Regarding ID Spring 2013

A SURVEY OF ID TECHNOLOGY - SPRING 2013 - ISSUE 33

COVER STORY: THE CONTACTLESS CONUNDRUM
WHY MIGRATE FROM PROX? DO I NEED MORE SECURITY? CAN I AFFORD IT?
LEGACY 125-KILOHERTZ PROXIMITY TECHNOLOGY IS STILL IN PLACE AT 70% TO 80% OF ALL PHYSICAL ACCESS CONTROL DEPLOYMENTS IN THE U.S. BUT IT LACKS THE SECURITY OF CONTACTLESS SMART CARDS


Bringing security to your world

Delivering ID programs that fit your country Government identity solutions from HID Global. The right interoperable products, the right field-proven brands like LaserCard® Optical Security Media (OSM), ActivIdentity® Credential Management System and FARGO® ID card printers and encoders. Tailored processes backed by years of the right design and integration expertise. We power the world’s most secure ID credential programs — including the US Green Card. We’re HID Global. Learn more at hidglobal.com/citizen-ID


SALTO Electronic Locking System

THE KEYLESS SOLUTION TO MECHANICAL KEY CONTROL The SALTO Virtual Network - System Description

Features & Benefits

The Wirefree battery operated locks, cylinders and lockers are networked to your server without wires.

· No wiring costs, simple installation and reduced material costs
· Adaptable to any kind of door, including lockers and glass door locks
· Track events in the facility, such as battery status, access granted/denied and staff activities
· Smart battery management and innovative design
· Wall readers and door controllers are used for elevators, gates, barriers or speed gates

The link that enables communication is carried by the “intelligent” smart RFID card, which acts as a 2-way data transporter that grants access, provides audit trail and informs about battery status. The wall reader is the updating point and links the credential and the PC. It also permits special functions. FOR MORE INFORMATION PLEASE CONTACT US SALTO Systems Inc. 3073 McCall Drive - Suite 1 · Atlanta, GA 30340 Phone: 770-452-6091 • Toll Free: 1-800-GO SALTO • Fax: 770-452-6098 info@salto.us • www.salto.us • www.saltosystems.com

inspired access


WHAT SECURITY DEMANDS, DATACARD® ID SYSTEMS DELIVER.

Whatever you need for a secure ID card program, you can get it from a Datacard® system. Datacard Group offers ID card printers, software and supplies — plus 40 years of experience and the support of authorized Datacard providers worldwide. To contact a provider near you, call +1.800.621.6972 or visit datacard.com/id. Datacard is a registered trademark and/or service mark of DataCard Corporation in the United States and/or other countries. ©2012 DataCard Corporation. All rights reserved.


CONTENTS

Features

24 Cover Story: Contactless conundrum. In the U.S. prox cards are the legacy physical access control technology. Contactless smart cards offer added security and functionality but uptake has been slower than expected, even though price is often comparable.

32 FIPS 201’s physical access problems. Federal agencies are finally deploying PIV-enabled physical access control systems but there are stumbling blocks. The systems and the credentials aren’t always working well together and these problems have the GSA changing the entire way it certifies PIV products.

40 Choosing the right token. Enterprises in key verticals are deploying strong authentication technologies, not always by choice, but by mandate. But what are the options? How does an organization choose the right token to fit its needs?

45 Biometrics in the field. Biometrics for time and attendance isn’t new but sugar cane producers in the Dominican Republic are adding a new twist using fingerprints to identify migrant workers before handing out payroll.

In this issue

6 Tough decisions and physical access: Plenty of blame to go around
8 ID Shorts: News and posts from the web
9 Calendar: Industry events from the identity and security worlds
17 Podcasts: FIME tests NFC-enabled devices to make sure they meet industry standards
18 Videos: The latest news and trends from the 2012 Smart Card Alliance Government Conference
24 The contactless conundrum: Physical access control system managers face the issue of migrating from prox
30 Before prox, before magstripe, there was Wiegand
31 Where is PKI at the door? Federal agencies taking phased approach to deployment
32 Problems plague gov physical access deployments: GSA: out with individual product approvals, in with ‘system’ approvals
35 Expert panel: The evolution of credentials and data management
36 Solving the online ID problem: Myriad of solutions vie to fill internet’s mega gap
39 Expert panel: Identity in an always-on world
40 Organizations replace usernames and passwords with one-time passcodes: More than the football-shaped tokens to choose from
44 Biometrics helps sugarcane producer pay workers in the field
46 Match-on-card biometrics: Use grows rapidly for this privacy-protecting technology
48 The marriage of biometrics and contactless: A ‘natural’ match. Payment, access and identity may soon benefit from union
48 Uproar in the mobile fingerprint market: Mergers, tech giants and massive opportunity define the space
56 Expert panel: I AM the future
59 Expert panel: Protecting your identity investment
60 Voice biometrics cranks up the volume: Public safety, financial, health find real-world applications
62 NFC, mobile highlighted among 2012 Sesames winners
64 At University of Southern California, fingerprint scanners secure student residences
65 Expert panel: Identity’s constant challenge: Addressing change
66 Washington Nationals go contactless for season tickets: Other baseball teams on deck


Get security and convenience... along with reliability and a compelling ROI. With Lumidigm, you don’t have to compromise. We call this the Lumidigm Advantage™. Quite simply, our patented multi-imaging approach to identification and authentication is the best there is. Lumidigm technology was specifically developed to address the shortcomings of conventional sensors that force users to choose between security and convenience. For more information about the Lumidigm Advantage, visit www.lumidigm.com. We are available at +1 (505) 272-7057 and sales@lumidigm.com to answer your questions.



ABOUT

EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andy Williams, andy@AVISIAN.com
CONTRIBUTING EDITORS: Liset Cruz, Andrew Hudson, Jill Jaracz, Gina Jordan, Ross Mathis, Denise Trowbridge, Jeff Wurfel
ART DIRECTION TEAM: Franco Castillo, Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com

SUBSCRIPTIONS: Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE: re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2013 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.

EDITORIAL ADVISORY BOARD: Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.


PERSPECTIVE

TOUGH DECISIONS AND PHYSICAL ACCESS
PLENTY OF BLAME TO GO AROUND
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

Hard to believe it’s been eight years since President George W. Bush signed HSPD-12, mandating secure, interoperable credentials for federal employees and contractors. Outside of the decision to use contactless smart cards for electronic passports, I can’t think of another action that has had a bigger effect on the identity and security market. Since the signing, more than 5 million credentials have been issued, but the number of systems using the credential is disappointing.

While eight years is a long time, it’s also been more than two years since a White House memorandum mandated that all new physical and logical access systems must take advantage of the PIV credential. Still, progress has been slow. The memo did elicit some new system deployments, but the latest problem is that these new physical access systems aren’t always working with the existing credentials. In some cases, the cards were not properly encoded or have expired. In other cases the physical access system is at fault.

When the system is to blame, the finger is frequently pointing back to problems with the General Services Administration’s Approved Products List for FIPS 201. Agencies have used the approved products list to choose component parts for their access systems, assuming this would make them compliant. But agencies have learned the hard way that just because a component is on the list doesn’t guarantee it will work with the existing infrastructure and cards. The GSA lists approved products but doesn’t take a holistic, system-wide approach.

The GSA is in the process of revising the approved products list to include interoperability testing of individual components with systems. This should help agencies pick parts that will work with their other parts … but it will likely be a year before the testing protocols are released and even longer before products can be retested and approved.

Federal agencies aren’t the only ones making questionable decisions when it comes to physical access control systems. Corporate enterprises are frequently deciding not to decide … sticking with decades-old proximity technology knowing it’s less than secure. The common refrain on why corporations stick with prox? “It just works.” But surprising to me was that some contactless smart cards are cheaper than prox cards and yet the older technology is still dominant. The added functionality and increased security of contactless should be enough to justify re-carding and swapping out the readers, but the pace seems almost glacial.

So if the cost is right and security is improved, why haven’t we witnessed a virtual mass migration? The not-so-dirty secret seems to be that parts of the access control supply chain find it easier to push the old technology. Local dealers and integrators know prox in and out. They can sell and deploy systems quickly and cheaply, which means they can maximize their profits. Deploying a new technology can take longer and require more effort, which means more time and potentially less money. Some also fear the loss of recurring card sales that could come with a customer’s adoption of open standard technology.

Both federal agencies and corporate enterprises need to start making the tough decisions when it comes to physical access control technology. Take the time to do research and implement technologies that will work properly and increase security.
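An added illustration, not part of the editorial and not code from any vendor, of what “less than secure” means for a legacy prox credential. A 125 kHz prox card broadcasts one fixed number, and the reader hands that number to the door controller as a Wiegand frame, most commonly the 26-bit H10301 layout: an even-parity bit, an 8-bit facility code, a 16-bit card number and an odd-parity bit. The Python below encodes and decodes that layout, shows that a sniffed frame can be re-created bit for bit from the two numbers alone, and contrasts it with a minimal challenge-response exchange of the kind a contactless smart card performs. The HMAC-SHA256 exchange is a stand-in for illustration only; real cards use their own vendor-specified mutual authentication, and the key, the UID and the 8-byte truncation are this example’s assumptions.

```python
"""Added example: static 26-bit Wiegand (prox) credential vs. challenge-response.

Not code from the magazine or any vendor. The H10301 bit layout is the
standard one; keys, UIDs and the response truncation are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# ---- Legacy prox: the reader emits a static 26-bit Wiegand frame -------------
# Bit 25 (MSB): even parity over the 12 payload bits below it.
# Bits 24..17: facility code.  Bits 16..1: card number.
# Bit 0: odd parity over the 12 payload bits above it.

def _parity(value: int) -> int:
    return bin(value).count("1") & 1

def wiegand26_encode(facility: int, card: int) -> int:
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility code is 8 bits, card number 16 bits")
    data = (facility << 16) | card            # 24 payload bits
    left, right = data >> 12, data & 0xFFF    # the two 12-bit parity groups
    ep = _parity(left)                        # makes the left group even
    op = _parity(right) ^ 1                   # makes the right group odd
    return (ep << 25) | (data << 1) | op

def wiegand26_decode(frame: int) -> Optional[Tuple[int, int]]:
    """Return (facility, card) for a well-formed frame, None on parity error."""
    if frame < 0 or frame >> 26:
        return None
    ep, op = (frame >> 25) & 1, frame & 1
    data = (frame >> 1) & 0xFFFFFF
    left, right = data >> 12, data & 0xFFF
    if _parity(left) != ep or _parity(right) ^ 1 != op:
        return None
    return data >> 16, data & 0xFFFF

def clone_is_indistinguishable(sniffed_frame: int) -> bool:
    """A clone needs only the two numbers; the re-encoded frame is identical."""
    decoded = wiegand26_decode(sniffed_frame)
    return decoded is not None and wiegand26_encode(*decoded) == sniffed_frame

# ---- Contactless smart card: reader challenges, card proves key possession ---

class SmartCard:
    """Holds a secret key it never reveals and answers fresh challenges."""
    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid, self._key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()[:8]

class ReplayedCard(SmartCard):
    """Attacker's emulator: has one captured response but no key."""
    def __init__(self, uid: bytes, captured_response: bytes) -> None:
        super().__init__(uid, b"")
        self._captured = captured_response

    def respond(self, challenge: bytes) -> bytes:
        return self._captured                 # can only replay what was sniffed

class Reader:
    def __init__(self, key: bytes) -> None:
        self._key = key

    def authenticate(self, card: SmartCard) -> bool:
        nonce = os.urandom(8)                 # fresh per attempt: transcripts don't replay
        expected = hmac.new(self._key, card.uid + nonce, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(card.respond(nonce), expected)

def replay_succeeds(key: bytes, uid: bytes) -> bool:
    """Sniff one legitimate exchange, then try to reuse it against the reader."""
    genuine, reader = SmartCard(uid, key), Reader(key)
    sniffed_challenge = os.urandom(8)
    emulator = ReplayedCard(uid, genuine.respond(sniffed_challenge))
    return reader.authenticate(emulator)

if __name__ == "__main__":
    frame = wiegand26_encode(10, 1234)        # assumed facility code / card number
    print(f"prox frame {frame:026b} -> {wiegand26_decode(frame)}, "
          f"clone indistinguishable: {clone_is_indistinguishable(frame)}")
    key, uid = os.urandom(16), bytes.fromhex("04a2b3c4d5e6f7")   # assumed values
    print("genuine card accepted:", Reader(key).authenticate(SmartCard(uid, key)))
    print("replayed transcript accepted:", replay_succeeds(key, uid))
```

The parity bits only catch line noise; they give the controller no way to tell a cloned card from the original, which is the whole of the migration argument. The challenge-response side fails a replay because the reader’s nonce changes every time, so possession of the key, not of a number, is what opens the door.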



ID SHORTS: SHORT STORIES FROM THE WEB

HID BUYS CODEBENCH HID Global acquired Codebench, a provider of physical security identity management solutions that focuses on the government sector. The acquisition brings new validation software and solutions for government credentials and will enable HID Global to offer solutions that ease deployment for its federal agency and contractor customers. The Codebench offering joins HID Global’s federal identity portfolio and will provide customers a one-stop shop to upgrade their physical access control system in accordance with FIPS 201 guidelines for PIV. HID Global will now be better positioned to serve the Transportation Worker Identification Credential (TWIC) market as well as emerging markets for commercial identity verification (CIV) in health care, local and state government, first responder groups and a range of other organizations. Codebench remains located in Coconut Creek, Fla., and the company’s products, executives and staff become part of HID Global’s Identity Access Management business.

WASHINGTON POLICE DEPARTMENT DEPLOYS CJIS-APPROVED TOKENS The Marysville, Wash., Police Department deployed GoldKey flash tokens in order to meet FBI Criminal Justice Information Services (CJIS) requirements for authentication and encryption of sensitive data. Law enforcement officers who wish to access FBI data must now have the ability to secure it with a minimum 128-bit encryption key during access or if the data is carried outside of secure facilities. The Marysville Police Department opted to use GoldKey’s flash tokens to meet the requirements, as the tokens contain a secure method of advanced authentication and can automatically store encrypted CJIS files. Each officer in the department now has a GoldKey to unlock laptop computers, access the CJIS system and store encrypted files. Upon leaving a patrol car, the officer is able to securely transport files on the token. The FBI requires all law enforcement organizations to implement such levels of security technology by October 2013.


SMART CARDS GIVE REFUGEES CHOICES IN HUMANITARIAN AID The United Nations World Food Program and the Turkish Red Crescent have teamed up for a new way to provide humanitarian aid to Syrian refugees in Turkey. Refugees will now receive smart cards loaded with 80 Turkish lira ($45) a month, with which they can purchase goods, including fresh vegetables, meat and staples in certain stores. This system will give the refugees the option to choose what goods they need and will replace the system where refugees received boxes of supplies. About 22,000 Syrian refugees located in camps near the Turkish border now have the cards.

MONGOLIA TAPS GEMALTO FOR NATIONAL IDS The Mongolian Ministry of Justice and Home Affairs selected Gemalto’s Sealys ID cards for their national identity program. This new eID program will secure Mongolian citizens’ identities as well as pave the way for new eGovernment services. Mongolia has approximately 3 million inhabitants and all citizens above 18 years of age are required to use these smart cards as their national identity document. Gemalto worked with Bodi International, the program’s prime contractor on this project, to issue the smart cards. Gemalto software manages the citizen’s personal data, including the holder’s digital photograph and fingerprints. The Mongolia national eID card also features the Sealys Clear Window, a transparent section created in the pure polycarbonate card body structure for enhanced protection against forgery.

TOKENWORKS LAUNCHES BLUETOOTH PORTABLE CARD SCANNER TokenWorks, a Bronxville, N.Y.-based provider of portable card scanners, rolled out IDWedgeBT, a Bluetooth ID card scanner that can speed electronic form entry using driver licenses, credit cards, student and military IDs and membership and loyalty cards, thus eliminating keypunch errors. The information is sent via Bluetooth to computers running Apple, Android and Windows operating systems. Unlike traditional card scanners that send raw card data, IDWedgeBT’s software recognizes different card types, extracts relevant field data and executes a user-defined script to enter card data directly into an electronic form. Once IDWedgeBT is configured for a specific form and paired via Bluetooth, the user scans or swipes a card. IDWedgeBT then automatically completes the form’s contact and/or payment sections.

EVOLIS PRINTER STREAMLINES ACCESS CONTROL AT FRENCH SWIMMING CHAMPIONSHIPS Card personalization company Evolis provided the printing and personalization of event badges for the French National Swimming Championships. Organizers used Evolis’ Primacy printers to create more than 1,000 personalized badges prior to the event as well as on-site. The badges displayed the holder’s personal information and identified the holder’s role, such as a swimmer, journalist, jury or coach. Badges were also color-coded to enable quick visual confirmation for access to the swimming arena.

CALENDAR

APRIL
ISC West 2013, April 9-12, 2013, Sands Expo and Convention Center, Las Vegas, Nev.
NACCU Annual Conference, April 14-17, 2013, Disney Contemporary Resort, Orlando, Fla.
CARTES America, April 23-25, 2013, Las Vegas, Nev.

MAY
NFC Solutions Summit 2013: Smart Secure Mobile Payments and Non-Financial NFC Apps, May 15-16, 2013, Hyatt Regency San Francisco Airport, Burlingame, Calif.
CTIA Wireless 2013, May 21-23, 2013, Las Vegas, Nev.

SEPTEMBER
2013 Biometric Consortium Conference, September 17-19, Tampa, Fla.
ASIS 2013, September 24-27, Chicago, Ill.

OCTOBER
Smart Card Alliance Smart Cards in Government, Oct. 15-16, Walter E. Washington Convention Center, Washington, D.C.

NOVEMBER
CARTES, Nov. 19-21, Paris, France


FTC RELEASES BEST PRACTICES FOR FACIAL RECOGNITION The Federal Trade Commission released a report called “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies.” Geared toward companies using facial recognition, it aims to help these users protect consumers’ privacy as the technology is implemented. Facial recognition raises a variety of privacy concerns, from identifying anonymous people in public settings to the possibility of hackers obtaining the data. Since the technology is still relatively new in the marketplace, the FTC saw an opportunity to educate companies on their use of facial recognition. It recommends a focus on end-user privacy and development of security measures for the collection and disposal of personal information.

GET GROUP OPENS D.C. OFFICE TO MEET GROWING DEMAND FOR CARD AND PASSPORT PRINTING GET Group, a provider of passport and ID card systems, announced the opening of its new office in Washington, D.C. to accommodate the growing government demand for card and passport printing solutions. GET Group’s printing technology is suited for government environments with security features that include a tamper-evident seal to protect against image or data alteration, as well as the ability to incorporate holograms, bar codes, and micro-text. The new location will support GET Group’s effort to build passport and ID business with the federal government, as well as provide technical support and sales contact for government agencies and their contractors.


GET Group is the worldwide distributor of Toppan’s security passport printing technology. For nearly two decades, the United States’ Department of State Passport Services has utilized GET/Toppan passport printing solutions.

INDIAN PRISONERS TO RECEIVE SMART CARDS Beur Central Model Jail is going to be the first prison to implement India’s new e-prisons program that registers all prisoners and issues them smart cards. The cards contain the prisoner’s name, father’s name, permanent address, fingerprints, photos, identity proof and case details. Additionally, prisoners’ daily wages can be added to the cards, as well as any money that their families send to them. Prisons will have kiosks to read the cards. Prisoners will use the cards for identification, for cashless transactions in the prison canteens and as a health card that would hold medical and treatment histories.

DIGITAL ID AWARD WINNERS UNVEILED The 4 Bridges Forum announced the recipients of the 2012 awards for innovative uses of high-assurance digital identities utilizing public key infrastructure in the public and private sectors. The selection committee was made up of a representative from each of the four participating bridges: the Federal PKI Policy Authority, SAFE-BioPharma, CertiPath and the Research and Education Bridge Certification Authority. One winner for each of four categories was selected from submitted nominations. Category winners include: For innovation, Monitor Dynamics was selected for its Trusted FICAM Platform, a high-assurance physical access control system delivering trust by leveraging PKI-based identity credentials across the PKI Bridge. For business value, John Hannan of the U.S. Government Printing Office was honored for leading the agency’s drive to enable fully electronic submissions to the Federal Register. Utilizing GPO’s PKI-enabled electronic document submission system, agencies submitting documents for publication convert them to PDF format, digitally sign them and then submit to the Federal Register via email, thus eliminating daily delivery fees. For federation, the Defense Manpower Data Center was awarded for the transition of the Joint Personnel Adjudication System from username/password to acceptance of all Department of Defense approved external PKI credentials of medium hardware or equivalent assurance. For collaboration, the National Cancer Institute’s Cancer Therapy Evaluation Program was recognized for its use of PKI-based interoperable digital identities. This system enables government and industry cancer researchers to accelerate the start-up phase of clinical trials by securely accessing, reviewing, signing and exchanging cloud-based documents. In addition to speeding the process, the use of digital identities dramatically reduces costs.

CANADA REQUIRING BIOMETRICS FROM CERTAIN FOREIGN NATIONALS The Canadian government is requiring nationals of 29 countries and one territory to provide fingerprints and a photograph in order to enter Canada. People from these locations must provide fingerprints and a photograph when they apply for visitor visas, study permits or work permits. The biometric data on file will be compared with data collected at the time of entry to ensure the individual approved to enter the country is actually doing the traveling. This initiative will bring Canada on par with many other countries that use biometrics in immigration and border management.

CHANGES TO AUSTRALIAN PRIVACY LAW FACILITATE BIOMETRIC DATA STORAGE New privacy legislation in Australia lifted the ban on law enforcement obtaining access to biometric facial scans taken for passports, driver licenses or entry to nightclubs. Police departments will now be able to ask private companies to turn over any facial scans they possess in order to identify suspects in crimes. The language in the Privacy Act wouldn’t mandate that these companies turn over their information to law enforcement agencies. The federal Information Commissioner will create guidelines for how companies will submit their biometric data. The legislation will go into effect in late 2013 in order to allow time for parties to comply with the regulations.


MASTERCARD TO LAUNCH ‘DISPLAY CARD’ WITH LCD SCREEN, KEYBOARD MasterCard is launching a next-generation credit card that features an LCD display and built-in keyboard. Accompanying MasterCard on the endeavor is Standard Chartered’s Asian branch and NagraID Security. The MasterCard Display Card is designed to alleviate the burden of carrying portable card readers to conduct a range of online transactions. The new cards will maintain credit, debit and ATM functionalities, but will also feature touch-sensitive buttons for inputting data and an LCD screen to show authentication codes. This will effectively make the card a dual functionality security solution. If initial efforts prove effective and are met with positive feedback, MasterCard will likely incorporate additional functionalities – displaying transaction history, balances, etc. – to the next-gen cards.
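The display card generates its authentication code on the card itself, which is what lets it replace the portable reader. The page does not say which algorithm MasterCard’s card runs, so the Python below is an added example (not from the magazine, MasterCard or NagraID) of the event-based scheme behind most display tokens: HOTP from RFC 4226, an HMAC-SHA1 over a counter that advances on every button press, plus the server-side check a bank would perform. The verifier keeps a small look-ahead window so that a user who pressed the button a few times without logging in (the counter has drifted ahead of the server) is resynchronised rather than locked out, while a code that was already accepted is refused. The secret is the RFC 4226 test-vector key; the window size and class names are assumptions of this example.

```python
"""Added example: RFC 4226 HOTP generation and verification with resync.

Not code from the magazine or any card issuer; the display card's actual
algorithm is not stated on the page. The secret is the RFC 4226 test key.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"   # test vector key, RFC 4226 Appendix D

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class DisplayToken:
    """Card side: each button press advances the counter and shows a code."""
    def __init__(self, secret: bytes) -> None:
        self._secret, self._counter = secret, 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code

class Verifier:
    """Server side: remembers the next unused counter, tolerates drift."""
    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:     # window assumed
        self._secret, self._next, self._window = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self._next, self._next + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next = c + 1          # resync; every earlier counter is burned
                return True
        return False                        # replayed, or drifted beyond the window

def demo() -> dict:
    """Walk one token and one verifier through the normal, replay and drift cases."""
    token, server = DisplayToken(RFC4226_SECRET), Verifier(RFC4226_SECRET)
    first = token.press()
    results = {"fresh": server.verify(first), "replay": server.verify(first)}
    token.press(); token.press()            # pressed twice, never submitted
    results["drift_inside_window"] = server.verify(token.press())   # counter 3
    for _ in range(6):                       # drift past the window
        token.press()
    results["drift_outside_window"] = server.verify(token.press())  # counter 10
    return results

if __name__ == "__main__":
    for counter in range(3):
        print(counter, hotp(RFC4226_SECRET, counter))
    print(demo())
```

Two points carry over to any display token: the secret never leaves the card, so the LCD code proves possession without a reader, and the verifier must store the last accepted counter per card, because the look-ahead is what turns a missed press into a resync instead of a support call.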

PROBARIS UPDATES ID MANAGEMENT SOFTWARE Probaris updated its identity management system software, Probaris ID 4.1, to include several new features that support strong digital identities based on a variety of tokens, smart cards and mobile devices. Probaris ID is identity registration and enrollment software that can produce and track credentials at the individual level by associating them with a single identity record. It can create a history of credential activity for an applicant and track the steps involved with issuing and managing that person’s credentials. For auditing purposes, the credentialing transactions are digitally signed. Other new features in this product release support tokens, smart cards and mobile devices. These features include administration capabilities to support segmented configurations for multiple clients and multiple organizations. It also has an online digital identity marketplace, support for multiple issuance models, tracking and inventory controls and integration with a variety of physical and logical access systems. Probaris ID also is fully compliant with the identity management system standards specified in FIPS 201, PIV, PIV-I and related publications.

TENNESSEE BUREAU OF INVESTIGATION UPGRADES FINGERPRINT COLLECTION The Tennessee Bureau of Investigation signed a contract with MorphoTrak to upgrade its biometric fingerprint system. Under the terms of the contract, MorphoTrak will provide the bureau with the Morpho Biometric Identification Solution to increase matching accuracy through advanced algorithms and a larger fingerprint database capacity. Agents will also be able to check if a DNA sample is required when they book individuals on criminal charges. The bureau says that it chose this system because its service-oriented architecture easily fit into the agency’s existing IT architecture. The bureau will also be able to incorporate additional features such as face, tattoo and iris recognition, as it sees fit.



PRIVACY VISOR COULD THWART FACIAL RECOGNITION Japanese researchers developed a “privacy visor” that could help wearers become “invisible” to the facial recognition technology used in surveillance efforts. Researchers Isao Echizen, of Tokyo’s National Institute of Informatics, and Seiichi Gohshi, of Kogakuin University, spent months researching ways to prevent facial recognition software from tracking ordinary citizens. They came up with a pair of high-tech glasses that emit near infrared light to block a facial recognition camera’s ability to capture the wearer’s image. The privacy visor looks like a clear shield that contains small circular lights that can be seen only by cameras. The lights are wired and battery-operated. This invention is one of a number of products that are popping up that attempt to hide people from surveillance cameras and facial recognition technology.

[Figure: two test images of the visor. Near infrared LED not lit (detection successful); near infrared LED lit (detection failed).]

EUROSMART: 7.7 BILLION SECURE DEVICES TO SHIP IN 2013 Eurosmart announced that the total shipment of microcontroller-based smart secure devices topped 7 billion units in 2012. To put this number into perspective, it means close to 20 million people are receiving a secure and personalized device worldwide every day. Eurosmart expects strong growth to continue in all major segments in 2013, bringing the total smart secure devices forecast to nearly 7.7 billion units. The major growth drivers seen by Eurosmart are:

Telecom
· Continuous demand in developing markets
· M2M technology is expanding the smart security market
· Deployment of 4G with more than 50 commercial LTE networks globally, enabling feature-rich IP services

Banking-Retail
· EMV migration is driving growth in Latin America and China and is confirmed in the U.S.
· Continued growth of dual interface devices, combining both contact and contactless technology

Government ID-Health care
· Steady growth in national eID programs
· Rollout of several health care programs
· New countries are starting to adopt eDriver licenses

NFC
· Eurosmart expected close to 100 million NFC secure elements to be shipped in 2012 and twice as many in 2013
· Major handset manufacturers have started to include NFC in their smartphones
· Mobile network operators, banks and merchants have started to market secure NFC services
· Industry alliances and partnerships are rolling out several projects worldwide

KNEE SCANS AS THE NEXT BIG BIOMETRIC IDENTIFIER? What is the next big possibility in biometric identifiers? One computer scientist believes the knees might have it. Lior Shamir, a computer scientist at Lawrence Technological University in Southfield, Mich., says knees are just as unique as fingerprints and could be a valid identifier. He says that biometric knee scans could be used to detect people as they are moving, for example, into a building or in a line at passport control. Tests to date show a 93% accuracy rate. While knees can be manipulated and changed, Shamir says that takes a great deal of effort. Shamir believes that knee scans along with another identifier could prove to be a good multi-modal identification system.



PRESIDENTIAL INAUGURATION INCORPORATES XTEC’S MOBILE SECURITY MEASURES


At this year’s Presidential Inauguration, XTec helped provide mobile accountability, identity validation and tracking for the District of Columbia’s Homeland Security and Emergency Management Agency and the National Guard. The two groups used XTec’s XNodes and AuthentX physical access control readers for identity capture and authentication. XTec set up AuthentX Accountability Stations at the Emergency Operation Center. These stations captured identity from Common Access Cards, PIV and PIV-I cards for those entering and leaving the facility. Additionally, 6,000 National Guard members used XTec’s accountability readers and XNodes at 20 locations throughout the District. These members logged more than 13,000 transactions during the weekend’s events. The mobile stations provided live reports during the weekend and the National Guard used the system to create reports of size and location of troop activity throughout the weekend. The District government plans to continue to use these readers after the Inauguration.


OSLO AIRPORT IMPLEMENTS SELF-SERVICE PASSPORT CONTROL Oslo Airport implemented EasyPass, a self-service passport control available to travelers who have Norwegian biometric passports arriving from non-Schengen countries. The airport collaborated with the National Police Directorate on the system, which is made up of two automated units at the non-Schengen arrival gate. The automated units have a two-step process. A traveler scans his passport at the entrance of the unit. When validated, a turnstile opens. The traveler passes through it to a second section where a photograph is taken and compared with the holder’s passport photo. If this matches, a second turnstile opens, and the traveler is free to leave the border control area.

BIOMETRIC ACCESS NOT JUST FOR THE HIGHLY SECURE A Texas retirement community is employing a biometric access control system based on facial, voice and behavioral recognition. The access system works in conjunction with CCTV to act as a virtual concierge for residents. Similar high-level security systems have traditionally been reserved for sensitive government, pharmaceutical or commercial establishments – locations where security was an obvious premium – not retirement facilities. But administrators at the Pasadena Interfaith Manor Apartments in Texas feel differently and have installed the SafeRise biometric system. Facial recognition is the primary biometric: residents simply look into the camera to gain access to the building, with voice recognition acting as a secondary means of access. The SafeRise system is a product of Israeli manufacturer FST21 and employs an easy-to-use facial recognition feature. Garcia contracted Alabama-based ion247 to install the system in conjunction with its In Motion Identification system, which quickly identifies anyone who approaches the door and grants access only to approved users after running a combination of biometric scans – face, behavioral, voice and even license plate recognition. The system eliminates the need for keys, cards or access codes.

UIDAI PROGRAM ADDS IRIS SCAN AUTHENTICATION In an effort to deal with the problem of poor fingerprint quality, the Unique Identification Authority of India is adding iris-based authentication. When residents enroll for the Aadhaar benefits program, they give both fingerprint and iris scans. Now the iris scans can be used as a second form of authentication. The program originally didn’t include iris-based authentication because the cost of scanners was prohibitive. Equipment prices have since decreased, making it more feasible.

MEDICAL MARIJUANA DISPENSING SYSTEM LEVERAGES BIOMETRICS California-based Medbox launched its medical marijuana dispensing system in Massachusetts. The system leverages biometrics to provide safe and secure distribution of cannabis. Medbox’s patented technology uses fingerprinting to verify a physician’s authorization and ensure that a patient hasn’t exceeded state dispensing limits. The system tracks this information through HIPAA-compliant methods.

HID CERTIFIES APERIO WIRELESS LOCKS HID Global announced that ASSA ABLOY’s Aperio wireless lock family has been certified as Genuine HID and is interoperable with Seos credentials and the iCLASS SE reader platform. Aperio lock technology enables doors to be integrated into an access control system without having to install wiring, make structural changes to the doors or modify existing access control credentials or system software. It provides organizations with a way to wirelessly link mechanical door locks to new or existing access control systems. As a certified Genuine HID Technology, Aperio now supports HID Global’s iCLASS SE platform for adaptable, interoperable and secure access control solutions. Aperio locks support Seos credentials, iCLASS, MIFARE, DESFire, as well as prox technologies.

PODCASTS EPISODE 104: NFC AND STANDARDIZATION As more NFC-enabled devices are introduced into the market it’s important to make sure they all work the same way. FIME tests these devices to make sure they meet industry standards. The company has been testing systems for Isis, the NFC project underway in Austin and Salt Lake City. Stephanie El Rhomri, new services marketing manager at FIME, talks about the work the company is doing with Isis and the importance of testing and certification.


VIDEOS HP DISCUSSES CONTEMPORARY HACKING, OFFERS BEST PRACTICE ADVICE As identification technologies evolve, so too do hackers. “If you don’t first know who’s on your network, you don’t really know if they’re supposed to be there,” says Betsy Hight, vice president of the Cybersecurity Practice at HP. “Identity is key to understanding who is authorized to be on a network, whether they should be on and what activities they are conducting,” says Hight. She implores users to always be aware, “There are entities out there who are looking to do you harm.”

CERTIPATH BRINGS ASSURANCE TO DIGITALLY SIGNED EMAILS The Department of Defense and other federal agencies that employ strong authentication credentials for daily use may have found an email assurance solution. “Digitally signed emails don’t have a lot of info about the assurance level tied to that credential,” explains Jeff Barry, senior technical analyst at Certipath. “You can’t really be sure about the identity proofing that was done on that person.” Certipath models the extended validation SSL indicator seen in Web browsers, with high assurance messages turning the inbox green. Additionally, cloud-based validation makes Certipath a future-proof solution that is extendable to other platforms.

MICROSOFT FILES REAL-TIME BIOMETRIC GAMING PATENT Microsoft has been issued a patent that could enable real-time biometrics for multi-player gaming. The patent describes a technology to enable gamers to quickly and easily join a video game session using biometrics. The biometric capture method includes a temporal sequence of the user’s facial images at different locations within a three-dimensional interaction area. The interactive 3D area is a major component of Microsoft’s new game console. The XBOX Kinect camera observes the 3D interaction space by capturing images and could subsequently identify users via one or more of their biometric features.

THURSBY SOFTWARE, SILANIS, JUNIPER NETWORKS USE SMART CARDS ON IOS DEVICES Silanis and Juniper Networks demonstrated solutions for the use of smart cards on Apple iOS devices, ideal for Federal agencies using PIV or Common Access Cards to access “We are enabling applications like picking up documents via email, signing them, and automatically triggering an email to the next person in the queue,” explains Anthony Moncada, Federal and DOD Client executive with Silanis. Moncada demonstrated the secure authentication solution using a Common Access Card and an Apple iPad. “We are demonstrating the integration with Juniper Pulse VPN client and smart card reader,” explains Jay Dineshkumar, systems engineer with Juniper Networks. Apple iOS support is a new concept to the mobile authentication market, especially on the Federal front. “This is the first time you can use a smart card on an iOS device to connect to the Juniper VPN appliance,” says Dineshkumar.

VA TAPS 3M FOR ID DOC VERIFICATION The U.S. Department of Veterans Affairs selected 3M to provide Identification Document Verification for its FIPS 201 PIV program. The 3M solution includes 300 AT9000 Full Page Readers and document authentication software deployed at approximately 284 PIV site locations, throughout a range of Veterans Affairs facilities across the United States. According to the Department of Veterans Affairs, it required a common, verifiable, and traceable solution deployed to all PIV Registrar sites that complies with the FIPS 201 requirement. HSPD-12 PIV identity proofing with the 3M reader and software helps PIV Registrars ensure that applicants are issued credentials based on electronically validated I-9 documents, and that the resulting data is available for audit and reporting purposes.

100K NEXUS CARD ISSUED IN THE BUFFALO/NIAGARA AREA U.S. Customs and Border Protection announced that more than 100,000 trusted travelers have been issued NEXUS cards in the Buffalo/Niagara region of New York. The applicant who became the 100,000th regional NEXUS cardholder was a local youth hockey player from Niagara Falls, Ontario. The NEXUS cardholder and his family became aware of the NEXUS program through a joint communication effort involving CBP, Canada Border Services Agency, the Fort Erie Public Bridge Authority and the Niagara Falls Bridge Commission. Cross-border travelers are encouraged to participate in the NEXUS program, which allows pre-screened, low-risk travelers to proceed with little or no delay into the United States and Canada. In compliance with the Western Hemisphere Travel Initiative implemented June 1, 2009, all travelers, including U.S. and Canadian citizens, need to present an approved travel document to enter the U.S. by land and sea. These documents include a valid Passport, U.S. Passport Card, Trusted Traveler card (NEXUS, SENTRI or FAST) or an Enhanced Driver License. Children under the age of 16 can present an original or copy of their birth certificate.

LUMIDIGM ADDS CERTIFIED SAP CONNECTION TO FINGERPRINT READERS Lumidigm added bioLock software to its fingerprint readers, making them certified by SAP for authentication purposes. The bioLock software manages SAP user identities with biometrics to help prevent insider fraud in areas such as inventory shrinkage, payroll, financial fraud or data loss. The software can manage both the log-on process, as well as re-authentication at more granular levels within an SAP environment. The software works with fingerprint readers in either a desktop USB version or in a kiosk application. It’s targeted toward customers in SAP banking and mission-critical applications that require strong authentication.

NEW REPORT EXAMINES BANKING AUTHENTICATION, THE FFIEC AND BIOMETRICS Javelin Strategy & Research released “Banking Authentication and the FFIEC: Business Customers Crave Biometrics,” which looks at how financial services companies are deploying authentication technologies. The report gives financial institutions insight into different types of authentication technologies and how to find the balance between security and customer satisfaction. It looks at the regulatory expectations around the 2011 FFIEC supplemental guidance, as applied to authentication. It explores strengths and vulnerabilities of various types of authentication as well as which types lend themselves well to specific consumer interactions. Finally, the report shows financial institutions how to implement secure authentication that’s consumer-friendly, yet meets regulatory approval. The report is targeted at the marketing and security departments of financial institutions, as well as online and mobile-banking platform providers, vendors and marketing companies, and third-party authentication vendors.

NEW NIST SOFTWARE TESTS BIOMETRIC APPS The National Institute of Standards and Technology released a new software suite called Biometric Conformance Test Software for Data Interchange Formats (BioCTS2012) for users to test biometric apps. The software tests against the ANSI/NIST-ITL 1-2011 standard, which provides a defined method for digitally encoding and storing biometric data. The standard enables agencies across law enforcement, military and homeland security to share data within their ID systems. It also enables biometric data sharing for identification purposes. NIST researchers developed this testing software because if standards aren’t implemented correctly in software applications, they won’t work. BioCTS checks whether the record of an image has the correct data captured in the order specified by the standard. If it does, it can be sent, received and filed correctly and accurately. NIST has also published two support publications for the software. Special Publication 500-295 gives computer programmers a methodology to develop a conformance test tool for the ANSI/NIST standard, while NIST Interagency Report 7877 has information on the conformance test architecture and implementation details of BioCTS 2012. The software test suite covers many types of biometric data including fingerprints, facial images, iris images, scars, marks and tattoos. NIST has plans to expand the testing tools to include other biometric record types and other international biometric standards in future revisions.

SAUDI ARABIA TO ACCEPT U.S. GLOBAL ENTRY The Kingdom of Saudi Arabia signed an agreement with the U.S. Department of Homeland Security to implement the U.S. Customs and Border Protection’s Global Entry program in Saudi Arabia. Global Entry is designed to streamline the airport screening process for trusted travelers and allow customs authorities to better handle unknown travelers and potential threats. The Department of Homeland Security and the Saudi Arabian Interior Ministry are also in talks about establishing a reciprocal program for Saudi Arabians entering the U.S.

ECUADOR EXPANDS NATIONAL EID PROGRAM VIA NEW INFRASTRUCTURE The government of Ecuador has placed an order with On Track Innovations for infrastructure, support and maintenance for its national eID program. Ecuador has ordered elements of its eID program from OTI since 2009 and this order brings the total placed with the company to $4 million. OTI has helped the country modernize and increase the security of its eID cards. Its system supports online and offline communication, enabling citizens in all areas of the country to apply for an ID card without needing to go to a particular location capable of supporting a high-end communication infrastructure.

GEMALTO DELIVERS 25 MILLION SMART CARD IDS TO INDIA Gemalto announced that it has delivered more than 25 million e-driver licenses and vehicle registration certificates to India. Gemalto has been providing these Sealys secure e-documents to multiple states across India since 2003. The Sealys smart card solution enables the Indian government to consolidate driver and vehicle registration information across the population in a central repository, easing the administrative burdens of the transport authority and other government departments. The secure e-documents contain a microprocessor that stores the driver’s or vehicle’s data. The document enables on-the-fly verification of driving credentials by authorities and prevents identity theft. The Vehicle Registration Certificate contains data about the vehicle, such as its registration, owner, insurance and pollution control certificate. The smart card technology also helps the government handle interstate vehicle movement.

HID UNVEILS LASER ENGRAVER HID Global released the FARGO HDP 8500LE Industrial Card Laser Engraver, a new module in its FARGO Industrial Series for high-security state and government eID programs and other applications requiring advanced visual security. The high-security HDP8500LE system permanently engraves a range of personalization attributes into cards, making forgery and alteration virtually impossible. With the HDP8500LE hardware and Asure ID Software, HID delivers a solution for simultaneously printing, encoding, engraving and laminating IDs. Asure ID software provides users with a single card template that integrates data to be printed, programmed and engraved into a card. The HDP8500LE delivers overt and covert visual security elements together with high levels of security. Precision laser engravers enable program designers to add custom security features, which may be authenticated with the human eye, as well as covert and forensic features, which require tools such as a magnifying glass or ultraviolet light to enable authentication. HID laser engraving technology creates surface relief in the form of raised lettering that enables verification of authenticity at the touch of a finger. The HDP8500LE system can also produce multiple and/or changeable laser images, which counterfeiters are unable to mimic using regular printers.


ATHENA SMARTCARD COMPLETES ITALIAN DELIVERY This year Athena delivered 15 million smart cards to the Italian health ID program for its eHealth and Digital Signature/Authentication and eGovernment card project. Actalis, the Italian Certificate Authority, is managing this project and is responsible for supplying digital certificates, card production, personalization and fulfillment. The eHealth card’s digital certificates permit legitimate cardholders to have access to health services. The cards aim to reduce fraud and automate local government IT functions. Emergency data stored on the card may be used in other countries in the EU. It’s expected that by the end of 2013 more than 20 million Italian citizens will be using an Athena card for health insurance purposes. This includes all citizens in the Lombardy and Tuscany regions.

GLOBAL MULTI-FACTOR AUTHENTICATION MARKET TO TOUCH $5.45 BILLION BY 2017 A report reveals that the global multi-factor authentication market could reach $5.45 billion by 2017. The Companies & Markets report estimates a compound annual growth rate of 17.3% from 2012 to 2017. Smart cards with PINs and one-time passwords are the top multi-factor authentication models, but biometric-based solutions are growing at a fast rate. North America and Europe constitute a majority of the biometric market, with APAC as the fastest growing region. The report notes key developments in the authentication industry including Microsoft’s October 2012 purchase of PhoneFactor, Apple’s July 2012 purchase of AuthenTec and Sagem Morpho’s purchase of biometric technology company L1 Identity. The two-factor authentication model constitutes nearly 90% of the multi-factor authentication market, with a majority of applications falling in the banking/finance, travel/immigration and commercial security sectors. Though much rarer, three-factor authentication is used in private access settings like bank lockers, secure data access, defense and immigration.

TWITTER REPORTEDLY ADDING EXTRA SECURITY Twitter will reportedly add a two-factor authentication option to its login process in an attempt to fend off hacking attacks. Reports state that Twitter is going to use a two-factor authentication system like the one Google currently employs for its Gmail system. It will require users to re-authenticate whenever logging in from a new device or Internet address, even when the account’s correct password is supplied. “The introduction of two-factor authentication for Twitter users will be a much welcomed security improvement. It will help them reduce the number of hijacked accounts – something that is all too frequent especially with high profile celebrity accounts,” says Ian Shaw, managing director of MWR InfoSecurity, a U.K.-based security consultancy. In the two-factor authentication system, the user provides the site with a mobile phone number. Whenever a log in is attempted from a new device or a new Internet address, the system will block access until the user inputs the correct password and the numeric code that’s sent to the account holder’s mobile phone. Although this strengthens the authentication process, it’s not foolproof, says Shaw.

“The process does require you to have a separate device but unlike other implementations of two-factor authentication the device receives a code rather than generating it independently,” Shaw says. “Therefore there is the potential for this code to be intercepted or the user tricked into registering an attacker’s device to receive the code.” There are other concerns with this type of two-factor authentication as well. “It usually only protects the initial login to the site, therefore if users are connected for long periods of time, their session could still be open to attack. To reduce this risk, two-factor authentication is often implemented with a timeout configured so that users are required to log in at regular intervals to revalidate their identity. However, this timeout can be very unpopular with users and therefore may not be implemented by Twitter,” says Shaw. This news came just days after Twitter experienced an attack that forced them to reset passwords on at least 250,000 accounts because hackers had accessed users’ e-mail addresses and encrypted passwords. However, Shaw notes that even extra security measures could not have prevented this attack. “Their personal information and password would still have been compromised but the usefulness of this information would be limited for users who choose two-factor authentication,” he says.
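The login policy described in this item, as an added example that is not Twitter’s, Google’s or MWR’s code: a small Python model in which a correct password opens a session only from a device and Internet address the account has used before, a new device or address triggers a delivered numeric code, and sessions carry the age limit Shaw mentions so that a long-lived session must revalidate. The in-memory “SMS” outbox, the timeout values and every account below are constructed stand-ins.

```python
"""Model of password plus delivered-code login with known-device tracking and
session revalidation. Added example; all timeouts and data are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SESSION_TIMEOUT = 3600  # seconds an open session lasts before it must revalidate (assumed value)
CODE_TTL = 300          # seconds a delivered code stays valid (assumed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-SHA256; the stored form is (salt, hash)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    phone: str
    known_devices: set = field(default_factory=set)  # (device_id, ip) pairs seen before
    pending: Optional[tuple] = None                   # (code, (device_id, ip), issued_at)


@dataclass
class Session:
    user: str
    device: tuple
    authenticated_at: float


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sessions: dict = {}
        self.outbox: list = []  # (phone, code) pairs; stands in for the SMS gateway

    def register(self, user: str, password: str, phone: str) -> None:
        salt, pw_hash = hash_password(password)
        self.accounts[user] = Account(salt, pw_hash, phone)

    def _password_ok(self, acct: Account, password: str) -> bool:
        _, candidate = hash_password(password, acct.salt)
        return hmac.compare_digest(candidate, acct.pw_hash)

    def _open_session(self, user: str, device: tuple, now: float) -> tuple:
        token = secrets.token_urlsafe(24)
        self.sessions[token] = Session(user, device, now)
        return "ok", token

    def login(self, user: str, password: str, device_id: str, ip: str, now: float) -> tuple:
        """Returns ("ok", token), ("code_required", None) or ("denied", None)."""
        acct = self.accounts.get(user)
        if acct is None or not self._password_ok(acct, password):
            return "denied", None
        device = (device_id, ip)
        if device in acct.known_devices:
            return self._open_session(user, device, now)
        # New device or address: the correct password alone is not enough.
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending = (code, device, now)
        self.outbox.append((acct.phone, code))
        return "code_required", None

    def verify_code(self, user: str, code: str, device_id: str, ip: str, now: float) -> tuple:
        """Second step: the code must match, be fresh, and come from the device that asked."""
        acct = self.accounts.get(user)
        if acct is None or acct.pending is None:
            return "denied", None
        expected, device, issued_at = acct.pending
        acct.pending = None  # one attempt per code, whatever the outcome
        if (device != (device_id, ip) or now - issued_at > CODE_TTL
                or not hmac.compare_digest(code, expected)):
            return "denied", None
        acct.known_devices.add(device)
        return self._open_session(user, device, now)

    def session_state(self, token: str, now: float) -> str:
        """Returns "active", "expired" (user must log in again) or "invalid"."""
        sess = self.sessions.get(token)
        if sess is None:
            return "invalid"
        if now - sess.authenticated_at > SESSION_TIMEOUT:
            del self.sessions[token]  # forces the revalidation Shaw describes
            return "expired"
        return "active"
```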

REPORT: SECURITY CONCERNS TO DRIVE FINGERPRINT BIOMETRICS MARKET Increasing security concerns, such as terrorist attacks, mass shootings and other criminal activity, will be a factor in the growth of the fingerprint biometrics market, says Global Industry Analysts Inc. (GIA) in a new report entitled “Fingerprint Biometrics: A Global Strategic Business Report.” GIA projects this market to reach $10 billion globally by 2018, with physical access control applications driving the growth. Investment by governments to increase security infrastructure will drive the AFIS fingerprint biometrics market, and continued growth in m-commerce should bolster the non-AFIS fingerprint market. The report states that silicon-based fingerprint sensors will see gains in the non-AFIS fingerprint biometrics sector. Recent advancements include miniaturization of sensors and extending their applications to other devices. Swipe sensors are also becoming more prominent in mobile phones and notebooks. Regionally, the U.S. is the largest market in terms of global sales, but Asia-Pacific is growing quickly, with 20% compound annual growth, says GIA.

MANILA PILOTING BIOMETRIC BUS DRIVER MONITORING The Metropolitan Manila Development Authority in the Philippines is piloting a Bus Management and Dispatch System that will monitor bus drivers through biometric fingerprint scans. The program will be implemented at the Metropolitan Manila Development Authority bus terminal at Fairview, Quezon City. Over this year, the authority plans to set up twelve more satellite stations throughout the metro area. The system requires public utility bus drivers to sign in with their fingerprint before taking over their routes. It matches each driver against a driver database that contains the personal information of registered drivers, the company that employs each driver and the number of unsettled traffic violations on record. Drivers with more than three pending traffic violations will not be allowed to drive.

ID TECHNOLOGY NEWS ONLINE EVERY DAY OR VIA A FREE WEEKLY EMAIL Explore online for up-to-the-minute news and insight on identity and security technologies. Articles, podcasts and videos from Re:ID Magazine’s editorial team are added daily to the sites below. Sign up to receive weekly updates via our free email newsletters. Visit any of the sites below and enter your email in the box at the top left corner of the page to register.

ContactlessNews.com: Contactless smart cards, identity, access, payment and transit solutions.
CR80News.com: Campus cards for primary and university ID, security and payment solutions.
DigitalIDNews.com: Online and digital ID, securing Web IDs, PKI and digital certificates.
EnterpriseIdNews.com: Identity management systems, cloud-based and financial applications.
FIPS201.com: Approved product listings for the FIPS 201 identity standard, PIV and PIV-I solutions.
GovernmentIDNews.com: Government ID solutions for citizen ID, driver license, border control and more.
HealthIDNews.com: Secure ID for health care payers, patients and providers.
IDNoticias.com: ID and security news and insight translated for Spanish-speaking audiences.
NFCNews.com: Near Field Communication technology, handsets, tags, applications and projects.
RFIDNews.org: RFID and sensor technology for logistics, pharma, animal and product tagging.
SecureIDNews.com: Government and large enterprise ID, smart cards, identification and authentication.
ThirdFactor.com: Biometric identification and authentication solutions for cross-industry applications.



The contactless conundrum? Why migrate from prox? Do I need more security? Can I afford it?

LEGACY 125-KILOHERTZ PROXIMITY TECHNOLOGY IS STILL IN PLACE AT 70% TO 80% OF ALL PHYSICAL ACCESS CONTROL DEPLOYMENTS IN THE U.S. BUT IT LACKS THE SECURITY OF CONTACTLESS SMART CARDS



THE CONTACTLESS CONUNDRUM

SCENE 1: TYPICAL CONFERENCE ROOM IN AN OFFICE BUILDING

PACS Manager: “Thanks for coming in prox. We appreciate the work you’ve been doing for us, but we’re facing a conundrum ...”

Prox: “No problem, just the same job I’ve been doing for more than 20 years.”

PACS Manager: “And that’s why we wanted to talk, I think we’re moving on to a different physical access technology”

Prox: [Stunned silence, mouth agape]

PACS Manager: “It’s just that we’re looking for more security, something that isn’t so easily copied, something that has a little ‘oomph’ to it.”

Prox: [Gets up from his chair, shoulder slumped, and heads for the door]

Legacy 125-kilohertz proximity technology is still in place at around 70% to 80% of all physical access control deployments in the U.S. and it will be a long time before that changes, says Stephane Ardiley, product manager at HID Global. The above scene, however, is starting to play out more frequently as corporations, educational institutions and government agencies migrate from older technologies to contactless. Case in point, U.S. federal agencies are replacing prox or in some cases even magnetic stripes with contactless smart cards in order to comply with government mandates, Ardiley explains. Still, it will be years before contactless card shipments overtake proximity in the Americas. IMS Research predicts that in 2016 contactless shipments will eclipse proximity, says Paul Everett, senior manager for the security team at the consultancy. Obviously, obstacles to contactless adoption still remain, even more than a decade after international standards were first released and nearly two decades following wide scale product availability.

Opinions vary as to the root cause of the delay. Many cite high replacement costs for some enterprises. Others blame the supply chain, noting that physical access control dealers and local security integrators have been slow to push clients to new technology. They believe it is easier and more profitable to stick with the older solutions that they have been selling for years and fully understand. Still, there are many reasons a migration from older access technologies is inevitable. The biggest is the increase in security. “Proximity cards and mag stripes are basic technologies when it comes to physical access control,” Ardiley says. “There is no security, they’ve been hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks.” In most cases the cards have the ID number printed on the back. If someone obtains the card they can take that number, encode a new card and use it to gain access, Ardiley says. Unlike prox technology, contactless smart cards are resistant – some would say impossible – to clone. The data in the card is encrypted and the communication between a card and reader is secure, says Ardiley.

Despite the security risks, prox isn’t going away anytime soon, says Jason Hart, executive vice president for the identity management and cloud solutions division at the Identive Group. “Some people are oblivious to the risk and those who aren’t accept prox as a convenience tool rather than a physical security tool,” he explains. Many of the enterprises that feel this way deployed prox a long time ago and simply haven’t looked back since, Hart explains. “Customers were sold on the fact that it’s secure and they never really questioned it,” he says. “They deployed in the early 1990s and haven’t done any assessment of the security technology since then.”

The lengthy lifecycle of a physical access control system is another reason prox remains prominent, Hart says. Physical access systems can have life spans as long as 20 years and swapping out can be time consuming and expensive. IMS Research puts the life spans anywhere between 10 and 15 years, Everett says. When new systems are deployed they typically choose smart cards, so at least enterprises are not replacing old prox systems with more prox technology, he notes.

Some enterprises don’t feel the need to move because the security profile doesn’t demand it, says Dave Helbock, a senior security specialist at XTec. “Do you want to keep the local populace out or do you want high security?” he asks. “Do you need to card into every door or suite or do you just have one on the front door and in the garage?” Depending on an enterprise’s answers to questions like these, they may find prox sufficient for their current needs. The other factor is that prox technology still works very well for its intended function – passing a short numeric string to a reader quickly and reliably. “Prox is very well established and the problem you face is that if it works, why change it?” says Everett. “People are resistant to change because it does the job on the low security side.”

So why switch? A security breach can lead to change. Hart says the use of prox technology – due to either cloning or lax access rules – has enabled unauthorized individuals to access facilities. Often such breaches lead to a discussion about high-security credentials, but so too can an IT department’s desire for convergence of credentials, Hart says. In addition to greater security, smart cards create opportunities for additional applications such as logical or network access control. “Enterprises need to think about physical access control as one piece of a larger ecosystem,” Hart says. “Pick one point and then grow from it.” The same contactless technology that gets an employee in the front door securely could also then be used to make purchases from a cafeteria or vending machines. Even more importantly, the credential could be used for logical access to secure networks and web sites, Ardiley says.

Conundrum: Why switch when prox just works? Contactless smart cards and ISO 14443 technology are far from new, as electronic passports that use the same technology have been in circulation for almost six years and the technology was deployed even prior to that. The existing, entrenched prox infrastructure is the main reason the technology has been slow to spread in the U.S., says Paul Everett, senior manager for the security team at IMS Research. Prox technology accounts for about 40% of revenue for physical access control technologies and represents 45% of the unique shipments. Contactless smart card shipments will overtake prox by 2016, Everett predicts. Most enterprises aren’t making the switch now because the systems they have work. Until those systems reach end-of-life there’s not a lot of need to upgrade a system that is still functional. “New installations will use smart cards but those with a large installed base of prox are not going to swap out unless there’s another reason to do so,” he adds. Physical access control provider Quantum Secure sees U.S. interest in contactless smart cards mainly within the federal government and its contractors, says Vic Ghai, vice president and chief technology officer for products at the company. In other sectors, it has been more pilots than installs. “Historically we have seen many pilots for contactless smart cards but it doesn’t go beyond that,” he adds. Quantum Secure has more than 80 customers in the U.S., 10% of which use contactless smart cards, Ghai says. Those customers are either federal agencies or enterprises that have contracts with the government. Outside of federal agencies and contractors, interest has been primarily from the health care and airport sectors, says Ghai.

THE ISSUE OF COST

These reasons would seem on the surface to be enough to encourage mass migration if other factors were not at play. But factors such as replacement cost fight against migration at every turn. Vendors are understandably hesitant to talk about cost as quantity and a host of other variables can factor in, but this does not remove the reality of the issue. Typically, prox cards cost $3 to $5 each, sources say, though it is not uncommon for small volume issuers to pay double this amount. Price can vary depending on printing options, lead times, quantity and other features. Pricing for contactless cards runs the gamut. Contactless smart cards with small memory and older technology are often cheaper than prox at just $1 to $2 per card, sources say. There are many mid-range options that are comparable in price to prox as well. At the expensive end of the spectrum, contactless smart cards with large memory, high-end cryptographic capabilities and the latest security features can cost $8 to $12 or more, sources say. Some may scoff at the cost of the higher end cards but vendors say the tangible and intangible benefits of increased functionality and security warrant the added expense.

As for the readers, again, on the low end the cost for contactless readers is often lower than or comparable to prox, sources say. Multi-technology readers with different features are more expensive but can provide greater longevity and the flexibility to support legacy cards as the migration to contactless proceeds. Since some contactless cards are comparable in price to prox, the main issue for an enterprise often comes down to the costs to swap out readers. A smaller organization with a handful of doors might not think twice, but for an enterprise with hundreds or even thousands of doors the cost of readers can be intimidating.

Conundrum: Where does mobile, NFC fit in?

Just as contactless takes hold in the U.S., near field communication is coming quickly on its heels purporting to do away with the plastic card format all together. Most agree that if this is to become reality, it is still many years away. It will be years before NFC becomes a standard feature, like Bluetooth, in handsets, says Paul Everett, senior manager for the security team at IMS Research. NFC has to find its way into the majority of devices for it to be a viable option. Even then there are some concerns with how one handset manufacturer may deploy the technology versus another, says Jason Hart, executive vice president for identity management and cloud solutions division at the Identive Group. There have been issues with some of the early NFC handset antennas and problems with data transmission. There are also the ever-present issues with “bring your own device,” such as who owns the data on the handset and how can we manage the security issues when one device is used for both personal and corporate access, Hart says. Enterprises that opt for contactless smart cards based on open standards, however, should be better prepared to make the transition from cards to handsets down the road as both technologies use the same family of ISO standards. While widespread use of NFC for physical access is certainly a ways off, it hasn’t stopped vendors from creating applications, Hart says. Identive has a PIV applet that can mimic the same functions as the government credential and another that uses the PLAID contactless standard for mutual authentication of credentials and readers.

STANDARDS-BASED TECHNOLOGY

While the capital investment up front may be daunting, there are potential long-term savings from making the switch to an open-standard contactless smart card. Theoretically, open standard products free end users from being locked into a single vendor for cards and readers. “Contactless smart cards enable a move away from a proprietary to a vendor neutral position,” Ardiley says. Contactless smart cards operate on the ISO 14443 or ISO 15693 standards. If an enterprise deploys technology that uses one of these standards it should be able to buy cards and readers from any vendors as long as the standards are supported. “You don’t want to get locked into one technology,” Hart says. “We’ve seen a lot of problems sticking with a one vendor implementation.” Using standards-based technology also means a certain amount of future proofing. As long as the new technology adheres to the same standard, enterprises should be able to upgrade without ripping and replacing, Hart says.

The access control supply chain has grown accustomed to proprietary technology and, sources say, the idea of open standards and open sourcing makes some dealers and system integrators nervous. They want to protect the lucrative recurring sale of cards and readers into their client base, but they fear that the switch to open standards – where these products could be purchased anywhere – could hurt business, insiders say. “Prox is easy and repeatable and they are making handsome profits on legacy systems and repeat sales,” says one security source. “Replacing a physical access system is a big deal and usually stays in place for a decade or more. Where is the incentive to move to a new, more secure system? Prox works today for physical access – even though it’s a weak system.” There’s also a comfort level with prox that many dealers may not have with contactless technology, sources say. They know how it works and how to deploy the system quickly and easily. With contactless there is still a learning curve some are struggling to get over. These same industry sources, however, stress that the progressive dealers and integrators who are embracing contactless and other new technologies stand to benefit in the long run. Like with any other supply chain, in the end the laggards are ultimately left behind.

DEPLOYMENT TIPS

For an enterprise considering a switch from prox to contactless there are a number of issues to consider. To start, an organization should conduct a thorough site survey to find out what kind of card technologies and formats are already deployed, Hart says. “A lot of times it’s difficult for an organization to know all the different card technologies deployed,” Hart says. “A satellite office might use a different technology and the car park might use something else.” Depending on the technologies deployed and the vendors involved this can be a difficult task. “Sometimes the vendor will have proprietary information and won’t want to provide it,” Hart says. There are inexpensive software and hardware tools available that can enable an enterprise to independently check the card formats and systems they have deployed.

Next an organization needs to determine where they want the new technology to be deployed, Hart says. Are there additional doors or areas that need to be secured, and if so, what needs to be done to enable those locations? The next step is either a pilot or full rollout, depending on how an enterprise wants to move forward. XTec recommends having a small group of employees with new cards tap against a reader for a period of time just to make sure the cards are working correctly, says Helbock. “You can do a storage room or other space just to make sure everything works,” he says. Once the proof of concept is completed and bugs are worked out, Helbock recommends a phased rollout. “It’s difficult to convert all cards and switch out all readers at one time,” he says. Once a population has the new contactless cards, it’s best to make the switch as quickly as possible. “There will be a little bit of pain but the quicker you do it the better off you’ll be,” Helbock says. Some organizations will opt for new readers that can accommodate both contactless and prox to ease transition, Hart says.

On the back end, if the prox physical access system uses the Wiegand Protocol it will work with the new contactless smart cards and readers, Ardiley says. “It’s changing the physical reader but the rest of the components should be able to accommodate the changes,” he adds. There are some exceptions, says John Schiefer, manager for system deployment at XTec. In the case of a federal PIV deployment the legacy infrastructure will work. If PIV-I is being used with the same system, however, an additional physical access controller might be necessary to handle and check the other data.

Defining the terms

Proximity (prox) cards operate at a low frequency (125 kHz) and store a small, fixed numeric string that is used frequently in access control environments as an ID number. Prox is not a security technology but rather a storage and convenience technology, and as such offers little protection against unauthorized reading or duplicating of cards. Contactless smart cards operate at a high frequency (13.56 MHz) and are capable of storing a volume of data, including one or more ID numbers. The volume of data, number of applications and on-board cryptographic and other processing capabilities are dependent on the size of the card’s chip. Contactless cards are designed for security, offering a variety of advanced features to guard against unauthorized reading of data held in secure areas and unauthorized card creation or counterfeiting.

USABILITY

An issue that too often goes unnoticed when making the switch from prox to contactless is the end user’s experience, Ardiley says. Whereas the prox credentials could come in the general vicinity of the readers and open the door, contactless smart cards might require a tap and hold before the transaction is completed. Enterprises need to educate employees on how the technology is different than prox so that they use it properly. If there are complaints of cards not working it may well be a simple case of user error. Making the switch from prox to contactless is a big step but it offers users the ability to accomplish more with a lesser risk of intrusion. With contactless credentials enterprises can achieve additional functionality, flexibility and increased security. The perception of higher cost is often a misperception, but it continues to inhibit deployment. It’s really a matter of educating enterprises on the true costs and benefits of these systems, and then finding a progressive local dealer to assist with rollout.

Before prox, before mag-stripe, there was Wiegand

When the term Wiegand is mentioned in the physical access control space most people think of the back-end protocol used to communicate the card data to a controller. But Wiegand Cards – one of the earliest access control technologies dating back to the 1970s – preceded the Wiegand Protocol, says Bob Holland, marketing manager at Secura Key. While this technology has been around for more than 30 years it’s still used because it works well. Its days, however, may well be numbered. At the end of 2012, HID Global announced that it would no longer manufacture the Wiegand cards and readers. This leaves Secura Key as the remaining supplier for the cards in the U.S., says Holland. Some may not think there would be much of a market for a decades-old access control technology, but Wiegand cards are still a mainstay in manufacturing facilities in the Rust Belt, South and Midwest, Holland explains. “A lot of these old manufacturing companies have tens of thousands of cards and countless readers, and it’s too traumatic for them to tear it out,” Holland says.

John Wiegand was attempting to create technology for the automotive industry when he developed the identification tool. It never worked in that instance but took off in access control. Wiegand cards use two pieces of wire placed on a strip and arranged in two rows. Prior to being placed on the strip and into the cards, the wires are twisted and pulled through a special device, heated and then spooled. This treatment embeds magnetic properties into the wires. “After it’s treated there is an outer shell and inner core and a magnetic difference between the two,” Holland says. When the wires are placed on the strip that goes into the card they are done so in two rows; one row represents zeros and the other ones, Holland explains. After manufacture, a card has an unalterable number, which is linked to an individual in a physical access control system. The cards are not personalized with a number, but rather an individual is registered to a card.

The technology has been popular because the cards and readers are durable. The cards are sealed and weatherproof. They are virtually impossible to clone because of the complicated manufacturing process and the design of the readers, Holland adds. “You have a card where the data is not exposed to the outside,” Holland says. “Unlike a mag stripe you can’t scratch it, you can’t read it because a Wiegand reader is an unusual thing and if you open it up you destroy the card.” Secura Key will continue to manufacture Wiegand Cards but the company recommends that enterprises consider making the switch to contactless, Holland says. To ease in the transition, they also offer cards containing both Wiegand and contactless technologies. “We want to transition people out of the Wiegand and into high-frequency technology (contactless),” Holland says. “But the thought of recarding and rewiring the infrastructure is very intimidating to some people.” The biggest issue facing enterprises that rely on Wiegand is not the card technology but rather the readers, Holland says. Secura Key has no plans to manufacture them and doesn’t know anyone who will.

Wiegand cards utilize a row of magnetically charged pieces of wire to store a short numeric string that can be used as an ID number within an access control system.


WHERE IS PKI AT THE DOOR?

FEDERAL AGENCIES TAKING PHASED APPROACH TO DEPLOYMENT
BOB DULUDE, DIRECTOR, FEDERAL IDENTITY INITIATIVE, HID GLOBAL

FIPS 201 has primarily been used for logical access and digital document signing using PKI-based validation. With PKI multifactor authentication, a digital certificate including the user’s public key is placed on their PIV credential and leverages smart card and biometric technology – a digitally signed fingerprint template – that supports multifactor authentication methods.

To use a PIV card to enter a building, the PIV card’s digital certificates are checked against a Certificate Revocation List, which is provided by certificate authorities. Rather than relying on a shared, secret key for authentication, a pair of public and private keys is used and these keys are linked such that information processed with one key can only be decoded or validated using the other key.

The Federal Bridge is used to establish trust between cross-certified agencies’ PKIs – separate and independent infrastructures, each with its own root certificate authority – thus enabling secure information exchange of digital signatures and certificates sent from and between various other participating government organizations. PKI authentication is a highly efficient and interoperable method for both logical access control to protect data and for physical access control to protect facilities, the latter referred to as “PKI at the door.”

U.S. federal agencies are taking a phased approach to implementing PKI at the door, as budget becomes available. To ensure that this is possible, they are configuring their infrastructure so that it can be quickly and easily upgraded to PKI strong authentication for physical access control when they are ready. For instance, they are first enrolling all of their PIV cardholders into their head-end system and then simply deploying transitional readers as defined by the General Services Administration. These read the unique identifier from the card and match it with the enrolled cardholder without using any FIPS-201 authentication techniques. These transitional readers can later be reconfigured in the field to support multifactor authentication. This ability to upgrade in the field to FIPS 201 is not possible with transparent readers. It’s important to note that GSA-approved transparent readers listed on the APL do not, by themselves, constitute an “Authentication System” as defined by the GSA, and do not, in and of themselves, provide the required validation mechanisms.

It is expected that PKI at the door will become more widely adopted as FIPS 201 evolves and there are more products available on the market to support it. We also see PIV credentials – and strong authentication for both logical and physical access control – moving to NFC-enabled mobile phones. FIPS-201-2 specifications are expected to include extensions, such as the concept of derived credentials that will enable a credential derived from the PIV card to be carried in the devices’ secure element, with the digital version providing the same cryptographic services as the card.

FIPS 201-2 is also expected to allow the use of the Open Protocol for Access Control Identification and Ticketing with privacY (OPACITY) suite of authentication and key agreement protocols which adds two important things:
1. Much better performance, by a factor of approximately four for critical tasks
2. Secure wireless communications, which will enable the use of PIN and biometrics on the contactless interface and further strengthen authentication alongside PKI for both physical and logical access control.

Physical access systems are undergoing the most radical transformation since the switch from keys to cards and tumblers to electronics. Because physical access control systems typically have a lifespan of 10 years, this won’t happen overnight, but industry visionaries agree that it will happen. Leading the charge for these next generation systems is the U.S. federal government. PKI is typically associated with logical access and digitally signing documents. When it was proposed for physical access it was something of a first. Making the leap wasn’t that difficult though, says Bill MacGregor, a computer scientist at the National Institute of Standards and Technology. There were simply too many points of potential vulnerability with existing physical access systems. The cardholder’s unique ID number is stored on the contactless portion of the card and it’s possible for it to be read and copied. This is more or less a step above a prox reader. To get the real benefit of FIPS 201 you need to do better than a basic read of the cardholder unique ID; you need to go to PKI. Since FIPS 201 was already using smart cards and PKI for logical access it seemed like a logical leap to use it on the physical side of things too. PKI is a fully standardized, mature technology and it’s deployed through the Federal Bridge. And it forms the core of the trust model for the PIV credential. While using PKI for physical access control might be new, the technology is not. That it’s been around for some time and there are standards around it means not having to reinvent the wheel. But there are still serious questions, including how long it takes to process a transaction and how it will affect existing physical access control infrastructures.

In a PKI at the door implementation, as in traditional access control systems, the first thing that will happen is registration into the system. At this point in the FIPS 201 environment, the contact interface of the credential will be used to check the PKI certificate, PIN and fingerprint biometric template stored on the card. This process currently takes between 13 and 30 seconds and will have to be performed whenever the credential is to be used in another physical access system. For example, a State Department employee going to a Homeland Security office will need to have his credential registered into the system before it can be used. After that initial registration the cardholder can use the contactless interface to have the PIV authentication key, one of the four PKI certificates on the card, checked. This process, along with the usual challenge and response that takes place with contactless smart card transactions, currently takes one to three seconds.

First, however, the existing infrastructure for most physical access systems would have to be upgraded. Typical access control systems use the Wiegand protocol to communicate with controllers. Wiegand is a one way communication. But for PKI to work there needs to be a back and forth with the system. Current systems are designed to send an ID number and not much more. But if you want to do authentication you need bi-directional protocols, which you get with a network. PKI at the door will require Internet Protocol-based access control devices. Putting physical access control systems online raises security concerns to some, but just because you IP-enable a system doesn’t mean it’s available via open networks. The physical access readers and controllers will also have to undergo a makeover with PKI at the door.


There will be two choices for the architecture of new physical access systems: do the processing of PKI certificates at the reader or do it at the controller. Either way the processor on the device that is chosen will need additional cryptographic certification. Most likely the choice will be to go with a smart controller instead of a smart reader. The argument is that there’s too much risk in putting the intelligence on the unsecure side of the wall. While upgrading the infrastructure for physical access control systems will be time consuming and costly, a bigger concern with PKI at the door is how long the transaction will take. Experts say it could take as long as a second and a half to open a door. This may not seem excessive but imagine trying to get through a turnstile with hundreds of other employees in the morning. Some fear that transaction duration could be the deal breaker in many environments. Others disagree. It’s the difference between wave and go and touch and go. It does require some crowd behavior effort, but just as people learned how to get on and off an escalator they’ll learn how the system works.

To deal with the time issue some are suggesting a switch from PKI, or asymmetric keys, to a symmetric key scheme. People say that symmetric keys are faster than PKI at the door. But PKI is more secure and may actually be easier to deploy and manage than symmetric keys. With PKI the secret is stored on the card and it never leaves that card. There is a public certificate on the physical access control system but it’s not a secret. It’s widely distributed and there is no security vulnerability. With symmetric keys the same key stored on the card also has to be stored on the physical access control system. This leads to more complex key management than with PKI. Public keys don’t need to be protected, but all these symmetric keys need to find their way to a reader on a door and must be protected in transit, in use and at the reader. This results in far more vulnerable situations and more opportunities for system compromise. Symmetric key management can be expensive and complex, especially when dealing with something the size of the federal government. A fact of large scale use is that key management drives the cost. It’s expensive. While symmetric keys may bring a speed advantage the complexity of key management may be too much of a detractor.

The General Services Administration has been pursuing an expedited PKI at the door solution. The agency contracted with Exostar, a provider of collaboration solutions for the aerospace and defense manufacturers and their 40,000 supply chain partners, and CertiPath, a credentialing authority for aviation, aerospace and defense organizations. The concept demonstrates how a single-credential system can provide secure access for both physical and logical assets, while also providing interoperability for employees, customers and partners. The need for the system arose from the greater security needed for federal physical access control systems. The system demonstrates the ability to perform the challenge response to the card authentication key on the contactless portion, but also how the system works with the contact portion including use of the biometrics and PIN. Additionally, it addresses ways to handle guests with and without PIV credentials. A visitor with a trusted credential can use it to pre-register via a Web site for a remote visit request. Upon arrival at the site the card has already been verified and after checking in the visitor can gain access to protected areas. Guests that do not have a trusted credential check in at an attended area and are issued a credential with an operational biometric and PKI certificate stored on the card. Now every defined population is using PKI for physical access control.

HID Global is working to improve the speed of PKI at the door via caching. The company’s caching status controller checks the certificate on the card once and then conducts periodic checks back to the revocation list to make sure the certificate is still valid. Initially the cardholder taps the badge on a reader and the PKI certificate on the card is checked against the Federal Bridge, a process that takes a couple seconds. From that point forward, the certificate is checked against the stored cache that is updated every hour against the Federal Bridge. In essence, at set time intervals the system validates the certificates from all cards commonly used in that specific access control environment. When a card is presented at an access reader, it need only be validated against the local cache, a process that is much quicker than validating against the remote system. You’re extending the Federal Bridge right out to the door. Then you get virtually the same card performance as you do with a standard transparent reader and you’re going with a smart, very secure edge appliance to do it.

ID Technology Partners has created a solution for physical access control called Mutual Registration PIV, or MR-PIV, that speeds up transactions and potentially makes them more secure. The solution enables a credential holder to register the card in the local physical access control system and also register that system with the card. That way if anyone tries to sniff information off the card and the system doesn’t have that mutual registration the card won’t give up any information. Also, since it’s a local identifier and not the global identifier the process is quicker. Rather than register the global identifier of the card we register the local identifier and a key to the physical access control system. This mutual registration speeds up the transaction to around half a second. The throughput is a five or six times performance increase.

While it seems clear that PKI at the door is coming, not as clear is the role that biometrics will play with these new systems. Biometric authentication is the single best way to truly tie the credential to the holder. Biometrics are an intrinsic property of the owner. It adds to the high assurance and the non-transferability of the credential. This will become increasingly important as other weaknesses in physical access control systems are alleviated. In a PIV card system the contact interface of the card contains two fingerprint templates that can be used to confirm identity. These would be used to register into a new physical access control system. However, since the contactless interface doesn’t have access to these templates, it would be difficult to use the biometric anywhere that high throughput is necessary. When a biometric authentication is required would depend on the security policy of the particular agency. They wouldn’t have to be used by credential holders on a daily basis. While general consensus seems to be that PKI at the door is the future for physical access control there are still challenges. One of the biggest may be convincing those on the IT side and those on the physical security side to cooperate. But change is happening as the industry works to make it easier for the authorized to gain entry and make it more difficult for unauthorized
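The caching status controller and its hourly refresh against the Federal Bridge, as an added illustration that is not HID Global’s product code: the first presentation of a certificate costs one slow remote validation, later presentations are answered from the local cache, and the walk-through also shows the trade-off a practitioner should weigh, namely that a revocation published between refreshes is not seen at the door until the next scheduled refresh. The validation authority, the certificate serials and the timestamps are constructed stand-ins.

```python
from dataclasses import dataclass, field

# The page says the local cache is refreshed against the Federal Bridge
# every hour; model that as a refresh interval in seconds.
REFRESH_INTERVAL = 3600.0


@dataclass
class ValidationAuthority:
    """Constructed stand-in for the remote validation service (Federal Bridge
    plus CRL lookups). `known` holds serials of certificates that chain to a
    trusted root; `revoked` holds serials that appear on a revocation list."""
    known: set = field(default_factory=set)
    revoked: set = field(default_factory=set)
    queries: int = 0  # number of slow remote round-trips performed so far

    def check(self, serial: str) -> bool:
        self.queries += 1
        return serial in self.known and serial not in self.revoked


@dataclass
class CachingStatusController:
    """Edge controller that remembers the validation result for each
    certificate it has seen and re-validates all of them on a timer."""
    authority: ValidationAuthority
    cache: dict = field(default_factory=dict)  # serial -> last known validity
    last_refresh: float = 0.0

    def refresh(self, now: float) -> None:
        """Re-check every cached certificate against the remote authority."""
        for serial in list(self.cache):
            self.cache[serial] = self.authority.check(serial)
        self.last_refresh = now

    def present_card(self, serial: str, now: float) -> bool:
        """Access decision for a certificate serial presented at time `now`
        (seconds). Returns True when the door should open."""
        if now - self.last_refresh >= REFRESH_INTERVAL:
            self.refresh(now)
        if serial not in self.cache:
            # First time this card is seen at this site: one remote check,
            # the "couple of seconds" case described in the text.
            self.cache[serial] = self.authority.check(serial)
        return self.cache[serial]


def revocation_latency_demo() -> list:
    """Walk through a morning at one door and record each decision together
    with the running count of remote queries. Card PIV-0001 is revoked at
    the bridge 20 seconds after its first tap; the controller keeps honouring
    it until the next scheduled refresh."""
    bridge = ValidationAuthority(known={"PIV-0001", "PIV-0002"})
    door = CachingStatusController(bridge)
    log = []

    def tap(serial: str, now: float) -> None:
        log.append((now, serial, door.present_card(serial, now), bridge.queries))

    tap("PIV-0001", 0.0)      # remote check, granted
    tap("PIV-0001", 10.0)     # cache hit, granted, no new remote query
    bridge.revoked.add("PIV-0001")
    tap("PIV-0001", 30.0)     # still granted: the cache is stale
    tap("PIV-0002", 40.0)     # new card, remote check, granted
    tap("PIV-0001", 3600.0)   # refresh fires, revocation now seen, denied
    tap("PIV-9999", 3610.0)   # certificate unknown to the bridge, denied
    return log


if __name__ == "__main__":
    for now, serial, granted, queries in revocation_latency_demo():
        verdict = "GRANT" if granted else "DENY"
        print(f"t={now:7.1f}s {serial} -> {verdict} (remote queries so far: {queries})")
```

The window between a revocation and the next refresh is the price of the speed-up; shortening the interval or pushing revocations to the controller narrows it at the cost of more bridge traffic.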



PROBLEMS PLAGUE GOV PHYSICAL ACCESS DEPLOYMENTS GSA: OUT WITH INDIVIDUAL PRODUCT APPROVALS, IN WITH ‘SYSTEM’ APPROVALS HSPD-12 was first signed more than eight years ago and since then some 5 million credentials have been issued to federal employees and contractors. Few would argue that the credentials are prevalent, but many bemoan the level of utilization. Two years ago, the White House Office of Management and Budget – the agency tasked with policing HSPD-12 progress – issued a memorandum mandating use of systems that comply with the credentials. Known simply as M-11-11, the memoran-

34

Spring 2013

dum stated that any new systems used for logical or physical access must use the PIV credential. 2012 saw federal agencies begin to deploy physical access control systems that use the PIV credential, however, the implementations have not been without problems. The deployed physical access control systems don’t always work with the credentials and this has lead to finger pointing between card manufacturers and physical access providers. While the fault can be shared by all parties including the agencies that deployed the credentials, the larger issue lies with the General Services Administration’s Approved Products List for FIPS 201.

It seems that while individual products may be compliant in a standalone environment, some cease to function when implemented alongside other components. This has forced the GSA to rethink the way it evaluates products for the list. Instead of testing individual components for compliance, in the future the GSA plans to test the interoperability of entire systems. The GSA FIPS 201 Evaluation Program is being migrated to the Federal Identity, Credential, and Access Management (FICAM) Testing Program with a “spiraled” approach, according to a statement from GSA. The first spiral will focus on enhancing the physical access control system categories. Four new categories will be added to the program: Transitional Reader, FICAM Reader, Head-end and Validation System. The Testing and Approval procedures for the four categories are under a review and evaluation process by federal agencies, vendors that belong to the Smart Card Alliance Access Control Council and the Security Industry Association.

The Identity Credential and Access Management Steering Committee is working on a document called PIV in E-PACS that will provide a set of security controls that the GSA FICAM Testing Program will use as its security baseline for Federal physical access systems. The goal of the FICAM testing program is to provide an all-encompassing evaluation capability so that agencies can select products for a federated and interoperable architecture. The objectives of the FICAM testing program are to:

· Provide a common government-wide testing capability for ICAM products and services
· Provide compliance, consistency and alignment of commercially available products and services with the requirements and needs of government implementers
· Ensure availability and choice among vendor products to support different ICAM components
· Coordinate interaction and coordination with the vendor community to improve the inclusion of ICAM requirements into product offerings
· Promote cost-effective ICAM implementation with qualified products and services that perform successfully

A timeline on when the Identity Credential and Access Management Steering Committee will release the guidance and when the new testing protocols will go into effect has not been released by the GSA. These changes are going to help, but it will be a while before the full effect is noticed. It will most likely be 2014 before the new FICAM testing protocols are completed and only then can vendors begin the process of testing systems.

Throwing another wrench into the works is that a finalized draft of the revised FIPS 201 standard is also due in 2013, sources say. The first FIPS 201-2 draft was released in 2012. It proposes significant changes for physical access that include deprecating the cardholder unique identifier – which has been the primary identifier for physical access – and requiring additional digital certificates to be verified. A new draft of FIPS 201-2 is expected to be released in early 2013.

Defining the terms

HSPD-12: The Homeland Security Presidential Directive signed by President George W. Bush in August 2004 that called for a common identification standard for all executive branch employees. The common credentials are to be used for access to physical facilities and computer networks to thwart terrorist attacks and prevent identity theft.

FIPS 201: The National Institute of Standards and Technology created the FIPS 201 standard to help agencies meet HSPD-12. It is the technical specification for credentials used by executive branch employees and is accompanied by numerous special publications that define different parts of the credential.

PIV: Personal Identity Verification – or PIV – is the name FIPS 201 gave to the specific credentials issued by federal agencies to employees. PIV and PIV cards adhere to and rely upon the FIPS 201 standard in order to meet the mission laid out by HSPD-12.

TOO LITTLE TOO LATE?

The changes being considered aren’t going to alleviate the problems with existing systems. With the OMB mandate many agencies upgraded physical access systems and many experienced problems rooted both in how they selected systems and how they used the existing approved products list. “People need to be educated on what the approved products list means,” says Geri B. Castaldo, vice president of business development for Federal Identity at Codebench Inc., an HID Global Company. You can’t just buy one piece off that list; it doesn’t get you compliant with HSPD-12. “It leads you down the path but doesn’t mean your system is compliant.”

Agencies need to look at the physical access control system deployed and then go to the manufacturer or systems integrator to find out what they need to do to make the system compliant, Castaldo explains. While integrators in the DC area are familiar with FIPS 201, she says problems often arise when dealing with those outside of the beltway who are not as familiar with the specification.

Problems can also arise with the credentials themselves. The cards might be expired, on the revocation list for some reason or not encoded properly, Castaldo says. “In many cases these cards have been out there for a while but are being checked (or used) for the first time,” she says.

Gemalto has been dealing with a myriad of complaints about cards not working when physical access systems are upgraded, says Neville Pattinson, senior vice president for government programs at Gemalto. There are numerous reasons the systems might not be working but often the first call is to the card vendor. Gemalto has a list it sends to agencies when these problems arise to determine whether it’s the card or the physical access system.

One problem is that agencies assume they can just swap out the reader and be ready to go, but this is not always the case. “The entire system might have to be upgraded – software, card readers and firmware,” Pattinson says. There’s always a possibility that the entire system won’t have to be upgraded, but a site survey is necessary to find out what needs to be done.

The physical access controllers could pose another problem. If the agency is migrating from prox to contactless smart cards the amount of data these controllers have to handle is much greater, Pattinson explains. The system may work fine for a while but as more employees are enrolled they could be dropped off the list as the controller’s library fills.


In response to the issues arising from physical access systems and credentials, the Smart Card Alliance released a white paper with tips on how to troubleshoot such problems. “This document categorizes observed symptoms, lists some probable causes, and suggests corrective actions as well as some basic troubleshooting techniques that may easily be performed on site,” the paper states. “This white paper is intended to help users diagnose the cause of the different issues and quickly identify corrective actions. The goals of the recommended procedures are to minimize interruption of daily operations and reduce the need to replace system components such as cards and/or readers.”

The reported usage difficulties with PIV cards and contactless readers covered in this white paper include:

· Intermittent operation, such as the reader not reading the PIV card or only sometimes reading the card
· The card and card reader interaction producing inconsistent numbers or a noncompliant data stream
· The reader shutting down after unsuccessful attempts to read the card
· The physical access systems failing to register some cards

The possible errors and issues associated with the systems’ reading of the credentials can be numerous and obscure. There can be card reader installation issues where the card reader is installed too close to metal beams or on other metallic objects. Metallic objects may cause radio frequency reflections and distortions that have a greater impact on PIV cards, which operate at 13.56 MHz, than on legacy proximity cards that operate at 125 kHz.

There are also training issues for cardholders. A frequent complaint is that a card is not working when in reality it is simply not being used properly. Prox technology typically works quickly when the card is placed near the reader, but contactless smart cards may require a bit more time and proper alignment in the reader’s field to complete the transaction.
With changes coming to the approved product list and a new FIPS 201 specification expected in 2013, it’s going to be interesting to see how agencies negotiate these issues. “This has to be managed carefully,” Pattinson says. “We don’t want to see another round of frustration when cards are working one day but not the next because of a system upgrade.”


EXPERT PANEL

The evolution of credentials and data management
CHRISTOPH WIESINGER, PRINCIPAL BUSINESS ARCHITECT FOR BORDER AND IMMIGRATION SOLUTIONS CENTER OF EXCELLENCE, CSC

“We are Federales … you know, the mounted police.”
“If you’re the police, where are your badges?”
“Badges? We ain’t got no badges. We don’t need no badges! I don’t have to show you any stinkin’ badges!”

The next number of years will see the continued evolution of our thinking about identity. We will shift from twentieth century understandings and physical manifestations towards something more subtle and pervasive: a new experience of identification and how identification and identity intermediates between the individual and the myriad of physical and logical assets to which they have been granted access.

This shift is being driven by serious business concerns arising from the emergence of cyberspace as a domain of human activity and the intensification of globalization. The weaknesses of classical identification methods and memes create areas of vulnerability ranging from internet safety for children, to supply chain and financial transaction integrity, to national security. At the same time, issues around cost, convenience and privacy make traditional, stovepiped identification systems clearly unsustainable. We must make a dramatic shift in our approach to identification and individual privacy.

The old approach tackles identification as an enterprise or program function, collecting and storing extensive personally identifying information (PII) as an integrated part of the process of authorizing access to specific physical or logical assets. The individual is then provisioned with a least-costly means – a physical card with their picture, a username and password – of proving their connection to the original enrollment and authorization process. As we know, the least costly means usually do not deliver the best results. Consequently, personal information is scattered in systems of highly variable security across the world, to the great dismay of privacy advocates. Its misuse only becomes apparent when we are notified of breaches and we all pay the price. Although enterprises – particularly in the financial world – have created the impression that we as individuals are shielded from the costs of these breaches, this is patently not so: we pay for them in the form of service charges.

The new approach, consistent with the National Strategy for Trusted Identities in Cyberspace and its international counterparts, addresses identification as a business process performed on behalf of the individual. It encompasses:

· The gathering of identification claims
· The assessment of evidence for claims
· The storage of personal information for subsequent re-use and discrete sharing – for example, instead of sharing Date of Birth, share a certified statement like “over the age of 18”
· The provisioning of a means that enables the individual to establish a physical connection with those claims

By shifting to the new approach, we can reduce the aggregate cost of identity, raise the overall level of security and integrity of identity-mediated programs, and most importantly, help individuals recover practical privacy: the ability to control and govern the use of personal information. At the same time that we reduce the unnecessary proliferation of PII, we will enable secure methods of highly personalized service from commercial and government enterprises.

In the new world, identity is not a credential. It is a process that generates a myriad of context-specific permission credentials, each of which is associated with the identity, but minimizes the collection and storage of personally identifying information. The national strategy and its counterparts point the way. Executives in business and government need to pay close attention, and get their operations and enterprise architectures ready to benefit from smarter, individualized identity solutions provided by third party services. The way enterprises treat data will enable them to strengthen their brands and build trust with clients. Data management practices will become a differentiator.
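The “over the age of 18” statement above, as an added example that is not part of the article or of any CSC system: an issuer that holds the date of birth signs only the derived claim, so the relying party verifies the signature and never receives the birth date. The HMAC-SHA256 key (standing in for the issuer’s signing key), the subject identifier and the enrollment record are constructed.

```python
"""Derived-claim issuance: certify "over 18" without disclosing date of birth.

Added example, not code from the article or from CSC. HMAC-SHA256 stands in
for the issuer's signature; the key and enrollment record are constructed.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed issuer key; a real identity provider would sign with an asymmetric key.
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"

# Constructed enrollment record, held only by the identity provider.
ENROLLMENT = {"subject": "user-0001", "dob": "1990-05-17"}


def is_over(dob, years, on):
    """True if a person born on `dob` has reached `years` of age on date `on`."""
    try:
        birthday = dob.replace(year=dob.year + years)
    except ValueError:  # born on 29 February, anniversary falls in a non-leap year
        birthday = dob.replace(year=dob.year + years, day=28)
    return on >= birthday


def issue_claim(record, claim, today_iso, key=ISSUER_KEY):
    """Return a signed token carrying only the derived statement, never the DOB."""
    if claim != "over_18":
        raise ValueError("unsupported claim")
    today = date.fromisoformat(today_iso)
    dob = date.fromisoformat(record["dob"])
    payload = {
        "sub": record["subject"],
        "claim": claim,
        "value": is_over(dob, 18, today),
        "issued": today_iso,
    }
    # Canonical JSON so that signer and verifier hash identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_claim(token, key=ISSUER_KEY):
    """Relying party check: return the payload if the signature holds, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


if __name__ == "__main__":
    token = issue_claim(ENROLLMENT, "over_18", "2013-03-01")
    print(token)                 # contains "value":true but no birth date
    print(verify_claim(token))   # {'claim': 'over_18', ..., 'value': True}
```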



SOLVING THE ONLINE ID PROBLEM
MYRIAD OF SOLUTIONS VIE TO FILL INTERNET’S MEGA GAP
JILL JARACZ, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

One-time passcodes, biometrics, smart cards, mobile devices … the list of possible digital authentication technologies is long. Still, usernames and passwords are the pervasive means to access information and conduct transactions on the Web. Consumers, however, are frustrated with the ever-growing list of complicated passwords, images and security questions guarding both high-security transactions like banking or bill pay as well as basic web site access.

Efforts are underway to remedy the problem. The U.S. federal government’s National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative funded a round of five pilots in 2012 and will fund a second round this year. The additional pilots will further explore the creation of an identity ecosystem with strong digital identities and trusted credentials for citizens. In the meantime, existing solutions are already vying to fill the gap in online identity.


IMPROVING EXISTING SOLUTIONS

This identity ecosystem would help bolster the current forms of digital identity, such as “the trusted username and password, which is totally un-trusted,” says Randy Vanderhoof, executive director of the Smart Card Alliance. Additionally, there are two-factor authentication, with a card or token used in conjunction with a PIN or password, and three-factor authentication, which adds biometrics to the equation, explains Vanderhoof. As individuals are forced to juggle lists of usernames and passwords along with multiple tokens, these tools for online identification have become overwhelming.

ORGANIZATIONS ARE EXPLORING THE CONCEPT OF REUSING A CREDENTIAL FROM ANOTHER PROVIDER. WE CAN’T END UP WITH ONE IDENTITY AND A NECKLACE OF DIFFERENT TOKENS

“What used to be viewed as a solution to the problem has become another part of the problem,” says Vanderhoof. To help solve that, government agencies and business organizations are exploring the concept of reusing an identity credential from another provider. “We can’t end up with one identity and a necklace of different tokens. The (NSTIC) Identity Ecosystem Steering Group is working to make sure that doesn’t happen,” says Ian Glazer, research vice president and agenda manager at Gartner.

FROM WALLED GARDENS TO TRUST ANCHORS

A basic need for digital identity exists within closed systems such as iTunes or Amazon accounts. These are often called “walled gardens,” because they recognize a user and hold user information, but only for use on that specific site, explains Don Thibeau, executive director of the Open ID Foundation and chair of Open Identity Exchange (OIX). “The great lesson of iTunes is that Don Thibeau – as an iTunes user – can buy another song or a piece of software on the spur of the moment, and I can do so without creating a username and password. I can do so without reaching for my credit card. I can do so without authenticating myself to any number of sites,” says Thibeau.

Another form of a digital online identity is a multi-purposed account. For example, extending the Facebook or Google login to other services, such as the music site Spotify, removes the need to create, manage and remember another login combination. In this type of architecture, Facebook or Google serves as a trust anchor for other accepting service providers. “The advantage is that I don’t have to create another username and password and Spotify doesn’t have to protect a password that I give them,” says Glazer. “But the downside is that I put one more egg in my Facebook basket and I’m using that account to unlock more and more resources.”

IDENTITY IN THE CLOUD

PKI in the cloud is another technology that can be leveraged for use as a digital identity for higher levels of security. “PKI has a strong capability to say whether or not you actually performed the transaction,” says Gordon Hannah, principal at Deloitte & Touche LLP. Thus digital signatures may come to the forefront as a viable digital identity. “All the legal things we do require wet signatures today, but a trusted digital signature could really accelerate capabilities,” Hannah says. “Refinancing or getting loans require a lot of wet signature type documents being shipped around … the ability to put that all online is very interesting.”

In the creation of these systems, the digital identity technology is only part of the solution. Developers also have to consider the identity proofing that works in conjunction with the identity technology. “A lot of folks forget about that piece, which is just as important, if not more important than the technology,” says Hannah. Identity proofing maps back to NIST Special Publication 800-63, which defines the four levels of authentication used by the federal government. While the national strategy addresses all levels of authentication, it has a larger focus on levels two and three. Level two and level three authentication enable remote identity proofing while the highest level requires in-person vetting, Hannah explains. These levels also enable software-based authentication technologies, such as one-time password or even biometrics on mobile devices, while level four requires hardware-based solutions.

The move to EMV compliance in the United States may also help digital identity to take hold, as consumers will have cards with smart chips that can hold identity information. “It’s intended for financial applications, but it’s very conceivable that we could download an identity application to it that could also be used to authenticate our identity at a very strong level,” Hannah says. “It’s essentially a hardware token that could even be mapped to level 4, the highest authentication level (specified in NIST 800-63).” With payments moving to mobile devices there’s the possibility of identity also moving that same direction. “We might be able to use our phones to validate our identity in a very strong and trusted means,” says Hannah.

MOBILE’S ROLE

Mobile technology may also propel the development of digital identities. “Mobile phones are connected to the Internet, so identity credentials securely stored on the phone could enable access to services that one would normally access from a PC,” says Vanderhoof. Add NFC technology to the mix and identity information can be transferred from a phone to a physical reader. “Mobile could break through the challenges of carrying and storing multiple identities. It could solve some of the challenges with physically issuing a card, token or some other type of carrier of your digital information,” adds Vanderhoof.

While work is just beginning on the NSTIC pilots, the technology may reach the market in the next two years. “I believe by 2014 or 2015, we’ll really begin to see these NSTIC-related initiatives and technologies take off,” says Hannah. He acknowledges that hardware development could take a while, but the advancing nature of payment cards and other pilot technologies may accelerate the process. “It’s a bit of a chicken and egg situation. You’ve got to have the market demand for the capabilities, but you also have to have the technologies implemented that can support them.”

NSTIC pilot with AAAE goes live

Daon and the American Association of Airport Executives (AAAE) announced that the association is the initial pilot participant to go live as part of the National Strategy for Trusted Identities in Cyberspace initiative. Enrollment of AAAE airport executive members taking part in the Daon-led pilot has begun. Participating AAAE members will use credentials based on Daon’s IdentityX risk-based, multi-factor, mobile authentication technology to access restricted, member-only areas of the association’s web site. They will utilize their smart phones or tablets to verify their identity each time they access the web site sections that house sensitive data. TrustX, a Daon affiliate, hosts the identity management services in the cloud.

This is the first relying party participating in a NSTIC pilot to go live. In addition to piloting the use of strong authentication credentials, Daon’s pilot focuses on the movement of relying party partners to external identity providers and trust frameworks as well as cross-sector credential interoperability. Following AAAE, other partners scheduled to go live include AARP, PayPal, Purdue University and a major bank. With the inaugural NSTIC pilot underway, the Daon team, including researchers at Purdue University, will be providing the initiative with important feedback about how identity verification via smart phone or tablet works in a real-world environment.



EXPERT PANEL

Identity in an always-on world
NEVILLE PATTINSON, SENIOR VICE PRESIDENT OF GOVERNMENT PROGRAMS, GEMALTO

The Internet, technology and innovation move quickly and can change directions just as fast. The forecast is showing more – more devices, more connectivity, more data – and with that, the need for better, trusted security. Everyone wants the ability to use and benefit from the Internet, devices and new technologies without sacrificing personal identities, privacy and security. In today’s Digital USA, 62% of Americans bank online, an estimated 54.8 million have tablets, with more than 234 million cell phone subscribers. This connected world of convenience and functionality also comes with dangers. The National Cyber Security Alliance reported 90% of Americans do not feel safe from viruses, malware and hackers.

As technology advances, so must the identity credential. Steps have already been taken in this direction with the Government Printing Office producing more than 80 million electronic passports since its inception in 2005. Similar upgrades – to protect an individual’s identity by storing personal information in an embedded chip on the ID card – are in discussion with the electronic drivers license and Medicare Common Access Card Act. The identity credential is changing, and advancements are coming within government and for its citizens.

Secure identification is already making headway in the government sector. The Department of Defense Common Access Card is part of an ongoing effort to provide government personnel with the most secure, reliable forms of identification. After banning usernames and passwords, the DOD’s cyber attacks were eliminated by 46%. By 2014, all federal agencies will follow suit. Smart card credentials will increase with the Personal Identity Verification cards required for all government employees and contractors for both physical and logical access. In five years, government personnel will have a comprehensive way of using that ID credential in their mobile devices, leveraging the cost savings and convenience of bring your own device (BYOD). The smart phone credential is already moving forward because the technology already exists to address the mobile issues of security, diversity of devices and standardization: UICC SIM cards.

The biggest opportunity for the identity credential lies with the citizens. Within two years, a proliferation of mobile device identity apps will appear, enabling consumers to put an identity on their smart devices, pick the credential, launch it through the app and present it to the service that needs its verification. No more trying to remember usernames and passwords. With the mobile apps, more federated login capabilities will also be arriving – enabling users to bypass creating a new credential when opening a new Web account and simply use one that’s already created and provide permission for its use. Facebook, Google, Microsoft and others have already started the move. Currently, the credentialing authentication process results in the creation and maintenance of several different identities used for different services. With federated logins, a user’s many cyber personas will be managed through this one credential presented to a Web site to access any protected information from e-mails, financial accounts, retail Web sites to other services.

The next, essential element needed will be a real trust in those credentials and an ecosystem of identities that can be cross-trusted. On the five-year horizon, users will have an identity credential that is trusted by many services and Web sites. The proliferation of identity credential providers and services will come together and work cohesively within a common ecosystem, which can be provided by the National Strategy for Trusted Identities in Cyberspace (NSTIC) and its certification process. NSTIC will define the ecosystem and its rules of engagement in the next two years, and a critical mass of identity ecosystem participants will gather over five years. Therefore, when a user signs up with a provider for a credential, it will be recognized by another system in that connected community. The identity credential Holy Grail is that relationship of managing identities – securely and trusted.

Innovative technology will continue to provide risks and opportunities for the Internet, devices and security in two, five, 10, 20 years. The ease of identity authentication should not come at the price of privacy, and the convenience of technology cannot replace a real insurance of security.



HOW TO:

ORGANIZATIONS REPLACE USERNAMES AND PASSWORDS WITH ONE-TIME PASSCODES
MORE THAN THE FOOTBALL-SHAPED TOKENS TO CHOOSE

Regulatory requirements are pushing strong authentication technologies into enterprises that, in the past, relied only on usernames and passwords. From educational institutions to law enforcement bodies, these new mandates often cause growing pains as a side effect of increased security. Pivot Point Academy, a beauty school with three locations in the Chicago area and schools across the U.S., found itself in this situation when the U.S. Department of Education started requiring the school’s financial aid associates to use strong authentication to access financial aid web sites.

The Department of Education wants financial aid advisors at schools to use strong authentication so the agency knows who is accessing the different systems, says Phil Ascareggi, financial aid manager at Pivot Point Academy. These advisors can access a lot of personal data for students and the agency wants to keep track of who is accessing it. While many programs leave it up to the organization to deploy the tokens, in this instance the Department of Education actually issued them for the institution, Ascareggi explains. Pivot Point ordered the tokens from the agency and then assigned each token to a financial aid representative. If the individual leaves, the token remains at the school as property of the Department of Education.

Previously, if an employee left the school they would still be able to access the sites with their username and password. Even if the school notified the agency that the employee had left, there was still no guarantee that the access would be revoked. Ascareggi has worked in financial aid at a number of schools over the years and he says identity management has always been a challenge. “I was gone from one school for three years and they hadn’t disabled my account,” he explains. This new solution is designed to make that simpler because the tokens will be reassigned.

Pivot Point’s fix was relatively simple thanks in part to the lack of choice, but for other enterprises it’s not always that way. Some have to figure out what type of solution and credential to deploy, and determine how it will work with current systems. Such is the case in law enforcement, says Ray Wizbowski, global senior director of marketing for the Security Business Unit at Gemalto. The Justice Department is requiring law enforcement agencies to use strong authentication for access to the Criminal Justice Information Service databases, but the specifics are left up to the various agencies.

When an enterprise is looking to add strong authentication the conversation begins by looking at the infrastructure that’s deployed. “We want to get a sense of their environment,” Wizbowski says. “Is there any type of strong authentication in place? Where are the identities stored?” Law enforcement agencies have typically gravitated to one-time passcodes. “OTP is the gateway drug of online authentication, easy and quick to deploy,” Wizbowski says. Depending on the infrastructure that’s already in place, another solution could be a better fit, Wizbowski says. “Is it simple login or something broader?” he asks. “Will you want to add physical access and logical access? Where do you see this implementation in three to five years?”

Depending on the answers to those questions one-time passcode tokens might not be sufficient. Smart cards and mobile devices may be technologies that enterprises want to consider. Additionally, OTP may not be the right solution for every user within an enterprise, explains Andrew Young, vice president of product management at SafeNet. He recommends looking at the use cases for users and then making a decision. “My system administrator might use smart cards to access routers and domain controllers, my general employee base use OTP for remote access and my sales staff use a soft token on a mobile to access cloud-based applications,” he explains.

SOFTWARE-BASED OTP IS A CHEAPER OPTION BECAUSE ENTERPRISES DON’T HAVE TO PAY FOR HARDWARE TOKENS OR SHIPPING

DEFINING THE OPTIONS

The keyfob-style one-time passcode token is considered the lowest common denominator for adding strong authentication, says Julian Lovelock, vice president of marketing at HID Global Identity Assurance. “These solutions have been around for a long time and are well proven,” he says. “The flipside is they tend to be expensive, costing $50 to $60 for each token. Then there’s the cost of getting tokens to the end users and replacing them. There are cost factors from both a capital expenditure perspective and a logistical perspective.” Costs can be reduced using software-based OTP on a mobile device, tablet or PC, Lovelock says. “This is a cheaper option because you don’t have to pay for hardware or the logistics of shipping tokens,” he adds. End users often prefer this option because they don’t have to carry an extra token, Lovelock says.

Another option in the same vein as one-time passcode is out-of-band authentication, Lovelock explains. This doesn’t require any software on a device and doesn’t even require a user to have a smart phone. Instead a user receives a text message with the passcode to enter. There are systems that will even call the individual and speak the code if texting is not an option. Out-of-band systems are typically priced on a per transaction basis so they’re often used when no other options are available or for very high-value transactions. “If you have many users logging in many times throughout the day the cost will add up,” Lovelock says.

WITH TRANSPARENT OTP USERS DON’T NEED TO DO ANYTHING TO GENERATE A PASSCODE

Another option has emerged that doesn’t require users to do anything. Called transparent OTP, this solution uses a piece of script to generate a passcode without user interaction. It runs in the background of a browser and communicates with the servers for authentication to a system. “Individuals have a user name and password in place but the organization has put this transparent OTP under the covers so that the access is bound to the device and user,” says Lovelock. “The individual can only log in to the site with that device.”
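Software-based OTP, as an added example that is not code from the article or from any vendor it names: the RFC 6238 time-based passcode a soft token on a phone or PC displays, and the server-side check that accepts it within one time step of clock drift and refuses reuse of a passcode it has already accepted. The shared secret and the timestamps are constructed; the RFC 4226/6238 test secret is used only in the checks.

```python
"""Server-side check of a software one-time passcode (RFC 6238 TOTP).

Added example, not code from the article or any vendor named in it. It assumes
the soft token and the server share a per-user secret provisioned at enrollment,
and that the server remembers the last accepted time step so a passcode that was
captured in transit cannot be replayed. Secret and timestamps are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock skew on either side

# Constructed per-user shared secret (a real deployment provisions a random one).
USER_SECRET = b"constructed-per-user-secret!"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS):
    """The passcode the soft token displays at `unix_time` (RFC 6238)."""
    return hotp(secret, unix_time // step)


class OtpVerifier:
    """Validates submitted passcodes and refuses reuse of an accepted time step."""

    def __init__(self, secret, drift=DRIFT_STEPS, step=STEP_SECONDS):
        self.secret = secret
        self.drift = drift
        self.step = step
        self.last_accepted_step = -1   # persisted per user in a real system

    def verify(self, submitted, unix_time):
        current = unix_time // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            # Steps at or before the last accepted one are never retried: this is
            # what stops a passcode from being accepted twice inside the window.
            if candidate < 0 or candidate <= self.last_accepted_step:
                continue
            # Constant-time comparison, so timing does not leak which digit failed.
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    now = 1_362_096_000                      # constructed timestamp (2013-03-01 UTC)
    verifier = OtpVerifier(USER_SECRET)
    code = totp(USER_SECRET, now)            # what the user's app would show
    print(code, verifier.verify(code, now))  # True on first use
    print(code, verifier.verify(code, now))  # False: replay of an accepted code
```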

Spring 2013

DEPLOYMENT OTP can also be relatively quick to deploy, taking two to three days at most and in some cases half a day, with little to no interruption of the network, Gemalto’s Wizbowski says. The backend infrastructure for all types of OTP is similar, Lovelock says. The bigger time issue is adding the OTP hooks into the different applications, depending on where the enterprise wants it used. Depending on the size of the deployment, the longest step may be getting tokens to the users, Lovelock says. Organizations may also want to keep in mind that one type of OTP might not be best for every employee. “You might have some that are tech-savvy and can give the mobile software while others might do better with hardware (tokens) or an out-of-band solution,” he explains. An enterprise will also want to think about user experience. In years past IT would implement security controls regardless of the load on the end users, says SafeNet’s Young. “They weren’t concerned about the usability,” he says. “Smart phones and Apple products have made individuals less tolerant of dramatic user experiences.” Deploying a cloud-based infrastructure will also make deployment quicker, Young says. SafeNet has a cloud-based authentication system that can get users up and running in the time it takes to show an organization a demonstration of the system. “A demo can turn into a proof of concept and by the end of the meeting, it’s a live environment and they can get up and running,” he adds. An enterprise can also opt to have SafeNet run the infrastructure rather than dedicate employee time to doing it, Young says. Lovelock agrees that cloud-based systems can reduce the cost of deployment. “It removes the need to deploy a server on premise,” he says.

COST Size of the deployment is what impacts the cost most, Lovelock says. A large organization, like a bank rolling out a software-based OTP to its customers, would pay less than $1 per user. The cost would be about the same for a transparent OTP. A small enterprise of 50 to 60 users would pay $20 to $40 a user, including infrastructure costs, Lovelock explains. An out-of-band solution charges based on the number of messages sent over the course of a year, which typically works out to less than a nickel each. Regardless of the solution an enterprise selects, Lovelock cautions to leave room for growth and choose an infrastructure that will enable other technologies down the road. “Choose a solution that gives you the flexibility to deploy different authentication technology for different users,” he explains. “Don’t tie yourself into one … your requirements today might be very different than tomorrow.”



BIOMETRICS HELPS SUGARCANE PRODUCER PAY WORKERS IN THE FIELD Christopher Columbus and his Spanish colonizers brought sugarcane into the Dominican Republic at the end of the 15th century. Today, agriculture is one of the most important sectors of the Dominican Republic’s national economy and sugarcane is the country’s most important agricultural product. The processing of the sugarcane stalk produces sucrose, the main product of sugarcane. Cane accounts for about 80% of the world’s sugar production. Named after the man credited with bringing the crop into the Dominican Republic, the Cristobal Colon Company is the second largest producer of sugarcane in the country. The company owns 57,000 acres of land and employs 3,500 migrant workers during the harvesting season from December to May. Off-season, the company continues to employ about 1,000 workers. With such a busy harvesting season and employees that are paid in cash, Cristobal Colon was having difficulty making sure workers were paid properly. The company, like many others that have large amounts of migrant workers, was relying on IDs and management’s visual verification of each person to make sure that the correct individuals received their cash wages. In some cases workers did not have their IDs and in other cases people were fraudulently providing IDs to collect wages belonging to others. “It’s a very weak way to identify people. Sometimes we just had to trust that the worker was identifying himself correctly,” said Edgar Espinal, information technology manager at Cristobal Colon.

IDENTIFYING A SOLUTION A few years ago, Espinal and his team began investigating better ways to identify workers for cash payments in the field. He came upon Codebench via the Internet and asked them to develop a custom solution to biometrically authenticate employees before handing them their money, without the use of cards or certificates.

Rather than a one-to-many search to identify an unknown person, Cristobal Colon needed one-to-one verification: managers in the field needed to confirm that the individual providing the fingerprint was in fact the person they claimed to be. “We need to know who the person giving us their fingerprint is,” Espinal said. “It took about four months to fully develop.”

Once Codebench developed the software, Cristobal Colon IT staff built an interface with the company’s human resources and payment systems. “It is of great importance to know we are paying the right people, regardless of whether they have a personal ID with them or not,” says Espinal. Employees are first enrolled on a desktop computer at the company’s headquarters by taking their fingerprints and checking that there are no duplicates already in the system. The fingerprints are stored in the company’s HR database along with a PIN for each person. That data is pushed to Intermec handheld devices equipped with Edgeline fingerprint scanners for use in the field. Managers on the plantation sites then use the handheld devices to take fingerprints and PINs before paying the migrant workers.

Initially, Espinal and his team were worried that the system would struggle to identify workers with worn or callused fingerprints from manual labor. “We were expecting violations and a lower rate of positive ID because of the nature of them working with their hands,” Espinal explains. “We have had a few people try to misidentify themselves, but it hasn’t been possible. We have had 100% validation with no false positives or non-validations. It has exceeded our expectations.” The sugarcane producer started out with 10 mobile devices but quickly increased the count to 30. Cristobal Colon is in the process of adding eight more mobile devices, and more tablet PCs and desktop stations running the software to keep up with new applications that IT staff continue to develop. One of those new applications that Cristobal Colon has found useful is tying the biometric information into its cafeteria payment system. “Employees validate with their fingerprints in the cafeteria and it goes directly into our payroll system,” Espinal explains.

FUTURE APPLICATIONS Cristobal Colon is gearing up to use the software for a Census application that will expand biometric enrollment to family members of employees and people living in the community. The company provides a number of services to community members, such as sanitation, education and medical care. The company wants a way to make sure they are providing the appropriate people with allotted services while ensuring delivery is not duplicated.

TECH 101: MATCH-ON-CARD BIOMETRICS USE GROWS RAPIDLY FOR THIS PRIVACY-PROTECTING TECHNOLOGY JILL JARACZ, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

Match-on-card technology marries biometrics with smart cards, enabling users not only to carry their biometric with them but also to match it on the card. This means greater privacy for the cardholder and the ability to authenticate without a connection to a backend database.

In a traditional fingerprint biometric implementation, a user first establishes an identity in order to be added to the system. To do so, personal information is provided and fingerprints are scanned to create a template, a vectorized representation of the image. The template captures the core aspects of the image and turns them into a representation that is much smaller and can be matched more quickly, says Shahram Orandi, supervisory computer scientist at the National Institute of Standards and Technology (NIST). In traditional biometric systems, templates are then stored in a central system along with the identifying information. When a person is challenged to prove his identity, a finger is scanned and sent to the server. A template is then created and checked against the previously enrolled template.

The fundamental difference between this traditional biometric process and a match-on-card process is all about location. With match on card, the template is locked on the smart card and never leaves, explains Orandi. To conduct the verification process, a user presents the card to either a contact or contactless card reader. On the other end of that communications channel is a biometric sensor, typically an integrated fingerprint reader or a peripherally attached fingerprint sensor, says Patrick Grother, computer scientist at NIST’s Information Technology Laboratory. When a user places his finger on the sensor, it produces an image of the finger. The reader then extracts information from that fingerprint image in the form of minutiae points, and those points are bundled into a data packet and sent to the card for matching, says Grother. The card executes a fingerprint comparison algorithm and produces a score revealing how similar the fingerprint sent to the card is to the one stored on the card. The card then renders a decision as to whether or not it’s the same person, explains Grother.

A difference between match-on-card architecture and traditional match-on-server architecture comes in the type of algorithm you can run. “Sometimes with a remote server you’ve got more computational power, so you can run a different class of algorithms. Richer algorithms can run on computers than on cards,” says Grother. This is because smart cards have limited computational capability. Grother explains that over time cards have gotten faster and more capable, but so too have desktop computers. “A card has a limited amount of working memory, and that turns out to be important for certain algorithms,” says Grother. Two standards cover the majority of match-on-card functionality, ISO/IEC 19794-2 and ISO/IEC 7816, Grother says. ISO/IEC 19794-2 defines the bits and bytes of fingerprint minutiae data for both match on card and match off card, says Grother. Commands must be used to send and receive data from cards; ISO/IEC 7816-4 and 7816-11 govern that exchange, Grother says.

PROPRIETARY OPTIONS Although standards exist for biometrics and match on card, organizations can use proprietary closed systems that do not follow the standards at all, says Grother. An integrator can help an organization implement the match-on-card process. To do this, an integrator needs to understand and perform smart card personalization for biometric data. The fingerprint live-capture devices for both enrollment and verification need template conversion tools to convert the live template into a viable match-on-card template. Integrators also need to be aware that fingerprint templates still need to be captured in standard raw formats for safekeeping. Also, depending on the application, an integrator may need to develop or procure an AFIS or ABIS to perform de-duplication at enrollment, says Jonah Adams, strategy and group coordination at Nigeria-based Interswitch.

MATCH ON CARD ADVANTAGES A challenge with traditional match on server, says Orandi, is what happens if the biometric image is stolen or intercepted along the communication channel. Because biometric identifiers are permanently attached to a person, the credential can’t be cancelled once it’s compromised. “It’s the biggest risk of a biometric system,” says Orandi. Because match on card locks the data in the chip, lost or stolen cards pose minimal risk. Additionally, the biometric is never stored in a backend database, so compromise at that level is also a non-issue. With match on card the likelihood of data being intercepted is greatly reduced; because there is still communication between the card and the reader, Orandi says interception is still possible but far less likely.

Still, match on card does present some challenges. Once the biometrics are on the card, there’s no way to change them. The digital representation is stored and locked up in a way that it can’t be reset, says Orandi. The computer on the card is also not as powerful as a full-blown computer, so establishing the identity takes longer. Servers operate much more quickly, 10 to 100 times faster than a smart card, says Orandi. “Smart cards lose the speed race,” he says. “But to counter that, you are able to make a match even if you can’t reach the server.” A potential problem with this method, however, is that in the case of offline matching there is no central authority to dictate permissions. Orandi gives the example of 9/11 and different people trying to gain access to the site, from legitimate first responders to unscrupulous individuals. Match on card would verify that the person is who they say they are, but without tapping into a central authority, it could not say whether the person was allowed to be there. A card can hold permissions, says Orandi, but it can’t revoke them. “The server has the revocation list or hotlist,” says Orandi.

NIST has determined that algorithms are not quite as good for match on card as they are for match on server. NIST’s MINEX, or Minutiae Exchange, program looked at the commercial viability, accuracy and speed associated with off-card and on-card matching. “The answer is ‘not quite, but almost,’” says Grother. “There are algorithms, fewer of them, commercially available that run with accuracy approaching that of off-card matching.” In places where lack of infrastructure poses a problem, match on card can be an ideal solution. “In markets where infrastructure challenges impact a customer’s ability to fully explore a server-side implementation, the preference is for the match-on-card options,” says Interswitch’s Adams. “Especially where flexibility of use and mobility in deployment is a critical factor.”
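To make the architectural contrast concrete, the following Python simulation is an added example, not code from NIST or any vendor quoted here. The card object keeps its enrolled minutiae as private state and exposes only a verify() decision guarded by a retry counter; the reader-side `similarity()` function (the share of enrolled minutiae that have a probe minutia within a position and angle tolerance) is a deliberately simple stand-in for a real ISO/IEC 19794-2 matcher. The enrolled template, the two probes, the card’s permission list and the server hotlist are all constructed sample data. It shows both of Orandi’s points: the card can verify offline and carry its own permissions, but only the online path can see that the card has been revoked.

```python
import math


def similarity(probe, reference, dist_tol=8, angle_tol=15):
    """Fraction of reference minutiae (x, y, angle in degrees) that have an unused probe
    minutia within dist_tol pixels and angle_tol degrees. Toy stand-in for a real matcher."""
    used, matched = set(), 0
    for rx, ry, ra in reference:
        for i, (px, py, pa) in enumerate(probe):
            close = math.hypot(px - rx, py - ry) <= dist_tol
            aligned = abs((pa - ra + 180) % 360 - 180) <= angle_tol
            if i not in used and close and aligned:
                used.add(i)
                matched += 1
                break
    return matched / len(reference) if reference else 0.0


class SmartCard:
    """Match on card: the enrolled template is private state, and the only thing that
    crosses the card edge is a yes/no decision. A retry counter blocks brute forcing."""

    MAX_TRIES = 3

    def __init__(self, card_id, template, permissions, threshold=0.7):
        self.card_id = card_id
        self._template = list(template)            # never exported by any method
        self.permissions = frozenset(permissions)  # card-resident; cannot be revoked offline
        self.threshold = threshold
        self.tries_left = self.MAX_TRIES

    def verify(self, probe_minutiae):
        if self.tries_left == 0:
            return False                           # card blocked after repeated failures
        if similarity(probe_minutiae, self._template) >= self.threshold:
            self.tries_left = self.MAX_TRIES
            return True
        self.tries_left -= 1
        return False


def offline_access(card, probe_minutiae, resource):
    """Reader with no network: the card decides identity and consults its own permission list."""
    return card.verify(probe_minutiae) and resource in card.permissions


def online_access(card, probe_minutiae, resource, hotlist):
    """Same card decision, but a central authority's hotlist is consulted first."""
    if card.card_id in hotlist:
        return False
    return offline_access(card, probe_minutiae, resource)


# Constructed sample data: minutiae as (x, y, angle); not derived from any real fingerprint.
ENROLLED = [(20, 30, 45), (55, 80, 120), (90, 40, 200), (120, 110, 300), (150, 60, 10)]
GENUINE_PROBE = [(22, 28, 50), (54, 83, 115), (91, 38, 205), (119, 112, 295), (300, 300, 0)]
IMPOSTOR_PROBE = [(10, 10, 0), (200, 200, 90), (60, 150, 180), (130, 20, 270), (170, 170, 45)]
HOTLIST = {"card-0001"}  # revoked at the server; the card itself does not know

if __name__ == "__main__":
    card = SmartCard("card-0001", ENROLLED, {"gate-A"})
    print(offline_access(card, GENUINE_PROBE, "gate-A"))          # True: verifies offline
    print(online_access(card, GENUINE_PROBE, "gate-A", HOTLIST))  # False: revoked online
```

The genuine probe is the enrolled set with small perturbations and one spurious minutia, so four of five enrolled minutiae match (score 0.8); the impostor probe matches none. Note what the card never does: it has no method that returns `_template`, and a revoked card keeps answering “yes” to an offline reader until the hotlist is consulted somewhere with connectivity.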

THE MARRIAGE OF BIOMETRICS AND CONTACTLESS: A ‘NATURAL’ MATCH PAYMENT, ACCESS AND IDENTITY MAY SOON BENEFIT FROM UNION ANDREW HUDSON, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

Near Field Communication is working to make contactless transactions more convenient, and with solutions flooding the market the technology holds a great deal of promise. However, there’s some reluctance to wander from the standard NFC formula – tapping a mobile device to a point of sale terminal or NFC tag to conduct a transaction.

France-based Natural Security is focusing on user authentication through the marriage of contactless personal devices and biometrics. It is looking to offer a different take on that formula with its mobile banking solution.

PICK A HAND Dominique Pierre, business development manager at Natural Security, says the company has developed a contactless and NFC-based solution that uses fingerprint and finger-vein biometrics with a smart payment token and accompanying secure element. The Natural Security smart card contains biometric data, applications, a comparison algorithm and personal data, explains Pierre. “Acting as a mid-range contactless device – operating from approximately five feet – the card can communicate with a biometric reader without physically removing it from a purse, bag or pocket,” he says. In other words, the consumer device no longer needs to be handled in order to execute a transaction. Pierre explains that the card must be on the customer’s person at the time of the transaction, but by simply placing a finger on a fingerprint scanner – attached to any point-of-sale terminal – the customer can complete the transaction. Multiple cardholders can be within range of a single scanner, but only the user who supplies a fingerprint will be charged for the transaction. For example, a customer is at a bar with some friends and it comes time to settle the tab. If the bar has a Natural Security merchant device and everyone in the group has a Natural Security smart card, any of them could choose to pay the tab. But the transaction is only completed when a fingerprint – that of the generous friend – is applied to the scanner. The tab gets paid quickly and no payment card is removed or swiped.


THE PILOT Along with some of France’s top financial institutions, Natural Security is piloting its biometric NFC solution. The pilot is being deployed in the north and south of France, in the Lille and Bordeaux regions. To facilitate the pilot initiative, Natural Security has worked to make it easy for interested customers to obtain a card. “The customer can use any available distribution bank channel to apply for a Natural Security payment token,” says Pierre. Pilot institutions include Banque Accord, BNP Paribas, Crédit Agricole, Crédit Mutuel Arkéa, Groupe Auchan, Ingenico and Leroy Merlin. Pilot participants must enroll their biometric data to receive the Natural Security-issued token. “Enrollment can be securely performed at a local bank branch or other locations where customer credentials can be verified,” explains Pierre. “The device can take multiple form factors; a fob, a standard debit/credit card with a sleeve, a card all-in-one or a microSD,” says Pierre. On the retailer side the aim was to make deployment as easy as possible. “A retailer only needs to make a slight modification on their point of sale terminals to connect the Natural Security merchant device,” explains Pierre.

MORE THAN JUST PAYMENTS Natural Security’s solution joins a mobile payments marketplace that is bursting with ideas and new technologies. So how does Natural Security differentiate itself from the likes of Google Wallet and the newly piloted Isis mobile wallet? “Natural Security’s solution enables a consumer to make a payment very fast – less than 6 seconds – because they no longer need to manipulate their consumer device or provide a PIN or signature,” says Pierre. Speed and efficiency seem to be the gold standards to which every mobile banking and payments solution is held, but Pierre feels that there is more to Natural Security’s offering. “It can be used as a wallet to store different payment applications from different schemes,” says Pierre. “The solution provides a unique user experience regardless of the amount or type of transaction.” Natural Security’s technology will enable cash withdrawal and electronic signature and, further down the road, could support payments on a TV. “The technology can be used for a wide range of services such as face-to-face payment, payment via Internet, cash withdrawal on ATM, logical and physical access control and secure access to a Web server,” says Pierre.

STANDARDS-BASED It is paramount for any emerging technology, especially in the mobile payments sector, to adhere to trusted and proven standards. “Natural Security is based on open standard ISO/IEEE 802.15.4 and ZigBee,” explains Pierre. ZigBee is a wireless networking standard for low-cost, low-power digital devices and sensors. It runs on the IEEE 802.15.4 physical radio standard, most commonly in the 2.4 GHz band. Rather than relying on centralized, high-power transmitters and receivers, ZigBee extends its reach by mesh networking: each ZigBee device is a node that can relay traffic for its neighbors, so data can travel well beyond a single radio’s range. It has frequently been used in commercial building and energy management solutions as well as home automation and telecommunications initiatives. In the Natural Security solution, it offers longer-distance communication between the consumer token and the reader than the tap-range NFC formula described above.

ACROSS THE POND Natural Security is not only piloting in France but also has a U.S. project. Credit giant Discover Financial sees merit in the solution and has started its own pilot with the French company at its Riverwoods, Ill. campus. “We will invite 300 to 350 Discover employees to participate in the pilot utilizing the fob form factor,” says Troy Bernard, global head of Emerging Payments at Discover. Discover sees the value in the marriage of biometrics and NFC, and with more mobile wallet apps flooding the marketplace Bernard feels that now is a good time to test the waters. “Google and Isis are gaining momentum, and now it is time to test what may be next,” says Bernard. “That is our role in emerging payments, to find the next payment technology that makes payments easier and safer.”

BIOMETRICS: PRIVATE AND SECURE Natural Security adds biometric security to NFC, storing the biometric data on the payment device rather than in a central database. This gives Bernard confidence in the security of the solution because it makes use of a time-tested architecture. “Biometrics are secured on the card using proven smart card technology, leveraged by chip and PIN and government IDs for the past decade or longer,” says Bernard.

Part and parcel of security is privacy, and privacy is always a major consideration, namely with regard to who controls the sensitive biometric data. Natural Security has taken this into consideration. “The biometric data is exclusively owned by the consumer and is always under their control,” explains Pierre. To protect that data, Natural Security has built a sequence of measures into every transaction. First is mutual authentication of the payment device and the merchant terminal, explains Pierre. Next a secure channel is established to provide confidentiality for the data exchange. Then the live biometric data is sent from the terminal to the payment device and verified on the device using match-on-card technology; the enrolled template itself stays on the device. Once stored, biometric data cannot be extracted from the consumer device, so a lost or stolen device will not result in compromised data. “No consumer data will be provided by the consumer’s device to the merchant unless all previous security conditions are met and the consumer biometrics data has been verified successfully,” explains Pierre. The final privacy measure, according to Pierre, prevents consumer device tracking by generating a random device address every time a merchant scans the consumer devices within range.
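The transaction sequence Pierre describes, written out as an added example in Python rather than Natural Security’s own code. The article names the steps but not the mechanisms, so the following are assumptions: a 32-byte long-term key shared between token and terminal through the issuer, HMAC-SHA256 challenge-response for the mutual authentication, a session key derived from both sides’ nonces, and a toy HMAC-counter keystream plus MAC standing in for a real AEAD cipher (standard library only). The enrolled template, live probes and payment data are constructed, and the exact-match template comparison is a placeholder for a real matcher. The token issues a fresh random address on every scan and releases payment data only after the terminal has authenticated and the live fingerprint has matched on the device.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a label plus length-prefixed parts; used for MACs and key derivation."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def stream_xor(session_key: bytes, direction: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (HMAC in counter mode); an assumption standing in for an AEAD."""
    stream = b"".join(prf(session_key, b"ks", direction, i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_minutiae(minutiae) -> bytes:
    """Each minutia is (x, y, direction), every value 0..255: three bytes apiece."""
    return b"".join(bytes(m) for m in minutiae)


def decode_minutiae(blob: bytes) -> frozenset:
    return frozenset(tuple(blob[i:i + 3]) for i in range(0, len(blob), 3))


class Token:
    """Consumer device: template and payment data never leave it unprotected."""

    def __init__(self, long_term_key: bytes, template: frozenset, payment_data: bytes):
        self._key = long_term_key
        self._template = template
        self._payment_data = payment_data
        self.addr = self.nonce = self.session_key = None

    def advertise(self) -> bytes:
        """Fresh random address on every scan, so a merchant cannot track the device."""
        self.addr = os.urandom(6)
        self.session_key = None
        return self.addr

    def authenticate(self, terminal_nonce: bytes) -> tuple:
        """Token's half of mutual authentication: prove knowledge of the key."""
        self.nonce = os.urandom(16)
        return self.nonce, prf(self._key, b"token-auth", self.addr, terminal_nonce, self.nonce)

    def accept_terminal(self, terminal_nonce: bytes, terminal_tag: bytes) -> bool:
        """Terminal's half: only a terminal holding the key can produce this tag."""
        expected = prf(self._key, b"terminal-auth", self.addr, terminal_nonce, self.nonce)
        if not hmac.compare_digest(expected, terminal_tag):
            return False
        self.session_key = prf(self._key, b"session", terminal_nonce, self.nonce)
        return True

    def verify_and_release(self, ciphertext: bytes, mac: bytes):
        """Match on device over the secure channel; payment data is released only on success."""
        if self.session_key is None or not hmac.compare_digest(
                prf(self.session_key, b"mac", ciphertext), mac):
            return None
        probe = decode_minutiae(stream_xor(self.session_key, b"t2d", ciphertext))
        # Toy matcher (assumption): at least 80% of enrolled minutiae present exactly.
        if len(self._template & probe) < 0.8 * len(self._template):
            return None
        return stream_xor(self.session_key, b"d2t", self._payment_data)


class Terminal:
    def __init__(self, long_term_key: bytes):
        self._key = long_term_key  # assumption: provisioned by the issuer
        self.session_key = None

    def connect(self, token: Token) -> bool:
        """Mutual authentication and session key agreement."""
        addr = token.advertise()
        my_nonce = os.urandom(16)
        token_nonce, token_tag = token.authenticate(my_nonce)
        if not hmac.compare_digest(prf(self._key, b"token-auth", addr, my_nonce, token_nonce), token_tag):
            return False
        if not token.accept_terminal(my_nonce, prf(self._key, b"terminal-auth", addr, my_nonce, token_nonce)):
            return False
        self.session_key = prf(self._key, b"session", my_nonce, token_nonce)
        return True

    def pay(self, token: Token, live_minutiae):
        """Send the live fingerprint over the channel; receive payment data or None."""
        ct = stream_xor(self.session_key, b"t2d", encode_minutiae(live_minutiae))
        reply = token.verify_and_release(ct, prf(self.session_key, b"mac", ct))
        return None if reply is None else stream_xor(self.session_key, b"d2t", reply)


def transaction(token: Token, terminal: Terminal, live_minutiae):
    return terminal.pay(token, live_minutiae) if terminal.connect(token) else None


# Constructed sample data: not a real key, template or account number.
KEY = bytes(range(32))
ENROLLED = frozenset({(20, 30, 22), (55, 80, 60), (90, 40, 100), (120, 110, 150), (150, 60, 5)})
GENUINE = [(20, 30, 22), (55, 80, 60), (90, 40, 100), (120, 110, 150), (200, 200, 90)]
IMPOSTOR = [(10, 10, 0), (200, 200, 45), (60, 150, 90), (130, 20, 135), (170, 170, 22)]
PAYMENT_DATA = b"PAN=4111111111111111;EXP=1216"

if __name__ == "__main__":
    token = Token(KEY, ENROLLED, PAYMENT_DATA)
    print(transaction(token, Terminal(KEY), GENUINE))   # payment data released
    print(transaction(token, Terminal(KEY), IMPOSTOR))  # None
```

The order matters: the random address is chosen before anything else is sent, both tags bind that address and both nonces, and the session key is only derived once each side has checked the other’s tag. A terminal without the key never gets past `connect()`, so it never learns anything about the template, and the token’s `_template` has no accessor at all.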

WHAT’S NEXT? Though Natural Security is knee-deep in pilots on two continents, it is keeping an eye on the horizon. “We are discussing with universities, health care organizations and large retailers to use our technology to enable fast, convenient, secure authentication of consumers while guaranteeing their privacy,” says Pierre. “We see university campus environments as a logical first step,” says Bernard. “A college campus can leverage many of the features of Natural Security including payment, building access, logical access and more.”


SIA WITH ISC: SUPPORTING THE SECURITY INDUSTRY. SETTING DIRECTION FOR THE GLOBAL SECURITY INDUSTRY. ISC West, April 10-12, 2013, Sands Convention Center, Las Vegas. SIA Education @ ISC. Register now at ISCWEST.COM/RID for the future-forward security show in Vegas: 1000+ exhibitors, informative education, non-stop networking and events, hundreds of new product unveils.


UPROAR IN THE MOBILE FINGERPRINT MARKET MERGERS, TECH GIANTS AND MASSIVE OPPORTUNITY DEFINE THE SPACE ANDREW HUDSON, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

Mobile payments saw a major push in 2012 thanks largely to increasing NFC adoption, growing interest in contactless payments and mobile wallet initiatives like Isis. With the addition of more and more high-value functionality comes the need for secure and reliable mobile authentication. Mobile contactless functionality is certainly in our future – in many ways it’s already here – but the technology has been met with skepticism in some circles due to weaknesses in authentication and identity verification. PINs and passwords simply are not enough as mobile becomes the next target for hackers. Enter biometrics. Many believe the answer will be found in the marriage of biometrics and mobile devices. But which biometric modality should be used? Walter Hamilton, executive director at the International Biometrics & Identification Association, says there are several frontrunners. Fingerprints have been a staple of biometrics from the beginning and though flashier modalities have surfaced, the fingerprint continues to punch above its weight.

“Fingerprint, iris, and facial recognition are the ‘Big 3’, with fingerprint being the most common and popular modality,” says Hamilton. “They are quick, reliable, easy to use, highly accurate and are not adversely affected by environmental conditions.”

GIVING MOBILE THE FINGER Most mobile devices already contain the audio and camera components required for voiceprint and facial recognition. Still, many experts feel fingerprint is the best tool for mobile security because it can offer an added level of verification and consent.

The challenge is that today few devices possess fingerprint scanner hardware. “Durability against shock, vibration and impacts that may affect the sensor surface is a serious concern,” explains Hamilton. “Implementations need to be small because real estate and power consumption in the mobile platform are at a premium.” Sebastien Taveau, chief technology officer with California-based fingerprint sensor manufacturer Validity, echoes this sentiment. “It must be small enough that it doesn’t take up too much space, doesn’t use too many processing cycles and doesn’t add friction to consumer interaction with the device.”


APPLE PATENT HIDES SCANNER BEHIND DISPLAY Apple has been granted a patent for a new, two-step screen-unlocking feature that incorporates biometrics and may lay the groundwork for the next generation of its devices. The patent involves a polymer dispersed liquid crystal (PDLC) window, which could alternate between opaque and transparent to conceal the components of an electronic device behind it. This configuration would allow for the fingerprint sensor to be seamlessly housed within the device’s screen, visible only during transactions and undetectable when not in use.

“Technology is like a diet,” says Taveau. “It is always easier to gain weight than drop it – the same holds true for technology, it’s hard to shrink it down to something that’s consumer-acceptable.”

AUTHENTEC: THE APPLE OF THE MARKET’S EYE Prior to 2012, the market resembled something of a two-horse race between Melbourne, Fla.-based AuthenTec and San Francisco’s UPEK. The competition saw the market split between two solutions: AuthenTec’s area sensor and UPEK’s swipe sensor. An area sensor is a silicon-based scanner rather than an optical one, and it proved heavy on power consumption – a concern for mobile implementation. With this method, because the silicon is the sensor, a finger has to be physically applied to its surface to conduct the authentication. Swipe sensors such as UPEK’s use a silicon scanner shaped like a thin bar of sensor pixels. The user swipes a finger over the bar while the sensor takes successive images of the finger and reconstructs them using a complex algorithm. This competition between UPEK and AuthenTec continued until 2010, when the companies merged under the AuthenTec name, bringing the two most viable fingerprint scanner solutions under one roof. The merger and the ripples it sent changed the fingerprint sensor landscape and captured the attention of mobile device giant Samsung, followed shortly by Apple.

Apple bought AuthenTec in July 2012, a move that at $356 million ranks among the most expensive acquisitions Apple has made to date. While Apple’s purchase of AuthenTec was certainly driven by the desire to possess the fingerprint scanner technology, insiders suggest it was just as much about keeping the technology out of Samsung’s hands. Prohibiting Samsung from incorporating AuthenTec sensors in its devices was certainly a blow to mobile fingerprint implementation, but as one door closes another often opens.

A NEW MARKET STRUCTURE With AuthenTec inside Apple, the fingerprint scanner market has entered something of a renaissance. Companies like Validity and Sweden-based Fingerprint Cards AB are gaining a foothold and bringing new solutions with them. “Following the acquisition, suddenly everyone wanted to move at the same time,” explains Taveau. It has allowed Validity to reach the rest of the market, he explains, beginning with PCs and expanding to other consumer electronics. Apple’s involvement not only created an opportunity for newcomers to grab market share, its high-profile presence is also elevating consumer awareness of fingerprint technology. “Apple’s acquisition of Authentec has certainly put focus on biometrics and opened up new opportunities in the biometric market,” says Alexander Blomquist, regional sales director with Fingerprint Cards AB.

NEW SOLUTIONS While the new market landscape certainly favors the likes of Validity and Fingerprint Cards AB, the burden still falls on these companies to produce viable solutions. In the mobile market, Validity touts its Chip on Flex technology. The solution separates the logic from the fingerprint sensor, which gives manufacturers more freedom in the physical placement of the scanner. The technology uses a flexible Kapton material – think of a reel of movie film – to connect the sensor and the logic chip. The fingerprint chip is attached to this flexible circuit board, and in addition to taking up less real estate in the device, the Flex solution is also cheaper to build because it uses less silicon than previous scanner solutions. Real estate is a primary concern with mobile implementation, and as Taveau explains, the next step may well bring back a forgotten staple of mobile devices: the button. The current Validity solution is a swipe-style reader with a thin sensor bar. A button, however, could make the swipe method a thing of the past, according to Taveau. “When you add another sensor layer perpendicular to the first, you do away with the swipe motion,” he says. “You have the equivalent of a touch technology, you can just touch the sensor area and get the acquisition of a fingerprint template.”

The advantage, however, is that this can be accomplished using far less silicon, so costs could be minimized compared to standard area sensors. Buttons on mobile devices have gone the way of the dodo in recent years, but the logic behind using the button as a fingerprint scanner seems practical. “Waking up your device is a natural thing that every mobile device user does,” explains Taveau. “When you wake up your phone you touch the home or on/off button – an ideal location to implement a fingerprint scanner.” Consumer interaction with the device is another crucial element of mobile implementation. While the button is one possible solution moving forward, Taveau remains mindful of the touch screen. Taveau believes that a fully integrated sensor within the heart of the touch screen is the Holy Grail, much better than proposed implementations that locate it beneath the darker perimeter at a device’s bottom edge. It’s a solution that he believes could be a reality in a year or two. For the immediate future, however, swipe and area sensor solutions remain the viable options for mobile implementation. “Everyone is in a race,” says Taveau. “By the end of the year we will see the first phones coming out.” Blomquist echoes this sentiment, as Fingerprint Cards AB boasts its own line of both area and swipe sensors. “We see 2013 as the breakthrough year for fingerprint sensors in a number of consumer products, in particular smart phones and mobile phones,” says Blomquist. “Solutions for mobile payment are turning into reality and using fingerprint biometrics will enhance security and convenience for the user.” Fingerprint Cards AB offers two types of sensors, an area or touch sensor and a swipe sensor. Part and parcel of the company’s sensor offerings is an application-specific processor circuit used for fingerprint matching.

At the end of the day, authentication is moving. Before mobile, authentication was done on the service provider side but all that is changing

56

Spring 2013

NOK NOK LABS USES EXISTING CONSUMER DEVICES TO ENABLE BIOMETRIC ID Nok Nok Labs is working to enable individuals to use authentication and security technologies they already possess but have been unable to put to good use. The company’s Unified Authentication Infrastructure will leverage existing technologies such as fingerprint sensors, webcams, Trusted Platform Module chips or voice biometrics to enable stronger and easier login with laptops, mobile devices and PCs. The system could soon enable PayPal customers and others to use different authentication technologies. “By creating an authentication infrastructure that leverages existing technologies, Nok Nok Labs is giving businesses the opportunity to authenticate anyone, anywhere and on any device,” said Michael Barrett, chief information security officer at PayPal. “Given the billions of connected Internet devices and future growth of online commerce, PayPal sees a critical need to implement strong yet flexible authentication solutions.” The premise is relatively simple. Nok Nok Labs is providing a back end that uses a consumer’s existing technology to better secure identities. If a laptop has a fingerprint scanner and the particular Web site has the Nok Nok Labs back end it will recognize the technology, says Phillip Dunkelberger, CEO at the company. The individual will be asked for the usual user name and password if an account already exists but will then be asked if they want to use the fingerprint sensor in the future. The user will swipe their fingerprint two to three times and then will be registered, storing the biometric data on their device not at the site. When the individual returns to the site they will then be able to use their fingerprint to login. The use will be similar with a mobile device. If the Nok Nok Labs technology is built into the specific mobile app, voice or face biometrics can be enabled for access to data. 
The app will ask the individual if they want to use either face or voice biometrics and will then initiate enrollment. From then on the biometric modality can be used for subsequent logins. Founder and Chief Alliance Officer, Ramesh Kesanupalli started the vision behind Nok Nok Labs. He worked together with PayPal’s Barrett and Taher Elgamal, the “Father of SSL,” to crystallize the vision for the company. The group recognized the limits of today’s authentication technology and brought together payments companies, authentication providers and device manufacturers to deliver on this new approach.


FIDO ALLIANCE BARKS UP THE ID TREE Industry leaders such as PayPal, Lenovo, Validity, Nok Nok Labs, Agnitio and Infineon established the non-profit FIDO Alliance to address the lack of interoperability among existing authentication solutions. The goal is to develop new open standards for strong authentication to enable any web site or cloud application to interface with a variety of FIDO-enabled biometric devices that a user might have at his disposal. “Our purpose is to create a local standard for payment service providers – PayPal for example,” explains Sebastien Taveau, chief technology officer at Validity. “The focus is on the consumer device and gererating the final authentication token using a fingerprint or other biometric modality.”

All Fingerprint Cards solutions are capacitive, metal-oxide semiconductor (CMOS) sensors that measure the electrical characteristics of the finger to form a 3D finger pattern image.

HARDER FOR HACKERS The strides being made in the integration of biometrics to mobile devices has Taveau – who joined Validity from payments giant PayPal last year – excited for the future. “Working at PayPal, I saw that mobile authentication was the next big thing,” says Taveau. “The key to mobile security is mobile identity – and mobile identity goes way beyond payments and commerce. It will allow you to do everything.” With mobile the hope is that security breaches will be better contained, but the introduction of a biometric takes security

a step further. “By adding a fingerprint element, every single attack can be linked to one fingerprint on one sensor on one device,” says Taveau. “The mobile device is the lock to the cloud and you are the key.” This is good news for mobile payments and retailers alike. “Transaction replication is the worst nightmare for retailers as well as for payment providers,” says Taveau. “It costs a lot of time, effort and above all money.”

THE POWER IS AT YOUR FINGERTIP Mobile devices equipped with fingerprint scanners are a natural progression for an industry that – along with NFC technology – has put authentication into the hands of the user. “At the end of the day, authentication is moving,” says Taveau.

Before mobile, authentication was done on the service provider side but all that is changing, he explains. “Authentication is shifting to the consumer and consumer devices, leaving service providers to grant the devices access.” It’s an important trend that will likely reshape mobile wallets, but could affect change beyond payments. With the surge of bring your own device programs as well as access control initiatives in schools and universities, the use cases for a robust mobile fingerprint solution are certainly evident. By providing a secure and convenient mobile fingerprint solution, the user can achieve a new level of authority and independence – transcending the traditional notion of identification and moving into the realm of mobile identity.



EXPERT PANEL

IAM the future TIM MOSES, DIRECTOR OF ADVANCED SECURITY, ENTRUST

The discipline of Identity and Access Management (IAM) has continuously evolved to accommodate changes in mainstream information system architecture. Most recently, Web 2.0 and social media brought in the OpenID and OAuth protocols to enable mash-ups built on personal information. The latest trend to mobile and cloud computing will, likewise, bring about new approaches to IAM design. Each new information system architecture development introduces its own set of security vulnerabilities against which attackers quickly develop tactics and tools. Identity and Access Management solutions must anticipate those tactics and exhibit the resilience necessary to thwart them.

The password has been a mainstay of Identity and Access Management solutions from the very beginning. But its effectiveness has been eroded over time by data breaches resulting from SQL injection, spear phishing, key-logging, password reuse and similar practices. Those who set the security standards for government and financial information systems have recognized the inadequacy of passwords as a means for authenticating end-users and have demanded that system designers augment their password-based authentication solutions. But, until the smart phone became nearly ubiquitous in the developed world, available alternatives had a detrimental impact on user experience and system deployment that disqualified them for all but the most sensitive applications. Therefore, designers were forced to augment passwords with “detective-style” safeguards such as AntiVirus, Intrusion Detection and Prevention, Security Incident and Event Management and behavioral transaction monitoring. Requiring users to carry and authenticate by means of a strong authentication token was generally unpalatable for reasons of cost and poor user acceptance.

Detective-style safeguards can be deployed with no impact on the user and comparatively little impact on deployed systems. However, they are reactive and probabilistic; some estimates place the effectiveness of anti-virus solutions at around 25%, because viruses evolve rapidly and unpatched vulnerabilities are commonplace. By contrast, a strong authentication solution can be proactive and deterministic, ensuring that a user and her transactions are reliably authenticated even in the face of weaknesses in the design and implementation of the information system. Historically, though, strong authentication solutions have placed a burden on the user and on system developers that each found difficult to accept.

Meanwhile, the cost associated with passwords for both users and system operators has grown. Users are encouraged to choose random passwords, unique to each site, change them periodically and commit them to memory. This ignores the fact that this formula is so clearly unrealistic, and system operators have to pick up the significant cost of repeatedly resetting user passwords in a secure way. One-Time Password tokens became accepted as a way of addressing some of the shortcomings of passwords, certainly in enterprise VPN applications and in some high-value financial settings. Nevertheless, OTPs remain susceptible to Man-In-The-Middle and session-riding attacks. So, they too are starting to reach the limits of their ability to protect against identity theft.

On the other hand, the smart phone provides a secure container for cryptographic credentials with a trusted interface for user input and output. These features can provide the support necessary for strong authentication of both users and transactions. The economics of authentication are getting shaken up. As the smart phone becomes as ubiquitous in the developed world as the wallet or purse, the opportunity emerges for users to authenticate and authorize strongly in financial services and other sensitive applications requiring the exchange of personal information, with no incremental per-user cost and in a way that is convenient and even fun to use. Moore’s Law still has many more surprises up its sleeve for us. The next ten years will bring a further 50-fold increase in computing density. While it would be foolhardy to predict precisely how we will take advantage of the improvements in power consumption and functional integration that this will enable, what is clear is that user authentication is approaching a crisis, and mobile technology offers our best hope of overcoming the Identity and Access Management challenges of the present day.


[Back-issue covers pictured: Fall 2011, Winter 2010, Winter 2011, Fall 2010, Summer 2009, Spring 2011]

Own the entire collection

Get 1000+ pages of ID insight Receive 70% off for a limited time (just $60)

- Educate new employees - Refresh your industry knowledge - Research for presentations - Review best practices - Gain a competitive edge

For the first time, AVISIAN is offering all back issues of their industry leading re:ID magazine in a packaged set. You receive three years’ worth of top-notch news and insight – 25 issues of re:ID and six issues of CR80News magazine. Plus you get password-protected access to our online library with more than 20,000 articles and 1200 members-only articles.

visit store.avisian.com | select re:ID back issue collection | enter discount code “SAVE70”


Subscribe today Regarding ID Magazine features the best editorial insight from across the ID technology landscape. Sign me up for a 1 year subscription for just $39. Own the entire collection (1000+ pages of ID technology) for $60.

Fax this form to 850-222-4477 or purchase online at http://store.avisian.com


EXPERT PANEL

Protecting your identity investment KATHLEEN PHILLIPS, VICE PRESIDENT OF DISTRIBUTED ISSUANCE, DATACARD GROUP

One of the challenges companies face with establishing or upgrading an identity system is that there is no single “right” solution. Needs change from larger enterprises to smaller organizations. Will the system protect physical property and people only or will it also protect intellectual property? It is in a company’s best interest to perform a thorough analysis of the current situation to understand what the needs are for a successful program and implementation. Organizations should do this analysis in partnership with identity solution providers and/or consultants. Here are some areas to explore as you determine the right solution for your organization:

SITUATION ANALYSIS
- What legacy security system(s) is used, if any, for physical security and logical security?
- What, if any, technologies are currently used for the three factors of authentication: “What you have,” such as a card, fob or mobile device; “What you know,” such as a PIN or password; “Who you are,” such as fingerprint, face recognition or other biometric?
- What do the various stakeholders like about the current system? Dislike?
- What problem(s) are to be solved?

NEEDS ANALYSIS
- Document a list of goals with a new identity solution, in priority order, based on feedback from various types of stakeholders in your organization.
- Determine any limitations needing to be taken into account, such as budget, security vs. user privacy, current infrastructure, or a desire to utilize as much of the legacy system as possible in the new solution.
- Evaluate the Return on Investment (ROI). Costs are relatively easy to identify. Quantifying the benefits, however, is more difficult and subjective. Work with those in your organization responsible for risk management to arrive at the payback components and amount. Your identity solutions partner and/or consultant will also be of great value in documenting a defendable ROI. Be sure to list all assumptions in your ROI document.

Keep in mind that there are trade-offs based on the type of solution. Some to consider include:
- Privacy vs. security – a higher level of security can increase privacy concerns of the user.
- Security vs. cost – the greater the security, the higher the cost. Protecting IP in addition to physical security will cost more than physical security alone. However, the benefit might well outweigh the additional cost. An example of this includes requiring multi-factor authentication, which will usually cost more than single-factor authentication. For instance, having a card (“what you have”) and a PIN (“what you know”) for two-factor authentication for physical security requires the additional cost of PIN pads on all readers. Another two-factor example includes pairing a fingerprint scanner (“who you are”) with a PIN pad (“what you know”), which is also a higher cost than a PIN-only entry device at each door. Even with a single-factor solution, there can be a security vs. cost trade-off. The vast majority of single-factor solutions utilize a card which has either proximity or contactless/RFID embedded in the card and there is a reader at the door with the same proximity or RFID technology. Adding card personalization features (e.g. digital photos, micro text printing, secure overlays) and/or technologies (e.g. contact or contactless smart card) to the card will greatly increase the level of security. They will also increase cost, which is often justified.

PROTECT YOUR INVESTMENT As we all know, technology, market and consumer demands, and industry trends continuously evolve. And, as these things continue to change, it’s important for companies to integrate technology for their identity programs that will help them protect their investment as well as grow and change with their needs. The backbone to any program is the technology that helps support the personalization, security and issuance. Find a trusted partner to help evaluate needs and select solutions that can seamlessly integrate into existing systems, scale to fit issuance needs, and efficiently be deployed. This will ensure that the company is getting the best return on investment.



VOICE BIOMETRICS CRANKS UP THE VOLUME PUBLIC SAFETY, FINANCIAL, HEALTH FIND REAL-WORLD APPLICATIONS JILL JARACZ, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

In the TV show Knight Rider, an agent fights crime with the help of his talking car. While the cars of today aren’t able to converse, voice biometrics could soon enable cars and other systems to recognize voices and authenticate individuals. “Voice biometrics uses the physical characteristics of the voice process in a human for identity verification,” says Walter Hamilton, senior consultant, ID Technology Partners and vice chairman for the International Biometrics and Identification Association. The technology works not by simply analyzing a person’s voice, but the process by which one makes the sound of their voice. “It uses matching algorithms that analyze the speech patterns that your body creates, so it’s not about the sound of your voice but the spectrum of sounds that your body is making,” explains Nik Stanbridge, vice president of product marketing at Voice Vault. “That’s from the diaphragm to your lungs, the shape of your throat and your tongue and your larynx and your palate … to make the sound of your voice, you use all of those different components.” A standup comedian impersonating President Obama might sound like him, but the odds are he could not pass a voice biometric test. “That’s why biometrics is quite different to the analysis of just the sound of the voice,” says Stanbridge. “It’s the matching patterns relating to the spectrum of how the voice is created.”

To use voice biometrics for recognition, a speech sample is used to create a model against which future utterances are compared. For future authentications, the original sample is compared to a present one and scored to see if there’s enough of a similarity, says Hamilton. The information stored in the computer is not a digital recording of the voice; rather, it’s a biometric template. “It’s a series of ones and zeroes with a complex algorithmic processing of a sample that you hear and understand through your ears into something that the computer understands,” says Hamilton. A person cannot take a template and recreate someone’s voice with it in order to pretend to be someone else. “You can’t reverse engineer a voice template and recreate the recorded phrase for play back on a tape recorder,” says Hamilton.

ENROLLING AND VERIFYING VOICE TEMPLATES Creating a voice template requires a voice sample. “You only need 30 seconds of speech to create a voiceprint,” says Emilio Martinez, CEO and co-founder of Agnitio S.L., a company that specializes in forensic and intelligence voice biometric solutions. Repeating digits provides a large amount of data for voice biometric template creation, Stanbridge says. Enrollment may have an individual repeating four digits multiple times in order to build a good template. After enrollment, the voiceprint is then tied to an identity and stored in a database. When a person tries to verify himself, he provides the utterance or passphrase. That utterance is sent to the biometric engine, which then compares it with the enrolled voiceprint and verifies whether or not it’s a match, says Stanbridge. As users interact with the voice biometrics system over time, the technology can adapt and account for changes in an individual’s environment, health and age. “The way that your body makes the sound of your voice doesn’t change very much, even if you’re sick and even as you age,” says Stanbridge.

Voice biometrics technology can also adapt to a voiceprint so that every time a person authenticates, it adds more data to the system, which the algorithms can use to create future matches. It can adapt to verifications made in different environments, such as a landline in an office or a smart phone in a car. Accuracy rates differ significantly depending on the application. For law enforcement using voice biometrics for surveillance or monitoring phone calls, the accuracy rates can be much lower. “In this case, there’s no enrolled pass phrase, you’re just looking for speech patterns. Certainly the accuracy’s going to be less than in a structured environment where you enroll a pass phrase and then verify against it,” says Hamilton.

CROSS-MARKET IMPLICATIONS Law enforcement relies on voice biometrics in a number of ways including the interception and analysis of conversations to be used in court and the building of voiceprint databases for future identification of criminals, says Martinez. The financial services market leverages voice biometrics particularly for authentication via smart phones. “The financial services industry is moving rapidly toward smart devices. So, whether it is mobile wallets or mobile banking, voice lends itself very well,” says Stanbridge. The home health care industry also uses voice biometrics for verification. The industry leverages the technology to verify that employees are where they are supposed to be and patients can use it to approve services. “Our agency clients use biometric voice verification when the employee gets to the home, they can have the patient identify themselves,” says Donald O’Rourke, president of Dial-n-Document, which is a partner of Voice Vault. “Now they know that the employee is in the presence of the patient through a biometric voiceprint (of the patient).” Even though the voice modality has been slow to take off in health care, the industry may yet embrace it as it learns how much fraud and abuse the system prevents or if insurance companies start demanding it as part of operational activities, says O’Rourke. Health care can also use the technology as one of the authentication factors doctors would need to provide in order to write electronic prescriptions, says Hamilton. “There’s a lot of potential for this technology to be used in a variety of applications.” As for you Knight Rider fans, Hamilton adds, “you can use voice in lieu of a key … speak to the car and it’ll start the engine.”
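The enrollment, scoring and adaptation steps described in the voice biometrics article above, as an added illustration that is not Voice Vault's or Agnitio's code: repeated enrollment utterances become a template, each verification is scored against the template and compared with a threshold, and only an accepted utterance is folded back into the template. The feature vectors, the cosine score, the 0.95 threshold and the names are assumptions made for the example.

```python
"""Toy voice-biometric enrollment, verification and template adaptation.

Constructed example of the flow in the text (not Voice Vault's or Agnitio's
engine): repeated enrollment utterances are averaged into a template, each
verification is scored against it and compared with a threshold, and only an
accepted utterance is folded back into the template. Feature vectors stand in
for the spectral measurements a real engine extracts from audio; the vectors,
names and the 0.95 threshold are assumptions.
"""
import math


def mean_vector(vectors):
    """Element-wise mean of equally sized feature vectors."""
    n = len(vectors[0])
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(n)]


def cosine_similarity(a, b):
    """Score in [-1, 1]; 1.0 means the same direction in feature space."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return dot / (norm_a * norm_b)


class VoiceTemplate:
    """What the database holds: a feature vector tied to an identity, not audio."""

    def __init__(self, identity, vector, samples_seen):
        self.identity = identity
        self.vector = vector
        self.samples_seen = samples_seen


class VoiceVerifier:
    def __init__(self, threshold=0.95, min_enroll_samples=3):
        self.threshold = threshold
        self.min_enroll_samples = min_enroll_samples
        self._templates = {}

    def enroll(self, identity, samples):
        """Build a template from repeated utterances (e.g. the same digits several times)."""
        if len(samples) < self.min_enroll_samples:
            raise ValueError("not enough enrollment samples")
        if len({len(s) for s in samples}) != 1:
            raise ValueError("enrollment samples must have the same dimensionality")
        template = VoiceTemplate(identity, mean_vector(samples), len(samples))
        self._templates[identity] = template
        return template

    def verify(self, identity, utterance):
        """Return (accepted, score); only an accepted utterance adapts the template."""
        template = self._templates.get(identity)
        if template is None:
            return False, 0.0
        score = cosine_similarity(template.vector, utterance)
        accepted = score >= self.threshold
        if accepted:
            # Running mean over every sample seen so far, so the template follows
            # gradual change (environment, health, age) without re-enrollment.
            # Rejected attempts never touch it: adapting on failures would let an
            # impostor steer the template towards their own voice.
            n = template.samples_seen
            template.vector = [(t * n + u) / (n + 1) for t, u in zip(template.vector, utterance)]
            template.samples_seen = n + 1
        return accepted, score

    def template_for(self, identity):
        return self._templates.get(identity)


# Constructed enrollment and probe vectors for a stand-alone run.
ENROLL_SAMPLES = [
    [1.0, 0.5, 0.2, 0.8],
    [0.9, 0.6, 0.2, 0.7],
    [1.1, 0.4, 0.3, 0.9],
]
GENUINE_PROBE = [1.0, 0.5, 0.25, 0.75]
IMPOSTOR_PROBE = [0.2, 0.9, 0.8, 0.1]


def demo():
    """Enroll 'alice', then verify a genuine and an impostor utterance."""
    verifier = VoiceVerifier()
    verifier.enroll("alice", ENROLL_SAMPLES)
    genuine = verifier.verify("alice", GENUINE_PROBE)
    impostor = verifier.verify("alice", IMPOSTOR_PROBE)
    return genuine, impostor


if __name__ == "__main__":
    print(demo())
```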


NFC, MOBILE HIGHLIGHTED AMONG 2012 SESAMES WINNERS Mobile and near field communication technologies were in the spotlight as frequent winners at the 2012 SESAMES awards at the CARTES Exhibition and Conference. Six of 11 winners were NFC technologies while two others were mobile security related. Morpho, Infineon and Gemalto were winners that had solutions dealing with card technology. NXP Semiconductors was the only company to win multiple awards with two.

HARDWARE

IT SECURITY

NXP Semiconductors with “Next Generation NFC Radio Controller” NXP’s PN547 improves performance over previous iterations of its NFC radio controller offering a doubled radio frequency range, a smaller footprint, an improvement in wireless data throughput and 50% lower power consumption. It also delivers interoperability working with any contactless reader and NFC tag.

Morpho with “EMV Pro Digit” Morpho’s EMV Pro Digit not only provides payments but also enables consumer access to strong, multi-factor authentication. The solution allows post-issuance personalization and management of PKI and biometric services so issuers can deploy EMV cards and activate the additional services later without the need to reissue. Available as contact and dual-interface cards, as well as contactless tokens, Morpho’s Digit range aims to be the bridge to secure online services and e-ID on payment smart cards.

SOFTWARE Intrinsic-ID with “Saturnus” Saturnus is a cloud security application that gives users secure access to their data in the cloud. The application runs on mobile phones, tablets and PCs providing two-factor protection and a hardware intrinsic security architecture to ensure secure key management.

IDENTIFICATION/ID CARDS/ HEALTH Sunward Telecom Ltd with “13.56MHz RF-SIM” This technology integrates a secure element and an NFC booster with antenna into a SIM card to turn any handset into an NFC device. It is designed to be a low-cost alternative to NFC handsets and it enables mobile network operators to roll out contactless mobile payment services easily due to its handset-independent nature.

TRANSPORTATION Infineon Technologies AG with “Security Controller for Transport Applications” Infineon’s SLS 32TLC100 is a security controller that is compliant with CIPURSE V2 and features Mifare compatibility. It is a migration product to upgrade existing transport solutions to more advanced security based on AES 128 encryption protocol. The SLS 32TLC100 is based on Infineon’s SLE 7x SOLID FLASH family.

BANKING / RETAIL / LOYALTY Toro Development Ltd. with “Akami suite” Akami suite is a front-end platform to port and distribute NFC applications. Its widget-based architecture enables fast and cross OS-platform deployment of NFC services. The suite includes a mobile client NFC wallet, a widget system SDK, application servers, tag management and an app store for end-users.

TRUSTED INTERNET / AUTHENTICATION

MANUFACTURING AND TESTS

NXP Semiconductors with “Mobile POS for eTicket and stored value reload” Cubic’s mobile point-of-sale application combines NFC technology from NXP with contactless e-Ticketing for public transportation. Passengers can reload their transit smart cards from NFC-enabled devices. This can also save transit agencies money when rolling out stationary ticket vending machines.

Gemalto with “PrintPixel” PrintPixel is an algorithm-based solution used to personalize a blank ID document with a color photo while keeping the same security, durability and cost efficiency of laser engraving technology. Special layers react with lasers to irreversibly create white and black pixels and cover a 3-color registered pattern, revealing a color photo.

MOBILITY

E-TRANSACTIONS

Oberthur Technologies with “Multibrand NFC payment wallet” This NFC payment wallet virtualizes up to 10 payment cards, including both Visa and MasterCard, and enables users to pay on contactless terminals anywhere in the world. This wallet can also be extended to other applications such as loyalty.

Giesecke & Devrient with “Portigo” Portigo is a framework that enables the deployment of various services beyond NFC. It enables banks or mobile network operators to provide their customers with a platform for all mobile services. These services put not only various payment media, such as debit and credit cards, but also ID cards, loyalty cards, public transport tickets, and access keys for buildings and vehicles in the electronic wallet. Customers can use the applications for these services securely and conveniently from their smart phones.

DISCOVERY RCDEVS SARL with “OpenOTP/TiQR Authentication Server” OpenOTP/TiQR Server is an enterprise solution for securing Web access, VPN, Citrix, Microsoft, Unix with OTP Standards and QR code login. It supports a variety of technologies including hard and soft tokens, SMS, Email, Yubikey, QRCode Scan, and federation with OpenID and SAML.



FINGERPRINT SCANNERS SECURE STUDENT RESIDENCES AT UNIVERSITY OF SOUTHERN CALIFORNIA

The University of Southern California, a private, not-for-profit school in central Los Angeles, recently installed fingerprint scanners in each of its 14 dormitories to better secure access.

Prior to the fingerprint scanner installation, a simple swipe of the student’s ID card was all it took to gain entry to a dorm, says Keenan Cheung, housing director at USC. Some students had no problem letting others “tailgate,” a process by which persons gain entry by following immediately behind a valid entrant. “One will swipe and four people will walk in behind him,” explains Cheung. The theft of laptops, cameras and other valuables from dorm rooms led to the need for the added security. Thanks to surveillance cameras some burglars were caught but it demonstrated that tailgating by non-students was a real and present danger. Cheung knew they needed to do more to secure the residences. After researching and visiting other campuses around the country, USC staff opted for fingerprint biometrics. In November 2012, 16 fingerprint scanners were deployed at 14 dormitories. Two dorms have two entry points, Cheung explains, while the other dozen buildings have just a single entry point. USC purchased fingerprint scanners from Virdi, and opted to use campus staff rather than an outside contractor for installation to keep costs down, explains Cheung. After the scanners were installed, students were given one week to enroll their fingerprints and photo in the system. Though there are 17,000 undergraduate students, only about 3,500 live on campus – a manageable pool of enrollees.

When a student enters a dorm, the ID card is swiped to gain entry to the lobby. An additional fingerprint scan is required for access beyond the lobby. Students don’t need to pass fingerprint inspection to check mail in the lobby or access common areas. “But if you want to get into the residential portion of the dorm, then you need a fingerprint,” says Cheung. The process takes about three seconds, he explains. Each entry point is monitored by a member of Cheung’s staff on weekdays from 8 a.m. to 8 p.m. At night and on weekends a private staffing company mans the fingerprint scanner locations. Guests are welcome but must be accompanied by a resident. Each guest must sign in and leave an ID in exchange for a guest pass, with the ID only returned upon checkout. Seeing the success, other facilities have jumped on board with the technology as well. The new athletics center has a fingerprint reader and several sororities have deployed them as well, says Cheung. Not surprisingly, there was some push back from students on the new access procedures. “We’re changing student behavior, and requiring them to get fingerprinted,” he says. “Students tend to rebel against authority.” “Most students have accepted it,” says Cheung. “They realize we’ve put a lot of time and money into trying to make their environment as secure as possible. As an urban university, we need to do it.” Though promising, it’s still too early to determine how well the new program is working. “We don’t have stats back yet on number of thefts since the scanners were first installed, but I can tell you I feel very comfortable that (since deployment) we haven’t had a laptop stolen by someone outside the university,” says Cheung.


EXPERT PANEL

Identity’s Constant Challenge: Addressing Change

KEVIN KOZLOWSKI, VICE PRESIDENT, XTEC INCORPORATED

A single identity can be simple. But, as all enterprises eventually realize, the lifecycle maintenance of those identities proves decidedly complicated. The responsibility of keeping identities current, accurate and securely linked to functioning credentials – for the long term – presents the most significant challenge to current enterprises.

At inception, identities represent a straightforward equation. To support the needs of an enterprise, a single identity is affiliated with one or more credentials and assigned specific permissions. An identity management solution supports the identities’ functionality en masse, handling attributes, permissions, identifiers and credentials.

But then the needs of the enterprise change. The responsibilities of individual staff evolve. Employees leave, new employees arrive. Incidents or new threats require security to be enhanced or expanded. Lost or compromised credentials may need to be revoked while others expire. Permissions require adjusting, names need changing and security clearance levels fluctuate. In short, life happens. And the result is a litany of changes to affected identities.

Fluctuation this constant requires a flexible – but unified – identity management system. It demands, in a word, scalability. As the role and related permissions of a single employee evolve over time, that individual’s identity must also expand. Scalability, applied to a single identity, requires an identity management system to keep the full development of the identity intact from inception to termination.

Let’s look at an entry-level employee. When she arrives at the enterprise, she may require few permissions or access to only a limited number of the enterprise’s physical facilities. But as her responsibilities at the enterprise expand, she may require access to more spaces and logical access to an increasing number of applications. Life changes may require a name change. This sort of virtual shape shifting is not uncommon. But the lifecycle maintenance required to support it can strain the enterprise. An identity management system that offers scalability will ease these complications.

To fully – and securely – support evolving identities, a system should also organize identity attributes in a logical fashion. After all, we know maintenance measures are forthcoming. Why not organize our identities in a way that anticipates them?

First and foremost, identity attributes belong together. Properly linked, these attributes can be addressed as a single entity – a single identity, which they do comprise, after all. One way to orchestrate such grouping is by leveraging an identity management system that is accustomed to credential management. This is especially important in the federal or PIV-Interoperable arena, where the credential effectively becomes the digital representation of the identity. Another major benefit of an identity management system is functionality that supports permission structures.

However enterprises choose to handle their identities, they must acknowledge the challenge presented by lifecycle maintenance. And they would do well to equip themselves with an identity management system whose scalability is flexible enough for our evolving security world and whose approach to identities adequately groups related attributes from day one. Because, as the old adage reminds us, the only true constant is change.



WASHINGTON NATIONALS GO CONTACTLESS FOR SEASON TICKETS

OTHER BASEBALL TEAMS ON DECK

The crack of the bat, the pop of the ball and the roar of the crowd signal opening day for Major League Baseball teams across the country. Over the years, walking through the turnstile on game day was preceded first by the tearing of tickets and more recently by the scanning of bar codes. This year, however, the Washington Nationals franchise is taking it a step further, issuing contactless smart cards for season ticket holders.

The Nationals are using a system from UK-based Fortress GB, which has deployed systems for English Premier League teams including Liverpool, Manchester City and Arsenal. The goal of the system is to offer a complete fan experience, says a Nationals spokesperson. Season ticket holders will simply tap-and-go to enter the park using high-speed turnstiles. An online management system enables cardholders to manage and transfer tickets via the Internet.

The cards include a loyalty and marketing component as well. The Red Carpet Rewards program enables fans to redeem points for seats, suites and parking passes. They can also choose to participate in online auctions for merchandise and experiences. The Nationals are also working on an electronic purse application so fans can use their card for the purchase of concessions or souvenirs at the ballpark. Much like a debit card, fans could add money via the online account and even authorize an “auto-top up” feature.

The delivery of real-time offers via email or text message as soon as ticket holders enter Nationals Park could revolutionize communication between the franchise and its most loyal customers. “We could, for example, reward fans who arrive one hour before first pitch with a special offer via email or text as they enter the ballpark,” the spokesperson says.

It’s possible other applications could be added to the cards down the road. The infrastructure enables use of these cards at non-baseball events hosted at Nationals Park. “Future ideas include using access cards in lieu of SmarTrip cards on the DC Metro or redeeming exclusive offers from Nationals corporate partners away from the ballpark,” the spokesperson explains. Since the program was announced, other teams have also shown interest. The Boston Red Sox are reportedly launching a pilot for the cards and the Tampa Bay Rays have also been in contact with Nationals representatives.

