic University (TJPU) is partnering with Switzerland’s LEGIC Identsystems to expand its contactless ID sys-

PhoneFactor adds support for ISO payment standard PhoneFactor announced support for ISO 8583, the standard protocol that financial institutions use to process credit and debit card transactions. Both MasterCard and Visa base their authorization communications on the ISO 8583 standard as do most Automated Teller Machines. By adding PhoneFactor to the transaction path using the ISO 8583 protocol, card issuers can authenticate transactions with a phone call or text message. When a protected transaction is initiated, PhoneFactor places an automated phone call or sends a text message to the cardholder asking them to verify the transaction details. The user simply answers the call and presses #, enters a PIN or replies to the text message to approve the transaction. PhoneFactor uses the cardholder’s existing phone so it can enable the service for large numbers of geographically diverse customers easily and cost-effectively.

tem. TJPU has been using LEGIC’s technology to manage payments and access control on its campus, but the new agreement enables the School of Computer Science and Software Engineering to upgrade more than 3,000 POS terminals to LEGIC advant technology as well as develop new terminals and access control readers for the entire campus. Zhenkai Wan, president of Academy of Computer Science and Software Engineering at TJPU, comments: “Year after year, we issue more than 5,000 new campus cards. Thanks to the flexible expandability of the LEGIC smart card platform we can now enhance our identification system independently and adapt it to future demands.”

D.C.’s Metro looks for a new open fare payment system The Washington Metropolitan Area Transit Authority (WMATA) is accepting proposals to replace its SmarTrip fare system. The Metro, which provides rapid transit services to Washington D.C. and its suburbs, is looking for an open fare system that uses “contactless, chip-enabled debit and credit cards, federal ID cards, or smart phones equipped with NFC capability, as well as existing SmarTrip cards,” reports tbd.com.

According to Metro spokeswoman Angela Gates, the new system is intended to offer additional forms of payment, but it will not end usage of the 1.8 million SmarTrip cards already in circulation.

Grants bring biometric widentification to Ohio police The Washington County Sheriff’s Office in Ohio has deployed new fingerprint-based biometric devices to better identify persons of interest who officers are otherwise unable to identify. A mobile device and desktop model are expected to be particularly useful when someone in custody uses a false name or is unable to communicate with the officer. According to a Marietta Times article, all police departments and prisons in Ohio are receiving the new technology through a grant from the Ohio Attorney General’s Office. In total, outfitting departments across the state cost $720,000. Beyond better access to their own records, the biometric devices connect to and access the Ohio Bureau of Identification and Investigation Automated Fingerprint Identification System and the FBI’s sex offender, known and suspected terrorist, persons of special interest and wants and warrants lists.

Lumidigm technology secures campus recreation facilities Lumidigm is providing fingerprint-imaging technology to secure the recreation facilities at Free Amsterdam University, a European college with roughly 8,000 staff and students. The school employed the new biometric solution to eliminate card pass-backs, a process that enables unauthorized people to gain access to the recreations facilities. The administration expects to break even on the system costs within 3 to 5 years.

Spring 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com The solution is provided by biometric integrator EasySecure and includes four desk systems for enrollment and seven biometric access control gates at the facility.

point of sale. The sticker allows customers to buy 12 HUMO magazines for the price of 10. Flair readers will be able to register online to earn loyalty points every time they use the sticker to purchase a magazine.

Starbucks launches nationwide mobile payment service

According to destinationcrm.com, the pilot involves about 700 HUMO and Flair customers, who can buy the magazines at seven stores equipped with contactless readers in Antwerp, Belgium. Customers can also pay for other items at the stores using the stickers.

Starbucks is rolling out a new mobile payment service that allows customers to load credit onto their smart phones for in-store payments. iPhone, iPod Touch and Blackberry users in the U.S. can download the Starbucks Mobile app and enter their Starbucks Card number. Then they can load value to their phone from debit accounts, credit cards or Paypal. At the register, the customer selects the “Touch to Pay” option, prompting the phone to produce a bar code that the barista scans to complete the purchase. While the new system does not use NFC, it could lay the groundwork for NFC’s arrival, says FoneHome.co.uk. The rollout will involve nearly 6,800 Starbucks stores in the U.S.

Belgian publisher pilots contactless payment and loyalty for magazine readers Alcatel-Lucent has launched a contactless payment and loyalty points program with Sanoma Magazines to help the Belgiumbased publisher gain insight into the buying habits of its non-subscription customers. In the pilot, customers use prepaid NFC stickers affixed to their mobile phones to buy Sanoma’s ‘HUMO’ and ‘Flair’ magazines by holding the mobile phone to a reader at the

Spring 2011

Alcatel-Lucent supplied the contactless technology for the pilot, as well as the payment vouchers and loyalty points program.

Australian bar collects biometrics at the door The Coogee Bay Hotel bar in Australia is among a growing number of pubs in the country scanning fingerprints and taking digital photographs of its customers in an effort to keep individuals out who have been known to incite fights or exhibit other bad behavior. But many feel that such systems violate privacy. While some are calling for the bars to stop using such technology, others such as the Biometrics Institute of Australia are calling for changes to the country’s Privacy Act to include privacy impact assessments and audits for such systems. Even without alterations to the privacy act, some of the bars may already be in breach. The biometric system provider ID Tect shares a list of troublemakers with all its users, an practice that is illegal under the privacy act without making the individual in question aware first.

While some fear that such an unregulated system could be open to attack by hackers looking to steal biometric data, the system does not store any actual fingerprints. Instead templates, mathematical representation of prints, are kept in the database for just 28 days.

Precise releases product line aimed at banking sector Precise Biometrics released a series of fingerprint readers designed to meet specific needs of enterprise clients. The name of the group of new offerings is Precise Sense. It includes six different variations of the fingerprint reader to offer solutions with different functionality and cost so a customer can find a perfect match. Options include smart card readers and swipe or touch authentication.

Nuance launches new biometric offerings Nuance Communications released new versions of its VocalPassword and FreeSpeech voice biometric solutions. The products are designed for use as security and work flow solutions in industries such as banking, telecom service, health care and law enforcement. Both VocalPassword and FreeSpeech are solutions that Nuance brought into its collection of product offerings when it acquired voice biometric technology developer PerSay in 2010. Both solutions offer the ability to authenticate individuals over the phone by their unique voiceprint. VocalPassword performs the authentication in an automated setting while FreeSpeech works in the background of conversations.

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Ontario casinos look to facial recognition The Ontario Lottery and Gaming Corporation (OLG), a group that controls 27 gambling facilities in Ontario, Canada, is installing facial recognition surveillance technology in all of its establishments. Unlike most surveillance technology in casinos, however, these systems are not designed for security purposes, but rather to help identify and remove problem gamblers before they are able to gamble. In an effort to keep the new systems as far from privacy invasion as possible, if a visitor’s face does not match one on file, the image is discarded. According to an article in The Star, those in the system are self-enrolled.

Scientists discover new technology or facial recognition Scientists, Xin Guan and Hanqi Zhuang, from Florida Atlantic University in Boca Raton developed a computer algorithm that analyzes two-dimensional pictures of faces and renders the face as a three-dimensional picture. The technology looks at the viewing angle and lighting in a regular image to pull out the necessary data to recreate the image as a three-dimensional model. Guan and Zhuang believe their new algorithm could be a huge leg up for facial recognition systems used in identity management, information security and homeland security programs, according to a Sify News article. While they have focused on the technology’s capability to reduce false negatives in facial recognition systems and used in conjunction with surveillance to better identify and search for missing persons, non-security alternatives have been discussed such as the

ability to render deceased actors with computer graphics to insert them into modern works.

eral identity and security programs. He then spent three years with Washington Research Group as the firm’s identity and cybersecurity market analyst.

SecuGen and Lucky partner for biometric solution for schools

Most recently, Jeremy served as Chief Development Officer for ASI Government (formerly Acquisition Solutions), a consulting firm that helps government agencies improve results through the application of better acquisition, organizational and program management practices. Grant is also former co-chair of the Identity Management Committee at TechAmerica.

SecuGen announced a technology and marketing partnership with access control developer Lucky Technology to develop biometric access solutions for North American schools. The solution integrates Lucky’s iGuard Access Control device and SecuGen’s SDA03M fingerprint module. It is ideal, the companies say, for schools because the system is capable of locking down specific areas or all doors in the case of any incidents requiring the lock down of the school while still allowing total access to preregistered first-respondents such as police or paramedics.

NIST appoints NSTIC senior advisor The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) announced that Jeremy Grant is joining the team as a senior executive advisor. Grant will manage the establishment of a National Program Office for the National Strategy for Trusted Identities in Cyberspace (NSTIC). Grant comes to NIST with a diverse background and understanding of identity and cybersecurity issues, having served in a range of leadership positions spanning government and industry. He began his career as a legislative aide in the U.S. Senate, where he drafted the legislation that laid the groundwork for the Department of Defense and GSA smart card and PKI efforts. Grant then joined the Intelligent Technologies Division at MAXIMUS, a government services firm, where he led the division’s Security and Identity Management practice and played a major role in a number of major fed-

Department of State adopts RFID for weapons tracking The U.S. Department of State’s Bureau of Diplomatic Security has deployed an RFID weapons tracking solution by ODIN to track a variety of weapons in and out of a key armory. ODIN’s EasyArms is an RFID hardware and software solution that automatically logs weapons and users into and out of the armory without the need for manual recording. In addition, it alerts the users and other interested parties if a weapon moves in an unauthorized manner or with an unauthorized individual and sends movement data to a centralized database. Part of ODIN’s Intelligent Asset Management solution, EasyArms improves the accuracy and speed of weapon logging and enhances asset security. In addition, the system does away with conventional paper-based weapon logs that can be inaccurate and easily lost.

Australian agency plans for more facial biometrics The Australian Department of Foreign Affairs and Trade sees an increasing role for facial Spring 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com recognition technology in the country’s biometric programs, according to a TechWorld article. The department is forming a panel to provide specialized biometric technology assistance to government entities already using the technology such as the Australian Passport Office. The announcement of the creation of the biometric panel follows other announcements of biometric program expansion in the country including the Department of Immigration and Citizenship’s extension of biometric data collection to include all onshore visa applicants and the Sydney Airport’s expanded use of facial recognition in its SmartGates and biometric security check point kiosks.

NXP launches Android app NXP Semiconductors has launched its new NXP Android application, enabling engineers to search, buy and share information on more than 10,000 products from NXP’s portfolio. With the free app, engineers can browse and search NXP’s product database by product function, application area and part numbers to get product specifications, product datasheets, application notes and packaging information. The app connects customers to NXP’s global distribution partners to complete purchases within minutes. Engineers are also able to share product information with peers via email or social media channels like Facebook or Twitter. Additionally, the “My Favorite” function allows engineers to keep track of products they are interested in for future reference. The app runs on all Android smart phones and tablets supported by Android 1.6, 2.1, 2.2 and 2.3. 14

Spring 2011

Lumidigm, i-Evo partner Lumidigm announced that i-Evo is using the company’s multispectral imaging sensors to produce a line of fingerprint readers that can be used indoors and outdoors in harsh environments that render most biometric readers inoperable. The i-Evo team has kept the design of the biometric fingerprint readers simple, resulting in small units that require minimal training, are easy to install and are inexpensive. Lumidigm multispectral fingerprint sensors capture fingerprint data beneath the surface of the skin so that dryness or even damaged or worn fingers are reliably read. Using multiple wavelengths of light and advanced polarization techniques to extract unique fingerprint characteristics from both the surface and subsurface of the skin, Lumidigm’s sensors provide results that are more consistent, more inclusive and more tamper resistant than conventional biometric readers. i-Evo biometric readers are employed by a variety of customers including schools, corporations and hospital.

IATA proposes new low-risk biometric checkpoint The International Air Transport Association (IATA), an airline trade group, has proposed a new type of security checkpoint that would speed up waiting times for low-risk travelers.

ers” where they would be subject to quicker minimal inspections by agents. Travelers for whom less information is known present a larger security risk. They would be diverted to the other tunnels. Fingerprint biometrics would be used to verify travelers’ identities prior to entering the security checkpoint, according to the USAToday. The system the IATA is hoping for is very similar to the U.S. Customs and Border Protection’s Global Entry program. Global Entry allows individual who have submitted biometric information to bypass standard security and instead use automated kiosks. The IATA proposal is currently under review by the IATA’s North American division.

Fingerprint Cards releases new sensor for mobile devices Fingerprint Cards has developed a new miniature and p owe r - e f fe c t i ve fingerprint-sensing device for use with mobile phones, laptops, smart cards and USB keys. In addition to its small footprint and low power consumption, the company touts the new technology’s ability to utilize finger navigation and its 508 DPI resolution.

Facebook uses face recognition in photo tagging upgrades

The proposal involves sets of three tunnels or enclosed pathways that include sensors, x-ray machines, cameras and other standard airport security equipment. Travelers would be assigned to a specific tunnel based on their risk level.

In an effort to improve the act of tagging pictures users upload to their profiles on Facebook, the company has integrated facial recognition that will remember past tags and suggest tags for pictures rather than forcing users to manually attach names to faces for each picture they upload.

In the scenario the IATA drew out, one of the tunnels would be reserved for “known travel-

In an effort to address privacy concerns with the new feature, Facebook allows users to

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com disallow their own face being tagged automatically. All other aspects such as manually tagging and detagging pictures will remain as they were with the change being mostly aimed at those importing large numbers of pictures at once. The new face-recognition tagging feature is expected to be available to U.S. users this spring.

Victorinox releases new biometric multi-tool Victorinox, maker of the Swiss Army series of pocketknives and multi-tools, has developed a new multi-tool that includes a 32GB biometrically secured flash drive. In addition to the flash drive, tucked into the usual red tool are the blades and scissors that are a standard in Victorinox’s offerings. According to an article from The Gadgeteer, it also includes a Bluetooth remote control for computers and a laser pointer. The tool, called the Swiss Army Presentation Master Knife, is available on Amazon for $234.

Biometric security solutions coming to Android Mobile application developer, BluePlanet Apps, is developing a biometric security application for the Android mobile operating system. Officials from the developer presented their new app, called BioLock, at the Apps World Conference where representatives from Samsung, who have expressed interest in having the app on their phones, were present. BioLock operates via face recognition, iris recognition or password input to secure the phone or specific apps on the phone. The face recognition feature utilizes blink and pu-

pil dilatation detection to prohibit someone from using a picture of the phone’s owner to gain access to sensitive areas. The company plans to release versions for Windows Phone 7 and the Apple mobile OS as well.

According to MBNA, the number of retailers supporting contactless technology is rapidly increasing in the UK, and the number of issued contactless cards has reached ten million. This figure is expected to hit 25 million by 2012 as more card issuers adopt the technology.

Javelin report points to increased acceptance of biometrics

Current contactless retailers in the UK include Subway, Pret a Manger, Cafe Nero, Clinton Cards, Boots, Spar, National Trust gift shops and Little Chef restaurants.

A new report released by Javelin Strategy and Research reveals that while American consumers still prefer challenge questions or other knowledge-based authentication methods for their online banking, the use of biometrics is gaining support.

Citi card gives rewards with the push of a button

Biometric authentication for online banking is closing in on challenge questions, according to Information Week, as 64% see questions as effective and 58% believe biometrics to be effective. Robert Vamosi, the report’s author, believes this is because of the rising familiarity with biometrics due to more consumers using the technologies at work.

MBNA switching 6 million customers to contactless by 2012 MBNA, the UK’s largest credit card provider, is kicking off its initiative to move its 6 million customers to contactless cards by January 2012. MBNA says it will start by issuing a contactless credit card each time a new or replacement card request is made by a customer. Ian O’Doherty, Europe Card executive for Bank of America, operator of the MBNA brand, comments: “With this two-year rollout of new and replacement contactless enabled cards we are reinforcing our support for the evolution of contactless technology in the UK.”

Citibank is adding a new rewards credit card to its smart card pilot, according to bankrate.com, giving customers the option to redeem reward points with the push of a button at the time of checkout. The Citi ThankYou Prestige 2G Card features two buttons on the front. One reads “Regular Credit” for making purchases just as you normally would. A second button marked “Request Rewards” redeems rewards points or cash rewards, and applies them to your purchase. Each time a button is pressed, the card is activated and a corresponding light will turn on to confirm the option selected. The Citi ThankYou Prestige 2G pilot card will be launched later this year. Each 2G credit card will come with a battery, an embedded chip, a card-programmable magnetic stripe as well as the two buttons on the front of the card allowing you to choose between paying with credit or applying rewards cash or points toward the purchase. Using technology from Dynamics Inc., the 2G cards are the same size and shape as other credit cards, but feature an electronic magnetic stripe that programs itself with the corresponding data once you select a payment option. Spring 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

EK Ekcessories releases new FIPS 201 cardholder EK Ekcessories launched its new Patriot Card Holder for federal employee credentials. The cardholder has been designed to keep government issued Common Access Cards or other FIPS 201 cards safe from unauthorized data skimming. The Patriot Card holder features a durable impact resistant construction and can hold two cards that slide in and out easily but lock tightly to prevent loss. The Patriot cardholder connects to all EK safety breakaway lanyards and retails for $21.99.

LaserCard introduces new smart card platform LaserCard introduced its new Smart Card ID platform designed to complement the company’s optical security media offering or to be used in standalone mode in contact, contactless or dual interface chip configurations. The integrated Smart Card ID platform is designed to help partners improve the efficiency and reduce the complexity of delivering sophisticated secure ID projects. It is designed to meet the requirements for compliance with the most exacting international standards across a range of smart card applications including government ID, driver license, health care and more. The platform leverages LaserCard’s experience in delivering multi-technology, multifunctional secure ID programs for high-profile clients including the U.S. Permanent Resident Card, the Italian National Police Force ID Card and the Kingdom of Saudi Arabia National ID Card.

Spring 2011

DESKO taps HID Global for biometric passport system HID Global’s RFID reader module was chosen by German airline security provider DESKO for its Personal Identification Mini Dock (PIMD) identity-checking system.

The Lobby Track visitor management system accommodates the fast registration of visitors through a driver license scan and a watch list check. A custom visitor badge is automatically printed, the visitor’s host is notified, and a log of each visit is recorded.

Jointly developed with Panasonic, the “3in-1” system is designed for border-control, policing and other security applications. It includes a DESKO-designed optical character recognition (OCR) unit and a fingerprint scanner, both connected to Panasonic’s Toughbook CF-U1 ultra-mobile PC device.

Through this new integration, access cards may be distributed to specific visitors through a simple card number entry during the registration process. The visitor’s information and access group are automatically sent to the Brivo access system, so front-desk receptionists or security personnel aren’t required to log into the access control system to assign credentials.

Featuring data transfer rates of 848kbps, HID’s PIMD RFID reader module is designed for reading biometric passports or ID cards and other RF documents that require support for MIFARE Type A/B protocols.

The integrated product will be distributed by Jolly and the company’s network of dealers. Brivo ACS WebService is sold through Brivo’s own authorized resellers.

According to HID, PIMD supports both BAC and EAC standards, and also complies with International Civil Aviation Organization (ICAO) 9303, International Standardization Organization (ISO) 14443 and ISO 15693 standards, and follows German Federal Ministry for Security in the Information Technology (BSI) specifications for biometric passport reading.

Jolly, Brivo integrate systems Jolly Technologies and Brivo Systems announced that Brivo’s ACS WebService Software as a Service access control solution has been integrated with Jolly’s Lobby Track visitor management software. The integration will enable customers to issue access control credentials directly from the Lobby Track visitor management system and assign credentials to visitors, contractors and employees. The implementation requires only the entry of the customer’s Brivo account name and password into the Lobby Track system.

GSA approves two new DIS card printers for FIPS 201 Digital Identification Solutions received notification from the U.S. General Services Administration that its two recent submissions to the FIPS 201 product list have been approved.  The company’s EDIsecure XID 8300 Retransfer ID Card Printer and its EDIsecure DCP 360+ Direct ID Card Printer have been added to the Approved Products List. The EDIsecure XID 590ie Retransfer Printer was approved in August 2006. Digital Identification Solutions and its reseller partners now can offer three FIPS 201 certified solutions to federal departments, integrators and contractors to create secure interoperable cards for employees.

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Oman taps HJP for e-passport help Royal Oman Police, in its role as passport issuing authority for the Sultanate of Oman, awarded a consulting contract for the new Omani e-passport project to HJP Consulting. This is HJP’s fourth electronic ID consultancy contract in the Middle East region.

The iDL500 is a multi-modal, mobile computer that offers a complete set of features – including QWERTY keyboard, contact card, contactless card, barcode, optical fingerprint, and optional magnetic swipe and MRZ readers with a digital camera, GPS, and comprehensive communications capabilities such as 3G GSM and WiFi.

HJP will support Royal Oman Police in the planning, procurement and implementation of the new Omani e-passport project.

SCM unveils converged ID product

The company will develop a set of requirement specifications that will lead to an international public tender process inviting bidders to submit proposals. HJP will support the Royal Oman Police during the evaluation of bids and will also help during the ramp up phase of the implementation project.

MaxID announces additional sales MaxID has announced the sale of the MaxIDentity Suite and the iDL500 multi-modal handheld TWIC readers to the Delaware River Port Authority, The Port Shreveport-Bossier, Virginia International Terminals Inc. and Citgo Petroleum Corp. The MaxIDentity Suite contains a series of ready-to-use applications to read PIV, PIV-I, TWIC, CAC, FiXS, and FRAC smart cards as well as passports, e-passports, Seafarer ID cards, and driver’s licenses. The product can be purchased using the Software-As-A-Service model, so organizations can pay a low monthly fee for the application suite as an alternative to purchasing outright. The suite is available on the MaxID line of multi-modal portable devices including the iDL500, iDL502, and iDL520 today. The MaxIDentity Suite was jointly developed by MaxID Corp based in Fairfax, Virginia and MultiModal ID, LLC based in Falls Church, Virginia.

SCM Microsystems has introduced ConCERTO, a solution that enables the addition of logical access security to existing physical access systems. The new solution combines SCM’s new ConCERTO LOGON Manager, the company’s SCL series contactless card readers, and the widely used MIFARE DESFire EV1 platform from NXP Semiconductors to enable a single credential to be used both for building access and PC/network logon. The ConCERTO LOGON Manager and SCM hardware work together with the data structure on the MIFARE DESFire EV1 platform to enable employees to use one identification card to physically access the building and log on to the company’s network. Based on Microsoft Windows, ConCERTO LOGON manages the enrollment and logon process for users, including writing privileges onto the cards when they are issued and saving data onto Windows or the company’s network systems for subsequent lookup and verification. Consequently, the physical presence of an employee can be verified before enabling access to the company’s network. ConCERTO LOGON keeps each logon transaction protected using AES-128 encryption, which is the preferred method of the National Institute of Security and Technology for encrypting contactless communications.

The ConCERTO solution can be installed onto existing networks without other changes to the infrastructure. The solution’s use of ISO 14443 compliant technology and open standards and specifications means that enterprise clients will be able to leverage the reuse of smart cards or key fobs, from SCM and other physical access vendors embracing open standards. ConCERTO LOGON Manager is available now in both desktop and mobile offerings.

L-1 debuts long-lasting smart card L-1 Identity Solutions has announced the release of its new ExianSmart, a contactless identification card designed to last 15 years. According to L-1, the ExianSmart lasts fiveyears longer than the industry standard 10year smart card lifespan, and is intended for international electronic documents such as driver licenses, national and voter identification cards and biometric-based entitlement cards. L-1 also claims that recent tests show that the new card offers greater flexibility over standard polycarbonate eID documents. Using industry standard ANSI INCITS 322 testing for determining card durability, L-1 lab tests found that when the two card types were bent repeatedly at a 7% angle, the polycarbonate cards failed 28% faster than ExianSmart. When the two card types were bent repeatedly at a 25% angle, polycarbonate cards failed 95% faster than ExianSmart, according to L-1.

INSIDE Contactless changes name to INSIDE Secure INSIDE Contactless has changed its name to INSIDE Secure to better reflect its business strategy after the acquisition of Atmel Corporation’s Secure Microcontroller Solutions. According to INSIDE, the new name represents the company’s 100%-focus on secure semiconductors for transactions and digital identity. Spring 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com INSIDE Secure’s portfolio of secure semiconductors serve mobile phones, passports and ID cards, payment cards, set top boxes, transit fare collection systems, physical access control systems and other embedded security applications.

Australia man dumps the key ring for RFID A man in Perth, Australia placed an RFID implant in his right hand to give him keyless entry to his home and automobiles. Joe Wooller, a 28-year old father of two, had a passive RFID chip surgically implanted in June of this year, reports The Sydney Morning Herald. “The goal was really just to get rid of keys and to try to minimize the amount of clutter one would have in their pockets,” he said. With just a swipe of his hand, Mr. Wooller can open the doors to his house, his car and even start his motorcycle. “Just being able to jump on it and go for a ride (without keys) is pretty good,” he said. He does however still need a key to take the fuel cap off his motorcycle.

This per share price represents a premium of approximately 38% over the closing price of LaserCard shares on Dec. 17 and a premium of 42% over the 20-day average of closing prices. LaserCard will become part of ASSA ABLOY’s HID Global business with LaserCard’s secure identity products, solutions and services complementing HID Global’s identity solution offering. Imperial Capital LLC acted as exclusive financial adviser to LaserCard. O’Melveny & Myers LLP acted as counsel to LaserCard.

Visa program encourages EMV as path toward dynamic authentication In an effort to encourage dynamic data authentication through merchant deployment of EMV-compatible chip terminals, Visa announced a new Payment Card Industry Data Security Standard (PCI DSS) compliance program. Under the program, Visa will eliminate merchant’s requirement to validate their compliance with the PCI DSS for any year in which at least 75% of their Visa transactions originate from chip-enabled terminals.

ASSA ABLOY buys LaserCard for $80 million

“EMV chip is a proven technology platform that can offer the industry the ability to facilitate dynamic data as well as enable payment innovations,” said Jim McCarthy, global head of product, Visa Inc. “In addition, merchant adoption of dual interface contact/ contactless terminals will support the emergence of near field communication (NFC) payment form factors, including mobile devices.”

LaserCard entered into a definitive agreement to be acquired by ASSA ABLOY AB at a price of $6.25 per share through a cash tender offer. The total transaction value is approximately $80 million.

To qualify for the program, terminals must be enabled for contact or dual contact and contactless interface chip acceptance. All merchants outside of the United States are eligible and may begin qualifying for the new program from March 31, 2011. As long as they have not been involved in a recent material breach of cardholder data, international merchants can qualify for the program

The process of getting the chip implanted was said to be fairly simple. A doctor administered a local anesthetic and the procedure was performed while Wooller watched.

Spring 2011

if they have either previously validated PCI DSS compliance or provided a plan to come into compliance. Merchants that do not meet the program’s EMV terminalization requirements, including merchants whose transaction volume is primarily from eCommerce and MO/TO acceptance channels, are still required to validate their PCI DSS compliance annually in accordance with Visa compliance programs.

Blackboard: Momentum building for contactless on campus Since its announced launch less than a year ago, more than 50 institutions have adopted the Blackboard and Sony Electronics contactless FeliCa-powered platform developed specifically for U.S. higher education institutions. Students at these 50 schools use contactless ID cards to access secure buildings, pay for books, meals and laundry and even attend campus events, all at faster speeds than with traditional identification technologies. Florida State University in Tallahassee recently issued nearly 50,000 new contactless campus ID cards to students, faculty and staff and has deployed hundreds of new contactless readers. Tulane University, New Orleans, the University of Texas at Tyler, and Georgia’s Mercer University are among the other institutions to go contactless.

Group pushes for biometrics with E-Verify The U.S. Government Accountability Office (GAO) released a report detailing the need for additional verification measures in E-Verify, the federal program for employee eligibility to combat fraud.

CALENDAR

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com The report specifies that the E-Verify program is vulnerable to fraud. Employers can help ineligible employees be passed off as legal citizens and an illegal citizen can use false documents to pass as legal. The GAO’s primary recommendation for curbing the fraud in the E-Verify system doesn’t include the introduction of biometrics despite recommendations by the Security Industry Association. However, the GAO does acknowledge the benefit of a biometrics providing a verifiable link between documents and identity.

McDonald’s plans massive contactless rollout in UK McDonald’s has confirmed the rollout of contactless payment technology in all 1,200 of its UK restaurants. The fast-food giant is introducing special contactless readers that will allow customers to pay for orders of £15 or less with contactless credit or debit cards. According to The Mirror, the £1.5million initiative is set for launch this summer.

N.Y. health care provider to deploy patient smart cards

2011 APRIL 2011

SEPTEMBER 2011 (continued)

8th Annual World Health Care Congress April 4 – 6, 2011 Gaylord Hotel & Convention Center Washington, DC

ASIS Intl Seminar and Exhibits September 12-15, 2011 Orlando, FL

ISC West April 5 – 8, 2011 Sands Expo and Convention Center Las Vegas, NV RFID Journal LIVE! April 12 – 14, 2011 Orange County Convention Center Orlando, Florida 18th Annual NACCU Conference April 17 – 20, 2011 Baltimore, MD

2011 Biometric Consortium Conference and Technology Expo September 27 – 29, 2011 Tampa Convention Center Tampa, Florida

OCTOBER 2011 CTIA Enterprise and Applications October 11 – 13, 2011 San Diego Convention Center San Diego, CA

NOVEMBER 2011 MAY 2011

LifeMed ID and the Wyckoff Heights Medical Center in New York City plan to issue smart cards to more than 110,000 patients to help enhance continuity of care throughout the New York City area.

Smart Card Alliance Annual Conference May 2 – 5, 2011 Hyatt Regency – McCormick Place Chicago, IL

These smart cards will serve to protect patient identities and health care records, provide secure authentication for access to medical information and contain portable patient data that can be securely accessed in an emergency by authorized first responders and health care providers.

SEPTEMBER 2011 7th Symposium and Exhibition on ICAO MRTDs, Biometrics and Security September 12 – 15, 2011 ICAO Headquarters Montréal, Canada

Smart Cards in Government Conference November 1 – 4, 2011 Washington D.C. ISC Solutions (formerly ISC East) November 3 – 4, 2011 Jacob Javits Convention Center New York City, New York CARTES & IDentification November 15 – 17, 2011 Paris – Nord Villepinte Exhibition Center Paris, France

Spring 2011

ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com The system also provides paperless check-in and patient registration to reduce wait times. The patient simply presents their smart card, enters an optional PIN or biometric identifier, and is instantly signed in throughout the entire organization. The LifeMed ID system provides secure patient identity management, meets dual authentication requirements for HIPAA privacy best practices compliance, and provides ongoing connectivity to the patients’ medical records, ensuring accuracy and helping to avoid expensive administrative errors.

Animetrics releases iPhone, Android face-recognition apps Animetrics, developer of three-dimensional face recognition solutions, announced the release of two new smart phone applications that use facial recognition for access. The first, called FaceR CredentialME, is available on Apple’s App Store for the iPhone and the second, called FaceR CredentialME AppLock, is available on Google’s Android Market. While both offerings authenticate an individual’s identity via face recognition and have the option to add a password onto the biometric authentication for an additional layer of security, the Android offering enables a user to specify the app to secure on the phone. Additionally, both options are powered by Animetrics’ 2D-3D FACEngine Facial Recognition Technology and are offered to other app developers to be integrated into their own authentication methods.

CARTES coming to North America in 2012 The team of CARTES & IDentification and CARTES in ASIA has announced the launch of 20

Spring 2011

a new event: CARTES in North America, which will take place from March 5 to March 7, 2012, in Las Vegas. CARTES in North America is intended to aid companies and organizations in the smart card, digital security and smart technologies sector develop their business in the large and dynamic North American market. CARTES in North America will be an event encompassing a trade show and conferences covering digital security and smart technologies for the North American market. For its first edition in March 2012, CARTES in North America will bring together international exhibitors to present technologies in card manufacturing, payment solutions, identification and authentication solutions, mobility and digital security.

Replacement for IAFIS reaches initial operating capability A replacement for the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) has been completed and has reached operating capability by its developer Lockheed Martin. The new solution, called the Next Generation Identification System (NGI), provides the same capabilities as IAFIS as far as automated fingerprint search capabilities, image storage and sharing of fingerprints with other federal agencies and state and local law enforcement departments. But it will also be capable of more effective and accurate matching and collecting of fingerprints. While FBI officials are quick to point out that the IAFIS was an effective tool in fighting crime and terrorism for the agency, it has been in use since 1999 and is in need of advancements to stay as effective. Beyond simply providing the framework and software for storing and searching fingerprints, the NGI program is also expected to provide Advanced Technology Workstations to the FBI’s fingerprint examiner staff which

will give examiners access to larger screens, higher resolution and better color for viewing better details of the fingerprints.

Missouri university uses CBORD, HID for first one-card program Missouri Southern State University in Joplin has implemented its new campus-wide, onecard program utilizing the CBORD Group’s CS Gold that will power door access, dining purchases, snack/beverage vending, printing, bookstore purchases, health center charges, recreation center privileges and other transactions across campus. Previously, the school’s magnetic stripe ID card was used only for identification and dining purchases. With the implementation of CS Gold, the school opted for contactless HID iCLASS credentials, improving security and convenience with its tap and go functionality. “We saw this as a chance to invest in emerging technologies which we expect to become even more pervasive in the coming years,” said Jeff Gibson, the university’s director of budgeting and operations. “We looked at multiple vendors, and we were most comfortable with the line of CBORD products available to us. Particularly after deciding to move forward with HID Global’s iCLASS technology, we felt CBORD could best meet our needs.” “Yesterday’s student IDs that were used just to enter a campus building or earn a discount now function as integrated cards for security and commerce,” said Mark Doi, director of education market strategies for HID Global. “HID is pleased to see our iCLASS smart card technology optimized as a single-credential solution that improves cost efficiencies for the university while simplifying campus life for students.” “CS Gold’s campus card management software, combined with the added security and convenience of iCLASS credentials, creates a campus solution that is a sound investment now and into the future,” said Cindy McCall, CBORD’s vice president of marketing.

SecureIDNews.com/VIDEOS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

Direct-to-card printer adds dual-sided lam, security

Digital Identification Solutions’ new EDIsecure DCP 360+ Direct Card Printer, adds dual-sided lamination, explains Jonathan Bowen, product marketing manager. “More of the market, is wanting to laminate the backside of the card to protect it against abrasion, dye migration and wear and tear.”

Aware provides the ‘building blocks’ for biometric systems

Aware provides customers with solutions that work well with partners, said David Benini, senior director of marketing for Aware. “Aware provides discreet image and data processing building blocks that customers can use to fill holes in their solution or use build a solution.”

WCC: It’s all in the algorithm

WCC Smart Search & Match is in the algorithm business, says Tarvinder Sembhi, vice president of sales for WCC. “We have multiple biometrics plus biographical systems that can scale to a national or even international basis.”

HP Assured Identity provides PIV IdMS

The Assured Identity Plus solution is an end-to-end suite of services that builds on our PIV card deployments, says Ellen Hamlin, program manager at HP. It adds logical and physical access and integrates it with identity management so you can manage the central resources in one place.”

NXP ships 25 million SmartMX chips to Feds

NXP is seeing strong demand for its secure contactless smart card chips, says James Sheire, manager of government programs at NXP. “We have now shipped more than 25 million SmartMX high-security chips for a variety of applications in U.S. government.”

AOptix builds on previous model

AOptix has a new iris camera aimed at the customs and immigration market, says Phil Tusa, vice president of biometrics at AOptix. Future devices likely include handhelds for law enforcement and a wall-mounted system for shorter-range access control applications.

Making secure cards primary focus for CPI Card Group

Keeping cards secured against fraud is a constant battle, says Benoit Guez, director of smart cards and new technologies for CPI Card Group. “You have a lot of new features that are coming in to make the card construction more difficult (to counterfeit).”

3D photos as a security feature

MorphoTrak’s 3D photo enables the portrait on the document to look like a 3D image. “Now you can verify that this card has a security feature that is valid, but you can also connect it to the owner of the document,” says Brett Tally, identity solutions for MorphoTrak. Spring 2011

The

MOBILE AS A CREDENTIAL

Will the ubiquitous handset become the ID of the future? Zack Martin Editor, AVISIAN Publications

Spring 2011

From the bag phone, to the brick phone to the flip phone, the mobile phone has evolved quite a bit in the last 25 years. The overarching trend had been toward smaller and smaller devices, but this preoccupation with size seems to have reached a plateau. The focus now is squarely on adding capabilities. For many using the mobile device as a phone has become secondary to e-mail and Internet-enabled applications. Individuals will walk out of their homes without keys or a wallet, but seldom will they leave without their phone. “The mobile phone is closely bound to you,” says Steve Dispenza, CTO and co-founder at PhoneFactor. “At the end of the day the phone is a good solution to a difficult problem … because of the variety of attacks, you can’t trust the Internet.” New smart phones have the processing capabilities of computers, and they going to play a significant role as an identification token as identity applications evolve, experts says. Airlines already enable travelers to download boarding passes to smart phones. Hotels enable guests with to download room keys and bypass the front desk. Corporate users generate one-time passcodes on handsets to gain access to computer networks and authorize transactions. But this is just the beginning. While it’s not likely that we’ll see passports and driver license credentials on mobile phones anytime soon, many believe it’s not an if but a when. There are complex issues to resolve – such as issuance, interoperability and trust – but the technology is, or will be, capable. Near field communication, which only seemed like a dream in North America months ago, is on the verge with virtually every mobile carrier, handset manufacturer and payment processor announcing plans for 2011. Handsets equipped with NFC chips could readily be used for physical or logical access tokens with the addition of some software. But could existing smart phones without NFC be used in place of smart cards to secure access to Web sites and computer networks? There are only a handful of computers shipping with embedded contactless smart card

readers, but Bluetooth is another option to tether PCs and devices, and there is the ubiquitous USB port that could be used to connect the mobile phone to a computer. The U.S. Department of Defense is looking at the potential use of mobile phones in place of its Common Access Card, Defense Department officials told Re:ID in the Fall 2010 issue. Sources also say that the federal government’s Interagency Advisory Board is evaluating how mobile devices could be used in place of government employees’ PIV credentials.

New technologies improve security for mobile devices Using the mobile device as an identity token may seem like a no brainer, but there are some concerns about how the device itself is secured. PINs and pattern-based systems are common on many devices but they are typically optional. If the device is going to be used for more high-security applications additional access control measures need to be put in place. When one-time passcode generators are deployed for use on smart phones, an additional PIN is often required to gain access to the application, says Alan Goode, director at the UK-based consultancy Goode Intelligence. But this depends on the particular deployment.

Other technologies could be used to secure the mobile, Goode says. Location-based technology using the GPS in smart phones could be used to detect fraudulent activity. If, for example, someone is trying to login to an individual’s account from a PC in New York while the individual’s smart phone is in Chicago, the system could flag the session for likely fraud and deny the transaction. “We’ll see more technology change and adapt for the unique characteristics of the mobile phone,” Goode says.

There are a number of options for securing the mobile device, Goode says, including biometrics. Virtually all mobile phones come equipped with a camera that could be used for facial or iris recognition. Some handset manufacturers are also equipping mobile phones with fingerprint swipe sensors for access to the device and specific applications, Goode says. “It’s working for the military and law enforcement but whether it’ll work for the enterprise will depend on how fallible the technology is,” he says.

Spring 2011

Smartphones half of handsets shipped by 2012

As efforts to secure online identities increase (See Schmidt, page 40) the government and private sector will be looking at a variety of solutions for consumers. With mobile phones at the saturation point, many think the form factor will be tapped for online identity. Despite all the positive progress, mobile devices aren’t without issues. There are numerous platforms and operating systems to support, and the possibility for new categories of viruses and malware looms large.

With a plethora of apps, their large screens, built-in cameras and plenty of processing power – more than 50% of U.S. handset shipments will be smartphones by 2012, according to research firm In-Stat. Globally, shipments are projected to reach 850 million units by 2015.

Two-factor authentication already happening For many using the mobile phone for an extra level of authentication may seem futuristic, but it’s already here for some. The use of one-time passcodes with mobile devices is commonplace. Smart phone owners can download an app to generate the codes while other providers send codes via text messages.

By December 2010, U.S. smartphone adoption had surged to 27% penetration, according to comScore. There was rapid adoption of Google Android devices, making Google the second largest operating system by the end of the year.

RSA, Gemalto, Anakam and PhoneFactor are among the companies already offering these solutions. “There’s quite a lot of uptake because most or all phones support text messages,” says Alan Goode, director at the UK-based consultancy Goode Intelligence.

RIM still held its top spot with 31.6% market share, although this was a drop from the previous year. Nearly a photo finish, Google came in at 28.7%, followed by Apple’s flat 25%, and Microsoft with 8.4%.

The one-time passcodes provide an extra authentication factor for login to Web sites or to verify transactions, Goode says. In the past the passcodes had been generated by fobs that individuals would keep on their key rings. Migrating this function to mobile devices gives users one less thing to carry and removes the organization’s role in hardware token management.

When looking exclusively at the smartphone market, AT&T held a solid lead with 38.3% market share, compared to Verizon’s 26.7%. However, comScore added that AT&T saw its smartphone share decline 6% points since December 2009 while Verizon climbed 3.5% points during the period.

2010 U.S. Smartphone Penetration (actual)

PhoneFactor offers two and three factor authentication via the mobile, says Dispenza. The majority of interest for the product has come from the financial services sector in order to secure and verify identities and transactions.

2012 U.S. Smartphone Penetration (projected)

2010 U.S. Smartphone OS Market Share (actual) 3.7% 2.5%

27%

8.4%

50%

31.6% 50%

73%

25%

28.7% Smartphone

Non-Smartphone

Source: comScore MobiLens, 3 month avgerage ending Dec. 2010

Spring 2011

RIM Google Apple Microsoft Palm Symbian

Source: comScore MobiLens, 3 month avgerage ending Dec. 2010

PhoneFactor doesn’t require a user to install any software or even have a smart phone, Dispenza says. The system can work in a couple of different ways. For verification, after a user enters a user name and password to login to a site the system will call that individual’s phone and require a PIN before access is granted. The system can also be used to verify transactions. If transferring money between accounts the system will call and request a PIN before the funds are moved. “Even if someone steals your user name and password they won’t have your phone,” Dispenza says. Anakam offers a similar solution that takes advantage of the text capabilities of mobile phones, says Dr. Bill Braithwaite, chief medical officer at Anakam. The company’s basic service sends a text message with a passcode to the user’s mobile phone after they enter a user name and password on a site. But users wanted options beyond the text message, Braithwaite says. Anakam responded with a product that calls the phone and reads a passcode to the user and another option that requires voice biometric authentication before the passcode is provided. Some one-time passcode systems have been vulnerable to man-in-the-middle attacks, says Jim Zok, director of identity services at CSC. There is an array of these attacks but they all have the same basic premise – a hacker eavesdrops on an individual’s Web activity and changes information or forges a Web site to gain access. PKI on the phone Security experts say that these attacks can be thwarted using PKI. There’s some debate in the identity industry whether or not PKI is capable on existing mobile devices while others say it’s already being done.

Challenges with the mobile as an ID While some see the mobile phone as the next generation credential, others have concerns about using the device for identification. With different standards for approving smart phone applications it is unclear whether some may be vulnerable to attacks. Critics say progress needs to be made to secure the apps and platforms before the devices are used to enable additional secure transactions. Since companies don’t always supply mobile devices to employees, it’s hard to control them, unlike a company-issued laptop. “Smart phones are disruptive to IT environments,” says Sam Curry, CTO, global marketing at RSA. “How do you secure it? And how do you use it for security?” Part of the problem is the rate of innovation. With new software and new technology constantly released, it’s hard for organizations to keep up, Curry says. RSA has one-time passcode generators for smart phones and has a text message program that supplies the codes as well, but otherwise the company isn’t focusing on use of the mobile as an identity credential. RSA has certificate authorities but Curry says nobody has approached them about using digital certificates on the mobile device. “People have talked about putting the pieces together but I don’t know if there’s any commercially-viable offerings out there,” he says. Digital certificates have a high level of trust and are difficult to hack. But, they are expensive, Curry says. Instead of focusing on using the mobile as a credential RSA is looking at how to secure the end user environment, Curry says. “We’re working on the premise that the device itself is compromised,” he says. “How do you give a person a more secure environment? Also how do you monitor the user’s behavior so you can tell when someone is doing something unusual?” Curry says the notion of an online credential is interesting but there’s a lot that needs to happen to make it a reality. “It’s the double critical mass problem,” he says. “Everyone would like to have a cheap, easy to use credential but what’s needed behind the scenes is a critical mass of people who have that credential and a critical mass of those to accept the credential.”

Jean Louis Carrara, vice president of business development for the North American Telecommunications Business Unit at Gemalto, says that PKI is already being done on the mobile device in Turkey. “We have seen PKI in some countries for signing transactions,” he says. “The transactions are signed by the SIM.” Spring 2011

SIM cards are smart card chips that are used by mobile carriers to secure handsets and authenticate to mobile networks. To keep costs low, SIM chips often do not include the high-end cryptographic capabilities that would be necessary to perform PKI functions. But Gemalto is seeing interest in use of the SIM card to digitally sign transactions, Carrara says. The application in Turkey is used by the government’s customs office to allow Turkish citizens to sign their customs declaration with their phone. The PKI application is on the SIM card and is similar to a one-time passcode, Carrara says. Turkish banks are also considering the app as another authentication level for transactions. “The beauty of the cell phone is you can have applications in the SIM that are designed to be used for the authentication of the user,” Carrara says. Mobile carriers want to start monetizing the SIM card, he adds. Companies and organizations could pay to place an application on the SIM or it is possible even a user would pay for a compelling function.

While the technology exists for PKI-based identification with the mobile phone, it isn’t widely deployed. “The future is now, it exists, it’s just not well distributed,” says Jean Louis Carrara, vice president of business development for the North American Telecommunications Business Unit at Gemalto.

Spring 2011

Gemalto is working on a project where a PKI application is stored on the SIM to secure access to online resources via a smart phone, Carrara explains, “(to) use the smart phone’s resources to authenticate to the laptop.” Carrara admits that while the technology exists for PKI-based identification with the mobile phone, it isn’t widely deployed. “The future is now, it exists, it’s just not well distributed,” he says. CSC’s Zok says he’s spoken with device manufacturers and expects to see smart phones with all the capabilities of smart cards in the first half of 2011. Others say the technology for PKI authentication via the mobile devices isn’t ready yet. “The majority of SIM cards don’t have the capability,” says Goode. “You need to have cryptographic capability on the smart card.” PKI may not be the answer for identification with the mobile device, Goode says. “The issue with PKI in general is it’s costly and difficult to manage,” he adds. SIM cards also have limited memory and processing capabilities and it will be tough for the carriers to give up that space, Goode says. He believes the better alternative for

mobile-based authentication is to use a microSD card because the carrier isn’t involved in its issuance. However, using a microSD leads to the same problem as issuing tokens or smart cards as they require issuance and management functions. NFC an option? 2011 is shaping up to be a big year for NFC, and it’s possible that the technology could be used in identity applications, says Goode. Though largely touted as a tool to replace payment that use contactless systems, there’s no reason NFC handsets couldn’t be used where a converged credential infrastructure is in place. The credential could be provisioned over the air and enrollment would have to be done just once, Goode says. The chickenand-egg challenge is that few laptops and PCs are equipped with contactless readers today. Proliferation of NFC handsets, however, could change that situation. Until enabled computers are readily available, the NFC device could be used for physical access to facilities while the phone could be used for logical access via another connection, possibly WiFi or Bluetooth, says Gemalto’s Carrara. But, Carrara says, payments will be the first NFC application and identity will come later. “Payments is something we do everyday,” he adds. “Showing a driver license is something we do less so it will take longer to integrate.” He predicts that within two to four years use of the handset for payments and identity will be common. 2011 will be a transition time for mobile phones and what consumers do with them, says Goode. “The mobile is here to stay,” Goode says. “For identity and authentication we’re in that transition period, replacing what we do with smart cards and tokens … there will be some major changes in how we do authentication in the future.”

Secure ID programs are complex. Choosing the right partner doesn’t have to be.

LaserCard’s customized secure credential solutions have been trusted for decades by major governments and enterprises around the world. Find out why customers and partners look to LaserCard for secure, counterfeit-resistant credentials and solid ID solutions, implemented on time and on budget. ÊÊ Professional services and consulting to optimize Secure ID

program implementation and performance ÊÊ Innovative credential design and manufacturing services ÊÊ Advanced credential technologies incorporating leading physical,

visual and digital security ÊÊ ISO 9001 certified: secure credential manufacturing plants

in USA and Germany

w w w. l a s e r c a r d . c o m

ID for the continuously-connected future The world of information is undergoing convulsions on a tectonic scale. There is a growing expectation for access to all information and communications from anywhere and at any time. But, on the way to this continuously-connected information future the technological and societal forces are not yet fully aligned. Progress along the path awaits answers to some difficult security questions. How can the user conveniently assert identity and privileges across communication channels with an appropriate level of assurance and reasonable expectations for privacy? At the heart of the issue is the question of identity credentials. What do they look like and how do they work?

USB tokens, smart phones and electronic identity documents. These form-factors can more readily satisfy privacy and assurance requirements. But it is not possible to use a single walletstyle credential across a broad range of platforms. There just isn’t a common way – at least not yet – of interfacing the credential to all the necessary platform types.

One limitation of wallet-style credentials is that they can make it difficult to recover from a loss or damage. In this situation the user is faced with repeating the enrollment process from scratch, which is likely to cause frustration. Other … a credential must be approaches exist, such as an emergency cloud-based accepted on the Web, on back-up or duplicate credenthe move, over the phone tial.

and in person. It must

Credentials come in In order to fully open the door unlock devices, networks, many form-factors and to the continuously-connectapplications and doors. today the needs of varied information future, a creous information platdential must be accepted on forms result in having the Web, on the move, over too many credentials – passwords, passports, the phone and in person. It must unlock delicenses, access badges, payment cards, loyalvices, networks, applications and doors. ty cards and keys to the house, car and office. And, maybe most surprisingly, it must be fun While there are dangers in having a single to use. While that may be asking too much, it credential that we use across all platforms, we certainly must not be frustrating to use. Othcurrently have to deal with too many. erwise, users will continue to look for ways to avoid using it properly. Solutions are available to improve convenience but too often convenience must be There can be no single answer to the quesbought at the price of privacy and assurance. tion of an acceptable credential type for the And, privacy and assurance raise issues of licontinuously-connected information future. ability that can only be overcome with a suitIn addition to the platform interface differable business model. One popular solution is to host credentials “in the cloud.” This approach helps ensure that the associated identity attributes are accurate, up to date, consistent and available. While cloud-based solutions are capable of closing the convenience gap, there are currently no cloud-based business models that can satisfy the privacy and assurance needs. The alternative to cloud-based solutions is a wallet-style credential, including smart cards, 28

Spring 2011

ences, cultural and generational diversity make support for different credential types essential. The smart phone form-factor is attractive from several points of view; it has a keyboard, a display and an internal source of power. And its hardware cost is “sunk” by its primary use. But smart phones are still cost-prohibitive for many users and any multipurpose platform, like a smart phone, has the potential to be less secure than its dedicated counterpart. The smart card form-factor is also attractive – because as long as its carried in the user’s wallet – it does not represent an additional item that the user is required carry. It does lack a direct user-interface and usually has no internal source of power. But these limitations can be overcome. In addition, the hardware cost has to be borne entirely by its use as an identity credential. The future of identity credentials is becoming clear. Governments can play a key role in bringing about the continuously-connected information future. And while governments may be reluctant to get involved in what might otherwise be viewed as a commercial issue, they are in the best position to overcome the assurance, privacy and liability issues – thereby eliminating the obstacles to the emergence of suitable business models. Their involvement is essential in order to ensure the online safety of their citizens and to further stimulate the online economy.

Tim Moses is senior director of advanced security at Entrust. Moses has worked in the field of information security – both in product design and consulting – for the past twenty years. He has also been involved in the development of standards for electronic passports and his current research includes enhancing the credibility of SSL and riskbased authentication frameworks.

A world leader

in digital identity

CMY

IIIIII From DLs, to EDLs, to SDLs, Gemalto has the solution you need Gemalto is the world leader in digital security solutions specializing in the creation and deployment of identity and travel documents, including driver licenses. Gemalto has a robust offer to meet your driving license needs: • • • •

Enrollment Photo Capture Smart Driver License (SDL) Central and Local Issuance

www.gemalto.com

• • • •

Highly Durable Cards Signature Capture Enhanced Security Features eGovernment Services

State

DRIVER’S LICENSE Iss 04/21/2010

Exp 04/21/2015 DLN 555-444555 SAMPLE, JAMES 1234 MAIN STREET ANYTOWN, ST 12345 Date of Birth 11/15/1989 Sex Hgt Wgt Eyes M 5’ 10” 165lb Brown Class D Restrictions None DD AA99A99999

ID lifecycle 101: Understanding enrollment Part of a series on credential issuance and management Autumn C. Giusti Contributing Editor, AVISIAN Publications There was a time when enrolling in an ID system involved keying in some data, gluing a photo to a card and laminating it all together.

for Mountain View, Calif.-based LaserCard Corp. “Secure and tamperproof enrollment is key to the creation of a trustworthy secure ID system,” he says.

So much for your father’s ID badge. Ensuring accuracy Today, most enrollment systems are digital and new technologies are making the process more mobile, efficient and able to incorporate a multiple ID technologies. But amid the advances, enrollment remains the critical first step in the lifecycle of an ID system. “It’s your one chance to ensure you’ve completely validated this person’s information so now you can begin to establish that trust for the future,” says Steve Purdy, business development director for government affairs at Gemalto. The primary goal of enrollment is to ensure that there is only one identity for each individual, and that there is no opportunity for fraud or duplication during the enrollment process, says Robert Smith, general manager

Enrollment in and of itself requires a multistep process to ensure the quality and accuracy of the applicant’s data from the start. “As the (ID) lifecycle goes on, you’ll be looking at securing the credential itself to make sure no fraudulent activity has altered the ID in any way,” says Purdy, who works closely with driver license, airport security and passports for North America. A breeder document such as a passport, driver license, birth certificate or some other primary form of identification is needed to initiate enrollment. Depending on the type of ID being produced, the process might call for two or more of these documents. Some enrollment systems have software that will scan the breeder document to ensure it is

authentic. Others check breeder documents using external sources and databases to ensure legitimacy. Once a person establishes who they say they are, the next step is to capture the applicant’s demographic information such as address, date of birth, full name and phone number. In the past that meant manually entering information but modern digital systems have automated this process. “The sophistication of enrollment has really grown in the last 10plus years, so everything is all in one process,” Purdy says. He stresses, however, that while the digital age has brought about mobile and remote systems capable of capturing a person’s information, doing so face-to-face remains an effective way to verify documents. In addition to capturing demographic data, today’s enrollment systems often incorporate a camera to capture the applicant’s facial im-

Angola’s Mobile Enrollment & Issuance Truck “Because of the widely dispersed and rural nature of the majority of the population, the enrollment and issuance process relies on mobile data capture and card issuance units.” Robert Smith, LaserCard 30

Spring 2011

age and a signature capture pad to add an electronic signature to the record. “Depending on the program, you could also have biometrics – fingerprints, iris scans – and all of that gets tied to your ID as a way to verify your identity in the future,” Purdy says. Data quality is key Beyond just capturing the applicant’s data, it is essential to ensure its quality. Text, images and biometrics stored on the credential are only effective if they are accurate and usable for comparison in the field. In recent years, standards have been issued governing the quality of data captured for ID documents. This has long been true for passports, Purdy says, but driver licenses and federal ID programs are also following suit. Standards set forth by the International Civil Aviation Organization (ICAO) ensure the quality of an image, and the International Organization for Standardization (ISO) specifies proper lighting requirements. Such standards are designed to facilitate use in the field and to prevent an individual from obtaining multiple IDs with the same facial image but different name and demographic data. “There is a battery of tests that validate whether someone has their mouth closed or eyes open (and) that they have a standard background,” Purdy says. At the final stage of the enrollment process, an applicant often undergoes background checks and a unique applicant check to prevent duplicate identities. Until recently, these key steps were the exception – employed only in the most secure of enrollment environments. Today, however, more and more issuers are incorporating external watchlist-style checks to identify problem applicants as well as internal biometric searches to identify alreadyenrolled individuals before an ID in another name is issued. It is also crucial to protect against insider fraud in the enrollment process. “During every stage of enrollment, checks and doublechecks must be conducted to ensure that systems operatives are accountable and traceable,” Smith says.

Mobile enrollment helps West African country secure elections New technologies have allowed the enrollment process to go mobile in recent years. Case in point is Gemalto’s Coesys enrollment system, which the West African Republic of Benin selected to manage the secure biometric registration of voters for its presidential and legislative elections. The Coesys solution comes in multiple forms, including a desktop enrollment station for driver license and passport offices, a mobile option and an automated kiosk version.

time. “From what I understand, the government feels confident that they’re going to meet their target for the March elections,” Purdy says. Angola’s national ID goes mobile LaserCard also relied on mobile enrollment in providing Angola’s national ID card. In 2009, LaserCard delivered a decentralized card personalization system that was integrated with the country’s national database. “Because of the widely dispersed and rural nature of the

Benin chose Coesys’ mobile enrollment system that comes equipped with a laptop, camera, fingerprint scanner and signature pad. The entire system fits into a suitcase and is ruggedized for use in remote environments. The system is selfcontained and requires no external power or connectivity. Having a mobile enrollment system was of particular importance to Benin because of its lack of infrastructure in certain areas. Gemalto supplied the republic with 3,215 mobile units. “They’ll be able to register the vast majority of the population in months as opposed to years,” Purdy says. Benin has been holding Gemalto’s Coesys enrollment system is used by the Republic multi-party elections since of Benin to manage the secure biometric registration of voters. 1991, but hey didn’t have a sound database of registered voters. “The government basically said, majority of the population, the enrollment ‘We want to ensure that in the next election and issuance process relies on mobile data we have a valid, trustworthy system.’ Adding capture and card issuance units, in addition biometrics and going through this process to approximately 50 urban facilities,” Smith now gives them a database with a high desays. gree of confidence,” Purdy says. Data is securely uploaded in batches once Benin has enrolled about 80% of the repubthe mobile units return to a city data center lic’s population since it began the process in or sent back to a center via a real-time secure September. Purdy estimates 6 million people data transmission. The mobile units also issue will be registered in the system by election the finished credential in the outlying areas. Spring 2011

To obtain a new card, each cardholder must provide a fingerprint, which is matched against biometric data on the card. “Although the program is currently at a relatively early stage of issuance, this has already prevented a number of attempts at fraud,” Smith says. Enrollment evolves As credentials evolve, so too must enrollment systems. Enrollment processes are adapting to meet the growing trend of integrating multiple technologies on a single credential. Technologies such as integrated circuit chips, contactless chips and optical security media are being offered to provide more security and functionality, Smith says. “Enrollment systems therefore must mirror the complexity of the card design, capturing a variety of data from fingerprints, facial images and iris scans to unique ID numbers which will be stored in different media,” explains Smith, “to enable not only authentication but also access to systems ranging from health care to vehicle tax records.” Such is the case with the Kingdom of Saudi Arabia’s national ID card that combines a con-

Spring 2011

tact chip and optical security media. The chip enables storage of demographic data and fingerprint biometrics. It also incorporates a PIN application for online access to e-government programs enabling citizens to pay taxes and perform online transactions, Smith says. The optical security feature stores a high-resolution color photo of the cardholder, along with personal data, fingerprint images and a fingerprint biometric for automatic identity verification. In the case of Saudi Arabia, the enrollment system developed by LaserCard had to capture all the necessary data and prep it for encoding on the various ID media. The future of enrollment will certainly require continued flexibility and change. Already we see enrollment trending more toward self-service. That means more kiosks and online enrollment systems are becoming available so applicants don’t have to spend as much time in front of a staff member. Many systems are being designed to encourage pre-enrollment for certain data thus limiting the time required for actual face-to-face interaction.

There’s also a growing demand for verification in the enrollment process. “The importance of enrollment is growing because the government wants to establish more of a trust with the citizen. Validating someone’s identity up front in the enrollment process is becoming more and more critical as we add more virtual services,” Purdy says. Multi-modal portable biometrics will likely be the norm in secure ID documents. “The credential itself will store facial, finger and potentially iris scan data, providing a higher level of security and flexibility, making counterfeiting significantly more difficult,” Smith says. But as issuers strive to make fraud more difficult and documents more secure, the demands on the front end of the ID lifecycle process – the enrollment process – will continue to increase. Only with consistent improvements in both the processes and the equipment can we ensure that future ID documents will be able to meet future needs.

What do the Cannes Film

Festival and the Paris Metro have in common? Evolis card printers: their choice for ID card personalization For the past 5 years, the Cannes International Film Festival has relied on the Evolis solutions to manage and deliver accreditation and security badges. Over the last 10 years, Evolis has also provided the Paris Metro transportation network with card printers to personalize on-site contactless transportation cards called Navigo. The largest organizations confidently choose Evolis to manage their advanced and secure identification needs. Simply because the Evolis solutions are innovative, user-friendly, reliable and cost-efficient. To learn more, call us today at 954.777.9262 or visit us www.evolis.com.

CARIPASS: Multi-national border crossing for the Caribbean As the growing volume of international travel has demanded greater attention from border control authorities, governments and their immigration ministries face many decisions on how to design programs that process travelers more efficiently – without sacrificing security. The current system, in which customs and/or immigration officials manually process passengers at borders, calls for significant resources and infrastructure and is generally time consuming for passengers and border authorities. Passengers may be interviewed or examined, and their baggage and travel documentation is inspected. Public opinion is that this current system of processing travelers tends to be cumbersome and inefficient, and it further supports the growing need to accurately identify travelers in a more cost effective, efficient manner for security and border control purposes. New technologies, however, are enabling border security officials to address this problem, and some promising new systems are being implemented that may prove suitable for broader applications. One such model in the works has its roots in the 2007 Cricket World Cup (CWC). For that event, the participating host nations in the Caribbean Community (CARICOM) used

The CARIPASS process: • Image card and extract data. • Verify card is valid and holder is not on watchlist(s). • Capture facial image and using facial recognition compare live face to stored facial image. • Capture fingerprint and compare to extracted template from 2 D barcode • Print receipt • Gate opens

Spring 2011

a novel border security program to handle the high volume of travel between Barbados, Jamaica, Trinidad and Tobago and the other host countries. Consulates of the participating nations implemented a number of technologies and protocols to enhance visa security and issuance efficiency during the event and nearly 50,000 machine-readable visas were issued in the months leading up to the tournament. The security infrastructure put in place included an Advance Passenger Information System (APIS) for all in-bound and out-bound flights, a Joint Regional Communications Center, Regional Intelligence Fusion Center and a regional watch list, in addition to the machine-readable visa issuance system. This system eased congestion at the participating consulates and kept air travelers moving through the temporarily established Single Domestic Space (SDS) with minimal border crossing formalities. The evolution of CARIPASS Following the successful use of these systems during the cricket event, CARICOM began discussions about how to continue using the existing infrastructure for travel between the countries, and to expand its availability to additional CARICOM states. The result of these discussions came to fruition with the introduction of CARIPASS, a travel card program that provides secure, simple border crossings for citizens and legal residents of 10 CARICOM nations: Antigua and Barbuda, Barbados, Dominica, Grenada, Guyana, Jamaica, Saint Lucia, St. Kitts and Nevis, St. Vincent and the Grenadines, and Trinidad and Tobago. The region is in the process of deploying a multilateral border crossing program. And with the introduction of CARIPASS, participating governments aim to enhance regional security and support expedited travel throughout the member states.

To participate in the voluntary program, eligible travelers must preenroll and have a facial image and two fingerprint images captured. After successfully passing the security vetting stage and paying a nonrefundable processing fee, users are then issued a CARIPASS card with a 2D barcode, valid for either one or three years, which they can use to pass through self-service border crossing gates. At the gates, connected to the system’s user database, two biometric checks are conducted. Fingerprints captured at the time of passage are compared to the fingerprint templates stored on the card’s 2D barcode. Additionally, a photo taken at the gate is compared via facial recognition to the card holder’s image stored in the system database. If matched, the gates open allowing the traveler to pass through. The gate prints a receipt for the traveler to document his or her valid entry. Users may then proceed directly to baggage and customs halls. Aligning to design an ideal solution The CARIPASS system was designed by 3M Security Systems following CARICOM’s use of 3M’s Identity Document Issuance Systems for the Cricket World Cup. The CARIPASS program builds on those existing tools and uses several new technologies that 3M sourced and integrated in response to CARICOM’s needs. After gaining a thorough understanding of the nature of travel between the participating countries and CARICOM’s goals in expediting this traffic, 3M security experts were able to introduce a

Spring 2011

CARIPASS participants: • Antigua & Barbuda • Barbados • Dominica • Grenada • Guyana • Jamaica • St. Kitts & Nevis • St. Lucia • St. Vincent & the Grenadines • Trinidad & Tobago

complete solution, integrating the necessary peripherals and software to make CARIPASS a reality. One of the system’s most important components is the new electronic immigration gate, the 3M Autogate Solution. The technologically sophisticated design of the Autogate enables the rapid identification and external verification of travelers, with links to local and central database systems. Autogates automate the border clearance process, allowing CARICOM to focus its immigration resources on higher risk travelers, while low-risk travelers (CARIPASS holders) benefit from quick and convenient self-processing. In addition to the conventional Autogates, handheld “portable Autogates” are also being used at several smaller airports within the system. These devices connect to the same databases as the traditional Autogate but are designed for use in facilities with less available space. Border officials are able to read travelers’ CARIPASS cards through the machine and issue a receipt from a belt-mounted printer, enabling quick passage even in remote facilities. The concept of a self-service border control lane may initially raise concerns about security and oversight, however, CARICOM’s system is designed to thwart breach attempts

Spring 2011

during both the document issuance and border crossing steps. First, by only providing the CARIPASS to pre-screened, authorized citizens and residents, CARICOM controls the issuance process and has the ability to vet travelers in advance, helping to assure that only low-risk travelers receive access to the gates. Additionally, the Autogate incorporates several features to help ensure security while travelers pass through. The gates use an optical turnstile technology with multiple beams in the optical detection array, and a tailgate detection technology senses if a traveler is being followed through the gate. Furthermore, the barriers close as soon as a traveler has cleared the path, helping to ensure that only the verified passenger is allowed to pass through. Perhaps the most significant benefit to border control authorities is that by streaming travelers according to risk – and processing known, pre-screened travelers using selfservice gates – valuable human resources are freed up for other tasks such as processing higher risk and unknown travelers.

The future of border control Using systems similar to CARICOM’s, many other border control authorities stand to benefit. The enhancements brought about by CARIPASS are significant for the governments and travelers. Border control authorities can better manage increasing passenger numbers, even during peak periods, and can achieve enhanced border security without additional pressure on space and infrastructure. Travelers between the participating countries – even those not participating in CARIPASS – can enjoy enhanced efficiency and service, because the program diverts some passengers to Autogate processing. The multilateral cooperation of CARICOM states has enabled the implementation of a unique system, which can serve as a model for other governments and border control authorities. While each border is different, CARICOM’s program demonstrates that the technologies and expertise are available to customize solutions for individual applications, helping to ensure that other nations can achieve enhanced efficiency.

Steven Grant is business development manager for 3M’s security systems division. Grant has been with 3M for more than ten years working on projects related to passports and other identity documents, border management and biometrics. Grant spent several years as 3M’s delegate to the Simplifying Passenger Travel Interest Group, an organization managed by IATA.

NFC on the cusp in U.S.?

Partnerships, new handsets may signal a change in the payments landscape Ross Mathis Contributing Editor, AVISIAN Publications The mobile phone isn’t just for making phone calls anymore. In fact, voice is falling behind text messaging and e-mailing for many. And new functions such as mobile payment and near field communication applications are quickly entering the picture in the U.S. Some of the world’s leading handset manufacturers – including Samsung, Research in Motion and HTC – have all made it very clear that they plan to introduce NFC into their phones, turning them into mobile payment devices. HTC CEO Peter Chou says that the Taiwanbased company will introduce LTE smart phones and tablets featuring NFC chips for contactless mobile payments this year. Research in Motion recently unveiled two new BlackBerry phones, also set to release later this year, that support NFC. It’s not just the manufacturers who are getting involved. The technology has grabbed the attention of companies like Google, whose CEO Eric Schmidt announced that Android 2.3 operating system called “Gingerbread,” would support NFC mobile payments. Google then launched the Samsung Nexus S, the first Android phone supporting NFC. Equipped with NXP Semiconductor’s PN544 NFC chip, the phone is able to communicate wirelessly with nearby passive and low-power devices. The Nexus S has its NFC chip configured to read-only, enabling users to scan tags and access associated data on their phone. However, NXP expects full NFC functionality, beyond the current read-only mode, to become available in the next full Android release. To improve its support for NFC in Android phones, Google acquired mobile payment startup Zetawire at the close of 2010. Shortly before the acquisition, Toronto-based Zetawire was awarded a U.S. patent for an end-to-end mobile payments platform allowing users to pay for goods with a smart phone at the point of sale.

Enter ISIS Three of the largest U.S. wireless carriers – AT&T Mobility, T-Mobile USA and Verizon Wireless – announced a joint venture in November 2010 to bring a national mobile payments network to U.S. consumers. The stated timeline for the project included a launch within the next 18 months. Dubbed ISIS, the initial focus will be on building a mobile payment network that uses mobile phones and NFC technology for point-of-sale purchases. ISIS is working with Discover Financial Services’ payment network to develop the payment infrastructure. Barclaycard US, part of Barclays PLC, is expected to be the first issuer on the network, offering different mobile payment products. Formerly with GE Capital, Michael Abbott has been named as CEO of ISIS. “Our mobile commerce network, through relationships with merchants, will provide an enhanced, more convenient, more personalized shopping experience for consumers,” says Abbott. “While mobile payments will be at the core of our offering, it is only the start.”

He says ISIS will create a mobile wallet that can be used for payments, reward cards, coupons, tickets and transit passes. To make a purchase users simply tap their phones to pay, no cards or coupons needed. Users can customize their preferences to receive offers and savings that are meaningful to them and track their spending by viewing recent transactions and balances. “We have been working with manufacturers and feel confident that we can bring the devices across a wide array of mobile devices and operating systems,” says Jaymee Johnson, a spokesperson for ISIS and senior manager new business development at T-Mobile USA Inc. Neither the type of handsets nor the NFC form – embedded, stickers, microSD cards – was announced. California-based market research group iSuppli predicts an “explosive” growth for NFC technology over the next few years, stating that the worldwide shipment of 52.6 million NFC-equipped phones in 2010 will quadruple to 220 million units in 2014. This means that 13.1% of all phones shipped in 2014 will feature NFC, up from just 4.1% in 2010. Spring 2011

INTERPOL converges travel and employee IDs Combined passport and smart card credential empowers globetrotting police Autumn C. Giusti Contributing Editor, AVISIAN Publications When you’re chasing down international criminals, the last thing you need is a passport inspection slowing you down at the border. That’s the idea behind the new travel documents issued to officers of the International Criminal Police Organization, or INTERPOL. With the new secure IDs, they can assist in transnational investigations or urgent deployments without the need for visas. At its November 2010 general assembly meeting in Qatar, INTERPOL voted to enable its 188 member countries to provide special visa status for holders of the new travel document on official business for the organization. Normally, visa requirements have a lead time of two to three weeks. But under the initiative, INTERPOL officers with valid travel documents can have the visa requirements waived or have the visa automatically issued upon arrival. “Criminals can cross borders swiftly and effortlessly,” said INTERPOL Secretary General Ronald K. Noble, “while our (officers) are slowed down or stopped because of bureaucratic international red tape, which constitutes a major impediment to keeping the world safe.” Identity and security provider Entrust partnered with EDAPS, a Ukrainian consortium 38

Spring 2011

of high-tech companies, to provide the set of ID documents. The officer receives both an e-identification smart card and an e-passport booklet. The travel documents are compliant with International Civil Aviation Organization (ICAO) standards and serves as identification at border checkpoints around the world. In addition, the e-ID can be used to authenticate physical and logical access to INTERPOL facilities and computer networks. “I think you’ll find that this is the first time that physical and logical access has been tied into a machine-readable travel document,” says Mark Joynes, director of product management for Entrust. When used in tandem with the international passport, the e-ID card identifies an officer to determine whether visa requirements can be waived. Additional features – including laser engraving and holographic, micrographic and optical elements – further secure the documents. Entrust developed the multipurpose smart card credential and provided the various software and electronic passport capabilities for the credential. EDAPS developed the card’s physical components, such as the plastic substrate, holograms and base physical security designs. EDAPS also produces the e-passport booklet.

Developing the documents INTERPOL saw a need for the e-ID card after developing the passport booklet for use by senior management officers and heads of INTERPOL bureaus. “We (recognized) a big problem in the world of communication with police officers who are working on the ground,” says Ralph Markert, manager of INTERPOL’s travel document initiative. In designing the e-ID credential, Entrust had to take into account the array of security requirements and access controls required by INTERPOL. The agency needed to set physical access controls for entry into its Lyon, France, headquarters, as well as logical controls for access to the organization’s complex system of computer networks. All of these needs coincide with INTERPOL’s mandate for combating criminal activity around the globe. Expediting the travel process was a major concern, as INTERPOL needed to be able to execute its passport documents in real time, especially when officers from multiple countries are called in as first responders for natural disasters such as the Haitian earthquake or to secure global events such as the FIFA World Cup. “You can have a team of six or seven different nationalities, all of which have different requirements for entering their countries,”

Markert says. To meet those needs, Entrust enabled the credential with a smart card logon for access to Windows-based systems. The cards can be placed on a smart card reader that wirelessly reads the chip and confirms the individual’s identity by asking the user for a PIN. Once authenticated, the card holder can use the digital identity on the card for logical functions such as securing applications, digitally signing e-mails and encrypting files. Previously, INTERPOL agents had to use a building access card and a separate token for logical access. Now, a single card controls access to buildings and computer networks. INTERPOL issued several hundred of the travel documents on site at the general assembly meeting and is encouraging all of its member countries to recognize the new IDs. In total, about 600 credentials have been issued and more will follow as additional member countries sign on to the program.

The credential complies with X.509 standards for public key infrastructure and challenge response capability, which allows INTERPOL to revoke a user’s systems access at a moment’s notice, should the need arise. On the passport side, the credentials comply with the Basic Access Control standards set by ICAO and the European Union requirements for Extended Access Control.

The documents are administered from INTERPOL’s Lyon headquarters, but Entrust hosts the data management out of its Washington facility. “That enables them to issue their cards and passports on the ground in Lyon, but it means Entrust can do the heavy lifting from a public key infrastructure perspective. It allows them to focus on the job at hand,” says Joynes, “combating global crime”

110 MILLION

Contactless Cards Delivered

Five countries have agreed to recognize the new travel document: Brazil, Egypt, Pakistan, Senegal and Swaziland. “We have also contacted various other countries that are in the recognition process,” adds Markert. Card capabilities Joynes calls the e-ID credential the strongest form of identity deployed today. It stores two biometric fingerprints, as well as digitally signed personal data. “From a logical standpoint, it’s designed to mitigate undetected forgery,” Joynes says. EDAPS employed highly modern holographic security elements in the card’s physical creation. “So on every front,” Joynes says, “it’s giving you the strongest possible credential.” The card contains two microchips, one for physical access to buildings and a second to manage applications including the e-passport capability. Today, document holders can access secure e-mail and document signing but other applications, including an electronic wallet, are expected.

Over the last 5 years CPI Card Group has become the largest global manufacturer of contactless cards having delivered over 110 million contactless financial cards to the North American market. With the emergence of EMV in North America, CPI is willing to take the same leadership position for our customer’s satisfaction.

Learn more at our website: www.cpicardgroup.com

Spring 2011

President Barack Obama greets White House Cyber Security Coordinator Howard Schmidt.

Schmidt: Private sector must lead ‘national strategy’ Legal framework required for trust in online IDs The National Strategy for Trusted Identities in Cyberspace was still being refined as of late February with sources expecting it to be released some time in March. Writers of the strategy were mum on its contents, but a forum held at Stanford University in January shed some new light on the progress. The forum included speeches from U.S. Department of Commerce Secretary Gary Locke and Howard A. Schmidt, White House Cybersecurity Coordinator. Both spoke on the importance of the strategy and the need for a partnership between the government and private sector in order to make it happen. Locke also reiterated that whatever type of identification system is used it “will not be a national ID,” though many reports in the mainstream media are labeling it as such. James Dempsey, vice president for public policy at the Center for Democracy and Technology, and nominee to the President’s Privacy and Civil Liberties Oversight Board, spoke at the forum and to Re:ID about the strategy and its perception to some as a national ID. Dempsey says the role the administration is taking is not leading to a national ID and is a better alternative than leaving it to the private sector. “Would you rather have them doing it with no policy framework, no privacy, no transparency, with no true user control?” he asks. “You have the administration coming forward and saying we want to play a leadership role and be a relying party and not an issuing party, and immediately people jump on them for trying to bring some rationality to the debate.” Leaving online identity solely to the discretion of the private sector is not the right answer, Dempsey says. “There won’t be an identity,” he says. “You’ll have something unregulated with very little attention to security, very little attention to privacy … you’ll have all the bad things associated with a ubiquitous identity and none of checks and balances,” he says. At the forum Locke and Schmidt laid the groundwork for the strategy and why it’s necessary. With trillions of dollars of transactions conducted online there is a need for a privacy enhancing feature so the Internet can reach its full potential, Locke said during the forum. Part of this will be better securing identities online.

Spring 2011

Schmidt described a scenario where someone would be able to go to a store, have his identity proofed and then receive some type of credential that could be used online to verify identity. He also stressed how the strategy will have to be a partnership between the public and private sectors with the latter guiding the way. “We need the private sector to lead the implementation,” Schmidt says. And while the strategy is about a credential it is also about enabling privacy, Schmidt says. When an individual walks into a bar they often have to show their driver license as proof of age, but the bar’s employee can also see the address and other private information that they don’t need. The strategy would put in place safeguards so that only the necessary information would be shared. “We seek to limit the amount of data that is used to conduct a transaction,” he says. Dempsey said the government needs an identity ecosystem as part of a broader security strategy but it cannot create it; the private sector needs to do that. He also noted that credentials cannot come from a single provider and multiple private sector organizations need to be involved. Establishing a legal framework for online identity But before the private sector can start creating credentialing services, some of the legal and operational issues around a credentialing system need to be answered. The American Bar Association (ABA) Federated Identity Management Legal Task Force is working on a trust framework that aims to deal with these issues. “It’s a critical component of any identity system,” says Tom Smedinghoff, a partner at Wildman Harrold and chairman of the ABA task force. “Whether design or technical standards, privacy rules or identity proofing, you need to understand how it all fits into the trust framework and the legal rules.” The operational requirements of a trust framework will likely consist of several different components addressing the key operational and policy issues. It’s likely that the content and structure of these components will vary from one identity system to another but will include common core components such as an identity proofing, authentication, credential management, privacy, security and an assessment/ audit component.

The legal rules complete the framework by rendering the various components of the operational requirements binding and enforceable. The legal rules consist of existing statutes, regulations and agreements between or among the participants. The legal rules affect the Trust Framework in three ways: • They make the specifications, standards, and rules comprising the various components of Operational Requirements legally binding on and enforceable against each of the participants. • They define the legal rights and responsibilities of the parties, clarify the legal risks parties assume by participating in the Trust Framework and provide remedies in the event of disputes among the parties. • In some cases, they also regulate the content of the Operational Requirements. With the national strategy needing a trust framework, Smedinghoff started looking at different examples out there. He wasn’t encouraged with what he found. “Things were getting pretty far afield,” he says. A trust framework is something identity systems use to make sure assertions are reliable and for intended purposes. The frameworks are made up of two components: the operational requirements and the legal rules. Different frameworks were concentrating on different aspects of an identity system, such as privacy or ID vetting, but not on the big picture. The task force wrote up a first draft that was given to a small group. Their feedback was taken into account and another draft was issued to a larger group. The task force is taking comments on that draft now. It’s likely that more drafts of the framework are coming, Smedinghoff says. “Based on the feedback we have so far I think we’re on the right track,” he says. The national strategy will need a trust framework, but whether that will be defined in the next set of documents isn’t clear. The ABA task force is aiming to provide some groundwork for officials to use and fill in the gaps where necessary.

Former White House staffer details the birth of NSTIC Ely Kahn was a member of the White House Security Staff when he was tapped to work on what eventually became the National Strategy for Trusted Identities in Cyberspace (NSTIC). The initiative came out of President Obama’s Cyberspace Policy Review, which cited identity management as one key to improving the security of the Internet. “We cannot improve cybersecurity without improving authentication, and identity management is not just about authenticating people,” the report stated. “Authentication mechanisms also can help ensure that online transactions only involve trustworthy data, hardware, and software for networks and devices.” After that was released in May 2009 there was a 60-day review of ten near term action items, identity management and what would become the national strategy, was one of them, Kahn says. From there it went to the Interagency Policy Committee process. “For cyber security we had several different policy committees and we actually created a sub committee specifically focused on this identity management issue,” Kahn says. We looked for representation across all the various affected agencies. “For the subcommittee around the identity management issue, we had a very diverse set of representatives from across government,” Kahn says. “We had everyone from the postal service to the National Security Agency represented and everyone in between; both intelligence community, defense community and civilian sector agencies were represented. Kahn led the group to frame tasks around the ID management issue. “We had pretty much an open book to take this very broad requirement and scope it down into something that was manageable and would produce a useful result to help improve cyber security,” he says. Naming the document took some time because it covered the scope of the project, Kahn says. “Initially we had decided on the National Strategy for Secure Online Transactions. There were a lot of proponents for that title because it really spoke to the end result we were going towards. Identity management, effective identity management processes and technologies are really aimed at securing online transactions,” he says. But after more discussion the scope of that title seemed too large. “There’s lots of other things that go into securing online transactions other than identity issues and online trust issues,” Kahn says. “So we decided to scope down both the title and the actual content of the strategy into something that was more manageable in a relatively short amount of time.” That short time also lead to great secrecy around the strategy, Kahn says. “We were in a very rapid development cycle … we didn’t have time to make a big PR push before the document was ready,” he says. Kahn, now an MBA candidate at the University of Pennsylvania Wharton School, left the White House the same day the document was released to the public. He’s been tracking news of the strategy and is waiting for the final release. “Developing the strategy was a truly collaborative process across government,” Kahn says. “We had some of the best privacy experts in government working on this alongside some of the top intelligence officials, alongside homeland security officials. (It) brought together really unique perspectives that I think this will be a very valuable document. And it couldn’t have been developed without that interagency perspective.” Spring 2011

Biometrics, PIV-I on the horizon for airports Industry executives moving ahead with new ID technologies? After the Sept. 11 terrorist attacks airport security was of the utmost concern. There was a lot of discussion around personnel vetting and using biometrics and other high-tech security to enable access to secure areas. The Transportation Worker Identification Credential was originally envisioned for workers at all transportation hubs – seaports, railways and airports. But lobbying from airport executives killed the TWIC for that industry application. The common refrain about standardizing access control and credentialing at airports was, “if you’ve seen one airport, you’ve seen one airport.” And while many airport operators still take issue with an interoperable credential, there are efforts underway to deploy biometric and smart card systems, said Colleen Chamberlain, staff vice president for transportation security policy at the American Association of Airport Executives (AAAE).

Spring 2011

The AAAE’s Biometric Airport Security Identification Credential (BASIC) program is working to educate and bring new identification technologies to airports. The RTCA, a standards group for the airline and airport industry, is also working on new standards for airport access control systems. Insiders say that biometrics will be a part of the new standard, due for release in the first half of 2011. The RTCA standards will not be mandated for airports, something the AAAE wants to avoid, Chamberlain said. “We didn’t want a TSA mandated program,” she added. “We just want to build off standards in place and have an open vendor architecture.” Because airports are having struggling in the current economy, the AAAE didn’t want a mandate instead preferring to work with the TSA on a standards-based biometric system that could be phased in over time, Chamberlain said. “We have a commitment from the TSA for a voluntary approach,” she said.

BASIC is already being used at some airports exploring how biometrics could be used to automate processes, Chamberlain said. The next phase is to test a reference biometric that could be used for ID vetting and access. Phase three will be linking to the Federal PKI Bridge. “The ultimate goal is for PIV-I,” she adds. The TSA wants to move forward collaborating with the private sector on biometrics at airports, says a government insider who asked not to be named. There’s interest in using a new credential for expedited crew access so that they could avoid the ever-increasing number of full body scanners at airports. Crew members would provide the airline ID, a biometric sample and that information would be checked against a crew manifest to make sure that individual is working that day, the insider says. Testing of this type of system is underway in a number of different locations across the country.

PIV use mandated for federal agencies Physical and logical use cases required this spring There’s no denying that U.S. federal agencies have issued many PIV credentials, but the lingering question is whether the IDs are anything more than expensive flash badges. There are 4.5 million PIV cards in circulation, but are the being used? With that question in mind, the White House Office of Management and Budget (OMB) issued memo 11-11 that mandated that all agencies submit physical and logical access use cases for the credential by the end of March 2011. Up until now the dirty little secret has been that PIV credentials are primarily used as flash badges with just more than a handful of actual use cases in place. Government officials tout the number of credentials issued, but in the background someone would almost always whisper, “but is anyone actually reading the chip?” The OMB mandate is expected to curb the whispers. All new physical and logical access systems purchased in the 2012 fiscal year – starting in October 2011 – must be PIV-compliant in order for the agency to qualify for project funding.

In order to ensure government-wide interoperability, OMB Memorandum 06-18, “Acquisition of Products and Services for Implementation of HSPD-12,” requires agencies to acquire products and services that are approved as compliant with Federal policy, standards and supporting technical specifications. Lastly, the architecture and completion of agency transition plans must align as described in the Federal CIO Council’s “Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance.” The U.S. Department of Homeland Security will be overseeing the initiative for OMB. Some government insiders found this an interesting choice as Homeland Security has been criticized by the Government Accountability Office for not meeting the HSPD-12 deadline for its internal programs. This mandate is also conjuring up memories from seven years ago when HSPD-12 was signed. Many criticized the program as an unfunded mandate. Agencies should expect no additional funding to comply with this new use case mandate, but expect the funding they have to be choked off if they don’t comply.

All new systems also must be enabled for PIV use prior to being operational and credentials issued by one agency must be accepted and electronically verified by other agencies.

Revised FIPS 201 spec proposes new biometrics, authentication keys The National Institute of Standards and Technology issued a draft of FIPS 201-2, the revised smart card specification for government employees. The revised standard includes changes to biometrics and other authentication mechanisms for physical access control. PKI at the door has long been discussed as an option for PIV and this standard would seem to embrace that. Card issuers would require an asymmetric card authentication key for the credentials. “The card authentication key – and certificate – are currently optional,” says Bob Fon-

tana, president at Codebench. “This allowed millions of cards to be issued that can’t be used at door readers because they lacked the necessary authentication components. As FIPS 201-2 compliant PIV and PIV-I cards begin to proliferate and replace expiring FIPS 201-1 cards, this problem will solve itself.”

There are also revisions to a section of the original standard that would enable inclusion of other applications. This may allow agencies to add other secure applications, such as transit or payment, to the PIV credentials. The U.S. Department of Defense is an advocate of adding both of these apps to the IDs.

The draft also paves the way for new biometrics. Match-on-card biometrics, where the identifiable information never leaves the card, is added as an authentication mechanism. Also, iris images can be used when reliable fingerprint images cannot be captured, the draft states.

While the additions seem positive, there are concerns in the industry that a revised standard could delay current deployments, says one industry source.

Spring 2011

Federal ID standards moving beyond government PIV, PIV-I and PIV-C to break new ground in 2011 It took the U.S. government more than six years to get behind FIPS 201 and figure out how to make it real – but it’s finally here. The market is seeing millions of PIV cards and there’s a whole lot to get excited about. The overarching theme behind much of what happens in identity technology and management in 2011 comes down to easier access to credentials that leverage PIV technology. This increased flexibility will in fact, significantly increase the value and use of high-assurance identity in controlling access to cyber and physical assets. PIV-I will roll out beyond intergovernmental agency environments. PIV-I will serve critical federal applications, such as contractors that support the U.S. Department of Defense and First Responders supporting the Federal Emergency Management Agency. In 2011, traction and demonstrated value will prove that PIV-I can go well beyond these limited applications, and it certainly will. The National Association of State CIO’s (NASCIO) is formulating plans for state-to-state and state-to-citizen applications. PIV-I credentials exponentially increase the trust in links to sensitive assets, such as Health Information Networks. Why would we allow our health records to be online and not have them protected to the highest levels? PIV-I is the only tool I would trust to protect access to my health records on the Internet. The call for Physical Access Control systems (PACS) that leverage highassurance credentials coming out of the Federal Identity, Credential and Access Management committee (FICAM), will go mainstream in 2011. In 2010, the U.S. General Services Administration and CertiPath successfully demonstrated a trusted PACS environment, where government personnel and contractors authenticated their identities as visi-

tors to other agencies’ facilities using secure, Public Key Infrastructure (PKI)-enabled Federal PIV cards. Trusted PACS treats the front door with the same high-assurance level as a Cyber Security strategy. Why rely on proximity technology that can be copied and cloned to protect facilities, when cyber security assets use the full capabilities of PIV and PKI? PIV-Compatible or PIV-C – the final frontier in applying PIV technology to identity management – will be defined. Currently, PIV-C is like the Wild West – lots of opportunity without a lot of regulation. The market will define uses for PIV technology beyond the current vision of PIV and PIV-I smart card credentials, specifically defining multiple variants of PIV-C making PIV technology one of the most highly adopted technology standards for both logical and physical access applications. When we’re talking about different communities and applications driven by common technology, the rules may need to change: Consider non-US markets for PIV technology where privacy reasons limit the use of biometrics. Consider a fully defined use of PIV technology with a medium-hardware credential that is based on a high-assurance in person identity proofing event, but without the biometric processes. Consider the use of the PIV-I application, but on a mobile device such as an iPhone or BlackBerry, not on a smart card. The bottom line is that while it’s taken a while, it’s definitely been worth the wait. As we continue to be buffeted by news – and the fallout – of access breaches – both physical and logical, by organizations and individuals, the need to truly know who’s asking for access, who’s trying to get access and who has recently accessed information or space is more imperative than ever. In this environment – and to meet this need – the applications for PIV and PIV-I technology are limitless, and that’s got me really looking forward to what’s next.

Steve Howard is vice president of credentials at CertiPath. Howard’s experience with cryptographic solutions, smart card systems, PKI and biometric technologies has contributed to several definitive standards, including FIPS 201 and RTCA DO230B which defines integrated security systems for all U.S. airports.

Spring 2011

Newly approved FIPS 201 products Research detailed product listings and compare different vendor offerings online at FIPS201.com, the most robust source for FIPS201, HSPD-12, ISO 24727 and PIV products and services. CAK Authentication System

OMNICheck Plus Edition, Codebench, Inc.

Card Electronic Personalization Device Credential Create, Daon, Inc.

Card Graphical Personalization Service

Secure Fed 1, US Government Printing OďŹ&#x192;ce

Certificate Validator Path Builder, CoreStreet, Ltd. CHUID Card Reader (Contact/Conactless) MOBILE PIV, Salamander Technologies, Inc.

Fingerprint Capture Station Dactyscan84n, Green Bit Americas, Inc. FS61 USB2.0 Fingerprint Capture Station Module, Futronic Technology Co. Ltd. PIV Authentication System PIVCheck Mobile Edition, Codebench, Inc. PIV Card G&D StarSign Sm@rtCafe Expert 144K with PIV Applet, Giesecke & Devrient ID-One PIV (Type A) Large D, Oberthur Technologies PIV Card Printer Station

EDIsecure DCP360+ Direct Card Printer & Laminator Solution, Digital Identification Solutions LLC EDIsecure XID8300 Retransfer Printer & Laminator Solution, Digital Identification Solutions LLC

atsec accredited testing services atsec information security is an accredited General Services Administration (GSA) FIPS 201 Evaluation Program (EP) Laboratory, which performs evaluations to determine conformance of products and services to FIPS 201 requirements, on behalf of the GSA. Moreover, atsec also produces Vendor Test Data Reports for FIPS 201 products not evaluated by the laboratory. atsec is additionally accredited under the National Voluntary Laboratory Accreditation Program (NVLAP) for cryptographic module validation testing (NVLAP Lab code 200658), testing of Personal Identity Verification (PIV) smart card applications, and testing of PIV middleware under the National Institute of Standards and Technology Personal Identity Verification Program (NPIVP).

PIV Middleware

ActivClient (version n/1), ActivIdentity

FIPS201.com

Single Fingerprint Capture Device

Dactyscan40i, Green Bit Americas, Inc. Orion R301, Lumidigm, Inc. iDL500, MaxID Corp. Biometric Attachment-Finger Print Only (part MC7XFPR-01R), Motorola Solutions Biometric Attachment-Finger Print Only (part MC7XFPSCR-01R), Motorola Solutions

Template Generator

Suprema ANSI/INCITS 378 Template Generator, Suprema, Inc.

Template Matcher

the premiere resource for compliant credentialing

Get your FIPS 201 Approved Product listed on FIPS201.com customizing photos, links, brochures, contact information, and more. Contact info@fips201.com for more information.

Contact:

Ryan Kline FIPS201.com Coordinator 850-391-2273 ryan@AVISIAN.com

Suprema ANSI/INCITS 378 Template Matcher, Suprema, Inc.

Transparent Card Reader

id technology resource

visit FIPS201.com to research and compare approved products

Truth or fiction:

Contactless pickpocketing It is possible to sniff data but what can thieves do with it?

Contactless smart cards have been touted for their speed and convenience. But does the technology make it easier for pickpockets to be contactless, too? Experts say that although it’s possible for a fraudster to buy a card reader on eBay and use it to scan people’s pockets on a subway, there are numerous protection mechanisms in place to keep stolen data from being used as well as new, emerging encryption standards that will further limit such threats. The pickpocket issue garnered media attention in December, when a CBS affiliate in Memphis, Tenn., followed a man who was able to swipe credit card information from unsuspecting passers-by. Using an offthe-shelf card reader that he bought online for less than $100 and a mini laptop, the man was able to obtain credit card numbers, expiration dates and some cardholder names. But that is likely as far as a thief will get, experts say. It is possible to use a contactless reader to pick up information from a card on the subway or in an elevator, but it is unlikely that he could use the information to go on a shopping spree. That is because the account number and other information obtained from a contactless card is not enough to complete a financial transaction. Unlike magnetic stripe cards, most contactless payment cards use a dynamic element to authenticate each transaction. 46

Spring 2011

Large payment brands employ dynamic card verification codes to ensure that transactions cannot be recorded and then simply replayed again and again. Data transmitted for each transaction is unique and can only be used once. Thus, the card number and expiration date alone are not enough to conduct contactless transactions. “It’s one thing to obtain the information. It’s another to be able to use it,” says Jack Jania, secure transactions general manager for North America for digital security provider Gemalto. The information is of even less use on encrypted cards. “If you look at the card’s memory, you’re just going to see a bunch of ones and zeroes. You need to know what to do with it,” says Kevin Graebel, product line manager for HID credentials at Irvine, Calif.-based HID Global. Several other variables come into play for potential pickpockets. To be able to even scan a contactless card’s information, a thief would first have to be at very close range, between one to four inches. “So someone would have to know where your card is and put the reader within about an inch of the contactless card,” Jania says. A thief would also need to buy a reader capable of reading the appropriate card technology, Graebel says. For instance, to read a MIFARE contactless smart card, a thief would need to have a MIFARE reader.

If it’s a dual-interface government PIV card, the thief could obtain the cardholder’s unique identifier, or CHUID, a number that uniquely identifies an individual within the PIV system, according to experts with Exponent, a Menlo Park, Calif.-based engineering and scientific consulting firm. The remaining chip information would only be accessible via the contact interface so it is not at risk from such attacks. On payment cards, a thief could obtain the card number, expiration date and in some cases the cardholder’s name. “This information will typically not allow a normal payment transaction,” says Brad McGoran, principal engineer of technology development for Exponent.

Although most contactless smart cards don’t offer thieves enough information to go on a shopping spree, experts acknowledge that this is not enough – they want to avoid having credit card numbers at risk in the first place. “The loss of such unencrypted information without the cardholder’s knowledge can present a privacy risk, notably in cases where additional efforts are made on behalf of an attacker to tie the unique identifier to a specific individual,” McGoran says.

Card verification codes curb usefulness of skimmed data card. In the case of American Express, it is a four-digit code on the front of the card.

CVC1 CVC2 CVC3

CVC1 – Encoded on mag stripe but not printed on card or transmitted by contactless CVC2 – Printed on card but not encoded on mag stripe or transmitted by contactless CVC3 – Dynamic code created with each contactless transaction but not printed on card or encoded on mag stripe

To secure contactless transactions, the large payment brands employ dynamic card verification codes that change for each transaction. In this way, the data that is sent from the card, through the POS and to the authorization system is unique for every transaction. This technique is known by different names including dCVC, CVC3 or CVV3.

already been processed. In short, it means transactions cannot be replayed.

Here’s how it works.

The card’s secret key that creates the dCVC is securely stored in the chip and never transmitted out of the card. Thus, even if a thief knew other data such as card number, expiration date and cardholder name, it would not be possible to generate additional valid dCVCs to use for other transactions.

A unique secret key stored in each card’s chip creates a unique value, called a dCVC, for each transaction. If a transaction is sniffed or copied, the dCVC makes the copied data unusable for future transactions because the backend authorization system will decline it when it recognizes that the transaction has

There are two older types of card verification codes used to secure payment transactions, and each still has value with new contactless systems. The best known of these is the CVC2 or CVV2 that is printed on the card itself. For MasterCard, Visa and Discover, it is a threedigit security code printed on the back of the

The CVC2 is intended to secure card-notpresent transactions such as mail order, telephone and online purchases. Reputable merchants require the code in addition to the card number and expiration date to complete transactions that do not occur face-to-face. The CVC2 is not encoded on the magnetic stripe nor stored on the contactless chip. Thus it cannot be skimmed surreptitiously or captured during normal card-present transactions. If a thief skimmed card data via the contactless interface, it could not be used for a card-not-present transaction because there would not be a CVC2. The CVC1 is a unique number that is encoded on the magnetic stripe but not printed on the face of the card. It is generated by applying a secret key known only to the card issuer to a string of cardholder data. The CVC1 was designed to enable backend systems to ensure that the card initiating a transaction is valid. It also helps to keep fraudsters from encoding a complete magnetic stripe using data obtained from a visual inspection of a valid card. If the card issuer did not use a CVC1 it would be possible for a thief to inspect a card and recreate a working copy of the magnetic stripe on a blank card. The CVC1 prevents this because it cannot be determined via visual inspection. Similarly, because the CVC1 is not transmitted during a contactless transaction it hinders the ability to create a working copy of a magnetic stripe from the data obtained in a contactless transaction. Spring 2011

Pinpointing weak spots To advance security levels, experts have identified a number of vulnerabilities that exist with contactless cards. That’s according to McGoran and a team of experts at Exponent. The first vulnerability is in the area of tracking. It would require physically large antennae to read a contactless card at distances greater

Augustinowicz: “Contactless payment threat is real” At the center of the controversy surrounding contactless pickpocketing is Walt Augustinowicz, founder and CEO of Identity Stronghold. Last fall, Augustinowicz appeared on a number of newscasts demonstrating his ability to obtain contactless payment card numbers on the sly. The video segments have been viewed by millions of consumers to the dismay of many in the payments industry. While consumers were shocked that their cards could be read without their knowledge, many industry observers were only surprised to see that the compromised data was apparently used to make actual transactions. It is widely known in the industry that cardholder data can be obtained via techniques such as those used by Augustinowicz. But payment experts downplay the ability to use that data to make fraudulent transactions. There is an array of protections in place designed to keep this from occurring. But the demonstrations themselves are not without controversy. Industry representatives express skepticism that the fraudulent transaction occurred as they appeared on camera, suggesting there might be a bit of smoke and mirrors involved. Augustinowicz, however, insists that all aspects of the demonstrations are real including his ability to encode data to a magnetic stripe and conduct a transaction at the point of sale. He says he wants the payments industry to admit the problem and offer a solution to keep consumers safe. Identity Stronghold sells card sleeves that shield contactless cards from unintended access. Because the company could benefit from consumer concern over electronic pickpocketing, some have suggested these demonstrations are financially motivated. Augustinowicz downplays this telling Re:ID that his team found this weakness and thinks it should be fixed. When asked to provide details on the weakness, he told Re:ID that he is opting not to publicly disclose details at this time. 48

Spring 2011

than a few inches. A mobile attacker would find it less than discreet to take to the subway with a giant antenna in an attempt to scan a large audience. But insiders at a facility might be able to pull this off, McGoran says. A large antenna could be concealed within an advertising billboard, doorway or other area where crowds bottleneck. “Such high-power concealed readers would allow adversaries to scan people passing through, not just tracking their movements within the facility but potentially collecting demographic information such as credit card data,” McGoran says. Still he stresses such scenarios are unlikely. Encryption levels can also dictate a card’s vulnerability. If a card’s encryption uses a weak algorithm or no encryption at all, the information may be easily read. Advanced techniques for extracting a card’s encryption key are possible, but they typically require the physical possession of the card and access to highly specialized equipment, McGoran says. For unencrypted air interfaces, data can be read by off-the-shelf readers and then programmed into a different physical card. Then an attacker could use the stolen card information to perform transactions that are identical to those performed by the legitimate card. In the case of payment cards, however, this process is complicated by the use of additional security mechanisms such as dCVCs. Adding security measures Efforts are under way to encrypt the data on contactless cards to further protect personal information. Encrypting the card adds another layer of safety. “If encrypted,” says McGoran, “the data snooped by an attacker is useless, as it appears as gibberish without the decryption key.” Shielding a card offers another level of security, reducing a fraudster’s ability to read a card from even a short distance. Shielding a card can be as simple as placing a card into a paper sleeve with a metal layer or mesh to interrupt the RF field. The sheer nature of being contactless is a security measure in and of itself because intelligence doesn’t exist for magnetic stripe cards, Jania says. “They were never designed to be secure. The data on a mag-stripe card is wide open, hence all the skimming attacks,” Jania says. As encryption standards evolve, experts expect continued growth in the contactless smart card segment. “PIN-protected smart cards incorporating encryption algorithms provide a much higher level of security (than) traditional magnetic stripe cards,” McGoran says. “Despite the vulnerabilities … smart cards, when implemented correctly, represent one of the best tools for greatly enhancing security and privacy.”

20I0 SESAMES WINNERS The organizers of the CARTES & IDentification trade show announced the winners of the annual SESAMES Awards in Paris at the close of 2010. Ten separate awards are given to global players in the sector – manufacturers, users, integrators and developers – each selected by an international panel of experts.

Spring 2011

IT SECURITY: The winner is Gemalto with eGo, a solution that enables secure service initiation simply by touching objects with any part of the body. eGo makes access to credentialbased services as intuitive as simply touching an eGocompliant object. The technology can be incorporated into many common items such as a watch, a belt, fabric or a piece of jewelry. It embeds a biometric sensor for initial identity verification. After user authentication, the eGo an individual wears communicates with the eGocompliant objects they touch, and the desired electronic transaction initiated. Users can, for example, log on to a PC by simply touching an eGo-compliant mouse.

SOFTWARE: The winner is Inside Secure with Open NFC, a protocol stack that provides a complete NFC middleware solution for mobile phones, embedded products and other devices. As an open-standards platform, Open NFC improves the interoperability of NFC devices to help accelerate market adoption. Open NFC supports several levels of functionality including low-level RF control, NFC forum-specified tag handling, peer-to-peer communications, Bluetooth and Wi-Fi pairing, interactions with single-wire protocol SIMs and other secure elements, compatibility with smart cards and RFID tags based on Felica, Mifare, and ISO 14443 standards. HARDWARE: The winner is Morpho E-Documents with ConnectSIM, a SIM card that enables WLAN capability. The ConnectSIM card becomes an integrated node in any wireless IP network, creating trust for TVs, laptops, games and mobile phones. It provides security and creates new business opportunities for mobile network operators giving them a key position in trusted services, mobile transactions, identity and web security.

Spring 2011

IDENTIFICATION – ID CARD: The winner is IDEX ASA with SmartFinger Film, an ultrathin and flexible fingerprint sensor for biometric system-on-card applications. Based on IDEX’s capacitive fingerprint sensing technology, the SmartFinger Film sensor incorporates real-time sensor optimization algorithms for all skin types under the widest range of environmental conditions. The images are reconstructed in real-time, compensating for variations in swiping speed and direction. The SmartFinger Film sensors are suited for stand-alone, embedded applications such as biometric tokens, biometric cards, remote controls, USB sticks, PC peripherals, locks, handheld devices and more.

TRANSPORTATION: The winner is Oberthur Technologies with Voox, a contact chip module with an embedded antenna for enabling contactless communication. Instead of embedding complex components in a contactless dual-interface card, the antenna is directly integrated inside the contact module.

MOBILITY: The winner is Oberthur Technologies with NFC Now, a complete suite of solutions to deploy mobile contactless services including payment, transport ticketing and loyalty programs. The solution has been selected by four of the major players participating in the NFC deployment in Nice, France.

BANKING/RETAIL/LOYALTY: The winner is Blackboard Inc. with its Multifunction Contactless Reader (MF 4100) that incorporates both contactless and magnetic stripe payment technologies in a single device with full color touch screen and wireless connectivity. It manages a range of campus commerce areas including printing/copying, vending, laundry and POS. The readerâ&#x20AC;&#x2122;s 5.7-inch LCD panel supports full video playback allowing for a rich video experience and cardholder messages via a full color touch screen.

TRUSTED INTERNET/AUTHENTICATION: The winner is Mediscs with IdĂŠPhone, a solution incorporating PKI and biometrics on mobile devices to provide a cost effective and usable way to implement secure authentication channels in e-banking, e-government, e-commerce and e-health.

E-TRANSACTIONS: The winner is Gematik GMBH with its practice-fee and receipt service that facilitates fee payments and pharmaceutical co-payments with the new German health card. With the electronic receipts it is possible to detect automatically the co-payment limit of the patient. MANUFACTURING & TESTS: The winner is STMicorelectronics with UTAMCIC, a UHF transponder in which the chip is magnetically coupled to its flexible antenna. This avoids the physical connection between the chip and the flexible antenna, improving TAG reliability and reducing assembling costs.

Spring 2011

Facial recognition finally living up to the hype? Biometric fulfilling decade-long expectations in law-enforcement and beyond Zack Martin Editor, AVISIAN Publications After the 9/11 terrorist attacks there were many claims about facial recognition biometrics. Some vendors claimed that if the technology had been deployed at airports, the hijackers could have been caught and the tragedy averted.

the most recent Multiple Biometric Evaluation 2010. He has witnessed first hand the modality’s improvements. “In 2002 the error rate was 20%, in 2006 it came down to about 1% and now it’s at a .26% false reject rate,” he says.

This was not one of the higher points for the technology as a number of factors show that statement to be false. First the hijackers would have had to have been known, included in the accessed database and the technology would have to work well enough to spot them in a crowd. None of these prerequisites were in place at the time.

This significant improvement in accuracy has led to increasing use of the modality. Facial recognition is now being used by agencies around the globe to expedite border crossings, Philips says.

Pilot facial recognition programs conducted shortly after 9/11 showed that the technology did not live up to hype. Almost a decade later, however, facial recognition has improved and is now showing viability as a standalone technology. Still, the idea of spotting and identifying an individual in a crowd remains science fiction. Jonathon Phillips, an electronic engineer at the National Institute of Standards and Technology (NIST), has been working with facial recognition technology since 1993. He has been involved in the various tests NIST has performed on facial systems over the years, including 52

Spring 2011

Australia has deployed smart gates that read the photo stored on an electronic passport and compare it to the individual at the gate. If the image and individual match, they can pass through customs more quickly. Other countries are piloting similar use cases for the technology. 3M has deployed systems where facial recognition is used as well, says David Starkie, international business manager at 3M. Lighting and camera quality are primary challenges with facial recognition, and depending on where the kiosks are placed special illumination may be needed. “The ideal is to match the lighting that the image was originally captured in,” he says.

Become an

IEEE Certified Biometrics Professional

Why CBP? The IEEE Certified Biometrics Professional® (CBP) program has two major components: Certification and Training. Professionals and organizations both can benefit from the IEEE CBP program. Key advantages are: ■ Prove

your knowledge

■ Increase ■ Learn

your credibility

a baseline of industry knowledge

■ Train

employees

■ Gain

a competitive advantage

“The IEEE CBP program delivered on its promises. It strengthened some of the areas and aspects of biometrics that are less familiar to me and made me more well-rounded.”

Learn more and register today! www.IEEEBiometricsCertification.org

—Gregory Johnson, CBP, BRTRC

Garbage in, garbage out While image quality is important with all biometric technologies, it’s particularly important with face. Anything other than what someone would typically refer to as a mug shot with proper lighting and controls may lead to a false reject or false match. The images used in the NIST tests are mug shots: good quality, front facing still images. This is where vendors performed best, Phillips says. But when you take away the high quality images, facial systems start to fall off. NIST has not tested how the biometric performs outside of these ideal situations. As Phillips explains, “we have not tested facial recognition any time, any place.” This makes the possibility of using facial recognition to spot possible terrorists at sporting events or airports unlikely. Harry Wechsler, a professor of computer science at George Mason University, has been working with facial recognition biometrics for more than 15 years and has published a book on the topic. Facial recognition still needs to mature before it can be a viable modality due to the issues around lighting and positioning, Wechsler says. “What’s being done with still images isn’t enough,” he says. Biometric vendors need to work with video and develop systems that still function with incomplete data such as a portion of the face. They also must be able to match someone who may have a beard in one photo but be clean-shaven in another, Weshsler says. There are opportunities to add behavioral biometrics to facial recognition to improve chances of a match, Weshsler says. “If you take a video and capture the way a person moves the head it gives you more information,” he says. “We can use that data to improve performance.” As for low-quality still images, the likelihood of a match is around 65%, Wechsler says. While this may seem low, it’s better than a human’s ability to recognize individuals, which is at best just 50% accurate. The best solution for facial recognition when not using high-quality images may be to use it in conjunction with a human operator, Wechsler says. “There are things a machine can do (but) one would have to think about the best mix of machines and humans,” he says. 54

Spring 2011

Test shows maturation in facial recognition technology The Multiple Biometric Evaluation 2010 tested facial recognition algorithms from seven vendors and three universities. The tests used nearly 4 million images from three separate sources: a lab dataset, law enforcement and the U.S. Department of State. Accuracy was measured for three unique situations: • One-to-one verification, for example that of an e-passport holder. • One-to-one verification against a claimed identity in an enrolled database, for example driver license re-issuance. • One-to-many searching and verification, for example criminal identification or driver license duplicate detection. Facial recognition systems typically return a set of possible matches that a human operator then reviews. The most likely match as determined by the system is provided in the first position also known as rank one. Using the most accurate face recognition algorithm, the chance of identifying the unknown subject at rank one in a database of 1.6 million criminal records is 92%. Obviously, this accuracy rate decreases as the population size increases. In all cases a human adjudication process is necessary to verify that the top-rank hit is indeed the correct individual. When the most accurate algorithm is used to provide trained examiners with the top 50 ranked candidates, 97% of searches yield the correct identity in a fixed population of 1.6 million subjects. In cases where the top 200 candidates are searched, the correct match is present 97.5% of the time. Interestingly, it was observed that men are more easily recognized than women and that heavier individuals are more easily recognized than lighter subjects. Also Asian subjects are more easily recognized than Caucasian. Why systems have had this difficulty is hard to explain. That fact that men were more readily recognized than women could be because women are generally shorter than men. The height of the subject could create non-optimal imaging angles if the camera height is not adjusted. Test participants • Cognitec • Dalian University of Technology • L1 Identity Solutions • NEC • Neurotechnology

• Pittsburg Pattern Recognition • Sagem • Surrey University • Toshiba • Tsinghua University

Checkpoints. Not Chokepoints.

Fast. Accurate. Effortless. The AOptix InSightâ&#x201E;˘ VM iris recognition system brings truly high throughput, high confidence authentication to airports and borders. We're changing the way the world looks at biometrics. P. 408.558.3300 | www.aoptix.com/iris-recognition

What’s behind the biometric template?

Mathematical templates enhance privacy and usability of biometric systems Autumn C. Giusti Contributing Editor, AVISIAN Publications Privacy risk … or a fear of the biometrics boogey man? It’s a question that came up in Denver late last year when the health club chain, 24 Hour Fitness, introduced a fingerprint-based check-in system to replace its membership cards. The move added to the debate over whether systems that use fingerprint, face and eye images for identification can leak the information and create an invasion of privacy, according to a Denver Post article.

To set minds at ease, officials from 24 Hour Fitness pointed out a safeguard that biometric vendors often cite in defending their products: the system does not store actual fingerprint images but rather a numeric template that is a binary representation of specific points on the finger. Industry experts say that when used properly, templates provide a secure method for identification that is privacy enabling. “It’s not the technology, it’s how you use the technology that really matters at the end of the day,” says Phil Scarfo, senior vice president of sales and marketing for Lumidigm, an Albuquerque, N.M.-based biometric company specializing in fingerprint identification. Though most biometrics systems rely solely on templates, or mathematical representations of the physical characteristic, the general public is not aware of this fact. “It is the misperception that people are storing fingerprint images in databases that creates concerns related to privacy,” Scarfo says.

The first template? You might say the concept of biometric templates dates back to the 19th century, when fingerprints were first used for identification and law enforcement purposes. “If you have to look at two fingerprints side by side, that’s not a terribly daunting task. Think about comparing that to a file filled with 1,000 fingerprints.” says Michael Garris, supervisory computer scientist for the National Institute of Standards and Technology. To streamline the process, Sir Edward Henry in the late 1800s devised the Henry Classification System for criminal investigations in British India. The system categorized different types of fingerprints by defining common finger points and other descriptive features, such as whether a print had an arch or loop pattern. So instead of having to sort through thousands of fingerprints to find a match, a person might only have to search through the 100 that fit a particular category. The same idea applies to biometric templates, except now it’s computers instead of humans culling out matching fingerprint, iris and face characteristics. 56

Spring 2011

In every fingerprint, there are data points unique to that finger. “That constellation of points is what gets translated into this mathematical equation,” says Scarfo. The content for fingerprint, face and iris templates represents discreet visible artifacts or features, such as the corners of the mouth or shape of the eyes, says Michael Garris, supervisory computer scientist for the National Institute of Standards and Technology (NIST) in Gaithersburg, Md. “These points end up being feature points. Then you can compare the relative difference and displacement of those features between different samples,” Garris says. In its story on the 24 Hour Fitness debate, the Denver Post cites a September report by a blue-ribbon panel of the National Research Council calling biometric-identification techniques “inherently fallible.” Elaine Newton, senior adviser for identity technologies for NIST, disagrees with the statement. She says that it’s more accurate to say that biometrics are “probabilistic,” meaning that a biometric is not exactly the same each time it is collected. For instance, no two photographs of a person’s face are precisely the same. This fact can lead to a degree of uncertainty when establishing an identity with biometrics. Newton says that although templates on their own aren’t perfect, neither are they inherently flawed. “For biometrics to be successfully fielded, they do not need to be perfect,” she wrote in a 2009 report for Carnegie Mellon University. “Critical to their success is correctly designing the system.”

In every fingerprint, there are data points unique to that finger. “That constellation of points is what gets translated into this mathematical equation,” says Phil Scarfo, senior vice president of sales and marketing for Lumidigm. Fingerprint

Minutiae Data

Minutiae Map

Encryption standards Officials from 24 Hour Fitness said they took the extra step of encrypting the templates to provide an extra layer of privacy. Encryption is a standard practice biometrics vendors take to guard against unauthorized viewing and reverse engineering templates, says Jim Bergen, Sarnoff Corp., a Princeton, N.J.-based technology firm that offers iris imaging products. Whether encrypted or stored in the clear, most agree template data would be of very limited use to a hacker. “They wouldn’t be able to figure out who those codes belong to anyway. They’re just a bunch of ones and zeros,” Bergen says. The larger debate centers on the likelihood that an actual fingerprint, face, or iris image could be created from the limited number data

Encrypted Data

points stored in a template. While some say it is possible, what that actual reverse-engineered image would look like is in question. A reverse-engineered image that could pass the biometric system’s automated comparison would be far easier to create than one that would resemble a live sample that could pass human inspection. In the case of iris templates, only the structure of the iris itself – the region between the pupil and the white part of the eye – is represented, Bergen says. That excludes eye color, size, shape and other features people typically use to recognize a person. “It is technically possible with certain kinds of iris codes to generate a sort of image from it, but it’s an image that would be recognizable to an iris algorithm, not to a human being.” Still, some templates would be easier to crack than others. Proprietary templates rely on coding specific to an individual technology provider or vendor. Standard templates, however, contain information and cod-

Become a Certified Smart Card Industry Professional About CSCIP Professionals now have the opportunity to increase their industry knowledge, sharpen their professional skills, and take charge of their personal professional development. A CSCIP certification means you have passed a rigorous, comprehensive smart card technology and applied business applications education program and gained recognition as a certified smart card industry professional.

Join LEAP and make the SMART career move LEAP is an individual membership option offered by the Smart Card Alliance that offers exclusive industry knowledge, professional networking, and access to the only accreditation program (CSCIP) available for smart card industry professionals. LEAP is available to everyone, with special discounts offered to Alliance members. For more information, visit http://www.smartcardalliance.org/pages/activities-leap.

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. http://www.smartcardalliance.org.

Next test dates MAY 5, 2011 Chicago, IL JUNE 3, 2011 Gaithersburg, MD JUNE 15, 2011 Niagara Falls, Ontario CAN NOVEMBER 4, 2011 Washington, DC Visit the LEAP web site for future exam locations and dates in 2011.

Spring 2011

ing common to several vendors, thus potentially making them easier to crack. Template advantages Industry experts cite several advantages to using a biometric template instead of an image. For one, there’s dimensionality reduction, a reduction in the amount of space needed to store an image, Garris says. Templates make it easier to store biometric information on a smart card or other memory-restricted system. Whereas a 1x1-inch fingerprint scan would contain about 250,000 bytes of data, a template of that scan would be smaller than 2,000 bytes. “A computer could work with those 250,000 bytes individually and try to match it for similarities or differences between other images similar in size … but that’s a lot of data,” Garris says. “In terms of storing and matching lots and lots of fingerprints, (with templates) you’re dealing with a lot less data to have to store,” he says. Then there’s the issue of speed. Being able to reliably authenticate a person’s identity is significantly faster with templates. “Storing and transmitting images back and forth between a client device and a PC or back-end system is always a problem in terms of bandwidth and speed. Images are very large. Templates are very small,” Scarfo says. Another advantage is the privacy implications. Scarfo compares a biometric template to a constellation of stars. “How would you recreate an image or fingerprint from that constellation of points? You couldn’t redraw the finger image. It’s technically not possible.” Finally, experts say templates provide more opportunities for interoperability between systems. People may be using different devices from different vendors. By producing a standard template common to multiple vendors, a user can enroll in one system with one technology but authenticate in another system using a different technology. Privacy vs. anonymity While critics voice concerns that biometrics aren’t well protected, proponents say fingerprint, eye and facial images were never really private to begin with. “We leave fingerprints behind on virtually everything we touch. Our face is always in public areas,” Garris says. “Fingerprints and faces, they’re personal things. But they’re not private things.” Often, people confuse privacy with anonymity, Scarfo says. “People who want to fly on an airplane or enter a building have a right to privacy. But those granting us rights, for whatever reason, have a right to know who the heck we are,” he says. In the age of search engines and social networking, people are much more likely to give out private information – such as a social security number or an incriminating photo – that could be more damaging if it fell into the wrong hands than a fingerprint image would, Scarfo says. “There are all kinds of vulnerabilities we face these days, but I don’t think biometrics is the biggest one.”

Spring 2011

Cyberspace needs biometric match on card with PKI Public key infrastructure (PKI) authentication coupled with biometric match on card provides extremely attractive security benefits to those in the public and private sectors concerned about cyber attacks. PKI is a means to verify the digital identity of both the sender and receiver of electronically sent information. The sender and recipient obtain a pair of cryptographic keys – a public key and a private key – from a trusted authority. The sender uses the public key to encrypt a sent message, while the recipient uses the private key to decrypt the message received. This provides organizations and individuals with a means to confirm identity when conducting business electronically. Biometric match on card is technology using a biometric sensor, a smart card issued with the cardholder’s biometric encoded on the card, and an application on the card capable of matching the live biometric received from the sensor to the stored biometric on the card. The PKI key exchange verifies the authenticity of the card and provides assurance that the PC and connected biometric sensor/ smart card reader are mutually trusted entities. The match-oncard authentication provides assurance that the individual holding the card and operating the PC requesting access is a trusted entity. An important benefit inherent to this security workflow is that the entities used to create the circle of trust are never exposed to the network or beyond. This model works great for access to internal networks, inside the firewall. The real challenge is how to replicate this model for access from or to external networks without exposing the authentication and validation entities to hackers trolling cyberspace. From a security perspective biometric match on card technology is ideal for authentication because the biometric information is never revealed to the network, preventing exposure to cyberspace. Instead, a message is sent indicating that the authentication took place. This message would be sent as part of the PKI verification that takes place between the digital identities interacting in cyberspace. If the message is hijacked or intercepted the hacker receives nothing that can be used to assume a trusted identity.

By Consuelo Bangs, Senior Program Manager, Biometric Access Solutions at MorphoTrak, IEEE CBP

2005 2006 2007 2008 2009 Spring 2009

Spring 2008

Regarding ID Magazine – a survey of identiﬁcation technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

THE

COMING

STORM

Regarding ID Magazine – a survey of identiﬁcation technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

Airport IDs:

Grounded ... off? or ready for take

SECURING IDENTITY

converges Canadian telco logical ID physical and

in an online world

contactless Bank-issued te payments compe t for transit marke

Outsourcing ID programs Real ID becoming reality London trials NFC

renew Card fraud cases in US call for EMV e NFC global updat

Summer 2009

Summer 2008

Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

Regarding ID Magazine – a survey of identiﬁcation technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

HACKING IDENTITY The impact of smart card and security hackers Iris at-a-distance takes biometric center stage Health care mulls identity options EMV takes aim at U.S.

Fall 2009

Fall 2008

Regarding ID Magazine – a survey of identiﬁcation technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

DIGITAL

IDENTITY and the ELECTION

IDENTITY The forces are aligning but

Will a new president scale back existing projects or add new ones?

is America

READY

BIOMETRICS On campus, in the military PLASTIC IDS Recycling & green options

Contactless payments: Floundering or burgeoning? Airport worker credential in the making New rules for biometric sharing

Winter 2009

Winter 2008

Regarding ID Magazine – a survey of identiﬁcation technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

Changing Perspectives?

BEYOND ISSUANCE … e-passports struggle to achieve usage

NATIONAL

IDs

Is identity broken? EU considers student ID Registered Traveler in flux Plus NFC, RFID, biometrics

OWN THE ENTIRE COLLECTION 1000+ pages of ID technology insight just $200 • Educate new employees • Refresh your industry knowledge • Research for presentations • Review best practices • Learn from the experience of other implementations • Gain a competitive edge

For the first time, AVISIAN is offering all back issues of their industryleading re:ID magazine in a packaged set. You receive three year’s worth of top-notch news and insight – 15 issues of re:ID and 6 issues of CR80News magazine. Plus you get password-protected access to our online library with more than 1000 feature articles. To order, visit http://store.AVISIAN.com.

Visitor management crucial to physical security Systems catching on from Fortune 500s to Major League Baseball Andy Williams Associate Editor, AVISIAN Publications Security checks have become a fact of life for entrance to public buildings. As government agencies, corporations and schools struggle to keep track of individuals within their facilities at any point in time, a new breed of visitor management systems has risen to the top. Though it may be more apparent today, visitor management is not a new function. For as long as organizations have sought to control access to facilities, there has been a need to manage visitors, vendors and other non-recurring guests. In the past, paper-based logs were managed by lobby attendants to ensure visitors had a legitimate reason to enter. Today’s electronic solutions automate these functions adding convenience and robust new security features to the process. There are a number of different visitor management solutions on the market. Some are available as a part of enterprise-level solutions while others are off-the-shelf software products. Regardless of the solution, it should enable better control over access to facilities and automate the visitor entry and exit process. Upon check-in, a badge should be printed on-the-spot for use by the visitor. And after the fact, the electronic visitor logs should be able to be queried for reporting purposes. The products can improve the first impression a visitor forms of the organization as well as improve both employee and visitors safety. When evaluating visitor management solutions, there are many features to consider including ability to: • Integrate with other systems within the organization such as human resources or access control 60

Spring 2011

• Check external databases for such as sex offender and terrorist watch lists • Design custom badges within the application • Capture photos via driver license scan or digital camera • Automate data entry by scanning driver licenses or business cards • Print on paper labels and plastic cards • Print on self-expiring materials to make it easy to spot old badges • Validate badges electronically via bar codes or other ID technologies • Incorporate self-service check-in via kiosks • Automatic host email notification upon visitor check-in • Automate non-disclosure agreement signature process • Include time and attendance functions for staff. Baseball teams take a cut at visitor management Two U.S. professional baseball teams – the Seattle Mariners and the Cleveland Indians – were trying to get a better handle on the people entering their facilities. “We wanted a more professional appearance at the front desk so we could track who’s coming in,” explains David R. Powell, senior director of information systems for the Cleveland Indians. “We wanted to move away from handwritten ID stickers,” he says. “We were looking for a canned package.” In addition to visitor tracking, the Indians also wanted to use the system with internal staff. “We needed a system to produce employee IDs

ISC Premier Education:

Location:

April 5–7, 2011

Sands Expo & Convention Center,

Largest U.S. Security Exhibit Hall:

Las Vegas, NV

April 6–8, 2011

CHANGE HAPPENS MANAGE THE RISK AT ISC WEST

Interact face-to-face Meet & learn from industry experts and peers Discover thousands of the latest products & technologies The largest U.S. security event to keep you ahead

ISC Premier Seminars Covering: Access Control • Biometrics • Hosted Security • Municipal Surveillance Physical Security Information Management (PSIM) • Video Surveillance & Analytics

E N D O R S E D BY :

C O R P O R ATE PARTN E R S :

CO-LOCATED WITH:

Interested in Exhibiting? Contact Fred Evanko at fevanko@reedexpo.com or (203) 840-5965

because the one we were using in-house was developed some ten-years earlier and it was just too cumbersome,” explains Powell. But the most important reason for the solution was the Indians’ need to track the vendors who visited the ball club often on a daily basis. They wanted to automate the paperbased sign in process being used to keep track of vendors. With an electronic version, the Indians could easily check to see when a specific vendor – an electrician, for example – was last in. But more importantly, it enabled system operators to store individual records in a database and easily replicate a new badge the next time the vendor arrived. “We have a lot of visitors and on any given day maybe 20 outside contractors. So we needed something to keep track of who was in the building at any one time,” Powell says. “In a two-week period we have about 300 visitor entries.” The Indians chose Lobby Track, a visitor management solution from San Carlos, Calif.based Jolly Technologies. “We found Jolly and we liked what we saw,” says Powell. Named after its founder and CEO, Sandeep Jolly, the company got its start a decade ago producing bar code label products. In 2003 Jolly released its Print Studio solution to pro-

duce bar code labels, but the program also gained acceptance in the ID card market due to those same bar code capabilities. This led them to develop ID Flow and Lobby Track, the company’s people-tracking solution, in 2008. Jolly’s biggest customers can be found in the defense industry, pharmaceuticals, oil and gas, retail, and now even baseball teams, says Kurt Bell, Jolly’s vice president of sales and marketing. The company is also seeing a need for its technology in other areas, including schools and college campuses. For the Seattle Mariners, Lobby Track was the next logical step to secure its facilities. “We were already using ID Flow, Jolly’s badgemaking program,” says Erik Hackmann, security supervisor for the Mariners. “We wanted something that would integrate with it.” He explains that they wanted to use the badging database as part of the company’s host lookup. “When a visitor comes in he has to have a host, someone in the organization that is their sponsor. We have a database of people who are authorized to be hosts,” says Hackmann. “You can look up the host and when an expected visitor arrives it can send an email that the visitor is here,” explains Bell. Like the Indians, the Mariners consider everybody that’s not an employee to be a visitor. “The Mariners did 8,000 visitors last year,” Hackmann says. “Right now, we’re in the off season so most are contractors who are doing all of our projects. We’re remodeling parts of the ballpark and everyone has to have a badge. We’re averaging between 40-50 a day,” says Hackmann. Robust features take visitor management systems beyond badging solutions

Many organizations choose to produce guest badges using light-sensitive paper that darkens over time due to the chemical reaction produced by the thermal printing process used to produce the badges. This enables badges more than a day old to be visibly identified if they are reused for entry.

Spring 2011

Lobby Track has the ability to check visitors against terrorist watch lists and, particularly important for schools, sexual offender databases, Bell says. Many organizations choose to produce guest badges using light-sensitive paper that darkens over time due to the chemical reaction produced by the thermal printing process

used to produce the badges. This enables badges more than a day old to be visibly identified if they are reused for entry to facilities. Most solutions enable both paper badges and plastic IDs to be produced. “If you’re going to be in seven times a year or more, we’ll issue a plastic badge, (but) temporary visitors get a paper badge,” says Powell. Lobby Track automates data entry by scanning a guest’s driver license or business card. Information can be entered manually, if need be, and a Web cam is used to take a photo. “In most cases I take a new photo of everyone rather than use the driver license photo,” says Powell. “We recently upgraded to the Enterprise version so we can run it here in Cleveland as well as at our spring training facility in Goodyear, Ariz.,” says Powell. Lobby Track’s Enterprise version is “faster and better suited to working in multiple locations,” he adds. Adding applications and markets Because of its tracking ability, Jolly’s software is useable in other venues, such as event tracking, lab access or even school attendance, says Bell. While visitor management could work with universities, it’s not an easy market to crack. “The university market has been very difficult for visitor management, primarily because campuses are wide open,” says Bell. “To do it effectively you need to have a single entrance point, and students would have to have a noticeable ID in plain sight.” But the K-12 market is different. “It’s more widely used,” says Bell. “Campuses aren’t as big and you have to get your badge at the office before proceeding on campus.” And it’s easy to distinguish adults from students, which is why K-12 students don’t need a visible badge. Tracking software like Jolly’s is pretty much a behind-the-scenes product that, if it does its job, no one knows it’s even there. As the Indians’ Powell put it: “Visitor management isn’t the most high profile thing out there. It simply works so we can worry about the things that are more important.”

CHICAGO

The Smart Card Alliance Annual Conference

Roadmap to EMV Payments and SecureID May 3 – 5, 2011 • Chicago, Illinois • Hyatt Regency McCormick Place

The 2011 Smart Card Alliance Annual Conference heads to the exciting Mid West this year – to Chicago and the Hyatt Regency McCormick Place, May 3 - 5, 2011. 2011 is expected to be a breakthrough year for the smart card industry as the first EMV payment cards reach the marketplace in the United States; joining Canada, Latin America, and the rest of the global payments market in the adoption of the EMV global payments standard. In addition, exciting changes are taking place in the identity and security markets as cybersecurity becomes the focus of a national strategy and standards based secure ID cards rapidly expand into the healthcare markets, government eCommerce, and commercial enterprise physical and logical security.

www.SmartCardAlliance.org 1-800-556-6828

Join us for what the Smart Card Alliance does best – bringing experienced smart card practitioners and suppliers together with innovative solutions developers and end users across the payments and security markets. Network and share information on smart card-based identity management and authentication for the payments and security markets. Come and enjoy the best that the smart card industry has to offer.

Contactless payment scheme enables loyalty via Facebook Jill Jaracz Contributing Editor, AVISIAN Publications In a bid to become the mobile payment platform of choice, Bling Nation has launched a social media element to its contactless Bling Tag offering. Introduced in October 2010, FanConnect is a rewards and loyalty application that intertwines contactless payments, social marketing and the ubiquitous Facebook page. A Bling Tag is a contactless chip that affixes to a user’s mobile device to enable payments at the point of sale. When a purchase is made at a Bling-enabled merchant, the phone is tapped against a reader to initiate the transaction. User’s wishing to go beyond the payment experience can register their tag with

Spring 2011

Facebook. Each Bling tap is then emblazoned on their Facebook page for all their friends to see – something that can help a merchant market to loyal customers and their friends. With a Bling account, a user can make mobile payments, earn rewards, participate in loyalty programs and add a social media aspect to their purchasing behavior. Both customers and merchants can track purchases through a dashboard embedded in Facebook. Merchants can also send customers special offers and rewards via SMS or Facebook. “We’re using Facebook because (users) have an inbox and a treasure chest where offers exist,” says Matt Murphy, Bling Nation’s general manager for the Pacific region. “(Merchants) can

create meaningful offers that give you a real discount.” “We’re really trying to bridge this connection at the point of sale and use buzz and awareness to determine ROI. Businesses can advertise, but it’s hard to tie that into a return. With the redemption aspect, our platform is able to give them this,” says Murphy. No consumer information is stored directly on the tag. “Each product creates dynamic code for the transaction and authentication,” Murphy says. “All information is stored in the cloud. No consumer information travels on our rails.”

Bling Nation partnered with Merchant 360 to provide the hardware and support for their platform. The Bling Tag is an IC microchip with an antenna attached. Merchants use a Verifone POS terminal application written for the Verix Vx operating system. “We write an application for their platform that can be used for any Vx device,” says Steve McRae, CEO of Merchant 360. Merchant 360 also acts as the support and technical provider for Bling’s customer service needs. Consumers have the option to use the tag just for the FanConnect service or they can link their Bling Tag to a financial account to pay for goods at merchants offering the PayConnect service. When a user links a financial account, a PIN is selected to secure transactions. In addition, says Murphy, the system is intelligencebased and uses algorithms to determine abnormal spending behavior. Currently the service is available in Colorado, Texas, Tennessee, New York, Massachusetts, and California. Bling Nation has partnered with PayPal and several small banks to provide mobile payment services. Fifth Third Processing Services offers it as a turnkey solution to its processing customers. Merchant involvement

they’ve got PayPal involved, it makes the merchant acquiring easier.” Peabody sees the FanConnect service as a way to accelerate awareness. “The beauty of it is it’s really merchant-specific. You can tie it to your Facebook page. (The merchant) can control the message and [consumers] accrue points and use them at the point of transaction,” says Peabody, “not later or by looking at a catalog. Debit rewards are going away. Merchants want to issue the benefits directly instead of another merchant doing the fulfillment.” Although FanConnect can work with a variety of social media sites, Bling Nation chose to integrate itself with Facebook, going as far as to embed its company website into Facebook. “Having our whole web presence in Facebook helps merchants and consumers where the conversation occurs. They can link to real-life purchases and bridge that gap between online and oﬄine,” says Murphy. Merchants have seen mixed results with the Bling Tag. John Paul Coupa of Coupa Café has the system in all three of his northern California locations. “It gets used a lot,” says Coupa, “(even) more than American Express.” Coupa recently implemented the FanConnect system.

Other merchants have not enjoyed the same level of success. Charles Savas, president of Center Beverage in Stoneham, Mass., got rid of the system after just three months. “They were going to charge me $40 a month,” he says, “and I only had $35 in sales for the first three months.” Red Door Movies in Palo Alto, Calif., also stopped using the service. “Our store only has one or two customers using it,” says Sonny Park, manager. Murphy admits that businesses with more frequent users are likely to see more benefits from the system. However, he adds businesses from yoga studios to hotels have made the system work. With FanConnect, consumers can choose to gift their special deals to Facebook friends, and Bling Nation plans to introduce more features to expand its loyalty and payment features. “We will integrate more reasons for customers to tap their Bling Tag,” says Murphy. As handsets with embedded NFC come to the market, Bling Nation sees itself positioned ‘inside’ of the phone as well. “We don’t want to be a competing tag,” says Murphy. “We want to be the platform businesses use to connect … the ‘Intel inside’ to the NFC world.”

Merchants subscribe to the Bling Tag service for a 12-month period, which includes a twomonth free trial. For $199, they purchase the BlingBox, which includes a Verifone Verix Vx reader, Bling tags and marketing materials. For an additional $49 per month, the FanConnect service can be added. PayConnect, which includes all of the FanConnect social media features, is an additional $10 per month. The company hopes FanConnect will propel its mobile payments service. “I’ve worked with lots of companies that have come and gone (and) I have to say that the strategy here is a little different. There’s a lead on distribution and uptake … Bling has built a good brand people recognize,” says McRae. Partnering with PayPal dramatically increased its footprint and helped propel the product’s usefulness. “It’s a low friction way of getting a payment to happen,” says George Peabody, director of Mercator Advisory Group’s Emerging Technologies Advisory Service. “Now that

With a Bling account, a user can make mobile payments, earn rewards, participate in loyalty programs and add a social media aspect to their purchasing behavior.

Spring 2011

Iris biometric secures mobile app Zack Martin Editor, AVISIAN Publications Much of this issue examines use of the mobile device as an identity token. Key to this use is enabling biometric authentication on the handset to establish the identity of the user prior to initiating secure transactions. In the U.S. very few handsets are biometric enabled. But since most devices are equipped with cameras there has been a move to use them to capture the biometrics instead of adding dedicated hardware. WinkPass Creations did just that with its eyeD application for iPhone 4. The application uses the back facing camera on the handset to capture and then authenticate the user’s iris image. To enroll and begin to use the app, I captured my iris image three different times to create the template that would be stored for future comparison. Going forward, I had to authenticate by capturing my iris image and passing the comparison test, in order to gain access to the eyeD application. The application itself is really just a secured file that can be used to store important data – such as account information, user names and passwords – using AES 256-bit encryption. I used the eyeD application for more than a month and found it interesting but lacking in several key areas. My main criticism of it is its limited functionality. I am not convinced that it’s worth the effort simply to protect a file containing passwords and other data. Unfortunately it is not integrated to enable access to the iPhone itself or to restrict access to other applications. If I could use it as a strong authentication factor for access to a specific application, such as online banking, I would have a more use for it. But I suspect this isn’t the fault of the app or its developer; Apple would have to enable eyeD as an authentication factor and that process would likely be rigorous.

Spring 2011

As for its usability I didn’t have too many problems, though a novice might have some issues. It requires use of the rear-facing camera on the iPhone 4 because it needs the flash to capture a good image. Because you cannot view your target image on the screen using this camera, lining it up correctly and maintaining the necessary four to five inch distance from the face is a bit challenging. Once you get the hang of it it’s no big deal, though I never got used to the flash going off in my eye and the spots I’d see for a couple of minutes after authenticating. In future versions of the application, Winkpass wants to add voice prompts so the user will know where and how to hold the device in order to grab a good image, says Leon Atkinson-Derman, president at Winkpass Creations. I did test the app with some other people, and while it’s far from a scientific study, nobody else I tried to authenticate was able to access my system. What would make the biggest difference with this app? Clearly, the ability to use the front facing camera would help. If I could hold up the camera and align the iris to a specific place on the screen while watching in real time, the usability would increase tremendously. But because of the lack of a flash and the lower resolution of the front facing camera, it likely won’t happen unless the iPhone makes a change, says Atkinson-Derman. Winkpass is working on a separate application for facial recognition that would use the front facing camera, Atkinson-Derman says. And, he adds that the company will release a version of eyeD for Android powered devices later this year.

THERE ARE TWO SIDES TO EVERY SUCCESSFUL

IDENTITY MANAGEMENT SOLUTION

When it comes to identity management, trust is not a one-way street. You need a solution that not only establishes foolproof identities but also protects the personal information of every citizen. At CSC, we deliver integrated identity management and privacy assurance solutions that create confidence and earn public trust. You can count on us to seamlessly integrate the latest technology, systems, policies and business processes into a solution that is secure, efficient and, most of all, trustworthy. CSC Public Sector CSC.COM/NPS

Printing as easy as 1,2,3.

A breakthrough in easy-to-use, powerful and secure card personalization The range of FARGO速 DTC printers are ideal for your customers who need a flexible and simple way to color personalize and encode technology cards, while protecting their investment with field-upgradable options whenever their needs expand. Backed by a two year warranty from HID Global, the world leader in secure identity solutions. *To learn more, contact an authorized Fargo Integrator hidglobal.com/fargo-dtc-REID