Regarding ID Winter 2011


Winter 2011

Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews

Making the Case FOR FIRST RESPONDER IDS

• Beyond the NFC hype • ePassports spread to half the globe • Voter IDs, Health IDs, Traveler IDs ...


Now, the future really is wide open. Introducing iCLASS SE™, enabled with the Secure Identity Object (SIO) model. Learn about SIO at hidglobal.com/sio.

More portable, more flexible, and more secure than ever before. iCLASS SE — the platform that simplifies everything. iCLASS SE protects the integrity of your identities, regardless of the card platform. It’s also amazingly flexible: use multiple form factors with an access control solution to create your ideal product today, then change it down the road as your business needs evolve by simply re-programming it. Powerful, adaptable and designed to be energy efficient, iCLASS SE is truly the next generation in access control. For more information, visit hidglobal.com/future-REID


Datacard and CD800 are registered trademarks, trademarks and/or service marks of DataCard Corporation in the United States and/or other countries. ©2011 DataCard Corporation. All rights reserved.


Delivering trusted identities that are beyond a shadow of a doubt™

Government and business rely on trusted identities. Whether you are protecting vital information or securing a border or critical infrastructure, you need to establish, with absolute certainty, that someone is who he or she claims to be. At CSC, we deliver comprehensive identity management solutions that not only provide foolproof identification but also rigorously protect the personal information of citizens and customers. Drawing upon our worldwide identity management experience, we seamlessly integrate the latest technologies, systems, policies and business processes into a solution that is secure, efficient and, most of all, trustworthy.

CSC Public Sector, CSC.COM/IDENTITYMANAGEMENT



Contents

6 | OPINION | NFC, PIV use, online ID see major advancement in 2011
8 | PODCAST | Contracts and liability with credentials; Name wars, identity and Google+; PKI needs layered approach; Global Entry & biometrics at the border
10 | ID SHORTS | Key news items from AVISIAN’s online ID technology sites
21 | CALENDAR | Industry events from the identity and security worlds
24 | COVER STORY | Making the case for first responder credentials
26 | FRAC | Homeland Security wants PIV-I for first responders
29 | ISSUANCE | Citi entering identity business
32 | PIV-I | What it takes to issue PIV-I credentials
34 | VOTER ID | Countries adopt biometrics for voter ID
34 | VOTER ID | Pakistan looks to biometrics to prevent electoral fraud
36 | HEALTH ID | The business case for health IDs
38 | CONTACTLESS | Tech 101: Contactless smart cards
44 | NFC | Beyond the NFC hype
45 | INNOVATION | Taking NFC beyond payments
46 | NFC | NFC payments at peak of Gartner’s Hype Cycle
48 | PHYSICAL SECURITY | Upgrading existing physical access control to comply with PIV mandates
49 | FIPS 201 | GAO: PIV usage still lacking
50 | BIOMETRICS | Fla. schools use palm vein for lunch payments
52 | PKI | Using PKI for physical access control
54 | ONLINE ID | Defining digital identities
61 | HEALTH ID | Congress mulls Medicare smart card
62 | BORDER CONTROL | E-passports spread to half the globe
62 | PASSPORT | Report: 90% of passports chip-enabled by 2016
64 | TRAVELER ID | Homeland Security’s Global Entry expanding
66 | OPINION | Death knell for plastic cards? Don’t get the shovel quite yet

INDEX OF ADVERTISERS

AOptix | www.aoptix.com/iris-recognition
CARTES & IDentification | www.cartes.com
CPI Card Group | www.cpicardgroup.com
CSC | www.csc.com/identitymanagement
CSCIP | www.smartcardalliance.org
Datacard Group | www.datacard.com/id
Digital Identification Solutions | www.dis-usa.com/Re-ID
Entrust | www.entrust.com
Evolis | www.evolis.com
FIPS201.com | www.fips201.com
HID Global | www.hidglobal.com/future-REID
IEEE | www.IEEEBiometricsCertification.org
Lumidigm | www.lumidigm.com
Oberthur Technologies | www.oberthur.com


Perspective

EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andy Williams, andy@AVISIAN.com
CONTRIBUTING EDITORS: Daniel Butler, Ryan Clary, Liset Cruz, Seamus Egan, Autumn Giusti, Jill Jaracz, Gina Jordan, Ross Mathis
ART DIRECTOR: Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com

SUBSCRIPTIONS: Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE: re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2011 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.

EDITORIAL ADVISORY BOARD: Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com.

2011: A year of progress

NFC, PIV use, online ID see major advancement

Zack Martin, Editor, AVISIAN Publications

A year ago I was disappointed. 2010 had been predicted to be a big year for identity and new payment technology, but while there was lots of banter most projects failed to deliver.

The pace quickened in 2011. Of course there were more announcements, but this year actual technology was deployed and pilots launched. The biggest developments were around near field communication, though pressure exerted on U.S. agencies to implement systems that use the PIV credential was also major news. I’m even starting to see the very nascent stages of corporations preparing to offer strong identity credentials to consumers.

Google Wallet and Offers dominated the headlines in the U.S. for NFC. First announced in May and rolled out in September, the Internet giant didn’t waste any time getting the technology in consumer hands. Google is aiming to create an entire shopping experience on the mobile device through its payment application called Google Wallet and its marketing/loyalty program called Google Offers. Upon entering a store, a user’s NFC Android phone will automatically determine the location and begin working to tailor a shopping experience. A welcome screen will pop up along with a shopping list based on previous buying habits. Google will track down any deals in the store that align with the shopping history. When it’s time to check out, a customer simply taps the NFC-enabled phone against the reader and Google Wallet automatically assembles everything needed to pay, including payment card, loyalty card and any coupons picked up along the way. All three items are passed to the terminal in a single tap.

Google used a bit of guerrilla marketing to help get the word out. Unlike many bank-issued contactless payment card rollouts where little to no consumer education was conducted, Google is out at retailers telling consumers about the technology. Groups from Google went to retailers and paid for purchases as part of an education and marketing campaign. The downside for Google is it rolled out on just one handset and with just one carrier. Another handset, however, will be on the market before the end of the year.

2012 promises more handsets. ISIS, the joint venture from AT&T, Verizon and T-Mobile, is launching pilots in the first half of 2012 and has agreements in place with HTC, LG, Motorola Mobility, RIM, Samsung Mobile and Sony Ericsson for NFC handsets. ISIS has been a bit of a disappointment to date, announcing the formation in late 2010 but making little visible progress other than a series of partnership announcements.

Millions of credentials are in the hands of government employees and contractors but few are using them for more than just a flash badge. In 2011 this began to change. The White House Office of Management and Budget issued a memo stating that all new physical and logical access systems must be PIV enabled. This will help our nation’s cyber security and better secure government facilities. And considering it’s more than three years after the PIV-issuance deadline, it’s a long time overdue. At the same time it appears that the PIV-I specification is also gaining traction. The cover story in this issue looks at how first responders are deploying credentials, not just for disasters but other uses as well.

PIV-I is also gaining ground in the corporate market and may even be trickling down to the consumer. Citi announced that it is rolling out an identity service to customers and will offer high-assurance credentials. This is what the National Strategy for Trusted Identities in Cyberspace is all about. While Citi may be one of the first to offer credentials to consumers there are likely to be more coming soon. It’s not a stretch to imagine anyone who is issuing PIV-I credentials to staff to also offer them to consumers … for a fee. While there may not be a huge market now, that will change as more retailers, government agencies and other web services accept the IDs for online access.

2011 has been a good year. I’m looking forward to a 2012 with more NFC handsets, more PIV card utilization and strong credentials for online identity.


Do you have an idea for a topic you would like to hear discussed on a re:ID Podcast? Contact podcasts@AVISIAN.com

Episode 82: Contracts and liability with credentials

The American Bar Association’s Identity Management Legal Task Force and the Transglobal Secure Collaboration Project (TSCP) held a joint meeting to discuss ID management issues. Much of the discussion focused on liability, contracts and how an ID system should be structured. Tom Smedinghoff, a partner at Wildman Harrold and chairman of the ABA Task Force, describes the meeting and explores how it will impact the National Strategy for Trusted Identities in Cyberspace.

“We spent a lot of time talking about liability and how the identity systems should be structured from a contractual point of view. How are all the participants legally bound and how do we allocate liability among them if they don’t follow the rules?”

“It’s a major debate and we haven’t figured it out, but we had a productive discussion. No one-size-fits-all answer to the liability question in a large identity system.”

To listen, visit DigitalIDNews.com/Podcasts and select “Episode 82”

Episode 83: Name wars, identity and Google+

Google+ wants members to use their real names when using the new social service, but for some, pseudonyms may be more identifying than real names, and others want anonymity online. Kaliya Hamlin, or Identity Woman, is one of these people, but when she tried to use this moniker on the site she was suspended. Hamlin, who along with others runs the Internet Identity Workshop, tells the tale of identity with Google+ and why pseudonyms are an important part of the Internet.

“They’re basically saying you have to put your first name and last name as it appears on your official government documents, or your wallet name, which may or may not be what people call you in everyday life.”

“There are many threads to this discussion, one is why did Google do this? Initial reason was that they don’t want trolls and spammers. Well, everyone who is advocating for the rights of pseudo-anonymous users agrees with that. You achieve that through good community moderation and filtering pools.”

To listen, visit DigitalIDNews.com/Podcasts and select “Episode 83”

Episode 84: PKI needs layered approach

When PKI is mentioned there are three terms that often come to mind: complicated, expensive and secure. The past few years have seen PKI deployments become simpler and more affordable, but at the same time its security has come into question. Mark Yakabuski, vice president of HSM Product Management at SafeNet, talks about how PKI on its own is not good enough to secure computer networks and why a layered approach, including hardware security modules, is necessary.

“PKI is a very effective infrastructure technology, and one that is required to allow businesses to drive the digital processing efficiencies that they’re looking for today.”

“PKI is based in software. And in software, one of its largest advantages is that it’s very flexible,” Yakabuski explains. “But software is inherently insecure for a few reasons. Software can be easily copied. Hardware devices that are designed to always manage the digital certificates and keys within a PKI infrastructure (positively) change that dynamic.”

To listen, visit DigitalIDNews.com/Podcasts and select “Episode 84”

Episode 86: Global Entry & biometrics at the border

After three years as a pilot program, Global Entry is moving to permanent status. John Wagner, executive director of Admissibility and Passenger Programs with U.S. Customs and Border Protection, explains the program and how it works. Wagner also talks about the program’s reciprocity with other countries and how it’s even translating to the domestic trusted traveler program.

“The basic premise is, once you’re a trusted traveler we’re not concerned with how you get to the U.S. or what environment you’re in. We want to be able to identify you as that trusted traveler and offer you some type of expedited and dedicated process to get on your way into the U.S.”

“The kiosks are located at the top 20 airports in the U.S. and the kiosks are located in all the terminals in those locations. There are maps of the kiosk locations at the website, so people can go online beforehand and see exactly where the kiosks are located. We have about 137 or so kiosks out there and we’ll be putting some more out in the coming months.”

To listen, visit ThirdFactor.com/Podcasts and select “Episode 86”


ID SHORTS SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com

New biometric policies go into effect in New Zealand

New Zealand’s government passed legislation enabling Immigration New Zealand (INZ) to store photos of all non-New Zealanders entering the country and to require fingerprint samples in some circumstances. The new policies are expected to benefit INZ through increased data on travelers, and to benefit the travelers as well. INZ Minister Jonathan Coleman says that the new biometric data collection policies will help prevent identity theft and criminal misuse of passports at the borders, and will speed up visa application processing through quicker identity confirmation. The new policies were developed with a privacy impact assessment performed in conjunction with the Office of the Privacy Commissioner in New Zealand, as the data collected by INZ is not only available to New Zealand’s own government but shared with the U.S., Canada, Australia and the UK as part of a Five Country Conference biometric program.

AOptix, HRS bring iris recognition to Gatwick Airport

AOptix Technologies integrated its iris recognition system into 34 automated e-Gates at Gatwick Airport’s South Terminal. AOptix InSight VM technology was integrated into the gates supplied by Human Recognition Systems (HRS) that were already in place at the airport. With the combined system, travelers at Gatwick use their iris, which InSight VM captures at a distance rather than right up against the scanner, to match their identity to their boarding pass at automated gates using HRS’ MFlow Track. Security officials at Gatwick report that travelers are already spending an average of five minutes less in security lines than they had before the technology and other physical upgrades were deployed.

NetSuite adds CA Technologies capabilities for cloud security

NetSuite partnered with CA Technologies to bring an increased level of security to NetSuite’s cloud-based products. NetSuite will base its new authentication on CA Technologies’ Arcot WebFort product to offer two-factor authentication security. The additional security will support a variety of authentication methods and aims to offer enterprise-grade security for ERP, CRM, ecommerce and PSA. The two factors involved with this upgrade are a cryptographic token and a username/password combination. The product supports cryptographic tokens that comply with the Open Authentication (OATH) standard. The security features utilize CA Technologies’ infrastructure and are provided by NetSuite.

GlobalPlatform prints new spec for app management over secure element

GlobalPlatform published a new specification that enables mobile service providers to remotely manage applications residing on any type of secure element (SE) in a mobile phone. The single, standardized administration protocol defined by the new GlobalPlatform Device: Secure Element Remote Application Management v1.0 specification also features a retry policy designed to ensure that when connection to a network is lost due to poor network coverage or a dead battery, management scripts continue to be present until they successfully reach the desired location within the SE.

The new protocol is fully compatible with the existing one used within the GlobalPlatform Card Specification v2.2 – Amendment B. This document, first published in 2008, enables service providers and application developers to remotely manage applets on a SE within a UICC using the HTTP communication and SSL cryptographic protocols.

According to GlobalPlatform, the new protocol should result in shorter time to market for service providers looking to expand support for their application through additional or new mobile phones that use varying SEs, such as a micro SD card, or embedded SE. “A standardized approach that enables one administration platform to remotely manage applications across all kinds of SEs will stimulate the mass deployment of SEs within mobile phones, and subsequently more secure mobile service applications,” said Gil Bernabeu, technical director at GlobalPlatform. “This technology addresses a real need among service providers in today’s market who are seeking a simplified and standardized approach to remote application management across different handset models.” According to Bernabeu, GlobalPlatform will aim to drive the deployment of this specification as standard within all phones that support SEs.

More retailers kick off Google Wallet

Google has announced that The Container Store, Foot Locker, Guess, Jamba Juice, Macy’s, OfficeMax and Toys’R’Us have joined American Eagle in rolling out the full Google Wallet SingleTap solution. According to Google, shoppers at these locations can now pay for items, redeem coupons and earn rewards points all with a single tap of their NFC-enabled handset. All the customer needs to do is take their items to the register and tap their phone, and the app will automatically sort through their digital wallet to find an appropriate coupon or loyalty card. Google has also announced a couple of updates to the service, including a new Featured Offers section that contains discounts exclusive to Google Wallet users. Google says it has also improved transaction details for the Google Prepaid Card by providing real-time transaction information including merchant name, location, dollar value and time of each transaction. A Google Wallet team has been dispatched to participating retailers to show customers how to use the new service and also pick up their tabs. Merchants currently offering digital loyalty cards for Google Wallet include Foot Locker, Guess, OfficeMax and American Eagle Outfitters.

VingCard delivers contactless locks to Edinburgh hotel

The Sheraton Grand Hotel & Spa in Edinburgh, Scotland has installed VingCard Elsafe’s Signature RFID contactless locking solution. Replacing the traditional magnetic stripe key card system, the new locks enable guests to tap to enter their room using a contactless card or fob. The system can also be adapted to support NFC technology, enabling guests to use their NFC-enabled mobile phone to check in remotely and receive an encrypted room key. Guests can go straight to their room and tap the phone against the lock to gain entry. Aside from guest convenience, the system also offers a 600-event audit trail and anti-cloning software to ensure guest safety, and even uses less power than traditional magnetic key cards, according to VingCard. In addition to the locks, Sheraton Grand Edinburgh also implemented VingCard’s VISION software, which enables the locking system to be integrated with the hotel’s property management and point-of-sale systems.

Aware develops biometric software for Justice Department

Aware has announced the development of its Next-Generation Universal Automated Booking Station (Universal ABS), a biometric enrollment application, for the U.S. Department of Justice. The new solution was built on Aware’s BioComponents product family, resulting in a modular software solution rather than a hard-coded application, which means an organization such as the Justice Department would not have to rewrite the source code to use the same solution for different agencies and implementations within the department. The new solution works either on a Microsoft Windows operating system or as an Internet browser-based application. It ships in individual software modules, each with its own interface, biometric auto-capture functionality, image processing, image analysis and peripheral capture device abstraction. Bundling the solution as individual modules enables customers to utilize, configure and customize their own software solution from the Universal ABS quickly.

ActivIdentity launches strong authentication for financial services

ActivIdentity Corp. has launched the 4TRESS Authentication Appliance FT2911 model, a product that offers multi-layered strong authentication, fraud detection and cloud security capabilities for the financial services industry. Geared toward enterprises, banks and ecommerce sites, the 4TRESS Authentication Appliance offers more than 15 strong authentication methods that users can integrate with its authentication and fraud detection capabilities. 4TRESS supports Web, mobile and PC soft tokens and provides out-of-band OTP for transaction-level authentication. In addition, it profiles PCs at time of registration and during each login to rate risk and allow access. For security within the cloud, 4TRESS provides OTP, out-of-band and smart card strong authentication in front of SAML v2-enabled cloud applications. To expedite integration for online banking users, 4TRESS supports many industry standards and has flexible APIs and pre-configured templates. The product can be used with a centralized security management system, yet be fully localized.

NFC Forum, Continua Health Alliance collaborate on NFC-enabled health care products

Continua Health Alliance, an industry organization of health care and technology companies, is teaming up with the NFC Forum to expand NFC connectivity technology in the health IT industry. The agreement between the organizations will see the creation of personal connected health products and services that provide patients, caregivers and health care providers simpler and quicker access to the user’s health information through NFC connectivity. The organizations are now exchanging technical information to facilitate the development of related Continua specifications for the personal health care devices. The partners say they will also collaborate to streamline supporting vendor development and certification activities to speed products to market. According to the NFC Forum, the health care industry has been one of the earliest adopters of NFC technology and offers many opportunities for innovative NFC-based solutions. Chuck Parker, executive director of Continua, comments: “NFC technology has the potential to simplify the exchange of digital content for health care consumers and providers, permitting individuals and care teams to obtain information more readily and accurately.”

BioP@ss project speeds up passport control

The BioP@ss project, a program funded through the EUREKA microelectronics cluster MEDEA+, has been working on a way to speed up passport control at European airports. Digital security specialists, European electronics makers and biometrics experts have been working together on this new technology to meet the air travel security standards for 2014. The project worked on contactless card scanning and high speed data interfacing to boost security, speed up passport control lines, reduce government administration costs and ease access to public European electronic services. Companies involved with the project had to find a solution that didn’t necessitate vast overhauls in current airport infrastructure. Gemalto partnered with 11 companies in five countries to develop e-passport and e-ID cards that incorporate a microprocessor chip that stores private information and personal biometrics. Extended EU security requirements mandated encryption and the need to have physical access to the card in order to read the chip. Beyond airport security, other applications were developed for health care, voting and other government services. The project also contributed to a proposed new ISO standard for contactless data transfer that’s currently under consideration, as well as the CEN IAS standard for the European Citizen Card.

Cubic’s Tri-Reader 3 approved for open fare payments

Cubic Transportation Systems’ Tri-Reader 3 has been approved by the top four bank card brands to process contactless EMV cards for use in public transit systems. According to Cubic, the Tri-Reader 3 is the first public transport reader that can process all industry standard contactless smart cards, including many transit cards as well as bank-issued contactless EMV cards from American Express, Discover, MasterCard and Visa. In London, for example, the Tri-Reader 3 will be able to read and process Oyster cards, contactless EMV cards and NFC mobile payments. The Tri-Reader 3 was developed on behalf of Transport for London, but Cubic says the device will be useful to all of its customers making a transition to open payment systems. Cubic’s customers currently include seven of the top ten largest public transit markets in the U.S., U.K., and Australia. “Our customers now have an open payment solution, which means that our technology supports any contactless media that conforms to ISO 14443, whether in an account, card or NFC phone based system,” said Pradip Mistry, vice president of engineering at Cubic Transportation Systems. “At the same time, we have also ensured that the same levels of speed and reliability we have built into previous generations of card-based fare collection systems are achieved for open payment.” The Tri-Reader 3 is being deployed on London buses with future plans to expand across Transport for London’s entire network.

Clear Channel to put NFC in London advert screens

Clear Channel announced plans to deploy a network of 100 NFC-enabled London Digital 6 (LD6) advertising screens in London’s busiest areas. Slated for launch on Nov. 28, the 72” HD screens will provide more interactivity with target audiences through social media and NFC, the company says. Presumably, the technology will allow NFC handset users to tap the displays to receive offers from merchants and advertisers. In addition to adverts, the screens may also be used for real-time updates such as news, weather, travel and links with social media, according to Clear Channel. The LD6 network will be deployed throughout London’s shopping areas (Oxford Street, Upper Street, Shepherds Bush Road, Victoria Street and Baker Street), entertainment districts (Cambridge Circus, Aldwych, Shoreditch High Street, Camden High Street and Clapham High Street), transport hubs (King’s Cross, Euston, Victoria and Clapham Junction) and wealthier neighborhoods (Wandsworth, Hammersmith, Islington and Westminster).


idOnDemand releases report on updating PACS

idOnDemand announced the availability of a new white paper on physical access control systems. The white paper, “Physical Access Card Systems: Yesterday and Today,” can assist organizations in recognizing the limitations of their proximity card-based building access systems and offers a secure, standards-based approach to modernize building security. It gives an overview of building access systems, explains how the widely employed legacy approach does not address today’s security needs and offers considerations and strategies to move forward with a more secure smart card-based solution.

Northrop Grumman awarded Army contract

Northrop Grumman has been awarded a contract by the U.S. Army Biometrics Operations and Support Services – Unrestricted (BOSS-U) program to develop and supply a DNA identification system developed by IntegenX. The DNA-authentication system, called the IntegenX RapidHIT 200 Human DNA Identification System, was previously tested in a Department of Defense exercise in which the system was able to continually deliver correct DNA identifications on-site in fewer than two hours, as opposed to the standard 12 to 15 hour timeline common in labs. The DNA identification the RapidHIT system performs requires users to submit cheek swabs or tissue samples; the system then creates a profile and either compares it to the domestic and international databases or adds the profile if there is no match in the databases. IntegenX officials say the contract will enable the company to get the products in the field quicker and give military operations new tactical advantages.

NYU intros new student ID, revamps campus access system

New York University is doing away with its old, outdated swipe machines and replacing them entirely with new, modern and secure electronic card readers. Students will no longer have to swipe the magnetic stripe on their ID cards when entering certain NYU buildings. Instead, students will wave their new contactless smart cards at new card readers for access. Card readers have already been installed in most buildings, residence halls and libraries. The newly issued ID cards, coupled with the electronic card readers, provide a higher level of security in addition to giving students quick and easy access to campus facilities. Even the university’s study abroad sites, NYU Abu Dhabi and NYU Florence, are using the new technology. All other sites are scheduled to receive the new readers by next January.

Study finds average college student uses ID card for 6.36 applications

Ingersoll Rand Security Technologies announced that access to buildings, identification, cafeteria purchases, library, bookstore purchases, printing and vending, in that order, are the leading applications for which American college students use their school-issued ID cards. Research also concluded that overall, the majority of college campuses are still using older technologies, such as magnetic stripe cards, mechanical keys and bar codes, for access control on campus rather than new technologies. Research showed that only 31% of colleges are using the newer, more secure technologies, with 16% using proximity technology, 10% using biometrics and 9% using smart cards. The company added that large colleges are most likely to use biometrics, proximity and smart cards, while small schools were less likely. Biometrics are more common at city and urban colleges.

Asian smart card manufacturers gaining ground on European rivals Major growth in developing markets over the last two years has allowed smaller Asian smart card vendors, such as Eastcompeace, Watchdata, Datang, and Wuhan Tianyu, to increase their market share to 16% in 2010, up from just 12.4% in 2009. Asian vendors are increasingly challenging the top four all European vendors, Gemalto, Giesecke & Devrient, Oberthur and Morpho, who saw their market share drop from 71.4% to 66.6% in 2010. Much of the growth in smart card shipments continues to come from the SIM market, which is expected to grow nearly 17% in 2011 with 500 million more SIM cards expected to be in use by the year’s end. Overall, African SIM shipments jumped to 40% in 2010 and are expected to be up at least 21% for 2011. Similarly, the Middle East has been strong, and Indian shipments increased 43% in 2010 and are expected to be up 35% for 2011. Beyond the SIM market, the uptake of smart cards in other sectors, particularly payment and banking, is also creating opportunities for the Asian manufacturers.

Winter 2011

15


ID SHORTS

SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com “EMV is increasingly being adopted in emerging markets to reduce the risk of fraud and China is now looking to adopt the PBOC 2.0 chip and PIN standard. At the same time, we anticipate an upgrade to the existing national ID card rolling out within the next five years,” says John Devlin, group director, security and ID at ABI Research. “While the leading vendors have a strong presence in the identification and payments sectors, such moves will inevitably provide a platform and important experiences for domestic Chinese companies to leverage in other emerging markets.”

Asia tops e-ID list

Asian countries will be the biggest consumers of electronic credentials, according to IMS Research’s electronic government and health care card Opportunity Matrix. The matrix ranks the opportunity offered to suppliers of electronic government and health care ID cards by the leading 15 countries. The scores are calculated using a formula based on the projected number of smart cards/credentials shipped into national ID, passport, driver license and health care card programs in 2016. The formula also takes into account the level of risk of cancellation/delay associated with each project. China tops the matrix due to its high scores for its massive citizen ID project, but also for the opportunity it presents in terms of e-passports. India is ranked number two, driven by above average scores in all four application areas. Asian countries hold the top four spots, with Japan and Indonesia in third and fourth. The U.S. was the highest-ranking non-Asian country at number five. It scored zero for e-ID but scored well above average for e-passports. Some localized deployments of e-driver licenses and e-health care cards also gave it an above average score.

Germany was the highest-ranking European country at number six. Its long-running health care card program was partly responsible for this, but its national e-ID card rollout and e-passport rollout also contributed greatly to its score.

RIM reveals NFC content sharing on BlackBerry

RIM has unveiled a new contactless content-sharing system for NFC-enabled BlackBerry smart phones. “BlackBerry Tag” will enable users to share contact info, documents, URLs, photos and other media by simply tapping their NFC-enabled BlackBerry handsets together. The service will also connect to BlackBerry Messenger (BBM), allowing users to tap phones to add each other as friends. RIM currently offers two NFC-enabled BlackBerry phones that will support BlackBerry Tag: the Bold 9900 and the Curve 9360. The service will be introduced with the next update for BlackBerry 7 OS. RIM says BlackBerry Tag will be open to third-party software developers, enabling them to add NFC sharing technology to future apps.

FBI planning facial recognition for local police suspect identification

By early 2012 the FBI will begin a service providing facial recognition capabilities to local police agencies for identifying persons of interest via photos. The program is part of the bureau’s larger Next-Generation Identification system, which incorporates iris, voice and facial data in addition to fingerprint data. The FBI is hoping to address the frequent case in which police investigating a case have a photo of a suspect but nothing more.

With the new facial recognition software, police agencies would be able to find matching mug shots from a submitted photo. Michigan, Washington, Florida and North Carolina police agencies will test the equipment in an initial phase. If the pilot program is successful, FBI officials expect a full rollout across the country in 2014.

NFC Forum launches spec for peer-to-peer data exchange

The NFC Forum released its 16th specification, the Simple NDEF Exchange Protocol (SNEP), for sending or receiving messages between two NFC-enabled devices. The free-to-download SNEP is an extension of the NFC Data Exchange Format (NDEF). Previously, NDEF was applicable only to NFC tags in reader/writer mode. Now, SNEP enables the use of the open standard NDEF in peer-to-peer mode, allowing for seamless interchange of data. “Application developers no longer need to concern themselves with how their NDEF data gets transferred between NFC-enabled devices,” said the NFC Forum in a release. “This capability is similar to the way that NFC Forum Tag Type specifications encapsulate the differences between communication layers. By providing this capability, the SNEP specification makes the difference between reader-writer and peer-to-peer operation modes disappear - a major step towards global interoperability of NFC applications.” According to the NFC Forum, potential applications for NFC technology developed with the new SNEP specification include sending business card information between NFC devices via a peer-to-peer connection or retrieving and storing NFC tag information for review at a later time.



Miami of Ohio taps Schlage, CBORD for campus security

The CBORD Group teamed with Ingersoll Rand Security Technologies for a full campus deployment of physical access technology for the 16,000 students at Miami University of Ohio. The installation took only 90 days to complete and covered 40 buildings, including residence hall rooms and campus facilities. For the installation, more than 4,200 interior and 325 exterior doors were deployed. The integrated door access system uses the combination of CBORD’s CS Access access control solution, Schlage AD-Series locks and the new technology-based Schlage aptiQ contactless secure student credential from Ingersoll Rand. CBORD’s CS Access provides staff with lock monitoring and deployment features, including “door propped” reporting. If a student forgets their ID card, a text message can be sent from the student’s cell phone to receive instant building or room access using a new CBORD feature called “OpenMyDoor.”

The Schlage aptiQ contactless smart card credential is an open-standard solution based on MIFARE DESFire EV1.

Report: 2016 contactless card shipments to hit 3.5 billion

IMS Research has released a new report predicting that global contactless smart card shipments will increase from 950 million in 2010 to 3.5 billion in 2016. According to “The World Market for Smart Cards and Smart Card ICs – 2011 Edition,” contactless bank cards will drive most of the growth, primarily from the People’s Bank of China’s plan to convert all of China’s debit and credit payment cards to smart cards. IMS says this announcement, made in March, will have a “great effect” on smart card shipments from 2013 to 2015. IMS expects a mix of contact and contactless/dual interface solutions to remain in the government and health care sectors. Even so, around three quarters of cards sold into this application in 2010 were estimated to have been contactless. Report author Don Tait comments: “The top contactless applications during the next five years are projected to be bank cards, government and health care ID cards, transportation and physical access cards. These four applications are projected to account for around 99% of units shipped in 2016.”

TSA to pilot ID verification

The Transportation Security Administration will purchase and pilot new technologies designed to provide a greater ability to identify altered or fraudulent passenger identification credentials and boarding passes in order to further enhance travel safety.

TSA plans to test the technology at select airports in early 2012. The system will verify a passenger’s ID document and boarding pass at the same time.

The new system may be a response to fake IDs from China flooding the U.S. The fake driver licenses can only be spotted through a forensic analysis of the credential or by checking the document with the issuing agency.

TSA’s new system, known as Credential Authentication Technology – Boarding Pass Scanning Systems (CAT-BPSS), will eventually replace the current procedure used by security officers to identify fraudulent or altered documents. The system will be incorporated into TSA’s risk-based pilot that is slated to begin at four airports in the near future. This aligns with TSA’s latest efforts to enhance the passenger screening experience by moving toward a more risk-based, intelligence-driven counterterrorism agency. The approximately $3.2 million award includes the purchase of 30 systems from three different vendors. TSA began testing travel document authentication technology in July 2011. TSA continually tests the latest technologies available in an effort to stay ahead of evolving threats and improve the passenger screening experience.

Isis signs on six leading mobile phone makers

Isis announced that six major phone manufacturers – HTC, LG, Motorola Mobility, RIM, Samsung Mobile and Sony Ericsson – will introduce NFC-enabled mobile devices that support Isis’ mobile wallet platform. According to the company, these phones will enable users to securely make payments, store and present loyalty cards and redeem offers at participating merchants with the tap of their handset. Isis says it is also working with DeviceFidelity, a developer of NFC-capable microSD cards, to add NFC functionality to mobile phones without built-in support, ensuring anyone can take part in the service. “Today’s announcement signals the growing acceptance of NFC technology by some of the world’s leading device makers,” said Kouji Kodera, chief product officer of HTC. “The key to widespread adoption of mobile commerce will be the broad availability of NFC-enabled handsets,” added Dale Sohn, president of Samsung Mobile. “Samsung will be working with Isis and the mobile carriers to ensure NFC-enabled handsets are widely available to consumers.”

Isis, a joint venture between AT&T, T-Mobile and Verizon, says the announcement is in line with the company’s goal of developing an open mobile commerce platform that aligns the interests of all key stakeholders and provides consumers with freedom of choice. “Isis’ technology standards provide the direction and certainty needed for the development and deployment of NFC devices and the mobile commerce ecosystem,” said Scott Mulloy, chief technology officer of Isis. “Working together with the device makers and our founding mobile carriers, Isis can provide the consumer choice and scale necessary for widespread adoption of mobile commerce.” Isis is slated to launch early to mid next year in Salt Lake City.

AuthenTec sensors to be included in new Dell notebooks

AuthenTec’s TouchChip line of fingerprint scanning modules will be implemented in Dell’s new Latitude E6520 notebooks. The sensor is FIPS 201-certified, so it can be used in conjunction with U.S. government projects. The Dell Latitude E6520 is a rugged laptop that features a military standard-tested metal case and a highly durable display. It is the second generation of Dell notebooks to incorporate an AuthenTec TCS1-based TouchChip module with a PIV-compliant smart card reader, enabling multi-factor authentication. The Dell Latitude E6520 offers government agencies and contractors a complete endpoint security solution for complying with U.S. government standards. AuthenTec’s new TCETB1 TouchChip module integrates a low-profile conductive metal bezel, which reduces device thickness to approximately half that of the prior generation, allowing it to fit into more devices.

Datacard Group’s limited edition card printer to support the fight against breast cancer

To support the fight against breast cancer, Datacard Group introduced a limited edition pink SD260 Card Printer. The pink printer will be available for purchase from October 2011 to March 2012 while supplies last. Datacard will donate a portion of the proceeds from each printer sold to the Pink Ribbon Foundation. This foundation funds projects and supports charities that help people who suffer from or are affected by breast cancer.

SafeNet provides security guidelines for PKI-based transactions

In light of recent security breaches that have attacked enterprises’ PKI infrastructure, Baltimore-based data protection provider SafeNet released security guidelines to enhance PKI-based transaction security.

SafeNet’s cryptographic experts first advise that companies consider securing their private keys in a hardware security module (HSM). While software-based key storage has the benefits of portability and flexibility, it is also vulnerable to being copied and existing in multiple locations simultaneously. The HSM creates a trust anchor that locks down keys and grants access to key material only from an authorized source.

Next, enterprises shouldn’t assume that their infrastructure is secure just because they have a certificate authority. Should the certificate authority’s private key be compromised, the entire PKI is compromised. SafeNet recommends using multiple layers of secure cryptography and hardware-based options for securing PKI end points.

Finally, SafeNet recommends planning ahead for the next generation of critical applications. As PKI end points have expanded and more advanced PKI applications have been developed, companies should be more diligent about establishing trust anchors to protect keys and certificates within these applications.

STOPware provides universal PIV compliance to federal agencies

Visitor management identification and tracking software provider STOPware introduced a new module to its PassagePoint GLOBAL product. This module processes visitors using PIV-compliant credentials in accordance with FIPS 201. The module enables any federal agency with STOPware to use a single PIV card to verify and authenticate across agencies. It extracts cardholder information from any PIV, TWIC, FRAC or CAC card, then validates the holder’s PIN and matches the on-card biometric information. The module also verifies digital certificates and validates cards using the FIPS 201 challenge-response protocol.

Upon completion of the cardholder validation process, the cardholder’s information, photo and Federal Agency Smart Credential Number are automatically entered into PassagePoint Global v10 Visitor Management software.

AOptix develops new multimodal system

AOptix Technologies launched a multimodal biometric solution that authenticates an individual’s identity via both face recognition and iris recognition simultaneously.

The new product, called InSight Duo, is designed for the aviation security and border security industries. The technology is designed specifically for trusted traveler programs and immigration processing. In addition to being touted as efficient from the user’s point of view, the InSight Duo is user-friendly for operators, as it’s fully automated and enables non-technically minded operators to use the system with ease.

PayPal unveils ‘Future of Shopping’

PayPal revealed its plan to re-imagine the way people shop, enabling payments anytime, anywhere, with any device, according to the company’s blog. The new system is designed to affect the entire “shopping lifecycle,” starting with location-based mobile advertising and ending with mobile payments at the point of sale. Customers can also scan in-store bar codes with their mobile devices to receive coupons, as well as scan items to compare prices around town or find the right size or color. Most intriguing of all, the new service lets you bypass the checkout line entirely by scanning the item off the rack and paying for it right there with a mobile PayPal app. You can also use the app to place an order and pay ahead of time at your favorite coffee shop or restaurant and simply walk in and carry it out.

Visa joins Google Wallet

Visa has announced that it will license its payWave contactless payment technology to Google for its mobile payments and loyalty service, Google Wallet.

The agreement sets the stage for banks worldwide to enable Visa account holders to add their credit, debit and prepaid accounts to Google Wallet, a mobile app that lets NFC-enabled smart phones carry payment and loyalty cards, digital coupons, tickets and more. As an open commerce ecosystem, Google Wallet is already supported by both Citi and MasterCard. A partnership with Visa will add hundreds of thousands of acceptance points worldwide to the Google Wallet network, according to Visa. Earlier this year, Visa launched its own digital wallet that provides consumers with “click-to-buy” payment functionality and access to their Visa and non-Visa accounts using a personal computer or smart phone. The service can be used to make purchases online and at retail locations.

CBP developing new biometric system for pedestrian border crossers

The U.S. Customs and Border Protection agency at the Paso Del Norte Mexican border crossing in El Paso, Texas, has initiated work on a system that would use biometrics to help reduce wait times for those entering the country on foot. The new system, which will rely on fingerprint-based biometrics and RFID readers with Western Hemisphere Travel Initiative-compliant documents, is being designed to automate all processing of individuals, leading to a more efficient procedure. In addition to streamlining processes for Border Protection officers, the new system is expected to give CBP a better way to positively identify individuals and help stop suspected terrorists and wanted criminals from walking into the U.S.

A pilot of the new system is scheduled to begin in November 2011 in three of the existing pedestrian lanes at the Paso Del Norte.

Thursby brings smart card support to Apple’s OS X Lion

Thursby Software Systems announced that it is providing Apple email support for the latest version of its PKard smart card authentication solution for U.S. government workers. According to Thursby, the solution provides the smart card support that Apple’s latest OS X Lion operating system lacks. PKard v1.1 adds secure mail signing, encryption and decryption in Apple Mail to the existing Apple Safari and Google Chrome secure web and web VPN access that cover all CAC and PIV smart cards. The update to PKard for Mac is free for existing users and $29.95 for new users.

DigitalPersona hardware popping up in KFC franchises in U.S.

DigitalPersona announced that multiple KFC restaurants owned by franchisees are improving their loss prevention programs with fingerprint biometrics. At locations across the Midwest and Southeast, the new biometric solution is replacing a PIN-based authentication system in an effort to reduce payroll fraud due to buddy punching. It is also anticipated to reduce bogus transactions at the register, as individuals can be held directly accountable for their actions on a register. Officials from the franchises implementing the new technology, West Quality Food Service and KBP Foods, are already reporting reductions in payroll and food costs due to the new systems.

HID releases Asure ID SDK

HID Global announced the release of its Asure ID Software Development Kit (SDK), which enables more powerful card personalization software and integration for FARGO and desktop card ID printers. As part of the company’s Asure ID card personalization solutions used by organizations to design, manage, print and encode identification cards, the kit is a set of modules and tools for third-party developers to incorporate Asure ID card personalization features into their own credential management systems. Asure ID’s SDK enables developers to streamline the card personalization process by integrating technology card programming and card design templates into credential management systems. This allows end users to leverage one software interface to design, encode and print ID cards.

NFC-enabled BlackBerry devices supporting HID iCLASS

HID Global announced plans to support iCLASS digital keys and mobile secure identity on NFC-enabled BlackBerry smart phones. The new BlackBerry Bold 9900/9930 and BlackBerry Curve 9350/9360 smart phones activated with iCLASS digital credentials will be compatible with the installed base of iCLASS readers. BlackBerry smart phone users will be able to present iCLASS digital credentials by holding their phone in front of a reader, just as they do today with a physical contactless card. Pilots using BlackBerry smart phones activated with iCLASS digital credentials will be conducted this year. HID Global expects that its embedded iCLASS technology will be generally available for the BlackBerry Bold 9900/9930 and BlackBerry Curve 9350/9360 smart phones in early 2012.

New Zealand moves forward on national livestock ID

The New Zealand government is moving forward with its plan to deploy an electronic national livestock identification system. The proposed National Animal Identification and Tracking (NAIT) project states that cattle producers will be required to tag cattle with NAIT-approved RFID tags starting in July 2012. The program will officially launch in February, giving producers four months to get on the NAIT program. Deer producers will join the program in March 2013. The mandatory date was set after receiving cross-party support in Parliament. Executives said the project would assure overseas markets that livestock disease can be quickly contained in the event of any disease outbreak. The system could also be used by farmers to improve farm management and by retailers to provide consumers with more information about meat’s origin. It has been estimated that approximately 9.8 million cattle will have to be electronically tagged and registered online in the three years after July 1, 2012.

Smart card industry experienced double-digit growth in 2010

The smart card industry bounced back from a weak 2009, as smart card IC units increased by more than 20%, according to IMS Research. In its new report “Smart Cards and Smart Card ICs – World – 2011,” IMS Research found that card suppliers restocked their inventories in 2010, which contributed to the high growth levels. Over the last ten years, the industry has experienced an average annual growth rate of around 20%, with lows occurring in 2002 and 2009. 2009 saw only a 5% growth rate, the second worst on record, according to IMS. Though forecasts predict double-digit annual growth, IMS author Alex Green says the industry will have a difficult time sustaining a growth rate as high as 20%, due to lower growth in the cellular handset, and hence SIM card, market.

Still, other applications, such as payment and banking cards and M2M, are projected to contribute more to the overall market growth.

Thai government pushes “Smart Thailand” plan

In an effort to make high-speed broadband access available in all districts of the country, the Thai government started the “Smart Thailand” initiative, which will enable rural residents to access e-government services locally in their tambons rather than travel to the main district town for services. The plan will utilize smart card IDs to enable residents to submit their house registrations online and consult with doctors in Bangkok. Social welfare services will be tied to the cards, and residents will be able to get public information about other government initiatives. Students will be able to study in virtual classrooms. The Thai government has invested heavily in building a broadband network, spending 6.3% of gross national income per capita on the infrastructure. The government hopes to push overall broadband penetration up from 5.7% of the population to 80% by 2015.



Integrated Biometrics creates FBI certified reader

A new fingerprint sensor from Integrated Biometrics, called Watson, has been named the first non-optical scanner to receive FBI IAFIS Appendix F Certification. The technology the Watson uses in place of the more common optical sensors is LES technology, wherein a polymer reads the prints and makes sure the sample comes from a live finger. Integrated Biometrics designed the Watson with military, law enforcement and border patrol applications in mind. It has a small footprint and light design in addition to its rugged build, and it can operate without the scan surface being cleaned between scans.

Unisys “stealth solution” protects mobile workers

Unisys released its Stealth Solution for Secure Virtual Terminal (SSVT) product, a USB device that secures a mobile user’s data and makes it available only to authorized users. The portable USB device is certified by the federal government and can be customized and dedicated to a user. With it, the user can boot up remotely and link to an enterprise network through a secure session. Stealth Solution for SSVT can also create a virtual and independently secure group in which members can safely share the same physical or virtual network. The device secures data through advanced cryptography. Each virtual community is locked down with its own cryptographic key that allows the group to “go dark” on a network and function undetected by anyone who does not have access to it.

Mobile users can also add and manage more secure end points with the device, giving them the ability to isolate data from detection and theft by hackers. With the device’s SecureParser technology, created by Security First Corporation, data is cryptographically split into multiple packets when traveling through a network. When the data reaches the storage device, it’s authenticated and reassembled. The product is geared to the financial services industry, as well as to government and enterprise tele-workers and emergency first responders.

Yale debuts first NFC lock for U.S. homes

Yale Locks & Hardware, an ASSA ABLOY Group company, announced a new NFC-enabled version of its Real Living locks, calling it the first U.S. brand of NFC-enabled residential locks designed to integrate seamlessly into the digital home. Compatible with the ASSA ABLOY Mobile Keys platform, the new lock system enables credentials to be distributed securely through NFC mobile phones as an alternative to mechanical keys and physical access cards. According to Yale, this makes Real Living the first line of residential locks that can be unlocked directly using an NFC-enabled mobile phone. The system also supports both Z-Wave and ZigBee, allowing the lock to be integrated into a range of home control and security systems.

Swedbank taps Gemalto for converged ID

Gemalto announced that Swedbank is deploying the Protiva corporate solution across its organization, as well as in 60 savings banks in Sweden. The result will be a single identity management system designed to provide better access protection for networks and cloud resources. Swedbank is a bank in Sweden and the Baltic countries, with 10 million private customers and nearly 700,000 corporate clients. The Protiva solution, part of Gemalto’s cloud computing security offer, will secure access to data networks and physical access for 20,000 employees, irrespective of country, branch or IT system. Implemented initially in Sweden, the solution is being deployed across the Baltic countries, as well as in a number of smaller representative offices internationally. In addition to providing Swedbank’s employees with secure access to their company network remotely or on-site, the Protiva corporate badge will also enable email encryption and eSigning.

Macy’s set to launch RFID nationwide

Macy’s Inc. announced that its Macy’s and Bloomingdale’s stores are adopting RFID technology to manage item-level merchandise inventories. The company has been testing the technology for nearly two years in selected stores and distribution centers, tracking replenishment goods on hand by size, color and style. The initial launch of RFID technology will be in size-intensive replenishment categories such as intimate apparel, men’s slacks, denim and women’s shoes in stores nationwide. By 2012, the company expects to begin using RFID in all of its stores nationwide to count replenishment goods, items regularly stocked and automatically resupplied as they are sold to customers.

AT&T, T-Mobile, Verizon pour $100 million into Isis

Verizon, AT&T and T-Mobile are providing more than $100 million in new funding for their mobile payments joint venture Isis. The exact amount of funding will be determined based on the number of banks and merchants that sign onto the service, which is scheduled to debut next year in Salt Lake City and Austin, Texas. Isis, which has signed deals with Visa, MasterCard, Discover and American Express, uses NFC technology to allow customers to make contactless purchases at the point of sale, as well as receive and redeem coupons using their mobile phone.

Keri adds wireless locks from ASSA ABLOY

Wireless locks from ASSA ABLOY’s Aperio line can now be used within Keri Systems’ Doors.NET physical security offering. Customers can mix and match the Aperio wireless readers and the Keri TCP/IP-based NXT readers to get the ideal functionality at each door. Aperio brings a cost-effective way to connect additional openings to an existing electronic access control system. It communicates wirelessly using 802.15.4 and supports HID iCLASS credentials. More than 40 access control companies have adopted the technology globally.

Experian, Symantec credentialing solution government certified

Experian and Symantec’s jointly developed two-factor credentialing system has received National Institute of Standards and Technology (NIST) Special Publication SP 800-63-1 Level 3 Assurance. The General Services Administration (GSA) Division of Identity Management evaluated the tool to determine its soundness and feasibility in accordance with the Special Publication’s electronic authentication guidelines. The Drug Enforcement Administration’s Interim Final Rule on Electronic Prescriptions for Controlled Substances mandated this formal review; the rule requires prescribers to obtain two-factor identity credentials from a GSA-approved provider. Experian and Symantec’s cloud-based credentialing system draws on Experian’s identity proofing capabilities and Symantec’s VeriSign Identity Protection Authentication Service. It’s designed for government agencies and health care organizations to provide security and minimize fraud risk when conducting sensitive, online transactions.

Gemalto authentication for ING Belgium’s eBanking platform

ING Belgium is deploying Gemalto’s Ezio end-to-end authentication product in its eBanking platform for its one million online banking customers. The Ezio service uses the Ezio Classic reader and ING customers’ current smart banking card to generate a one-time password that grants secure access to their bank account and online transaction signing. The system is fully compliant with Belgian regulations regarding online security and is designed to encourage customers to enroll in online banking. Gemalto will provide ING Belgium with additional services such as server integration, packaging and direct delivery of Ezio Classic card readers to ING Belgium’s customers.

EMV Training Academy founded in California

An EMV Training Academy has been established in Pasadena, Calif. to facilitate the adoption of EMV chip and PIN technology in the U.S. and Canadian banking industries.

Led by a group of veteran payment industry professionals and technology partners, the EMV Training Academy offers training courses, test tools and consultancy services covering the North American contact, contactless and NFC mobile payments markets. The EMV Academy has a faculty of experienced instructors to teach a wide range of courses geared towards banks, credit unions, acquirers, issuers and card manufacturers. The course list includes: Introduction to EMV; EMV For Banking Executives; EMV For Journalists; Mobile/NFC; Contactless; Card Payments Instant Card Issuance; Chip Training 1 & 2 day versions; and 3-Day EMV, Contactless & NFC Mobile Fundamentals. The Academy says its services, partner products and training are all developed in compliance with International Card Specifications including EMVCo, VISA, MasterCard, EPCA and MULTOS.

Innometriks, Lumidigm partner for DOD solution

Lumidigm announced that fellow biometric technology developer Innometriks’ Rhino reader, which incorporates an embedded multispectral fingerprint sensor from Lumidigm, is being used by the U.S. Department of Defense to secure outdoor vehicle perimeters, pedestrian perimeters and interior access points. The joint solution was chosen in part for its ruggedness, since the units must process identities in secure areas that are occasionally exposed to extreme weather conditions. In addition to the Rhino reader’s design meeting the Defense Department’s need to remain operational in poor environments, the embedded Lumidigm multispectral fingerprint sensor enables dirty or damaged fingerprints to be read.


CALENDAR

February 2012

Smart Card Alliance 2012 Payments Summit, February 8 – 10, Hilton Salt Lake City Center, Salt Lake City, Utah

RSA Conference USA 2012, February 27 – March 2, Moscone Center, San Francisco, Calif.

March 2012

Cartes in North America, March 5 – 7, The Mirage Hotel, Las Vegas, Nev.

ISC West 2012, March 27 – 30, Sands Expo and Convention Center, Las Vegas, Nev.

April 2012

NACCU 19th Annual Conference, April 22 – 25, Sheraton Seattle Hotel, Seattle, Wash.

May 2012

CTIA Wireless 2012, May 8 – 10, Ernest N. Morial Convention Center, New Orleans, La.

NFC Solutions Summit 2012, May 22 – 23, Hyatt Regency San Francisco Airport, Burlingame, Calif.

September 2012

ASIS 2012, September 10 – 13, Philadelphia Convention Center, Philadelphia, Pa.


Harman, Stollmann bring NFC to auto industry

NFC software provider Stollmann is working with Harman, a global audio and infotainment group, to deliver NFC capabilities to the auto industry. According to Stollmann, the partners will collaborate on a solution to connect the driver’s cell phone with in-vehicle components via Bluetooth and NFC hotspots. As an example, the technology could allow the driver to connect his or her phone to the car’s sound system in order to answer calls over the car’s speakers or play music wirelessly from the same device. All of these features would be accessible in just a click from an infotainment interface provided by Harman, according to Stollmann.

Refugees in India receive smart card identification

The United Nations High Commissioner for Refugees (UNHCR) is distributing smart card IDs to refugees in India. The initiative began in July in New Delhi when the UNHCR started replacing refugees’ laminated certificates with smart cards. The smart card includes a photo and the chip holds encrypted personal information, including biographical data, address and registration date with the agency. For many, the card will serve as their only form of identification and can serve as a protection device against possible arrest and harassment. The UNHCR also hopes that switching to the smart card will give the identification more integrity and protect against fraud. The UNHCR has distributed about 1,500 cards so far to refugees and asylum-seekers ages 12 and up. It hopes to issue 18,000 cards by the end of the year. India has about 21,000 refugees and asylum-seekers, mainly from Afghanistan, Myanmar and Somalia.

Datacard adds security features for financial card issuers

Datacard launched several new software and hardware security enhancements designed to help financial card issuers comply with security audits. The new solutions, which are all configured for the Datacard MX Series card issuance systems, include a software security patch management service, a full suite of Identity Access Management (IAM) features, and other options to increase physical security.

Designed to help card issuers meet the PCI Data Security Standard (PCI-DSS), Datacard’s patch validation and management software service tests all relevant security patches from Microsoft before they are deployed to the field. According to Datacard, once the new software patches are added to the MX Series systems, the systems will support security requirements with no interruption or slowing of the card production process. Other physical security features include a topping foil destruction kit, as well as optional locking tray covers and module hoods designed to prevent unauthorized access to card stock and card personalization supplies. Datacard says its system also provides assistance in securing endpoints to the card issuer’s network by logically disabling USB ports and CD/DVD ROM drives. All Datacard MX Series card issuance systems will now be shipped pre-configured with the recommended security settings.

Confident Technologies develops real-time hacking prevention

Confident Technologies released a new authentication technology that prevents hacking attempts in real-time. Called Confident KillSwitch, it identifies and protects against hackers’ attempts to steal account logins and password resets. The technology collects information in real-time to help businesses quickly respond to attacks. From the user’s perspective, the KillSwitch incorporates the use of image-based secret categories rather than specific password reminder questions. When a user first registers with a Web site, he chooses categories of simple images, such as cats or trees. When logging into the site, pictures from these categories show up on the screen, and the user picks the ones that correspond with his secret categories in order to authenticate. From the Web site side, a merchant or service using Confident KillSwitch also has users choose “no pass” categories. If a hacker attempts to log in with the user’s account and guesses a “no pass” category to authenticate, the system can detect the fraud and automatically lock down the account. Behind the scenes, the technology also gathers information about the attacker to help the merchant fight the invasion. Confident KillSwitch is cloud-based and can be integrated with any of Confident’s image-based authentication products for Web sites, mobile apps and mobile devices.
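As an added illustration of the “no pass” idea described above (this is not Confident Technologies’ code; the image catalogue, category names, card of images and client details are constructed placeholders), the Python sketch below treats a pick from a no-pass category as a tripwire: a genuine user never selects one, so the server locks the account and records the client details for the merchant instead of merely failing the login. The grid is built from every category so that pass, no-pass and neutral distractor images are always present.

```python
import random
import secrets
from dataclasses import dataclass, field

# Constructed image catalogue: category -> image identifiers. Placeholder data,
# not Confident Technologies' product content.
CATALOGUE = {
    "cats": ["cat-01", "cat-02", "cat-03"],
    "trees": ["tree-01", "tree-02", "tree-03"],
    "cars": ["car-01", "car-02", "car-03"],
    "boats": ["boat-01", "boat-02", "boat-03"],
    "flowers": ["flower-01", "flower-02", "flower-03"],
    "bridges": ["bridge-01", "bridge-02", "bridge-03"],
}


@dataclass
class Account:
    pass_cats: frozenset          # categories the user must pick
    nopass_cats: frozenset        # categories a genuine user knows never to pick
    locked: bool = False
    alerts: list = field(default_factory=list)


def build_challenge(rng=None):
    """One image from every category, shuffled, so each grid contains the user's
    pass categories, the no-pass tripwire categories and neutral distractors."""
    rng = rng or secrets.SystemRandom()
    grid = [(cat, rng.choice(images)) for cat, images in CATALOGUE.items()]
    rng.shuffle(grid)
    return grid


def verify(account, grid, chosen, client_info):
    """Check a login attempt. Returns (accepted, reason). Picking any image from
    a no-pass category is treated as evidence the caller does not know the
    secret: the account is locked and the client details are recorded."""
    if account.locked:
        return False, "locked"
    category_of = {image: cat for cat, image in grid}
    picked = {category_of.get(image) for image in chosen}
    if None in picked:
        return False, "image not in this challenge"   # replayed or forged answer
    if picked & account.nopass_cats:
        account.locked = True
        account.alerts.append({"event": "nopass_tripwire", **client_info})
        return False, "tripwire"
    if picked == account.pass_cats:
        return True, "ok"
    return False, "wrong selection"


def demo():
    """Constructed walkthrough: a genuine login, then an attempt that guesses a
    no-pass category, then the genuine user after the lockout."""
    rng = random.Random(7)   # seeded so the walkthrough repeats; real use keeps SystemRandom
    acct = Account(pass_cats=frozenset({"cats", "trees"}),
                   nopass_cats=frozenset({"boats"}))
    grid = build_challenge(rng)
    image_for = {cat: image for cat, image in grid}
    genuine = verify(acct, grid, [image_for["cats"], image_for["trees"]],
                     {"ip": "198.51.100.7"})
    guess = verify(acct, grid, [image_for["cats"], image_for["boats"]],
                   {"ip": "203.0.113.9"})
    after = verify(acct, grid, [image_for["cats"], image_for["trees"]],
                   {"ip": "198.51.100.7"})
    return genuine, guess, after, acct.locked, len(acct.alerts)
```

The design point is that the no-pass categories give the server a signal a plain wrong answer does not: a wrong pass selection could be a typo, but a no-pass pick is something the legitimate user was explicitly told never to do, so it can drive an automatic lockout and an alert record without waiting for repeated failures.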

Citi jumps into EMV fray

Citi announced the launch of the Citi Corporate Chip and PIN card, an EMV compliant smart card designed for U.S. corporate cardholders traveling abroad. The cards were developed in direct response to clients’ need to use their U.S. commercial cards while traveling to regions that have migrated to EMV. Travelers have encountered merchants that will not accept magnetic stripe cards and have also experienced problems at unmanned kiosks where an agent is not available to run the transaction through a point of sale device. With more than one billion chip card users outside the U.S., chip cards are the dominant technology in many parts of the world. The new technology will be rolled out to U.S. clients in a phased approach beginning this month.

New ISO/IEC standard for online protection of biometric data

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released a new international standard to ensure security of biometric data processed online. The new ISO/IEC 24745 standard was created out of a concern for the increasing use of biometrics for online authentication in industries such as health care and banking where personal data could be accessed via one’s unchangeable biometric data. The worry is that if one’s biometric data is compromised, IT departments can no longer depend on the traditional reissuance of online credentials as they can with user names and passwords. One cannot reissue or require a user to change his unique biometric characteristics.

ISO/IEC 24745 lists standards dealing with analysis of threats and countermeasures for biometric systems, security requirements for connecting a biometric profile with a user’s online data, models for different scenarios of the storage of data and models for the protection of biometric data during processing.

Codebench middleware integrates with IDenticard for HSPD-12 compliance

In order to help federal agencies and government organizations comply with HSPD-12, Codebench has integrated its PIVCheck Plus software with IDenticard’s PremiSys access control system. With this integration, PIVCheck Plus now works with more than 23 physical access control software platforms. The PremiSys integration enables users and organizations to validate FIPS 201 compliant credentials in real-time and schedule ongoing compliance. The system also registers PIV, TWIC, CAC and FRAC cards without requiring additional data entry. PIVCheck’s client list includes agencies, ports, petrochemical and military facilities.

BlackBerry smart card reader achieves FIPS certification

Research In Motion’s BlackBerry Smart Card Reader received FIPS 140-2 certification level 3. This Federal Information Processing Standard (FIPS) designation is the highest received to date by any wireless smart card reader on the market and signifies that the product meets advanced security standards such as tamper evidence and self destruction of critical security parameters if the device experiences a breach. The reader is light enough to be worn on a lanyard, and when an ID is inserted it uses two-factor authentication for secure access to BlackBerry smart phones, desktop computers and facilities.




Making the Case FOR FIRST RESPONDER IDS

More states issuing high-tech IDs as business case, technical issues clarify

Zack Martin, Editor, AVISIAN Publications

Officials in southwest Texas wanted to issue physicians a credential that they could use at emergency scenes to validate their identities. “We were going to issue a disaster card,” says Eric Epley, executive director at the Southwest Texas Regional Advisory Council (STRAC). “When a disaster happens your hospital might be cordoned off and we want to issue a card that would give doctors access to the facility.”

This was 2002, shortly after the Sept. 11 terrorist attacks, and first responder organizations across the country were scrambling to figure out how qualified individuals would access future emergency scenes. In the decade that has passed the movement to get high assurance credentials into the hands of first responders has been slow. But that is changing as states and local governments are seeing benefit from the use of interoperable IDs for multiple functions and technology issues are being solved.

STRAC is an advisory group for trauma and emergency health care workers in southwest Texas made up of 62 hospitals and 70 EMS agencies. It was among the first to actually issue IDs, beginning back in 2002. The organization found an interesting way to tackle the demand problem. When Epley approached the security directors at the hospitals they said a disaster card simply wouldn’t work. “Doctors come to the hospital at 2 am and don’t even have their driver license,” he says. But the doctors did always have their parking pass. Since the physicians often worked at multiple hospitals, the sun visors in their cars would be filled with cards enabling access to different parking facilities, Epley explains. “Doctors would have anywhere from five to nine of these cards in their visors,” he says.

So in order to make the disaster card work, STRAC struck a deal with the hospitals in the region to have the credential used for access to all parking facilities. “We built a card management system that connects in real time with all the physical access control systems at the hospitals,” Epley says. STRAC realized an important aspect of a credential to the end user. “If you don’t make their life easier with the card … people won’t carry the card,” Epley says.

Throughout the entire process there has been the PIV-I/FRAC Technology Transition Working Group. Almost half a dozen agencies within Homeland Security partnered to bring the group together. It is comprised of federal, state and local emergency management representatives, many of whom have already implemented secure identity management solutions in their own jurisdictions. The goals of the working group are to provide federal policy makers with a unified state emergency manager perspective on key areas including:

• Federal Emergency Response Official attributes,
• Baseline current identity infrastructure and best practices,
• Technological gaps where Homeland Security’s Cyber Security Division can provide test bed research and development support, and
• State-to-state, state-to-federal and federal-to-state information sharing.

There are other efforts pushing for interoperable credentials for first responders too. In July Homeland Security and FEMA released the National Incident Management System (NIMS) Guideline for the Credentialing of Personnel. This isn’t the first guidance released but it takes a much stronger stance, recommending that state and local first responders issue PIV-I credentials, says Mike Magrath, director of business development for government and health care at Gemalto. The guidance can’t mandate that states issue PIV-I credentials to first responders but it’s the strongest endorsement yet, Magrath says. “The underlying theme from the NIMS guidance is trust, consistency and interoperability,” he says. “You get all three of these things with PIV-I.” The key to convincing states and locals to adopt is making sure the credential has utility beyond the disaster scene, Magrath says. If the token is used for more than one purpose and can address some of the jurisdiction’s other identity and credentialing concerns, the cost can be better justified. “The credential needs to be used for multiple purposes,” he explains. “Local governments won’t have to issue flash badges, prox cards or one-time passcode tokens anymore if they go with PIV-I.” This is the lesson the PIV-I/FRAC Technology Transition Working Group is preaching as well, says Craig Wilson, an employee at Unified Industries and a contractor to FEMA.

Having the credential used for more than one purpose can help justify the cost of the project, Wilson says. “States are able to save money by deploying standards-based technologies,” he explains. This is how STRAC was able to get the credentials in the hands of their first responders, says Epley. The parking pass resonated with the physicians because it eliminated complications for them. Epley reassured the individual hospital security directors that while the identity with the card would be “global” they would still control the local access. Typically the card enabled access to the parking structure and the physician’s lounge. “The card doesn’t automatically get them into every door,” Epley explains. “It doesn’t work at a hospital if you’re not affiliated, and hospitals can remove individuals from their access control system as needed.” The links between the systems had to be built because multiple access control systems and card technologies were in place at the time. Since the hospitals weren’t willing to swap out card readers, the new IDs relied on magnetic stripes and bar codes to facilitate physical access functions, Epley says. While physicians were the first to receive these cards they were eventually issued to 12,000 medical personnel and first responders.

History lesson

After the airplane hit the Pentagon numerous first responders from various jurisdictions arrived at the scene. There was no way to know what each was qualified to do or if they were qualified to be there at all.

In 2005 Hurricane Katrina reinforced the need for an interoperable ID. Physicians, nurses and other emergency workers were precluded from performing the tasks they were qualified to do because there was no way to confirm their training.

The first responder access credential could change all this. The smart card ID would store the cardholder’s biometric as well as other identifying information. In event of a disaster a first responder would show up at the scene, present the credential and authenticate with a biometric or PIN on a handheld device. Their identity and qualifications would be verified so their skills could be put to best use.

This has been the idea behind the credential. Many states investigated the credentials, but it’s only been the last couple of years where real progress has occurred, especially with PIV-I. The final PIV-I specification, which many jurisdictions wanted to use, was released in May 2009, giving all those involved the same starting point. But budgets are tight and when it’s between a new fire truck or firefighter IDs, there seems to be just one choice. But monetary grants and additional use cases are convincing more jurisdictions to deploy the IDs.

State and local participants in the PIV-I/FRAC Technology Transition Working Group

• Colorado
• Maryland
• Virginia
• District of Columbia
• Missouri
• Southwest Texas
• Pennsylvania
• Chester County, Pa.
• Pittsburgh
• West Virginia
• Hawaii
• Rhode Island

Homeland Security wants PIV-I for first responders

The Department of Homeland Security and the Federal Emergency Management Agency (FEMA) released the “National Incident Management System Guideline for the Credentialing of Personnel.” This document describes credentialing processes that emergency response officials and managers at all levels of government may use to facilitate multi-jurisdictional coordinated responses. Through this guideline, DHS and FEMA encourage interoperability among federal, state, local, territorial, tribal, and private sector officials in order to facilitate emergency responder deployment. This is an updated version of a document from 2008, says Mike Magrath, director of business development for government and health care at Gemalto. One of the differences between this and the previous document is the endorsement of PIV-I. The previous guidance mentioned the standard but this one recommends that first responders actually use it. FEMA can’t mandate that anyone outside the federal government use PIV-I but this is the strongest recommendation thus far, Magrath says. The PIV and PIV-I solutions are recommended because they resolve four core process and technical barriers to establishing interoperability in identification and access control systems:

• Common terminology
• Technical requirements for how identity cards/media interact with controlling infrastructure
• A system of unique identifiers that enables individuals and organizations to be recognized across all identity cards and media
• Processes that enable issuance that supports the requisite level of trust in the identity of the holder, as well as attributes and privileges where applicable.

If jurisdictions deploy interoperable credentials it can help provide confidence that the personnel and resources provided under mutual aid match the request, the NIMS document states. Credentialing can also help ensure that both requester and supplier are using the same criteria to certify personnel. It can alleviate one concern from communities already struggling with the effects of a disaster.




In 2008, six years after the initial magnetic stripe IDs were issued, STRAC started to look at smart cards that would use the FIPS 201 and PIV-I standards. Where the initial focus had been physical access, this time the driver was logical access. Since most physicians worked at more than one hospital they had to remember user names and passwords for the various systems. The idea of one credential to access all the different hospital networks was appealing to the doctors, Epley says. It was also appealing to the hospital CIOs who could grant or revoke access via a digital certificate.

cords and the barcode or magnetic stripe for physical access needs. Epley estimates the cost to produce each PIV-I STRAC-ID smart card between $25 and $30. Other hospitals in the region are following suit, sponsoring their staff so that STRAC can issue them IDs based on specific business rules. This standardized process ensures that all stakeholders trust the credentials, the asserted identity of the individual is correct and the system is credible. In all of this, STRAC plays the coordination role among the different health care systems. Penn. county drives FRAC use with IT login

STRAC is piloting the PIV-I credentials with 3,000 physicians who currently use the smart card for logical access to electronic health re-

30

Winter 2011

Chester County Pennsylvania has also issued credentials to first responders. Like its Texas counterpart, it too is working to ensure that

first responder’s don’t receive the ID and the throw it in a drawer until there’s an emergency, says Robert Kagel, deputy director for emergency management at the Chester County Department of Emergency Services. The county is still in the process of getting credentials on the street, but officials are already working on policies to encourage first responders to use the cards, Kagel explains. Police officers will be using the ID to logon to the Pennsylvania law enforcement databases using certificate-based authentication. The county will also change some of the IT systems so the credential can be used for network login. “We’re really trying to incorporate it into everyday use,” he adds.


An open standard for exchanging and verifying attributes One of the technical hurdles for the first responder access credential is how to securely and efficiently indicate an individual’s attributes and training via the credential. These certifications and training can change often so updating the information on the credential is key. One focus of the PIV-I/FRAC Technology Transition Working Group is providing jurisdictions with an open standard so they can share and verify attributes from the first responders, says Karyn Higa-Smith, program manager for identity management at DHS’ Science and Technology Directorate. Defining and verifying attributes – what the first responders are qualified and trained to do in the field – has been a difficult obstacle.

Citi entering identity business Citi Corp. is getting into the identity business with plans to issue PIVI credentials to government contractors and perhaps event financial account holders, says David Belchick, head of public sector identity at Citibank’s Global Transaction Services. Citi was certified to issue PIV-I credentials in April and is now unveiling a managed service offering that it calls Identity Plus. Belchick says it’s a good fit for the company’s multi-national corporate clients. “Having wet signatures and sending things via DHL is bad enough here in the United States,” says Belchick at the September Interagency Advisory Board meeting. “But when you’re talking about India, China, places like that, it’s expensive and it’s hard to facilitate.” The financial services company’s first client for the new service is the U.S. Army Reserve Command. USARC wants physical access credentials for its entire contractor base – 280,000 employees – within two years. Qualified contractors who already carry the Defense Department’s Common Access Card won’t need the new credentials, says Belchick. Citi is also tracking the health care market, he says, including the legislation proposing a Medicare common access card. Bills introduced in the House and Senate would set up a pilot program for developing a Medicare smart card to cut down on fraud. From there it’s not far to take PIV-I to consumers and corporations. The organization is looking at delivering identity applications to existing plastic. That includes upgrading some mag stripe cards to not only EMV for corporate cardholders who travel overseas, but adding Identity Plus where Citi will work to combine PIV-I, payment applications and mobile. Belchick sees the mobile platform as the long-term hub of identity. But he says problems with identity on the Internet will look insignificant when the industry starts talking about the explosion of identity on smart phones. 
“I think the problem with mobility and smart phones is going to be compounded five or tenfold over the problems we’re having with identity on the Internet with desktops and laptops,” he explains. While payments are becoming a key application in mobility, Belchick doesn’t think they will truly become mainstream without a good foundation in identity. He says Citi is making investments toward strongly linking identity to payments in the mobile world. Since PIV and PIV-I are based upon high-levels of assurance, they could become more commonplace as society migrates to smart phones. Ultimately, Belchick says consumers will drive the migration. To this end, he says, industry hasn’t done a good job of making consumers want to improve their security. Winter 2011

31


With the PIV-I standard there is no defined way to store these attributes on the smart card. The working group will be testing a way for these attributes to be stored in a database and synched with handhelds at disaster sites. This had been possible previously but only using expensive, proprietary technology that was deployed by only a handful of participants. The open standard the working group is testing will enable any jurisdiction to deploy this type of system, says Higa-Smith. Chester County is one of the participants in this test, says Kagel. County officials started looking at some type of credential in 2006 because of its proximity to Maryland and Delaware. “In southeast Pennsylvania everyone is an interstate responder,” he says. Early on all the solutions were proprietary and Chester County wanted an open system, Kagel says. “You needed certain software to read certain bar codes,” he explains. “What we really like about PIV-I is the interoperable framework. If you’re from Chester County but end up in Colorado it can be read and verified.” The attribute piece for the first responder credential has been difficult to tackle. Commanders at a scene need to have more information than just whether an individual is a firefighter or an EMT. And when trying to coordinate personnel from several different jurisdictions and possibly even states it can be difficult figuring out what individual’s are qualified to do. “I need to know if you’re an interior firefighter or an exterior firefighter. Where are you qualified to work?” Kagel explains. “By being able to go to the granular level and marry training with job titles it helps at scenes.” In order to get the desired level of detail Chester County created a new system that stores this information along with all training and certification, Kagel says. The county is working with the DHS working group so it could be used as a model across the country for other jurisdiction. 
In a separate initiative, the state of Pennsylvania is creating a system that will electronically store and verify training and skills for first responders. “If we get a certification we will electronically validate it,” Kagel says. When these systems are fully in place, a first responder will insert the PIV-I card in a handheld, authenticate using either a fingerprint or PIN, and his training and certification will be displayed. The handhelds will be updated from a backend database every 18 hours so officials will know if qualifications have changed or been suspended.

Chester County has 200 credentials in the field now and is working to roll out 5,000 cards by the second quarter of 2012, Kagel says. Eventual plans are to issue 50,000 credentials. Police, firefighters, Hazmat and emergency management are the first phase. Public health, public works, hospitals and finally critical infrastructure will follow.

Virginia’s FRAC

The Commonwealth of Virginia started down the first responder credential path in 2005, shortly after the FIPS 201 specification was released, says W. Duane Stafford, statewide credentialing coordinator for the state. “We tried to the best of our ability to issue a card that would comply with FIPS 201,” he says. Since there wasn’t a PIV-I spec at that time, this was the best Stafford could do. Virginia issued 2,300 credentials to emergency responders in Arlington County and the City of Alexandria so they could gain access if there was an emergency at the Pentagon or elsewhere in the capital region.

The commonwealth is moving forward with a PIV-I solution now and is issuing 13,000 credentials in the Hampton Roads area, Stafford says. An issuing station has been set up in Hampton Roads for first responders to receive credentials. After being sponsored, individuals can come into the center for enrollment and receive their credentials, Stafford says.

Funding these projects can be difficult. Virginia, and most of the jurisdictions involved with the Homeland Security working group, have been receiving federal grants to assist with the programs. Funding will continue to be an obstacle for first responder credentialing programs as state budgetary struggles persist. But the case for the credentials is getting stronger as first responders use the IDs for additional important functions. This, in turn, enables the expense to be more readily justified.


Get security and convenience... along with durability, performance and a compelling ROI. With Lumidigm, you don’t have to compromise. We call this the Lumidigm Advantage™. Quite simply, our patented multispectral imaging approach to user identification is the best there is. Lumidigm technology was specifically developed to address the shortcomings of conventional sensors that force users to choose between security and convenience. For more information about the Lumidigm Advantage, visit www.lumidigm.com. We are available at +1 (505) 272 7057 and sales@lumidigm.com to answer your questions.

What it takes to issue PIV-I credentials

How an organization gets certified to issue these high-assurance IDs

In the early days of finance in England, bankers would routinely write letters of introduction for customers so they could access credit in other parts of the world. “If you had an account in good standing with a bank in England you would be given a letter of introduction and when you sailed to the new world you would use it to get a loan,” says Jeff Nigriny, CEO at CertiPath.

Today’s new world is online and identity credentials now take the place of these letters from hundreds of years ago. CertiPath enables other organizations to issue high assurance PIV-I credentials so that individuals can be trusted in this new online world. “It’s not that a relying party knows who I am directly or even explicitly, it’s about trusting the issuer of the credential,” Nigriny explains.

Recently, CertiPath has taken financial services provider Citi through the process, as well as HID Global. Both organizations are now certified to issue PIV-I credentials. Other organizations are also working to become certified, Nigriny says.

The market potential for PIV-I is enormous, with as many as 54 million credentials anticipated. Many of these will go to federal contractors, but there is also a market for first responders and health care workers. Additionally, Citi announced plans to issue high-assurance credentials to its customers as well. With the National Strategy for Trusted Identities in Cyberspace and efforts to secure online identities in motion, PIV-I has been discussed as a possible option for citizens.

The road to PIV-I certification begins with paperwork, says Judith Spencer, chair of the Policy Management Authority at CertiPath. A company must explain its intent and how its PIV-I system will operate. “At this stage we are trying to make sure the request is coming from a legitimate potential issuer,” explains Spencer.


From there the request goes to CertiPath’s Policy Management Authority, an advisory group consisting of the existing CertiPath-enabled issuers. The group provides non-binding views to CertiPath on policy, technology and business practices related to the Bridge Certification Authority and on approval of applicants for cross-certification. Members of this group, through CertiPath, have credential interoperability and have been cross-certified with the federal bridge through a common trust framework, Spencer says. “The members administer the framework and they’re able to see each other’s policies,” she explains. “That’s how we maintain the mutual trust.”

After approval from the authority the organization enters into a policy mapping service agreement, which states that CertiPath will provide services that may lead to cross-certification. Then it’s a process of more back and forth. The company needs to provide a certificate policy and, if it plans to offer encryption, a key recovery practice statement, Spencer says. CertiPath then maps the company’s certificate policy to its own. “It’s not about compliance but conformance and having compatible processes,” Spencer explains. “They don’t have to do it like we do it but we have to get the same results.”

CertiPath goes through the policy and provides a mapping report. “It contains questions we have or requirements that are missing or inadequately covered,” Spencer says. For example, a common issue is the audit process. CertiPath requires that an organization keep logs of the system and review them every two weeks. “From the time you flip a switch to turn on your certificate authority to when you turn it off everything needs to be continually audited for anomalies,” Spencer says. CertiPath returns the results of the mapping to the company, and the back and forth continues until the company’s certificate policy maps to CertiPath’s without open findings. After the mapping is accepted the company needs to write a certification practice statement (CPS). This is the organization’s standard operating procedure: how the service will be operated and how the certificate authority will comply with the certificate policy. For example, if the certificate policy says there is a secure facility that is protected from unauthorized access, the CPS would describe the facility and the credentials required for access to facilities and offices.

After that’s completed the organization must hire a third-party auditor experienced with PKI systems, Spencer says. The auditor reviews the certification practice statement and makes sure it satisfies the certificate policy. If this is a new service and the organization doesn’t have any credentials issued, a “day zero audit” is performed. The auditor looks at the physical environment where the credentials will be stored and issued, the operations, the personnel and the separation of duties. “The auditor is going to make sure people are actually doing what’s in the document,” she says.

While the audit is taking place, testing is done on the credentials the company wants to issue. The organization issues the four certificates and PIV-I compliant smart cards to CertiPath for testing, Spencer says. They are tested in CertiPath’s lab to make sure the certificate profiles are correct. Officials from the Federal PKI Authority are brought in to observe the tests. The smart card has to be fully populated with the certificates, biometrics and containers, Spencer says. “It has to be a real operational card,” she adds.

CertiPath runs a suite of PIV-I tests on the card to make sure it operates correctly. If errors are found, a report with explanations is delivered to the company. The look of the card is scrutinized during this process. “It must be visually distinguishable as a PIV-I card so it doesn’t appear to be masquerading as a PIV card,” Spencer explains.

Results of this testing, along with the documentation of the applicant’s key recovery system, go to CertiPath’s Policy Management Authority. The group reviews the results and votes on whether the organization should be certified. From start to finish the process takes between six and twelve months, depending on how quickly an organization can turn around documents and make the necessary changes, Spencer says.

But that doesn’t mean they’re done with the reports. After six months of issuing credentials a full operational audit has to be performed and submitted back to the Policy Management Authority. If the company hasn’t issued a significant number of credentials in that first six months it can get another six-month extension. But operational audits are required for all organizations every 12 months.

Defining the terms:

Policy management authority: An advisory group created by CertiPath that provides non-binding input on policy, technical and business practices related to the Bridge Certification Authority and approval of applicants for cross-certification.

Certificate authority: Core to a Public Key Infrastructure, the purpose of these trusted third parties is to issue digital certificates for use by other subordinate authorities, organizations, or individuals.

Certificate policy: A document that defines the various actors in a PKI, their roles and their duties.

Certification practice statement: An organization’s standard operating procedure on how the service will be operated and how the certificate authority will be compliant with the certificate policy.

Policy mapping service agreement: An agreement that identifies the appropriate assurance level for interoperability between all parties.


Countries adopt biometrics for voter ID, fraud prevention

Nigeria, Brazil choose fingerprint to help secure elections

Jill Jaracz, Contributing Editor, AVISIAN Publications

A number of countries have turned to biometrics as a solution to prevent voter fraud during national elections, and they’ve met with surprising success.

California-based DigitalPersona is assisting two countries trying to maintain fair and democratic elections. Founded in 1996, DigitalPersona started with the belief that the fingerprint reader would be the next must-have computer peripheral. While that has not yet panned out, the company has found that biometrics can “guarantee secure authentication in civil identification,” explains Chris Trytten, director of product marketing for DigitalPersona.

A fingerprint is “something you are,” says Trytten, adding that with a fingerprint you can prove you were definitely at some place at some point in time. Biometrics create an inexpensive, effective one-to-one relationship between the person and the entitlement, and don’t depend on the recipient being literate, says Trytten. DigitalPersona developed a product called Civil ID to help governments identify individuals through fingerprints. According to Trytten, Civil ID has historically been a high-end system designed for border control, civil documents and law enforcement. However, some have started to adopt the product as a way to provide secure voting and government services by reducing fraud.

Nigeria requires biometrics for recent national elections

DigitalPersona’s Civil ID service was an instrumental part of Nigeria’s 2011 national elections. “In Africa, a lot of countries are embracing democracy,” says Trytten. Unfortunately, he explains, many do not trust the election process, and elections often lead to civil unrest or even war. “The foundation for democracy [necessitates] secure voting systems to provide results people trust,” says Trytten.

Nigeria became a democracy in 1999, but subsequent elections suffered from voter fraud as people voted more than once and ballots were cast in the names of dead and fictitious people. In an effort to break this cycle, Nigeria’s Independent National Electoral Commission (INEC) decided to integrate biometrics into the voter registration process. INEC selected three vendors – Zinox Technologies, Ltd., Haier Electrical Appliances Corp. Ltd. and Avante International Technology Inc. – to provide voter registration systems. Each used DigitalPersona’s fingerprint readers to authenticate voters. The new system was used in the April 2011 national election.

To prepare for the election INEC began a nationwide voter registration drive in January 2011. DigitalPersona provided 132,000 fingerprint readers to the local and international integrators of the Nigerian Direct Data Capture System. To register voters, INEC set up registration stations across the country. Voters gave the registrars their personal information, had a photograph taken and had all ten fingerprints captured. Upon completion of the registration process, voters received a photo ID card. INEC was able to register 73 million voters across the country, nearly half of the country’s 152 million people. Those who had not enrolled were prohibited from voting.

When casting a ballot, a voter showed the card at the polling location. The registrars accessed the voter’s record, matched the face to the photograph, and captured a fingerprint. This new print template was compared to the template originally enrolled in the voting record and stored in a central database. Using the unique ID number on the photo ID card, the system is able to perform a rapid one-to-one match.

Bipartisan observers and citizens agreed that the election was fair. “It was a large event for Nigeria,” says Trytten. “There was some violence, which was to be expected, but the results were trusted and there was no civil unrest.” The Nigerian voting system was estimated to cost $230 million.

Brazil trials biometrics in preparation for national rollout

Brazil has also embraced the use of biometric readers for voting. In 2008 DigitalPersona began working with Diebold, the electronic voting system provider, to provide its U.are.U fingerprint readers for Brazil’s elections. The Brazilian government piloted the Diebold/DigitalPersona solution during the 2008 elections in three small cities. Based on its success, it was rolled out in all cities with populations of up to 10,000 for the 2010 election. DigitalPersona delivered 180,000 fingerprint readers in three months to meet the election deadline.

“[The Brazilian government] went to great lengths to make this transparent,” says Trytten. The process was completely audited, with a group of people who examined the software and hardware and digitally signed it to ensure its legitimacy. Another way the Brazilian government worked to keep its elections secure was to capture the voting results locally and not via networked devices. Instead votes are stored on memory cards, which are then turned in to authorities when the election closes. “Votes can’t be intercepted over a network,” says Trytten.

While the number of Brazilians enrolled in the fingerprint system is low – only seven percent of the population – the government continues to enroll citizens. Voting is mandatory in Brazil, and if someone doesn’t vote they can be fined. Citizens receive a summons to be enrolled into the system.

Brazil plans to convert its entire voting system to electronic voting stations by 2018, says Trytten. “These systems are evolving. I see this as a work in progress,” he says.

That both the Brazilian and Nigerian elections ran smoothly is a sign of the biometrics’ success. “[In Nigeria] there were early reports of sensors not working. That was a software issue,” says Trytten. “They worked well once the bugs were ironed out. We discovered issues before the deadlines and were able to respond to them quickly.”

The Nigerian elections clearly succeeded in combating voter fraud. But Trytten says that in Brazil, “it’s hard to know what fraud was stopped, but the measure that I use is whether or not the press and community reviews deemed it a success.” He explains that there were no accusations of fraud and no recounts. “That’s a huge transition,” he says, “and by those indications, they were successful.”

Both governments were reportedly pleased with the electronic fingerprinting systems. A lot is at stake if those involved can’t agree on election results. “We’re talking about avoiding warfare and violence … this is a tremendous step for these countries,” says Trytten.

Pakistan looks to biometrics to prevent electoral fraud

Election authorities in Islamabad, Pakistan are working on a new voting system that would include biometrics to impede fraudulent voting. They plan to introduce a system that would include ballot papers inscribed with a watermark, magnetic ink stamps for voters and biometric authentication. The new system would better identify attempted voter fraud. According to an article from The Express Tribune, fraud was a significant issue in the 2008 general elections when more than 37 million bogus votes were cast from a population of just 81 million Pakistani registered voters. In addition to the new technological assurances for a cleaner election, voters in Pakistan would face stiff penalties – including fines and a minimum of three years in prison – if discovered attempting to defraud the electoral system.


The business case for health IDs

Smart card supporters cite quicker reimbursements, easier claims processing

Gina Jordan, Contributing Editor, AVISIAN Publications

The health care market is riddled with identity management and authentication challenges, but smart cards may be poised to change that. Health care organizations face a myriad of obstacles when it comes to security, identity verification and authentication of staff, says Michael Magrath, director of business development for government and health care at Gemalto. These include controlling physical access to secure areas of the hospital and strengthening network access to sensitive electronic health records and billing information. Some institutions have responded by issuing smart card-based identity credentials to caregivers for physical and logical access.

Magrath serves as chair of the Smart Card Alliance Health Care Council. For a recent webinar, the council brought together a group of presenters leading the charge for strong authentication in the health care industry.

Initiatives from Washington are also impacting the industry. Earlier this year, the US Department of Health and Human Services’ Health IT Privacy and Security Tiger Team recommended that two-factor authentication be required for individuals remotely accessing electronic health records for the purpose of sharing them with another provider. Realizing that at some point providers outside the federal government will access health information stored in federal databases – such as those of the Centers for Disease Control and Prevention or the Veterans Administration – the Tiger Team recommended that the digital certificates be issued by a certificate authority that is a member of the Federal Public Key Infrastructure framework.

“The safest and most secure two-factor authentication methods are based on smart card technology where a tamper resistant chip with security software is embedded into the card or token or even a mobile device like a phone,” Magrath says. “This is the same technology that’s used in today’s electronic passports and federal government IDs … they are used to access the most secure networks in our country.”

When it comes to patient identity there’s an identity crisis, Magrath says. ID cards issued by private and public insurers don’t prove patients are who they claim to be. Personally identifiable information is printed on the face of the card, including name, date of birth and sometimes Social Security number. Strong authentication of identity is a critical step in addressing fraud and medical identity theft.

Several health care organizations in the U.S. are tackling the issue of patient identity with smart card technology. Doing so can help reduce medical identity theft and bring efficiencies to existing health care administration systems, says Magrath. “Identity and authentication solutions based on this technology will provide an ideal foundation for improving the security and privacy of health information systems and electronic health records,” he adds.

David Gans, vice president of innovation and research at the Medical Group Management Association (MGMA), describes the benefits of the patient smart ID card from the perspective of the practice. Smart cards bring a return on investment and can change how a patient is received, how claims are processed and how the practice interacts with insurance companies. They also lower administrative costs because organizations become more efficient. “If you’re going to reduce the administrative cost to a practice, an organization needs to look at how to reduce the time interacting with insurance carriers to get appropriate payment for the services provided to patients,” Gans says.

The MGMA looked at ways to reduce administrative costs by using smart cards. The group’s data assumes a general practice with an average of fifteen patients per doctor, per day. The study found that without smart cards, around 5% of the practice’s 3,000 claims per year are rejected by the payer because of incorrect demographic information. Research shows it takes about 642 hours of staff time each year to manually register patients and handle rejected claims. Using smart cards, it takes just a quarter of the time: 158 hours.

Smart cards bring the value of increased accuracy, lower costs and higher profits for the practice, Gans says. Everyone benefits. Patients have less hassle from denied claims. Providers save money on labor and supplies and are paid more quickly. Insurers are better able to automate the processing of claims and have less manual work to do on rejected claims.

Wyckoff Heights Medical Center in Brooklyn, N.Y. started offering patients a medical information smart card early this year. The change brings benefits including the ability to instantly and accurately identify patients, says Rajiv Garg, president and CEO at Wyckoff. Chronic disease is rampant in the community Wyckoff serves, bringing a lot of repeat visits from patients. The smart card reduces registration time, diminishes duplicate records and cuts down on medical and billing errors. The smart card also builds patient loyalty to Wyckoff. Wyckoff’s identity smart cards are used to track, improve and prevent unnecessary hospitalization. Patients can also sign up for alerts reminding them about clinic appointments, medication times and blood glucose checks.

Garg says smart cards have been around for years and using them takes a leap of faith, but it’s not a big valley to cross. “Don’t be afraid of implementing,” he says.

Smart cards can equal time savings

Health care providers and payers spend a lot of time and money verifying patient identity and eligibility for insurance coverage, and the quality of patient care can be negatively impacted. Dr. James J. James echoed that premise with findings from his work as director of the Center for Public Health Preparedness and Disaster Preparation with the American Medical Association (AMA). Work by the AMA in the smart card arena grew out of experiences from Hurricane Katrina. Of the 1.5 million people evacuated during the storm, an estimated 40% were taking prescription medications. About 100,000 evacuees had been previously diagnosed with mental illness. Health care providers encountered serious obstacles as they tried to assist these patients. Approximately 5% of the individuals could not be identified. Many people fled without their wallets and others were simply unable to offer any information about their identity. About half of the evacuees were suffering from chronic conditions and fled without their prescriptions or quickly ran out of medicine. “The major goal was understanding what their prescription history was so that we would have some basic medical information to treat them,” James says.

The AMA applied for a grant from the CDC to research what to do the next time such a situation occurs. The CDC responded with funding for a health security card project. Part of the project included focus groups to help researchers determine what is most acceptable to the population in terms of medical data that should be made available in a crisis and the best platform for that data. They looked at existing products. Participants liked the idea of having a paper record but decided paper is hard to update and is not durable. Key chains were too bulky, and cell phone and computer use differed greatly by age and culture. USB drives were also considered, but there were security concerns. Overwhelmingly, participants favored the smart card.

“We began our work looking at disaster situations,” explains James. “Not only did individuals want something with them in a major event, they also wanted it available for everyday emergencies whether it was a car accident or some other type of more limited event.”

The health security information card pilot will be finished in a few months. James says they aim to determine the acceptability of use and the actual use. The final piece will be public opinion on utility and convenience. While the AMA awaits this public opinion, more and more provider organizations are recognizing that identity matters. Not only can it save them money but also make it easier for them to do their jobs while also offering better care.


Tech 101: Contactless smart cards

A primer on radio frequency identification

For more than two decades, the contactless card has been a key tool in managing security, access and payments. Whether it’s used to open doors, facilitate public transit ticketing or manage multiple applications, contactless has become an essential element in many environments. But how does the technology enable all these uses without ever touching a reader?

Contactless cards use radio waves of specific frequencies as carriers for communication. Bryan Ichikawa, vice president for Identity Solutions at Unisys, explains that when used for identification applications radio frequencies come in three basic categories: low frequency, high frequency and ultra-high frequency. Each has a set of ideal applications.

Low frequency (LF) proximity cards operate at 125 or 134 kHz. These lower cost, lower security cards are typically used for door access applications.

High frequency (HF) products operate at 13.56 MHz and include the common ISO 14443 and ISO 15693 standards. The vast majority of ID credentials are high frequency, says Ichikawa, adding that things like passports and bank cards use the ISO 14443 standard.

Ultra-high frequency (UHF) operates at 433 to 953 MHz and has a longer range. “These cards can be read at 30 feet, but 10 to 15 feet is good accuracy,” says Ichikawa. UHF cards also work on different frequencies depending on geography and the allocation of spectrum by the global standardization bodies and governments. UHF is commonly used in RFID tags for logistics applications and asset tracking.

Contactless components

The key component in a contactless card is an embedded integrated circuit (IC) chip that contains the applications and data that make the card functional. The chip is either a microprocessor with internal memory, or a memory chip with non-programmable logic. The components within the IC store, transmit and process data. A contact smart card also has an IC chip, but it is exposed on the card’s surface. In order to be read, it must be inserted into a card reader where physical contact enables the chip to power up and communicate.

In a contactless card, the chip resides completely within the card’s body. Because the chip isn’t exposed, it cannot be read via contact with a reader. Instead, the card only needs to come within proximity of the reader to be powered up. Inside the card an antenna coil is connected to the chip, eliminating the need for an internal power source. “The major feature [of contactless] is that it has no battery … it’s powered by the field of the reader,” says Martin Gruber, segment director for the Transit Team at NXP.

An extra benefit is that the IC lasts longer because the plastic protects it, unlike the contact chip, which is exposed to the elements. “[The embedded chip] has a longer lifetime span of four to five years,” says Abu Ismail, senior engineer, Customer Application Support for NXP, adding that a contact chip’s lifespan is about two years.

The other part of the contactless system is the card reader. The card relies on the reader as both a power source and the means by which the card shares data. The reader has a primary coil and a secondary coil that generates a magnetic field, says Ismail. When the card enters the reader’s magnetic field, it draws the power it needs to turn on. As the card is held in proximity to the reader, it transfers data to the reader. With the radio frequency connection there is no limit to the amount of data that can be exchanged between the two, but the speed at which data can be transferred varies. Ismail says an NXP Mifare card supports data rates up to 848 kbit/s.

Contactless cards are also equipped with a unique identification number (UID) that enables the reader to properly identify them. This is important in case of collision, when multiple cards try to talk with a reader at once. “It’s like three kids in school. You say, ‘Tell me your name,’ and they all speak at the same time. Then you ask them to go alphabetically to get them to speak [one at a time],” says Ismail. “In a similar process, the reader is sending the command, ‘Give me your unique ID,’” explains Ismail. If all cards answer at the same time, anti-collision processes enable identification to occur one card at a time. The identification of a specific card happens much quicker than getting children to respond one at a time. “If you have one card, the detection is 3 to 3.5 milliseconds, depending on the size of the UID,” says Ismail. Adding two cards at the same time adds an additional 2.5 milliseconds, and two more cards adds another 2.5 milliseconds to reading time.

In terms of security, Ismail says a contactless card can support two different types of algorithm, the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). DES operates on 64-bit blocks; the 192-bit figure associated with it is the key length of three-key Triple DES, the DES variant found on current cards. AES, which is regarded as the stronger of the two, operates on 128-bit blocks. The type of security within the card depends on the application for which it’s used, says Ismail. Each encryption standard secures the data on a card in a different way.
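The anti-collision exchange Ismail describes is specified in ISO/IEC 14443-3 for Type A cards as a bit-by-bit walk down the UID. The simulation below is an added example, not code from the article or from NXP: it models a reader and several cards exchanging ANTICOLLISION frames, spots the bit positions where the cards’ answers differ, and resolves the cards one at a time, the way the reader singles out one child after another in Ismail’s analogy. The UIDs are constructed sample values; the “take the 1 branch” rule at a collision and the single-size (4-byte) UID with its BCC check byte follow the standard, while frame timing and the halting of a selected card are simplified.

```python
"""Simulation of ISO/IEC 14443-3 Type A bit-frame anticollision.

Added example; not code from the article or from NXP. Models a reader (PCD)
resolving several cards (PICCs) that answer the same ANTICOLLISION command.
Only single-size UIDs (4 bytes, cascade level 1) are modelled, and the
sample UIDs used below are constructed values.
"""
from __future__ import annotations

from typing import List, Optional, Tuple

UID_FRAME_BITS = 40   # uid0..uid3 plus the BCC check byte: 5 bytes on the air


def bcc(uid: bytes) -> int:
    """Block Check Character: XOR of the four UID bytes, appended by the card."""
    if len(uid) != 4:
        raise ValueError("single-size UID must be 4 bytes")
    out = 0
    for b in uid:
        out ^= b
    return out


def frame_bits(uid: bytes) -> List[int]:
    """UID CL1 frame as transmitted: each byte least-significant bit first."""
    frame = uid + bytes([bcc(uid)])
    return [(byte >> i) & 1 for byte in frame for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of frame_bits for whole bytes (LSB first within each byte)."""
    return bytes(sum(bit << i for i, bit in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits), 8))


class Card:
    """A PICC in READY state that answers ANTICOLLISION frames."""

    def __init__(self, uid: bytes) -> None:
        self.uid = uid
        self.bits = frame_bits(uid)

    def respond(self, prefix: List[int]) -> Optional[List[int]]:
        # The reader sends the UID bits it already knows (NVB = number of valid
        # bits). Only cards whose UID starts with that prefix answer, and they
        # send just the remaining bits of their UID frame.
        if self.bits[:len(prefix)] != prefix:
            return None
        return self.bits[len(prefix):]


def anticollision_round(cards: List[Card]) -> Tuple[bytes, int]:
    """One cascade-level-1 anticollision loop against the cards in the field.

    Returns (UID of the card left standing, number of ANTICOLLISION frames the
    reader sent). A lone card costs one frame; each collision costs one more.
    """
    known: List[int] = []
    frames = 0
    while len(known) < UID_FRAME_BITS:
        frames += 1
        answers = [a for a in (c.respond(known) for c in cards) if a is not None]
        if not answers:
            raise RuntimeError("no card answered the prefix; card left the field?")
        # The reader hears every answer superimposed. Where all cards sent the
        # same bit it learns that bit; where both 0 and 1 were sent it detects
        # a collision (Type A's modulation makes the mix visible to the PCD).
        for pos in range(len(answers[0])):
            heard = {a[pos] for a in answers}
            if len(heard) == 1:
                known.append(heard.pop())
            else:
                # Collision: pick one branch (1 here, a common reader choice)
                # and re-send ANTICOLLISION with the longer prefix.
                known.append(1)
                break
    uid, got_bcc = bits_to_bytes(known[:32]), bits_to_bytes(known[32:])[0]
    if got_bcc != bcc(uid):
        raise ValueError("BCC mismatch: corrupted UID frame")
    return uid, frames


def select_all(uids: List[bytes]) -> List[Tuple[bytes, int]]:
    """Resolve every card in the field, in the order the reader selects them.

    Each entry is (uid, frames). After a card is selected the reader sends it
    HLTA (halt) so it stops answering; the loop then runs for the rest.
    """
    cards = [Card(u) for u in uids]
    order: List[Tuple[bytes, int]] = []
    while cards:
        uid, frames = anticollision_round(cards)
        order.append((uid, frames))
        cards = [c for c in cards if c.uid != uid]   # halted cards drop out
    return order


if __name__ == "__main__":
    # Constructed sample UIDs: two share a 2-byte prefix, the third differs in bit 0.
    field = [bytes.fromhex("04a12233"), bytes.fromhex("04a15c33"), bytes.fromhex("8b112233")]
    for uid, frames in select_all(field):
        print(f"selected {uid.hex()} after {frames} ANTICOLLISION frame(s)")
```

Run stand-alone it prints the order in which the three constructed cards are selected and how many ANTICOLLISION frames each took; every collision costs the reader another round trip, which is the extra few milliseconds per added card Ismail quotes. Two points the primer leaves implicit: the UID crosses the air in the clear before any DES or AES authentication, so it identifies a card for the protocol but is not a secret, and two cards carrying the same UID never collide at all (the simulation selects them as one), which is why an access control system that checks only the UID is defeated by a cloned card.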

Contactless applications

Contactless cards are ideally suited for specific applications. One of these is public transportation, an application that NXP started working on in the mid-nineties. “The Mifare pilot was the Seoul Metro in 1994, with the rollout in 1996,” says Gruber, adding that Seoul was “really the first city ever” to implement a contactless card payment system. Now cities all over the world, including Chicago, London and Boston, use contactless cards as an efficient way to board passengers. Users wave the cards over readers and are granted almost instant access. This short transaction time paired with the high-speed communication between the card and reader makes it an optimal solution. Plus, because the card doesn’t come into contact with the reader, there’s less wear and tear on the card, increasing its lifespan.

Physical access control is another application best addressed by contactless cards, with employees at businesses all over the world gaining access to their workplaces through a simple tap of a card to a door reader.

However, contactless cards aren’t the answer for every application. “There are two enemies to these technologies: Steel and water,” says Ichikawa. Steel blocks radio waves, which is why the newest passports have steel cloth woven into their covers. “You can’t read it when it’s closed,” says Ichikawa.

Ichikawa also notes that since the human body is made mostly of water, the current trend in Mexico of implanting an RF tag in one’s shoulder to help locate you if kidnapped should be avoided. “If you put an RF card right next to your body, the body will absorb the radio waves, and there’s nothing to bounce back,” says Ichikawa. “There are general laws of physics here that make things pretty hard.”

Winter 2011

41


The different contactless smart card flavors
Many types but do they play together?

Jill Jaracz
Contributing Editor, AVISIAN Publications

In the soft drink business, Coke and Pepsi might look the same, but consumers know that these two colas have different flavors. The market for contactless smart cards isn’t much different. The four players that dominate the industry – HID, NXP, Sony and LEGIC – have subtle differences that create the different contactless flavors.

In addition to these differences, they also have similarities. They are all in the high frequency (HF) category, meaning that they operate in the 13.56 MHz spectrum and comply with ISO 14443, ISO 15693 or both. The 14443 standard, however, is the “most dominant standard within the HF technology band used around the world,” says Bryan Ichikawa, vice president of Identity Solutions at Unisys.

Ichikawa says that the 14443 standard is broken down into an A and a B standard, basically because one standard was developed by a company that held a patent, and the other was developed by competing companies that also wanted to get into the market. “In readers you embed the ability to read both type A and B readers. That’s how you achieve interoperability,” explains Ichikawa.




Most contactless readers have the ability to read standard 14443 cards as well as one or more of the proprietary flavors. But, for example, a LEGIC reader typically won’t be able to read an HID iCLASS card and vice versa. There are exceptions, however, such as an agreement between HID and NXP that enables some iCLASS readers to read Mifare cards. These flavors do hamper true interoperability and can complicate end user choice. But they also make contactless solutions usable out of the box, as they come ready made with onboard file structures and applications. Truly standard 14443 and 15693 cards are available and they can be cheaper since they can be purchased from multiple vendors. But they are truly a blank slate and require applications to be added and/or developed, which in turn adds cost. When choosing what type of technology to deploy it comes down to what the end user wants to do with the card, Ichikawa says. “It comes down to cost and speed,” he adds.

NXP’s Mifare

According to Martin Gruber, segment director for the Transit Team at NXP, Mifare is the “overall umbrella brand” for a portfolio of products. Mifare Classic is the original NXP product that was introduced in 1995-96 when the 14443 standard was first released. Mifare Plus was launched in 2009 and features higher security than Mifare Classic. DESFire is the newest and most advanced product, providing the highest level of security and flexibility.

NXP’s family of Mifare card and reader ICs is built on the ISO 14443 Type A standard. Mifare cards support multiple applications, each capable of operating independently of the others through user-definable key sets and access conditions.

Readers are capable of reading any variety of Mifare card, and NXP certifies both cards and readers to ensure compatibility across generations.

HID’s iCLASS

HID’s iCLASS platform operates at the 13.56 MHz frequency like its fellow contactless providers, but it uses the less common ISO 15693 standard, says David Nichols, director of market strategy at HID Global. The different standard, he says, enables a longer read range and longer keys for enhanced security. “We have a 64-bit key whereas others use a 48-bit key … the longer the key the more secure it will be,” he says.

The decision to go with 15693 instead of 14443 centered on usability. It provided a longer read range that was similar to HID’s well-established proximity card technology. When an organization switched from prox to iCLASS, “we didn’t want the usability or performance to decrease,” explains Nichols.

The ISO 15693 specification is divided into four parts and HID is compliant with the first two parts of the standard, Nichols says. After that is where iCLASS deviates, with a specific access control application on the card and other changes.

HID buys standard 15693 chips for its iCLASS cards, but then makes some changes, Nichols says. HID thoroughly tests the cards and offers a lifetime guarantee. According to Nichols, this testing and reliability separates iCLASS from standardized cards. While the cards use the 15693 standard, iCLASS readers are also equipped to read Mifare and ISO 14443 standard cards as well, Nichols says.

LEGIC Prime and LEGIC advant

Contactless chips shipped to date

Mifare: 3.5 billion
FeliCa: 500 million
LEGIC: 70 million
iCLASS: Not available

LEGIC was founded in 1990 in Zurich, Switzerland. Though the company’s technology is available and in use worldwide, it is most prevalent in Europe. LEGIC’s original 13.56 MHz contactless technology, LEGIC Prime, predates the development of the ISO standards for contactless. While Prime has been widely used since its launch in 1992, a newer and more secure line called advant is now available. The LEGIC advant system is a set of products that includes cards, readers and applications, according to Marcel Brand, manager of marketing communications at the company. LEGIC ensures its card readers are compliant with both the ISO 14443 and ISO 15693 standards as well as its own proprietary technology. LEGIC has designed its system to be flexible so that adding applications and upgrading readers can be done simply, says Brand.


Sony FeliCa

Sony’s FeliCa could be the most varied of the contactless flavors, complying with a different ISO standard. To date it has seen the majority of its use in Asian markets, but the notion that it is only relevant in Asia is an image Sony is trying to correct. FeliCa was introduced in Hong Kong in 1997, says Jun Shionozaki, technical consulting manager for the FeliCa Business Division at Sony. It was introduced to the Japanese market in 2001. “It’s deployed in other parts of Asia, Europe and the U.S.,” says Shionozaki. FeliCa has an extremely strong presence in Japan because of the maturity of the country’s mobile market. As of June 2010, 67 million Japanese handsets embedded with mobile FeliCa chips were in circulation, says Shionozaki.

FeliCa is based on the ISO 18092 standard that defines near field communication. “We decided to focus on the 18092 standard which covers a wide range, including mobile,” says Shionozaki. Some aspects of the FeliCa system are open. “We comply with 18092, in that sense we can be considered open,” says Shionozaki. FeliCa uses encryption algorithms that are open standards as well, but it maintains a set of proprietary security elements. Sony says its FeliCa card is the first contactless card to achieve EAL4 security certification. “It’s the highest level for consumer products,” says Shionozaki.

Open standards

When it comes to the largest of issuances, such as open system payment cards and electronic passports, banks and countries have gone with purely standard 14443 technologies, says Patrick Hearn, vice president of government and identification markets for the Americas at Oberthur Technologies. An open architecture was a necessity for these projects because of the millions of documents that would be produced and the variety of places the information on the credential would have to be read. “It’s easier to implement a large scale project using open standards,” he adds.

Open standards also tend to have longer lives, says Hearn. He estimates that a credentialing system based on open standards can last up to 10 years whereas proprietary systems may only last three to five years because they will be upgraded or phased out over time. When someone buys a standard 14443 card they know how it’s going to communicate and they can purchase standard applications and personalization tools, Hearn says.

Ultimately it comes down to what a customer wants to do with the system, Hearn adds. Though he stresses the importance of truly open standard solutions for large-scale implementations, he notes that proprietary flavors are ideal for other projects. “Closed loop makes sense for some people,” he says. “You have a steady supply chain and standardized output and don’t need the benchmark testing.”



Beyond the NFC hype
A walk down memory lane for the payment industry

Zack Martin
Editor, AVISIAN Publications

This has been quite the year for near field communication. The hype around the technology has skyrocketed and enabled handsets are actually being sold in the U.S. In a handful of locations, these handsets can be used for purchases and other transactions. NFC is not a brand new technology: millions of handsets are deployed in Japan, but the hype around the technology in western countries has grown deafening. Until this year it had been all talk, as handset manufacturers, telecoms and banks tried to figure out a way to make NFC a reality. But with RIM enabling two BlackBerry devices, Samsung’s Nexus S, and Google Wallet and Offers, NFC has already become a reality for some, with more slated in 2012.

For payment industry veterans, the hype around NFC may be reminiscent of the push for contact smart cards more than a decade ago. Visa USA was a driving force behind the issuance of these cards and touted how they would revolutionize marketing and loyalty programs. It was an exciting proposition. Multiple retailers could create loyalty applications that could be stored on the same card. Frequency programs, electronic couponing and one-time offers all could be enabled with a contact smart card program. Visa lined up a handful of issuers but Target bought into it the most, issuing 9 million cards and swapping out 37,000 point-of-sale devices, according to published reports.



Of all the exciting new loyalty programs Target could offer, they chose to roll out electronic couponing. There were a handful of ways an electronic couponing program could have worked:

• Coupons could be automatically downloaded on to the customer’s smart card at the point of sale. For example, if a customer bought salad dressing, a coupon for a competing brand could be placed for automatic redemption upon the next visit.
• Customers could also go online to search for and download coupons. This would be relatively easy as each cardholder was given a smart card reader to plug into their computer.
• Lastly, customers could go to a kiosk at the store and download the coupons to their card when they enter.

Of all these options the latter is arguably the most difficult as it requires consumers to change behavior. In 2001 nobody was using a kiosk to download offers before starting to shop. They still aren’t in 2011. Yet this is the option that Target chose for its loyalty program. It did not catch on with cardholders. In 2004, just one year after switching all of its point-of-sale terminals, Target ceased issuing smart cards.

It’s now 2011 and Visa is once again the force behind an issuer and retailer technology migration. For the switch to NFC and EMV, the message is slightly different, with added security receiving top billing. Marketing, however, is not far behind. When Google announced Wallet, security was highlighted because a PIN is required before payment data is transmitted. Yet while security was highlighted, as much time was spent explaining Google Offers, the location-based system that will notify consumers of deals in their areas.

But the biggest problem still exists as it did a decade ago: convincing retailers to switch their point-of-sale devices to accept these new payment types. The problem isn’t as large as it was in the last decade, as an estimated 10% of all point-of-sale systems shipped in 2010 included contactless and that number is expected to grow to 85% by 2016, according to ABI Research. This doesn’t include the contactless payment terminals already deployed in the U.S. either.

Visa is offering a carrot and a stick for those merchants as well. Merchants who deploy point-of-sale systems that can accept EMV and NFC will receive a waiver from some of the burdensome compliance requirements of the Payment Card Industry Data Security Standard (PCI DSS). But if they don’t, there’s a liability shift that will put them at fault for certain fraudulent transactions.

Analysts say there are similarities and differences from the push a decade ago. “It’s repeating what the card industry did 10 years ago but bringing it to a whole new level,” says Sirpa Nordlund, executive director at the Mobey Forum. The payment industry wanted to bring multi-application smart cards to consumers and retailers in 2001. The thought process is pretty much the same now but the form factor and computing power are different, Nordlund says. “People have the Internet in their pocket,” she explains.

George Peabody, director of emerging technologies at the Mercator Advisory Group, says without additional security the business case for contact smart cards never existed. “There really wasn’t a value proposition,” he says. “They didn’t speed up transactions and weren’t accepted most places.”

It’s not going to be just payments that drive NFC, Peabody says. “The ability to use it for marketing purposes is the kind of thing that gets a merchant’s attention,” he says. “We’ve had large merchants tell us they would kill to know who’s coming into their store.” That may have been the same message a decade ago with contact smart cards, but Peabody believes the difference is consumer usage. There was only a handful of banks issuing the cards and, outside of Target, very few retailers who could accept them. NFC is different because it uses the same contactless infrastructure that’s already in place.

Peabody believes the new Visa rules requiring EMV and NFC enabled payment terminals will convince the majority of merchants to swap out devices in the next five years.

Show me the handsets

All that said, the lack of enabled handsets is still holding back the widespread adoption of NFC. As of late 2011, the Samsung Nexus S was the only handset being used for payments in the U.S. Two BlackBerry models have been equipped with NFC, but they have not been used in any payment programs. And the latest iPhone iteration is sans NFC. This may change in 2012, says Peabody, citing that Google’s acquisition of Motorola Mobility is likely to bring more NFC handsets from the manufacturer.

It’s going to come down to whether the mobile operators are willing to spend the money on NFC handsets, says John Devlin, group director at ABI Research. Until the business case is finalized on how the operators will make money, it’s difficult to say whether they’ll invest. To integrate NFC into a handset costs the manufacturer $6 to $8 depending on the implementation. Telcos are charging $20 extra for enabled handsets, Devlin says. 2011 has been a big year for NFC and 2012 looks to see more deployments, with ISIS – the partnership between AT&T, Verizon and T-Mobile and the payment brands – rolling out pilots. It is also likely to bring additional handsets and consumer availability as well.

Taking NFC beyond payments

George Peabody, director of emerging technologies at the Mercator Advisory Group, says that much of the discussion around NFC focuses on payments but there is so much more it can do. NFC 1.0 is what’s being discussed now and it is all about payments, Peabody says. But when NFC was first envisioned the idea of a powerful Internet connection and cloud computing on mobile devices didn’t exist. Part of NFC 2.0 is using a device as a smart card reader, Peabody explains. Merchants could use these devices for payment acceptance, and individuals could use them to access secure Web sites. The approach can also be used for federal government PIV applications such as logical access to a communications network. In health care, the same approach can provide strong authentication for access into medical records. NFC 3.0 could extend the technology’s role to the cloud, says Peabody. Together the two technologies could create a security-as-a-service capability with applicability for payments and other transactions. This technology could enable new payment options for retailers and consumers. “A retailer could, for example, accept an Amazon payment at the point of sale. The consumer would be saying, effectively, to use the payment credential I store with Amazon,” Peabody says.

NFC payments at peak of Gartner’s Hype Cycle

Research firm Gartner has placed NFC payments at the peak of the “Inflated Expectations” curve in its 2011 Emerging Technologies Hype Cycle. According to Gartner, the Hype Cycle graph has been used since 1995 to highlight the common pattern of “over-enthusiasm, disillusionment and eventual realism” that accompanies each new technology and innovation.

“Themes from this year’s Emerging Technologies Hype Cycle include ongoing interest and activity in social media, cloud computing and mobile,” said Jackie Fenn, vice president and fellow at Gartner. “Mobile technologies continue to be part of most of our clients’ short- and long-range plans and are present on this Hype Cycle in the form of media tablets, NFC payments, quick response (QR)/color codes, mobile application stores and location-aware applications.”

According to Gartner analyst Sandy Shen, NFC has made the list for the last several years and the continuous hype surrounding the technology will ensure that it will stay on the list for the next several. Gartner expects NFC payments to run the full course of the Hype Cycle, from its current position at the height of the hype stage, down into the “Trough of Disillusionment,” eventually emerging up the “Slope of Enlightenment” to the “Plateau of Productivity.” “Our forecast is that it won’t reach mainstream until 2015,” Shen explained. “Afterwards it will gradually mature until it reaches the plateau.” Shen added that most of the technologies on the Hype Cycle make it to the plateau, although the time this takes varies depending on the market. In the case of NFC, the wait should fall between five and 10 years.




Upgrading existing physical access control to comply with PIV mandates

Dave Adams
Senior Product Marketing Manager, HID Global

Beginning in fiscal year 2012, U.S. government agencies must upgrade their physical and logical access control systems to provide federal employees and contractors with more secure and reliable forms of identification using Personal Identity Verification (PIV) credentials. These credentials must leverage smart card and biometric technology in accordance with National Institute of Standards and Technology guidelines embodied in FIPS 201. These upgrades must be completed before federal agencies may use development and technology refresh funds to complete other activities.

Until recently, upgrading to FIPS 201 standards was a difficult and expensive process that involved a number of suppliers and consultants. It also generally required a wholesale replacement of the current physical access control system (PACS) infrastructure, including head-end servers, panels and door control hardware. This has all changed. With the advent of modular hardware solutions and turnkey implementation strategies, agencies can establish a clear migration path from existing credentials and preserve investments in their existing PACS infrastructure. This also allows them to support changing security requirements and enable cost-effective enhancements down the road.

Understanding FIPS 201 requirements

HSPD-12 set a clear goal to improve physical access control security and reliability through the use of government-wide standards. The FIPS 201 standard went further to define the specific characteristics of an interoperable identity credential to be used throughout government. Another important document, SP 800-116, introduced the concept of “Controlled, Limited, and Exclusion” areas, and required agencies to employ risk-based PIV authentication mechanisms for different areas within a facility (see Fig. 1).

Simplifying the compliance process

Ideally, it should be possible to upgrade an existing PACS infrastructure so that it can authenticate credentials across the full range of assurance levels as defined in SP 800-116, without requiring a wholesale rip-and-replace. This is now possible using a modular hardware approach that delivers a high level of flexibility for future modifications. Agencies can install a combination of enhanced readers and FIPS 201 authentication modules that operate with existing components in the current PACS infrastructure. It is easy to deploy and eliminates the need to acquire a complicated mix of expertise, technologies and suppliers.

At the core of this solution is a reader that must feature EAL5+ Secure Element hardware. This provides tamper-resistant protection of keys and cryptographic operations. Additionally, the reader should use the industry-standard Open Supervised Device Protocol (OSDP) communications specification to establish a secure bidirectional link with FIPS 201 authentication modules.

[Fig. 1: Innermost use of PIV authentication mechanisms. Concentric areas, from outermost to innermost: Unrestricted, Controlled (entered through Access Point A), Limited (Access Point B), Exclusion (Access Point C). Mechanisms shown in the figure: CHUID + VIS, CAK, BIO, PKI, BIO-A, CAK + BIO(-A).]


To achieve compliance, agencies simply deploy the new readers and install authentication modules between the readers and the existing PACS panel. This upgraded access control system can now perform PIV authentication tasks across all PIV permission levels, with a validation server providing centralized control of assurance level settings and the distribution of validation data.

This modular compliance system performs all necessary PIV authentication steps, beginning at the time of enrollment. When a credential with the appropriate assurance level is presented to a corresponding reader, the authentication module validates the card according to the assurance level setting. The authentication module then extracts the FASC-N or UUID from the card and passes it on to the PACS panel for an access decision and logging. To prohibit access by revoked cards, the system retrieves and checks the card revocation status from the issuing certification authority or hotlist.

To validate visitor PIV cards, authentication modules use the Server-based Certificate Validation Protocol (SCVP) to establish a chain of trust through the Federal Bridge. Vendors must first have successfully completed cross-certification to the PIV-I standard via the CertiPath Bridge, which ensures interoperability across government agencies and with non-government members of the Federal Bridge.

For invalid cards, the authentication module is configurable to send a preset badge ID to the PACS panel (for logging and investigation) and/or close an output relay (to trigger a video camera, for instance). In the case of a communications interruption in the validation process, authentication modules maintain an updated validation data cache that enables them to function offline, so strong authentication continues at the door. A revocation published after the last cache refresh is not seen until the link is restored, which makes the refresh interval a security parameter rather than a tuning knob.

Other features further improve simplicity and flexibility. By capturing cardholder data the first time a card is presented for validation to a reader connected to an authentication module, this data can be shared with other authentication modules. This feature delivers several benefits. It makes it possible to use existing access control enrollment functionality and it enables integration with an identity management or card management system. It also enables the use of third-party enrollment packages.

Meeting current and future compliance needs

Until recently, agencies faced with the mandate to upgrade their physical access control system to FIPS 201 compliance were required to work with multiple vendors and often had no choice but to replace their entire PACS infrastructure. The latest modular solutions give agencies a single point of responsibility and accountability for achieving compliance without a wholesale rip-and-replace upgrade. The solutions also provide the means to support many compliance needs, including PKI-at-the-door mandates as well as PIV-I and PIV-C requirements for cards issued by non-federal entities. For these and other challenging compliance requirements, today’s modular solutions give agencies a migration path that protects their current PACS investments while enabling them to employ risk-based security levels in selected areas, as required, and to leverage ongoing improvements in access control technology.
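The “extracts the FASC-N” step above, as an added example that is not part of the original article or any vendor's module: a Go encoder and decoder for the 200-bit FASC-N carried in the PIV CHUID, in the TIG SCEPACS layout that SP 800-73 references (40 five-bit characters: a start sentinel, nine BCD fields separated by field separators, an end sentinel and an LRC; each character is four data bits sent least significant first plus an odd-parity bit). The field names, the `Encode`, `Decode` and `PACSIdentifier` functions and the sample values are this example's own, and the LRC is computed here as the XOR of the data bits of the 39 preceding characters.

```go
// Encoder and decoder for the 200-bit FASC-N in a PIV card's CHUID (TIG SCEPACS
// layout): 40 five-bit characters, each 4 BCD data bits LSB first plus odd parity.
package main

import "fmt"

const (
	ss = 0xB // start sentinel, 11010 on the wire
	fs = 0xD // field separator, 10110
	es = 0xF // end sentinel, 11111
)

// layout is the wire order: ints are sentinels, strings are BCD fields with the
// widths below. The LRC character follows the end sentinel.
var layout = []interface{}{
	ss, "agency_code", fs, "system_code", fs, "credential_number", fs,
	"credential_series", fs, "individual_credential_issue", fs, "person_identifier",
	"organizational_category", "organizational_identifier", "person_org_association", es,
}

var width = map[string]int{
	"ag" + "ency_code": 4, "system_code": 4, "credential_number": 6, "credential_series": 1,
	"individual_credential_issue": 1, "person_identifier": 10, "organizational_category": 1,
	"organizational_identifier": 4, "person_org_association": 1,
}

// sample holds constructed values, not a real credential.
var sample = map[string]string{
	"agency_code": "3201", "system_code": "0001", "credential_number": "000123",
	"credential_series": "0", "individual_credential_issue": "1", "person_identifier": "1234567890",
	"organizational_category": "1", "organizational_identifier": "1234", "person_org_association": "1",
}

// Encode packs the nine fields into 25 bytes, most significant bit first.
func Encode(fields map[string]string) ([]byte, error) {
	var chars []byte
	for _, item := range layout {
		switch it := item.(type) {
		case int:
			chars = append(chars, byte(it))
		case string:
			v := fields[it]
			if len(v) != width[it] {
				return nil, fmt.Errorf("%s: want %d digits, got %q", it, width[it], v)
			}
			for _, ch := range v {
				if ch < '0' || ch > '9' {
					return nil, fmt.Errorf("%s: non-digit %q", it, ch)
				}
				chars = append(chars, byte(ch-'0'))
			}
		}
	}
	var lrc byte
	for _, c := range chars {
		lrc ^= c // LRC: XOR of the data nibbles of the 39 preceding characters
	}
	chars = append(chars, lrc)
	out := make([]byte, 25)
	pos := 0
	for _, c := range chars {
		bits := [5]byte{c & 1, c >> 1 & 1, c >> 2 & 1, c >> 3 & 1, 0}
		if (bits[0]+bits[1]+bits[2]+bits[3])%2 == 0 {
			bits[4] = 1 // parity bit makes the count of 1s odd
		}
		for _, bit := range bits {
			out[pos/8] |= bit << uint(7-pos%8)
			pos++
		}
	}
	return out, nil
}

// Decode checks per-character parity, sentinel positions and the LRC, and
// returns the nine fields as digit strings.
func Decode(raw []byte) (map[string]string, error) {
	if len(raw) != 25 {
		return nil, fmt.Errorf("FASC-N must be 25 bytes, got %d", len(raw))
	}
	var chars [40]byte
	for i := range chars {
		var v, ones byte
		for j := 0; j < 5; j++ {
			bit := raw[(i*5+j)/8] >> uint(7-(i*5+j)%8) & 1
			ones += bit
			if j < 4 {
				v |= bit << uint(j)
			}
		}
		if ones%2 != 1 {
			return nil, fmt.Errorf("parity error in character %d", i)
		}
		chars[i] = v
	}
	var lrc byte
	for _, c := range chars[:39] {
		lrc ^= c
	}
	if chars[39] != lrc {
		return nil, fmt.Errorf("LRC mismatch")
	}
	fields := map[string]string{}
	pos := 0
	for _, item := range layout {
		switch it := item.(type) {
		case int:
			if chars[pos] != byte(it) {
				return nil, fmt.Errorf("expected sentinel %X at character %d", it, pos)
			}
			pos++
		case string:
			digits := make([]byte, width[it])
			for k := range digits {
				if chars[pos+k] > 9 {
					return nil, fmt.Errorf("%s: character %d is not a digit", it, pos+k)
				}
				digits[k] = '0' + chars[pos+k]
			}
			fields[it] = string(digits)
			pos += width[it]
		}
	}
	return fields, nil
}

// PACSIdentifier is the 14-digit agency + system + credential number, the subset
// a panel with a short card-number field would key on (an assumed convention).
func PACSIdentifier(f map[string]string) string {
	return f["agency_code"] + f["system_code"] + f["credential_number"]
}

func main() {
	raw, _ := Encode(sample)
	f, err := Decode(raw)
	fmt.Printf("%X\n%v %v\nPACS id %s\n", raw, f, err, PACSIdentifier(f))
}
```

`Decode` rejects any single flipped bit through the per-character parity and a wrong sentinel or LRC through the layout check, which is what a module should do before forwarding an identifier to a panel. Neither check is a security control: the CHUID is freely readable and copyable, which is why Fig. 1 places CHUID + VIS at the outermost access point only.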

GAO: PIV usage still lacking

A U.S. Government Accountability Office report from September 2011 indicates that government agencies are still lagging in their actual use of the PIV credentials. The GAO found mixed results when it looked at how eight agencies were progressing: the Departments of Agriculture, Commerce, Homeland Security, Housing and Urban Development, the Interior, and Labor; the National Aeronautics and Space Administration and the Nuclear Regulatory Commission. “Specifically, they have made substantial progress in conducting background investigations on employees and others and in issuing PIV cards, fair progress in using the electronic capabilities of the cards for access to federal facilities and limited progress in using the electronic capabilities of the cards for access to federal information systems,” the report states. “In addition, agencies have made minimal progress in accepting and electronically authenticating cards from other agencies.”

Agencies attribute the delays to a number of obstacles. Many report problems issuing credentials to employees in remote locations. Others have not established effective controls for tracking the issuance of credentials to contractor personnel or for revoking those credentials and the access they provide when a contract ends. The GAO states that PIV-enabled logical and physical access systems haven’t been deployed because they are low priorities. For logical access there is also a lack of procedures for accommodating personnel who don’t have PIV credentials. A lack of funding has also slowed the use of PIV credentials for both physical and logical access. Lastly, there has been a trust issue with PIV. “The minimal progress in achieving interoperability among agencies is due in part to insufficient assurance that agencies can trust the credentials issued by other agencies. Without greater agency management commitment to achieving the objectives of HSPD-12, agencies are likely to continue to make mixed progress in using the full capabilities of the credentials,” the report explains.

Federal agencies are going to have no choice but to deploy PIV-enabled systems going forward. The White House Office of Management and Budget mandated, in memorandum M-11-11, that agencies start using systems that take advantage of the PIV credential or risk budget cuts.



Fla. schools use palm vein for lunch payments
Biometric technology expedites lunch lines

Ross Mathis
Contributing Editor, AVISIAN Publications

The Pinellas County School Board District in Clearwater, Fla. has paired up with technology provider Fujitsu Frontech North America to provide a reliable and secure method of handling school food service program transactions.

With more than 102,000 students, the district is the seventh largest in the state and the 24th largest in the nation. Efficiently serving this large population has, at times, proven challenging for the district, particularly in the school cafeteria snack and lunch lines.

Officials have tried everything from swipe cards to PINs, none of which seemed to help. The district even tested a fingerprint scanning system but it proved unreliable. “Students would place their finger on the scanner and leave behind oil, dirt, and residues. This would cause the system to malfunction or freeze up, delaying the cafeteria lunch lines,” said Art Dunham, director of the Food Service Department at Pinellas County Schools.

Then the district learned about vascular biometrics. Unlike other biometrics, vascular devices don’t require contact with the student’s skin, so they are hygienic, non-intrusive and unaffected by external factors such as skin types and conditions. They identified Fujitsu Frontech and its PalmSecure biometric sensor.

As part of the project Fujitsu partnered with MCS Software, an integrator for school food service environments. Pairing PalmSecure with MCS’s Newton point-of-sale system resulted in a fully integrated solution for managing snacks and meal plans.

PalmSecure uses near-infrared light to capture a student’s palm vein pattern, generating a unique biometric template that is matched against the pre-registered templates. Because the vein pattern lies beneath the skin, it is difficult to forge.

The system increases security without a need for student PINs or fingerprint scanners. This minimizes transaction times, which keeps cafeteria lunch lines moving at a steady pace. “The process is relatively simple,” explains Dunham, “and registration takes no longer than 20 seconds.”

To register, a staff member first searches for the student’s name in the district’s centralized database. MCS’s point-of-sale software then displays the photo, in addition to class information, so that the student can be positively identified.

The student places a hand on the scanner for initial palm enrollment. A series of scans is performed to generate a unique and accurate biometric template. The template is a numeric representation of selected points from the vascular pattern. It makes it possible to compare future scans for authentication without storing an actual image of the palm vein pattern. After enrollment, the template is encrypted and stored in the district’s database.

Once they have enrolled, students simply walk up to the cafeteria register with their food and place their hand on the scanner. In a matter of seconds the system pulls up their information and deducts the necessary charges required to complete the transaction. The use of biometric scanning also remedies conventional problems associated with students forgetting or sharing PINs and swipe cards. Parents can go online to add funds to their child’s meal account, set charge limits, see what their child purchased for lunch, monitor diets and view nutritional facts. “If a student is eating pizza every day the system will let them know about it,” Dunham says.

With previous systems there had been long waits that affected students. “It’s hard for students to focus and learn if they go the whole day hungry. In the past, due to long lunch lines, we found that students would just simply skip lunch,” Dunham says. “This remedies that problem and ensures students have the adequate time to eat their lunch, so that they can make it through the rest of their day comfortably.”

Additional features include medical and allergy alert messages for individual students. If a child unknowingly purchases a meal that may have adverse effects, or worse, cause a potentially life-threatening allergic reaction, the system can provide an alert.

Enrollment in and use of the biometric system is completely voluntary. Parents and students who opt out have the choice of using the traditional PIN number, with elementary students alternatively using a series of unique images to securely complete food service transactions. “We do have parents who prefer that their children not participate in the program and that’s fine. We offer a different option so that everyone – both students and parents – remain happy,” Dunham explains. Currently only the high schools and middle schools are participating in the system. Still, explains Dunham, some 46,000 students have been enrolled. The system will be expanded to the elementary schools later in the school year. The district has ordered 300 palm scanners totaling around $120,000. Pinellas County also has plans to expand the PalmSecure system to support other school services and events including bus rides, field trips, attendance, yearbook sales and event ticketing.



Using PKI for physical access control

Bob Fontana, President and CTO, Codebench

Figure (Where does PKI at the door live?): IDMS Issues PIV Card; PIVCheck Plus Software; Gets Certificate Status; Certification Authority.

Physical security professionals are hearing about public key infrastructure, or PKI, more frequently than ever before. This is because the federal government, through the National Institute of Standards and Technology (NIST) and the Interagency Advisory Board (IAB), is pushing for higher security in the physical access control world. The federal government says physical access control systems (PACS) need to be upgraded to be FIPS 201 and SP 800-116 compliant.

Depending on the level of assurance required for entering the space, each door or turnstile will be secured by an authentication system capable of verifying one or more authentication factors before granting access. A traditional access control reader provides one authentication factor, which results in “some” assurance. A single factor is the minimum standard for controlled access defined by SP 800-116. Readers with PIN pads can be used to provide two factors, and readers with a fingerprint sensor or iris scanner can provide three.

A FIPS 201-compliant contactless card reader must also ensure that the credential being presented is the one that was originally enrolled in the PACS rather than a forgery or clone. Access control systems can use PKI at the door to accomplish this and determine a card’s authenticity. The process uses private and public keys to sign and verify a random challenge sent to the smart card. Only an original, legitimate card can respond correctly to the challenge.

There are three basic configurations for PKI at the door:

1. The challenge is generated at the panel and sent to the reader where it is passed to the card. The reader is effectively a transparent smart card reader that passes smart card commands and responses between the card and the panel. Cryptographic processing of the response from the card is performed at the panel, and certificates and certificate revocation status are cached at the panel. The advantage of this approach is that it does not require extra boards or equipment, and it is highly resilient because the panel is designed to operate offline from the server for long periods of time. The downside is that the panel needs to be upgraded to perform PKI at the door.

2. The challenge is generated at the PACS server and sent to the reader, which passes it to the card. The reader passes the response back to the server, which then verifies the response and issues a message to the appropriate hardware to unlock the door. This solution works with all panels today and can handle hundreds of doors concurrently. It has an early advantage because there is no need to update panel firmware. The disadvantage is that its reliability depends upon server availability, although this is mitigated with a backup server.

3. The challenge is generated by an additional board or controller and is sent to the reader, which passes it to the card. The reader passes the response back to the controller where it is verified. Depending on the verification results, the card identifier is sent to the access control panel. There is no need to update the panel firmware with this approach. Because it operates closer to the door, it is designed to operate independently of a server for long periods of time, much like a panel. On the negative side, a separate controller adds cost in equipment and wiring.

With all three approaches, data is sent over multiple hops from the card edge to the PACS. With each hop, the data needs to be secured using encryption.

Is PKI at the door for everyone?

All of this data processing takes time. Factors such as the type of card and the type of connectivity between devices cause card authentication times to range from one to several seconds. The good news is that once a cardholder has authenticated with the requisite factors to enter a particular area there is no need to re-authenticate unless a security area requiring even higher assurance is nested within it. Even then only the additional assurance factors are required. Therefore, security managers should plan their SP 800-116 security zones with an eye on minimizing cost while maximizing throughput and security.

What does the future hold for PKI at the door?

While a physical card is the primary means for gaining access into a high-assurance area, near field communication (NFC) is quickly becoming standard in mobile phones. With NFC, the phone becomes both a credential and a reader. Combined with cloud services, NFC can dramatically lower the costs of PKI at the door by eliminating panels and reducing wiring to an NFC terminal connected to a door relay. This type of solution won’t work in every environment, but it will provide organizations with additional options, especially in the commercial market. NIST and IAB are already looking into this technology and security companies are gearing up for it. The trickle-down effect – where the mainstream market embraces technologies first implemented by the government – will play a large role in the adoption of PKI in the physical security market as a high-assurance validation method.
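The challenge-response step that all three configurations share, written out as an added example. This is not Codebench’s software or any PACS product’s code: it assumes ECDSA P-256 card keys, an in-memory enrollment table standing in for the certificate and revocation cache the panel, server or controller would hold, and a constructed card identifier. It shows why only the original card answers correctly, why a copied response is useless against a fresh challenge, and how a cached revocation status closes the door to a card that can still sign.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Card models the credential: the private key is generated on the card and never
// leaves it; all the card does is sign the challenge it is handed.
type Card struct {
	ID  string
	key *ecdsa.PrivateKey
}

func NewCard(id string) *Card {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return &Card{ID: id, key: key}
}

func (c *Card) Respond(challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, c.key, digest[:])
	must(err)
	return sig
}

// Enrollment is what the verifying device caches per card: the public key captured
// at enrollment (a real PACS takes it from the card's certificate) and the cached
// revocation status.
type Enrollment struct {
	Pub     *ecdsa.PublicKey
	Revoked bool
}

// Verifier is whichever device generates the challenge and checks the response.
type Verifier struct {
	enrolled    map[string]*Enrollment
	outstanding map[string][]byte // the one unanswered nonce per card (constructed design)
}

func NewVerifier() *Verifier {
	return &Verifier{enrolled: map[string]*Enrollment{}, outstanding: map[string][]byte{}}
}

func (v *Verifier) Enroll(c *Card) { v.enrolled[c.ID] = &Enrollment{Pub: &c.key.PublicKey} }

// Challenge issues a fresh random nonce; only the most recent one is answerable.
func (v *Verifier) Challenge(cardID string) []byte {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	must(err)
	v.outstanding[cardID] = nonce
	return nonce
}

// Authenticate accepts only an enrolled, unrevoked card whose response is a valid
// signature by the enrolled key over the nonce that is currently outstanding.
func (v *Verifier) Authenticate(cardID string, challenge, response []byte) bool {
	rec, ok := v.enrolled[cardID]
	if !ok || rec.Revoked {
		return false
	}
	if nonce, ok := v.outstanding[cardID]; !ok || !bytes.Equal(nonce, challenge) {
		return false
	}
	delete(v.outstanding, cardID) // a nonce is answerable exactly once
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(rec.Pub, digest[:], response)
}

// Outcome holds the four cases a door must tell apart.
type Outcome struct{ Genuine, Clone, Replay, Revoked bool }

// RunScenario puts a genuine card, a clone, a replayed response and a revoked card
// through the same verifier and reports which were admitted.
func RunScenario() Outcome {
	v := NewVerifier()
	genuine := NewCard("card-0001") // constructed identifier
	v.Enroll(genuine)
	var out Outcome

	first := v.Challenge(genuine.ID)
	firstResp := genuine.Respond(first)
	out.Genuine = v.Authenticate(genuine.ID, first, firstResp)

	// A clone carries the same identifier but cannot carry the private key.
	clone := NewCard(genuine.ID)
	ch := v.Challenge(genuine.ID)
	out.Clone = v.Authenticate(genuine.ID, ch, clone.Respond(ch))

	// Replaying the captured first exchange fails: that nonce is no longer outstanding.
	v.Challenge(genuine.ID)
	out.Replay = v.Authenticate(genuine.ID, first, firstResp)

	// Once the cached revocation status flips, even the genuine card is refused.
	v.enrolled[genuine.ID].Revoked = true
	ch = v.Challenge(genuine.ID)
	out.Revoked = v.Authenticate(genuine.ID, ch, genuine.Respond(ch))
	return out
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Where the verifier lives (panel, server or add-on controller) changes nothing in this exchange; it only changes which hop the nonce and signature cross, which is why the article’s point about encrypting every hop still applies.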




Defining digital identities

Four industry leaders break down the importance of online credentials

There have been many discussions about digital identities and online credentials in 2011. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is picking up steam and organizations are seeking to further secure IT networks as threats from hacking increase. But questions and uncertainty abound. What are digital identities and how do they work? Will one credential work with another? How will they impact privacy and help address regulatory compliance? In light of these and other pressing questions, Re:ID editors asked some of the leaders in the space to share their thoughts and vision for online ID. Participating in the roundtable are: Jeremy Grant, senior executive adviser and manager of the National Program Office for NSTIC; Mollie Shields-Uehling, president and CEO at SAFE-BioPharma; Judith Spencer, former co-chair of the Federal Identity, Credential, and Access Management Subcommittee at the U.S. General Services Administration and now CertiPath’s policy management authority chair; and Scott Rea, board member and director of operating authority at the Research and Education Bridge Certification Authority (REBCA). CertiPath, SAFE-BioPharma and REBCA along with the U.S. Federal Bridge make up The Four Bridges Forum, a network of inter-linked cyber communities. The Four Bridges Forum includes all U.S. government agencies as well as the aerospace and defense and research and education communities.

Jeremy Grant, NSTIC

Grant is the senior executive adviser and manager of the National Program Office for NSTIC. He began his career as a legislative aide in the U.S. Senate, where he drafted the legislation that laid the groundwork for the Department of Defense and GSA smart card and PKI efforts. Grant then joined MAXIMUS where he led the division’s security and identity management practice.

Most recently, Grant served as chief development officer for ASI Government, a consulting firm focused on government agencies’ acquisition, organizational and program management practices.

Mollie Shields-Uehling, SAFE-BioPharma

Shields-Uehling directs the business and strategic activities of SAFE-BioPharma Association and serves as the primary liaison with member companies, vendor partners and others in the community. She has more than 20 years of international trade and biopharmaceutical experience. She was principal of Shields-Uehling Associates, and served in various leadership positions with Bristol-Myers Squibb, Wyeth, the International AIDS Vaccine Initiative, and in the White House Office of the U.S. Trade Representative and the U.S. Foreign Commercial Service.

Judith Spencer, CertiPath

Spencer is the policy management authority chair for CertiPath. She spent the last 36 years working for the federal government, beginning her career in cryptographic equipment repair before moving to public key technology and identity management 12 years ago.

Most recently, she was instrumental in aligning various agencies and organizations around unified logical and physical credentialing of federal employees as directed in HSPD-12. She also chaired the Federal PKI Policy Authority where she promoted interoperability of high-assurance credentials.

Scott Rea, REBCA

Rea is a board member and director at the Research and Education Bridge Certification Authority (REBCA). A certified CISSP, he provides consulting services in the design, implementation, and management of PKI and dependent systems.

He serves as vice president of Government/Education Relations and senior PKI architect at DigiCert. Rea is also vice chair of the International Grid Trust Federation and an independent consultant. He has provided technical subject matter expertise on PKI related topics to government, commercial and educational entities during the past 15 years.


Why are interoperable digital identities important and what distinguishes them from other forms of electronic identity?

Jeremy Grant, NSTIC

Interoperability is one of the guiding principles for the effective establishment of the NSTIC identity ecosystem. Interoperability is important because it provides members of the identity ecosystem with the ability to choose which credentials they want to use and how they will use them.

The majority of today’s credentials are accepted only by the institutions or communities which issue them. This results in many users and organizations having to maintain multiple credentials and multiple digital IDs with multiple service providers. However, interoperable credentials allow the individual to select one, or more credentials, accepted by a wide variety of participating entities. Additionally, interoperability could enable individuals to use Level four assurance credentials on a level one site, but do so in an anonymous or pseudo-anonymous way. Overcoming current barriers to interoperability is absolutely essential for realizing the vision of NSTIC.

Mollie Shields-Uehling, SAFE-BioPharma

Interoperable digital identities are the tools that enable regulatory and business processes to be conducted in cyberspace. They are used to protect privacy and confidentiality.

Unlike their simple electronic counterparts, digital signatures cryptographically guarantee the integrity of documents to which they are affixed. A digital identity authenticates the identity each time it is used. In the case of the SAFE-BioPharma standard, each individual is part of an entity that has agreed to comply with a set of rules. The individual also agrees. Most other forms of electronic identity are based on self-assertion of the individual’s identity, without valid cross references to the individual’s real identity. The regulations associated with SAFE-BioPharma digital identities meet NIST Level 3 security requirements. Interoperable digital identities exist within legally-binding and regulatory-compliant cyber communities known as identity trust hubs. When a trust hub aligns itself with another trust hub, identities by one can be trusted within the other.

Judith Spencer, CertiPath

In the physical world today we have one or two documents – normally a driver license or a passport – which we use to assert identity to a variety of relying parties. You might say these are interoperable identity credentials because they are widely recognized and trusted.

In the virtual world an interoperable digital identity is the virtual equivalent of the driver license. It is widely recognized and trusted as a valid assertion of identity. The relying parties trust it because they recognize the issuer, know the assurance level – based on an independent assessment and certification – and have access to processes that can verify the validity of the credential. For example, whether it was legitimately issued, whether it was subsequently revoked, etc.

By contrast other forms of electronic identity are purpose-issued and trusted only by the issuing organization. In the physical world this might be a membership card or an employee id card. In the virtual world it is generally a user ID/password issued by the relying party and valid only for access to that relying party’s resources.

Scott Rea, REBCA

Interoperable digital identities enable their holders to participate in multiple trust infrastructures with a single set of credentials. This provides cost savings and convenience to credential holders who do not need to go through multiple identity validation processes associated with credential issuance, do not need to manage multiple credentials – i.e. revocations, renewals, expirations, etc., and can facilitate convenience through single-sign-on operations across multiple environments where this is supported.

This also provides lower operating costs to communities and organizations either issuing the credentials or relying upon them, which can also be passed on to the participants.



What do these digital IDs look like to you?

Mollie Shields-Uehling, SAFE-BioPharma

SAFE-BioPharma digital IDs are a form of software installed on a computer, tablet, smart phone or other device. They are based, in part, on a close link with the user’s proven identity. They also enable the application of digital signatures to electronic documents.

Generally, digital signatures compliant with the SAFE-BioPharma standard will be represented in the form of a graphic containing the individual’s name, the reason for applying the signature, date/time of signing, the SAFE-BioPharma logo and other identifying information.

Jeremy Grant, NSTIC

Within the identity ecosystem, we do not advocate a particular form factor, so we don’t have a prescribed look and feel that makes one ID better than another. We do expect innovation to drive the identity market to the general public in a privacy-enhancing manner that is easy to use.

This could be in the form of a smart phone or credit card. The employment of interoperable credentials will support the individual’s ability to create and utilize their digital identity with increased control and personal privacy. As far as the physical or architectural composition of digital IDs and their associated credentials, innovation and user requirements will dictate the form in which these are delivered. Our interest from the government side is to develop a framework for the identity ecosystem where multiple form factors can coexist and ultimately the market can decide which solutions are best.

Scott Rea, REBCA

I see these digital IDs as an analogy to the credit card in the financial industry. When banks first started issuing these, you could only use your card at merchants that specifically had an arrangement with your local bank, and these were limited in scope. But then along came the payments industry standards and the creation of standards such as Visa, MasterCard and American Express. Now, if your bank or issuing entity participates in one of these credit card standards, they can issue a credential in accordance with that standard that is accepted in a much broader community of merchants. This is typically acknowledged by a logo or brand being placed upon your card, which is still issued by your local bank, and also displayed by the merchant or relying party willing to accept it. In relating this to interoperable digital identities, the trust hubs are the payment standards, the Certification Authorities are the branding mechanism, and local education and research institutions can now issue credentials that can be relied upon internally and by the broader research community.

Judith Spencer, CertiPath

Interoperable digital identities need to have strong security tokens and processes associated with them. It is a well-known fact that the more often an electronic identity credential is used the more likely it becomes that it can be subverted. User ID/Password combinations are particularly vulnerable and for that reason they make lousy interoperable identity credentials. Cryptographically-based identity credentials, on the other hand, are particularly resistant to attack, and those associated with some type of hardware storage device and/or biometric activation processes are even more resistant.


How will these identities play together? How will they interoperate?

Jeremy Grant, NSTIC

Digital Identities will not have to interact. They need to interoperate with the services we wish to interact with online but in no way does the identity ecosystem determine where identities play together. Moreover, the adoption of the identity ecosystem trustmark will help preserve the anonymity created by widely accepted credentials while simultaneously providing increased peace of mind. The result is an environment where people can safely pick and choose with whom they both work and play.

Through the use of interoperable technology and policy, individual users will be able to transport their identities across service providers, communities and entities due to a common conformance to the identity ecosystem framework. Additionally members of the ecosystem will be able to identify those who maintain the established policy and security standards through the use of a trustmark. This will be a visual or digital device used to validate membership in and accreditation by the identity ecosystem.

Mollie Shields-Uehling, SAFE-BioPharma

As the only trust hub serving the specific needs of the life sciences, the SAFE-BioPharma standard provides a unique and important bridge to other life science companies, U.S. federal agencies and to other industries.

A few years ago we cross-certified with the Federal Bridge. As a result, participating U.S. government agencies trust the identities asserted by SAFE-BioPharma. Any other trust hubs that have cross-certified with the Federal Bridge also accept them. An example of the ease of that interoperability is the ongoing study between the National Cancer Institute and biopharmaceutical companies that are part of the SAFE-BioPharma community. The study examines use of interoperable digital identities and cloud-based digital documents to eliminate reliance on paper forms in clinical trials. NCI researchers use their federally-issued digital identity credentials from the Federal Bridge Certification Authority. Bristol-Myers Squibb and sanofi-aventis researchers use their SAFE-BioPharma compliant digital identity credentials.

Clinical trial start-up documents were placed in the cloud where the researchers, using their interoperable digital identity credentials, can access them, apply digital signatures to them and return them to the cloud for additional action. The study has successfully demonstrated the ease of the process. It eliminated paper, reduced costs, saved time and eliminated document loss. From our perspective, it is an important first step in transforming the global clinical trial process from paper to being fully electronic.

Judith Spencer, CertiPath

The secret to interoperable identity credentials is a mutually understood trust framework within which the credentials are issued and managed. Such a trust framework constitutes a federation comprised of organizations that will perform identity verification, identity credential issuers and authoritative sources of claims associated with the identity. The trust framework will have an established set of criteria for the issuance and maintenance of credentials by its member organizations and a neutral third-party Federation Operator will ensure that the member organizations adhere to these criteria.

Relying parties will make the determination concerning whether a particular trust framework provides the level of identity assurance required. Tools are available that can process multiple identity credential protocols and provide a standard output to specific back-end applications.

It is important to also keep in mind that relying parties will exist at both ends of the transaction. Just as a Web site/application wants to know the identity of the individual requesting access, the individual needs assurance that he/she has accessed the intended Web site/application. Therefore, it is entirely likely that individuals will utilize the trust framework as much as the Web site/application does.

Scott Rea, REBCA

A credential issued by a research institution in accordance with the controls and standards published by the Research and Education Bridge Certification Authority (REBCA), can be utilized or relied upon at a known level of assurance by any other research institution or business partner that subscribes to the same or similar standards.

REBCA policies have also been mapped to those produced by another trust hub, the Federal Bridge Certification Authority (FBCA), meaning institutions subscribing to REBCA can issue credentials that are not only trusted within the research community, but also by government agencies and all their other subscribing partners, at established levels of assurance.
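Shields-Uehling and Rea both describe cross-certification with a bridge as the mechanism that lets a relying party in one community accept credentials issued in another. The Go program below is an added example of what that looks like at the certificate level; it is not code from CertiPath, SAFE-BioPharma, REBCA or the Federal Bridge. It constructs three CAs with made-up names (a research institution CA, an agency CA and a bridge CA), has the bridge cross-certify the research CA and the agency cross-certify the bridge, and then checks whether a relying party that trusts only the agency anchor validates a research user’s credential. The user name is constructed as well, and only one direction of the (normally bidirectional) cross-certification is built because that is the one this path needs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// ca is one community's certification authority: its key plus its self-signed anchor.
type ca struct {
	name string
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

var nextSerial int64

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// template builds a minimal certificate body; CA templates get the cert-signing usage,
// end-entity templates get client authentication as their extended key usage.
func template(name string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl (carrying pub) with the parent's key and returns the parsed result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

func newRoot(name string) *ca {
	k := newKey()
	t := template(name, true)
	return &ca{name: name, key: k, cert: issue(t, t, &k.PublicKey, k)}
}

// crossCertify is the bridge mechanism: issuer signs a CA certificate that names
// subject and carries subject's public key, so chains rooted in subject's community
// can be extended into issuer's community without re-issuing any user credentials.
func crossCertify(issuer, subject *ca) *x509.Certificate {
	return issue(template(subject.name, true), issuer.cert, &subject.key.PublicKey, issuer.key)
}

// BridgeScenario returns whether the agency relying party (trusting only its own
// anchor) accepts a research user's credential with the cross-certificates in hand,
// and whether it accepts the same credential without them.
func BridgeScenario() (withBridge, withoutBridge bool) {
	research := newRoot("Research Institution CA") // constructed names throughout
	agency := newRoot("Agency CA")
	bridge := newRoot("Bridge CA")

	researchByBridge := crossCertify(bridge, research) // the bridge vouches for the research CA
	bridgeByAgency := crossCertify(agency, bridge)     // the agency vouches for the bridge

	userKey := newKey()
	user := issue(template("researcher@institution.example", false), research.cert, &userKey.PublicKey, research.key)

	roots := x509.NewCertPool()
	roots.AddCert(agency.cert) // the relying party's only trust anchor

	viaBridge := x509.NewCertPool()
	viaBridge.AddCert(researchByBridge)
	viaBridge.AddCert(bridgeByAgency)

	usage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: viaBridge, KeyUsages: usage})
	withBridge = err == nil
	_, err = user.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: usage})
	withoutBridge = err == nil
	return withBridge, withoutBridge
}

func main() {
	ok, alone := BridgeScenario()
	fmt.Println("accepted via bridge:", ok, "accepted without cross-certificates:", alone)
}
```

The path the relying party builds is user, then the research CA as certified by the bridge, then the bridge as certified by the agency, then the agency anchor. Nothing about the user’s certificate changed between the two checks; what changed is whether the cross-certificates were available to the path builder, which is the practical meaning of “mapped policies” and “cross-certified” in the answers above.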



How do interoperable digital identities address regulatory compliance?

Jeremy Grant, NSTIC

I would begin by reiterating that membership in the identity ecosystem will be voluntary. No organization or individual will be asked to accept or carry any specific form of credential. The voluntary nature of the identity ecosystem will significantly simplify compliance.

Private sector partners and stakeholders, working together, will be able to establish trust frameworks and a policy foundation with which all participants will comply. The maintenance of a trusted status and the desire to continue to benefit from the advantages of identity ecosystem participation will drive entities to maintain compliance. Significant steps have already been made to address important issues of regulatory compliance. The establishment of the Federal Public Key Infrastructure Trust Framework has begun connecting the public and private sector through the use of interoperable credentials, established standards and effective accreditation systems. While government agencies are mandated to comply with policy, corporate entities who wish to participate must maintain the standards and policies outlined in the trust framework in order to continue participation. This is just one initiative in the greater Federal ICAM effort.

Mollie Shields-Uehling, SAFE-BioPharma

Biopharmaceuticals and health care are highly regulated sectors. The SAFE-BioPharma standard requires that the credential is tightly bound to the user’s vetted identity and provides strong authentication with every use.

The standard, which was developed with participation from the U.S. Food and Drug Administration and the European Medicines Agency, has widespread regulatory acceptance and is 21 CFR Part 11 compliant. We have certified that our privacy policy is compliant with the U.S. Department of Commerce and European Union Safe Harbor requirements for protection of personal data. And SAFE-BioPharma digital signatures are consistent with FDA and EMA requirements for digital signatures. Use of SAFE-BioPharma signatures to digitally sign submissions made to the FDA’s Electronic Submissions Gateway has been ongoing since September 2006.

Judith Spencer, CertiPath

Interoperable digital identities are tools that can be used by implementers in meeting specific regulatory requirements. In and of themselves, interoperable digital identities don’t address regulatory compliance, which differs from industry to industry. Rather the operating rules of the associated trust framework meet certain levels of assurance and observe specific privacy principles that enable industry sectors to be selective in order to address regulatory compliance.

Scott Rea, REBCA

When it comes to regulatory compliance, interoperable digital identities perform a vital role in the consistent securing of data through its life cycle, where there are regulations for the use of identity and authentication standards or for the protection of information and other data, especially when that data is shared across organizational boundaries. The Family Educational Rights and Privacy Act (FERPA), for example, is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The use of interoperable digital identities can facilitate the secure sharing of student data between institutions and with the student themselves or those they grant a release of data. Interoperable digital identities ensure that FERPA requirements are being met through the application of consistent data security controls.


Explain the role of standards in achieving privacy, security, and interoperability.

Jeremy Grant, NSTIC

Instituting open and accepted standards is essential to establishing trust within the identity ecosystem. However, standards by themselves do not increase or impair security or privacy. In order to achieve privacy, security, and interoperability it will be necessary to also create an enforcement mechanism which assures that solutions in the ecosystem support the framework.

Mollie Shields-Uehling, SAFE-BioPharma

Standards are the policies and rules whose alignment allows for order in achieving privacy, security and interoperability. Their use is essential to achieve interoperability at the technical and policy levels. SAFE-BioPharma is a standard and our policies are aligned with those of other trust hubs, including those employed by each of the other Four Bridges Forum participants.

Scott Rea, REBCA

Without standards, any disparate heterogeneous distributed community will have difficulty achieving privacy, security and/or interoperability. When multiple parties are involved, without bilateral agreements between each and every one, it may be impossible to guarantee any sort of privacy or security required of trust infrastructures. Such bilateral agreements are extremely inefficient as is any system involving more than just a few participants.

Setting standards for a varied trust community and auditing against those standards is the most efficient way to ensure there is consistent application of controls and interoperability amongst the participants.

Judith Spencer, CertiPath

Interoperability of digital identities requires conformity with standards across three axes: technology, process and policy/governance.

Technology standards drive uniformity in the implementation of specific technical solutions and with increased uniformity comes increased interoperability among products from different providers. Process standards ensure uniformity in the way digital identities are deployed and managed, which enhances trust. Finally, policy and governance standards provide the overarching framework that addresses the privacy and security aspects of digital identities.

Become a Certified Smart Card Industry Professional About CSCIP Professionals now have the opportunity to increase their industry knowledge, sharpen their professional skills, and take charge of their personal professional development. A CSCIP certification means you have passed a rigorous, comprehensive smart card technology and applied business applications education program and gained recognition as a certified smart card industry professional.

Join LEAP and make the SMART career move LEAP is an individual membership option offered by the Smart Card Alliance that offers exclusive industry knowledge, professional networking, and access to the only accreditation program (CSCIP) available for smart card industry professionals. LEAP is available to everyone, with special discounts offered to Alliance members. For more information, visit http://www.smartcardalliance.org/pages/activities-leap.

The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. http://www.smartcardalliance.org.

Next test dates DECEMBER 9, 2011 Shanghai, CHINA FEBRUARY 9, 2012 Salt Lake City, UT MARCH 6, 2012 Las Vegas, NV MAY 23, 2012 San Francisco, CA Visit the LEAP web site for future exam locations and dates in 2011 and 2012.



Do you envision a global proliferation of identity trust hubs?

Jeremy Grant, NSTIC

I envision that the market will determine this. From a private sector perspective, I think the roles within the identity ecosystem offer many sectors a chance to participate in a meaningful way. We are already seeing organizations with large user populations form frameworks to support interoperable federated digital identities. Service providers, such as firms in health care, e-commerce and finance certainly can reap benefits from participating in a trust framework, rather than issuing identities of their own.

Mollie Shields-Uehling, SAFE-BioPharma

Yes, most regulated industries and those exchanging secure and confidential information within their own industries and across industry and government borders will operate within an identity framework infrastructure. This enables them to take full benefit from the efficiencies of electronic communications in cyberspace. An ecosystem of identity trust hubs already is forming – i.e. the Four Bridges Forum – and is being actively advanced by the National Strategy for Trusted Identities in Cyberspace.

Judith Spencer, CertiPath

Identity Trust Hubs or Trust Frameworks already exist globally in the physical world and their influence will continue to grow in the virtual world. In many countries, they will be government sponsored, while in others they will be the product of government and industry partnerships. Over time, they will become the dominant trust mechanism for identity credentials in cyberspace. Just like the World Wide Web itself, there will be trust nodes that interconnect and broker trust across national boundaries, between industry sectors, and ultimately down to the individual computer user.

Scott Rea, REBCA

I would not necessarily categorize the expected expansion of identity trust hubs as a proliferation, but I do believe there will be some natural outgrowth of these types of services in those communities that demand it. Financial services, health services and utility services are likely sectors and in fact some developments are already underway in these communities. It will be critical for any decent sized heterogeneous distributed community with any sort of trust infrastructure requirement to establish standards and policies related to trust tokens.

How do interoperable digital identities play a role in your area of responsibility. Jeremy Grant, NSTIC

Mollie Shields-Uehling, SAFE-BioPharma

One of the most important responsibilities of my current position is the establishment of a National Program Office tasked with implementing the NSTIC. Our primary mission is to convene private sector representatives, consumer and privacy advocacy groups, individuals, and the government in an effort to implement the strategy. We are, in effect, a facilitator for the establishment of the identity ecosystem. That ecosystem will be built upon the four NSTIC guiding principles, that identity solutions will be privacy enhancing and voluntary; cost-effective and easy-to-use; secure and resilient, and; interoperable.

SAFE-BioPharma is the global standard for digital trust in the life sciences and its credentials are used to authenticate the identities of persons accessing applications and VPNs and to apply digital signatures to virtually every electronic document used from the discovery through all phases of clinical development and manufacturing. They are used by researchers to sign electronic laboratory notebooks documenting research activities. They are also used to sign electronic submissions made through the FDA’s eSubmissions Gateway and to EMA.

Scott Rea, REBCA Judith Spencer, CertiPath As a federation operator, CertiPath is the broker of trust that makes interoperable digital identities a reality within the aerospace-defense community as well as between aerospace-defense and various national governments. In addition, CertiPath works with organizations in establishing trusted physical access control systems that accept digital identity credentials from multiple sources and make access control decisions based on the relationship with the trust framework.

62

Winter 2011

Securing information can be a challenging mandate. Ensuring that only the correct individuals or processes can access and utilize specific data requires strong controls to be applied consistently through the entire ecosystem. Interoperable digital identities facilitate access and protection of data at appropriate levels of assurance for the type of transaction being undertaken. Many universities and centers collaborate on research projects and the data associated with this research can be more easily managed and protected – typically at lower costs – when interoperable digital identities are utilized.


Congress mulls smart card for Medicare ID
Proposed legislation revamps 1960s-era ID

A bill submitted to Congress proposes smart card IDs for Medicare recipients and providers. Sens. Mark Kirk (R-Ill.) and Ron Wyden (D-Ore.) and Reps. Jim Gerlach (R-Pa.) and Earl Blumenauer (D-Ore.) are the primary sponsors of the proposed legislation.

The Medicare ID has remained largely unchanged since the first one was issued almost 50 years ago, including a Social Security number printed on the face of the card. Proponents suggest that strong credentials could help prevent an estimated $60 billion a year in Medicare fraud. A smart card-based ID modeled on the Defense Department's Common Access Card could be one way to keep services in place while reducing waste and fraud, the bill proposes.

The current Medicare system has no way to truly know whether someone actually received a procedure. In a smart card-enabled system, Medicare applicants would go through identity verification and be issued a secure ID. When a service is performed, the beneficiary would use the card to verify the transaction. The verification would be done at the point of care and would require a second authentication factor, such as a PIN. Health care providers would also carry a smart card and would verify the transaction on their end with a biometric, so that both parties to a claim are authenticated at the time and place of service.

With 48 million Medicare beneficiaries and 1.65 million providers, deploying such a system would cost $1.9 billion, assuming $35 per person, says Kelli Emerick, executive director of the Secure ID Coalition. She estimates that $550 million would have to be budgeted annually for maintenance. Emerick believes a smart card system could cut fraud by 66%, which against the $60 billion estimate and net of the $1.9 billion deployment cost she puts at a $37.7 billion return in the first year, or $377 billion over 10 years (the 10-year figure does not net out the annual maintenance cost).

President Lyndon B. Johnson signed the Medicare Bill into law in July 1965. Since then the look of the Medicare card hasn't changed, including the use of the Social Security number on the face. President Johnson signed the bill at the Harry S. Truman Library in Independence, Mo.

Following introduction, the Medicare Common Access Card Act of 2011 will be referred to the Senate Finance Committee. As of late October no hearing had been scheduled on the bill. Additionally, in its report to Congress due Nov. 23, the Congressional Super Committee created in the July debt limit deal could include a package to combat Medicare system waste. "There's a ton of interest to do something simple and straightforward and the cost savings is very intriguing and appealing to a lot of congressional folks," Emerick says.

The bill proposes pilots in five areas with $29 million in funding from the Medicare Improvement Fund. The Secretary of Health and Human Services will design and implement the pilots in geographic areas considered to be of high programmatic risk. Goals of the pilots include:

• Increase the quality of care
• Reduce the potential for identity theft
• Improve the accuracy of the Medicare billing system
• Prevent waste, fraud and abuse

The pilot program will make use of existing federal standards for identity credentials and biometric data and will protect data through existing federal privacy and security standards. After one year HHS will report back to Congress with the status of the deployment, the usability of the card system and the measures taken to protect data. Two years after implementation, HHS is required to report to Congress with an additional analysis that will discuss findings from the Medicare smart card pilots and make recommendations for the expansion of the program nationwide. AARP and senior rights advocate Wilford Brimley joined the bipartisan members of Congress in announcing their support for the legislation.



[Map: states issuing e-passports and states with issuance pending]

E-passports spread to half the globe
Ryan Clary, Contributing Editor, AVISIAN Publications

Nearly half of all United Nations (U.N.) member states are now issuing biometric e-passports, according to the newest data from the International Civil Aviation Organization (ICAO), the U.N. agency that oversees international air travel. ICAO, which held its 20th TAG/MRTD meeting in September, reports that 93 of 193 U.N. member states now issue e-passports, with 21 additional countries ready to deploy the technology in the next 12 to 48 months. ICAO estimates that as of July 2011 these 93 states have issued more than 345 million e-passports, of which almost 340 million are in circulation.

Per ICAO specifications, each of these documents contains a contactless integrated circuit chip that stores biometric data (facial, fingerprint or iris) of the passport holder along with the identification data printed in the document. That data is digitally signed by the issuing state so that a reader can detect alteration, and the chip-to-reader session is protected by access-control keys that the reader must derive from the document itself. Forty-five of the e-passport issuing states store both fingerprint and facial data on their documents, while 34 store only facial data. The remaining 14 states currently use facial data but will begin including fingerprints by the end of 2011.

Winter 2011

According to ICAO's findings, the U.S. remains the largest issuer with 72 million documents issued to date, 13 million of them in the past year. The UK, which issued 5 million e-passports in 2011, ranks second with 27 million in total.

By region, Europe leads the pack, with France, Spain, Italy, the Netherlands and Germany each issuing more than a million e-passports in the past year.

However, according to Acuity Market Intelligence, Europe will soon be challenged by the Asia Pacific region, which is projected to issue 55 million documents in 2014 alone, 42% of the global total. Altogether, Acuity projects that 26 Asia Pacific nations will be issuing e-passports by 2014.

Japan and India lead the Asia Pacific region, each with 20 million e-passports issued to date. According to ICAO, India rolled out 12 million documents in the past year, compared to Japan's 4 million. They are followed by the Philippines with 12 million issued to date and Australia with nearly 11 million.

The other nations planning to issue e-passports in the near future include Armenia, Azerbaijan, Bahrain, Belarus, Cameroon, China, Colombia, Israel, Jamaica, Kenya, Kuwait, Lebanon, Oman, Panama, Saudi Arabia, Sri Lanka, Ukraine, Uzbekistan and Vietnam. Many states in Africa, Central America and South America have yet to commit to the new technology, although several major countries, including Mexico and South Africa, are among the 21 nations listed by ICAO as "pending" for e-passport deployments.

Report: 90% of passports chip-enabled by 2016
IMS Research predicts that within five years 90% of passport holders will be using e-passports with integrated smart card IC chips. Nearly half of all passports issued today use smart chip technology, thanks to a rapid migration that started in 2007. "This trend is set to continue," states Alex Green, author of the IMS report "Electronic Government and Health Care ID Cards." "There are still a few countries around the world that are not yet issuing e-passports. However, most have started and with the typical five to ten year replacement rates for passports, it is only a matter of time before all passports in circulation are e-passports," explains Green. The report examines the use of biometrics in e-passports, which is still largely limited to a digital image of the holder's face stored on the IC. Green says this will change: "By 2014, the situation is forecast to have been reversed. By this time the majority of passports being issued will also include additional biometric data such as one or more fingerprints, iris scans, etc."

E-passport issuance by state (Source: ICAO)

Country | Start date | Annual issuance | Issued to date
--- | --- | --- | ---
Albania | Jun-09 | 450,000 | 900,000
Algeria | 2010 | 500,000 | 500,000
Andorra | Sep-06 | 4,000 | 19,000
Argentina | 2010 | 2,000,000 | 1,500,000
Australia | Oct-05 | 1,800,000 | 10,800,000
Austria | Jun-06 | 500,000 | 2,500,000
Bahamas | Dec-07 | 52,000 | 200,000
Belgium | Nov-04 | 500,000 | 3,500,000
Bosnia Herzegovina | Oct-09 | 300,000 | 600,000
Botswana | Mar-10 | 100,000 | 120,000
Brazil | Jan-10 | 1,500,000 | 2,200,000
Brunei | Feb-07 | 21,000 | 80,000
Bulgaria | Mar-10 | 500,000 | 750,000
Cambodia | Nov-08 | 220,000 | 600,000
Canada (limited) | Jan-09 | 3,500,000 | 50,000
Chile | Dec-09 | 300,000 | 480,000
Congo Dem. Rep. | Apr-09 | 250,000 | 400,000
Cote d'Ivoire | Jul-08 | 200,000 | 600,000
Croatia | Jul-09 | 200,000 | 400,000
Cyprus | Dec-10 | 32,000 | 16,000
Czech Rep. | Sep-06 | 800,000 | 2,700,000
Denmark | Aug-06 | 750,000 | 3,750,000
Dominican Rep. | May-04 | 480,000 | 3,360,000
Estonia | May-07 | 50,000 | 200,000
Finland | Aug-06 | 400,000 | 2,000,000
France | Apr-06 | 3,500,000 | 18,000,000
Gabon | Jan-09 | n/a | n/a
Georgia | Jun-10 | 35,000 | 35,000
Germany | Nov-05 | 3,000,000 | 15,500,000
Ghana | 2010 | 240,000 | 240,000
Greece | Aug-06 | 1,000,000 | 4,000,000
Hong Kong | Feb-07 | 500,000 | 1,500,000
Hungary | Aug-06 | 800,000 | 3,500,000
Iceland | May-06 | 45,000 | 200,000
India | Jun-08 | 12,000,000 | 20,000,000
Indonesia | 2010 | 2,500,000 | 2,500,000
Iran | Jul-07 | 1,000,000 | 1,500,000
Ireland | Oct-06 | 600,000 | 2,800,000
Italy | Oct-06 | 2,500,000 | 11,200,000
Japan | Mar-06 | 4,200,000 | 20,000,000
Kazakhstan | Jan-09 | 65,000 | 130,000
Korea (South) | Mar-08 | 4,000,000 | 10,000,000
Kosovo | 2010 | 300,000 | 200,000
Latvia | Nov-07 | 300,000 | 1,000,000
Liberia | 2011 | 14,000 | 4,000
Libya | 2009 | 20,000 | 30,000
Liechtenstein | Oct-06 | 6,700 | 30,000
Lithuania | Aug-06 | 230,000 | 1,100,000
Luxembourg | Aug-06 | 25,000 | 110,000
Macao | Sep-09 | 180,000 | 150,000
Macedonia | Apr-07 | 180,000 | 1,100,000
Madagascar | 2010 | 80,000 | 80,000
Malaysia | Mar-10 | 1,300,000 | 1,500,000
Maldives | Jul-07 | 30,000 | 100,000
Malta | Oct-08 | 16,000 | 40,000
Monaco | Jul-05 | 3,000 | 18,000
Montenegro | May-08 | 20,000 | 70,000
Morocco | 2010 | 200,000 | 150,000
Mozambique | 2011 | 200,000 | 20,000
Netherlands | Aug-06 | 1,800,000 | 10,000,000
New Zealand | Nov-05 | 720,000 | 2,600,000
Nigeria | Aug-07 | 1,100,000 | 5,000,000
Norway | Oct-05 | 600,000 | 3,600,000
Philippines | Aug-08 | 5,000,000 | 12,000,000
Poland | Aug-06 | 1,500,000 | 7,500,000
Portugal | Jul-06 | 400,000 | 2,000,000
Qatar | Apr-08 | 15,000 | 45,000
Romania | Jan-09 | 1,000,000 | 2,000,000
Russia | Sep-06 | 2,200,000 | 7,500,000
San Marino | Oct-06 | 2,000 | 10,000
Senegal | Dec-07 | 620,000 | 1,300,000
Serbia | Jul-08 | 440,000 | 1,300,000
Singapore | Apr-06 | 600,000 | 3,000,000
Slovakia | Jan-08 | 750,000 | 1,500,000
Slovenia | Aug-06 | 51,000 | 250,000
Solomon Islands | 2009 | n/a | n/a
Somalia | Jan-07 | n/a | n/a
Spain | Aug-06 | 2,000,000 | 10,000,000
Sudan | May-09 | 100,000 | 200,000
Sweden | Oct-05 | 825,000 | 5,100,000
Switzerland | Sep-06 | 750,000 | 3,500,000
Taiwan | Dec-08 | 1,500,000 | 4,000,000
Tajikistan (limited) | Feb-10 | 40,000 | 50,000
Thailand | May-05 | 860,000 | 5,200,000
Togo | Aug-09 | 30,000 | 50,000
Turkey | Jun-10 | 1,430,000 | 1,500,000
Turkmenistan | Jul-08 | 80,000 | 200,000
United Arab Emirates | 2010 | 300,000 | 400,000
United Kingdom | Mar-06 | 5,000,000 | 27,000,000
USA | Aug-06 | 13,000,000 | 72,000,000
Vatican City | Jun-08 | 0 | 2,000
Venezuela | Jul-07 | 420,000 | 1,200,000

[Two further columns in the source table, "PKD use" and "Reading ePassports" (Yes or Pending per state), could not be recovered from this copy.]

Issuance strong but usage lags

Despite the growing numbers, ICAO reports that less than a third of e-passport issuing nations participate in the organization's Public Key Directory (PKD), a system ICAO says is "key" to maintaining the global interoperability of e-passports.

The PKD acts as a central broker for the exchange of the public key certificates with which states sign their passports and of the certificate revocation lists that withdraw trust from compromised signing keys. ICAO says the PKD plays a critical role in minimizing the volume of certificate lists that states must otherwise exchange bilaterally and is essential to keeping the exchange of these crucial lists accurate and timely. A state outside the PKD must obtain other states' certificates and revocation lists some other way, or it cannot tell a validly signed chip from one signed with a key that has since been revoked.

Even fewer states use Automated Border Crossing systems, which require the traveler to pass through e-gates that verify the biometric information stored on the passport. ICAO reports that 15 nations now use such systems, of which six employ facial scans, six check fingerprints and the remaining three use both. According to ICAO, just eight states read e-passports at airports and borders: the U.S., the U.K., Singapore, Portugal, New Zealand, Japan, Indonesia and Germany.
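What PKD participation buys an inspection system is easiest to see in code. The Go program below is an added example, not ICAO's software or any state's: it models a country's Country Signing CA (CSCA) and Document Signer certificate (DSC), a simplified Security Object (the real one is CMS SignedData over the data-group hashes), a CSCA-issued CRL, and the passive authentication a reader performs with the PKD as its trust store. The country codes, serial numbers, validity periods and data-group contents are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer is one state's signing hierarchy: its CSCA (published to others via the PKD master list)
// and the Document Signer certificate (DSC) the CSCA has issued to sign passports.
type Issuer struct{ CSCA, DSC *x509.Certificate; cscaKey, dscKey *ecdsa.PrivateKey }

// SOD is a simplified Security Object: SHA-256 of each data group (DG1 = MRZ, DG2 = face, ...)
// under a DSC signature. A real SOD is CMS SignedData; the checks a reader makes are the same.
type SOD struct{ DGHashes map[int][]byte; Signature []byte; DSC *x509.Certificate }

func newCert(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert
}

// NewIssuer builds a CSCA and a DSC for a country code; keys are generated for the example only.
func NewIssuer(country string) *Issuer {
	cscaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dscKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now, subject := time.Now(), pkix.Name{Country: []string{country}, CommonName: "CSCA"}
	cscaTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(15, 0, 0), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	csca := newCert(cscaTpl, cscaTpl, &cscaKey.PublicKey, cscaKey)
	subject.CommonName = "Document Signer"
	dscTpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)}
	return &Issuer{csca, newCert(dscTpl, csca, &dscKey.PublicKey, cscaKey), cscaKey, dscKey}
}

// sodEncoding is the signed material: tag||hash per present DG in fixed order. Every entry is
// exactly 33 bytes, so two different hash lists can never encode to the same bytes.
func sodEncoding(dgHashes map[int][]byte) (enc []byte) {
	for n := 1; n <= 16; n++ {
		if dg, ok := dgHashes[n]; ok {
			enc = append(append(enc, byte(n)), dg...)
		}
	}
	return enc
}

// Personalize is the issuing side: hash each data group and sign the list with the DSC.
func (i *Issuer) Personalize(dgs map[int][]byte) *SOD {
	hashes := map[int][]byte{}
	for n, content := range dgs {
		sum := sha256.Sum256(content)
		hashes[n] = sum[:]
	}
	digest := sha256.Sum256(sodEncoding(hashes))
	sig, err := ecdsa.SignASN1(rand.Reader, i.dscKey, digest[:])
	if err != nil { panic(err) }
	return &SOD{DGHashes: hashes, Signature: sig, DSC: i.DSC}
}

// CRL has the CSCA publish a revocation list naming one certificate, e.g. a compromised DSC.
func (i *Issuer) CRL(revoked *x509.Certificate) *x509.RevocationList {
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().AddDate(0, 3, 0),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}
	der, err := x509.CreateRevocationList(rand.Reader, tpl, i.CSCA, i.cscaKey)
	if err != nil { panic(err) }
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// PKD is a reader's local copy of what ICAO's directory distributes: trusted CSCA certificates and CRLs.
type PKD struct{ Roots *x509.CertPool; CRLs []*x509.RevocationList }

// PassiveAuthentication: chain the DSC to a CSCA in the PKD, consult that CSCA's CRLs, verify
// the DSC signature on the SOD, then confirm every data group read hashes to what the SOD lists.
func PassiveAuthentication(pkd PKD, sod *SOD, dgs map[int][]byte) error {
	chains, err := sod.DSC.Verify(x509.VerifyOptions{Roots: pkd.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil { return fmt.Errorf("DSC does not chain to a trusted CSCA: %w", err) }
	csca := chains[0][len(chains[0])-1] // the trust anchor the chain ended at
	for _, crl := range pkd.CRLs {
		if crl.CheckSignatureFrom(csca) != nil { continue } // another CSCA's CRL, or a forgery: it cannot speak for this DSC
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(sod.DSC.SerialNumber) == 0 { return fmt.Errorf("DSC serial %s revoked by its CSCA", rc.SerialNumber) }
		}
	}
	if err := sod.DSC.CheckSignature(x509.ECDSAWithSHA256, sodEncoding(sod.DGHashes), sod.Signature); err != nil {
		return fmt.Errorf("SOD signature does not verify under the DSC: %w", err)
	}
	for n, content := range dgs {
		got := sha256.Sum256(content)
		if want, ok := sod.DGHashes[n]; !ok || string(want) != string(got[:]) {
			return fmt.Errorf("data group %d is altered or not covered by the SOD", n)
		}
	}
	return nil
}
```

The three things the check enforces are the three the PKD exists to support: the DSC must chain to a CSCA the reader already holds, a CRL is honoured only if the CSCA the chain ended at actually signed it, and a DSC listed on such a CRL is rejected even though its signature on the chip still verifies. A reader outside the PKD has no timely source for that last piece and keeps accepting chips signed with a revoked key.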



Homeland Security's Global Entry expanding
Biometrics enable expedited border screening

The U.S. Department of Homeland Security's Global Entry program is expanding, enabling enrolled U.S. citizens to enjoy expedited screening when returning from travel abroad at a number of domestic airports. The program also makes them eligible to participate in similar programs at foreign airports. Global Entry has 200,000 travelers enrolled, says John Wagner, executive director of Admissibility and Passenger Programs at U.S. Customs and Border Protection. It's open to U.S. citizens and permanent residents as well as citizens of Canada, Mexico and the Netherlands via reciprocal arrangements.

Global Entry requires travelers to undergo a background check and submit biometric data in order to receive expedited processing at U.S. airports. When the traveler returns from an international trip, he proceeds to a kiosk to present his passport rather than getting in line to see a customs officer. Currently there are 137 Global Entry kiosks at the top 20 U.S. airports. At the kiosk, the traveler's fingerprints are scanned and compared against the fingerprints on file to authenticate identity. Customs declaration questions are answered on the kiosk's touch screen. The system runs a series of checks in the background and prints a receipt that the traveler presents as he departs the facility. "If they don't have checked bags they can get out of the CBP area in less than a minute processing," Wagner says.

There are pilots underway to further extend the program, Wagner says. Testing is underway with a select number of UK citizens, and next year there are plans to conduct pilots with Germany and Korea. Other countries may also be on the horizon. "We've had very good discussions with Japan. We've had some interest with countries like France, Singapore, and Australia, New Zealand, but there's still a lot of details to be worked out with those countries," Wagner adds.

Foreign travelers wishing to participate in the program must undergo two background checks, Wagner says. "Those countries have agreed to perform a similar set of background checks against their own databases and confirm to us whether that applicant passes the series of checks in their home country," Wagner says. "Then of course we'll run the checks on our side and do the interview and fingerprinting as well."

The reciprocity with the Netherlands has enabled U.S. citizens to join that country's trusted traveler program, Wagner says. If the pilot programs with other countries go well, that type of reciprocity will be extended, opening up more options for U.S. citizens.

Global Entry participants also can access a domestic trusted traveler pilot program that the Transportation Security Administration is testing at four U.S. airports with two separate airlines. Citizens participating in Global Entry, SENTRI or NEXUS are eligible to participate in that pilot free of charge. SENTRI and NEXUS are the expedited traveler programs on the U.S. borders with Mexico and Canada. Travelers enter their Global Entry number when making their airline reservation. "When you get to the TSA security screening checkpoint at one of those airports, you may be directed to a line that offers an expedited screening process," Wagner says. "So you don't have to take off your shoes, you don't have to take your liquids out of the bag, you can leave your jacket on, things like that."


PIV, PIV-I and FIPS 201 approved products

Research detailed product listings and compare different vendor offerings online at FIPS201.com, the most robust source for FIPS 201, HSPD-12, ISO 24727, PIV and PIV-I products and services.

Recently approved products

Caching Status Proxy
• Software House CCURE 9000 (Software House, Tyco Security Products)

Cryptographic Module
• Luna PCI 7000 Cryptographic Module (SafeNet, Inc.), approved in these configurations: used in Luna SA with Cloning (parts 908-000057-002 and 908-54005-006); used in Luna SA with Key Export with SIM (parts 908-54011-005 and 908-54011-006, plus two listings without a part number); used in Luna SA with No Cloning (parts 908-000061-002, 908-54009-005 and 908-54009-006); used in Luna SA with SIM (parts 908-000055-002, 908-54003-005 and 908-54003-006)

PIV Card (Oberthur Technologies)
• ID-One PIV (Type A) Large D Hybrid 125
• ID-One PIV (Type A) Large D Hybrid 125 G
• ID-One PIV (Type A) Standard D
• ID-One PIV (Type A) Standard D Hybrid 125
• ID-One PIV (Type B) Large D

Transparent Card Reader
• C500 Smart Card Reader (Zvetco, LLC)
• Smart Card Reader Keyboard (ATEN Technology, Inc., DBA IOGear)

Ready to explore compliant credentialing for your enterprise? FIPS201.com is the best place to learn about the array of products certified by the US federal government for PIV and PIV-I use. Heralded as the future of standards-based identity systems, PIV-I solutions are launching or being evaluated by corporations, first responder groups, campuses, hospitals and other organizations where security is key and standards-based solutions are embraced. Begin your investigation at FIPS201.com to find the latest project news, access documents and presentations from pioneering organizations, and evaluate products, from cards and readers to biometrics and cryptographic elements.

FIPS201.com, the premier resource for compliant credentialing, an id technology resource

Get your FIPS 201 Approved Product listed on FIPS201.com, with customized photos, links, brochures, contact information and more. Contact info@fips201.com for more information.

Contact: Ryan Kline, 850-391-2273, ryan@avisian.com, info@fips201.com

Visit FIPS201.com to research and compare approved products.


Death knell for plastic cards? Don't get the shovel quite yet
Zack Martin, Editor, AVISIAN Publications

The death of the plastic card has been discussed for some time. In the last year this refrain has become more frequent as mobile devices become more powerful, talk of mobile wallets increases and the handset is touted as a viable identity credential.

With near field communication on the horizon, card manufacturers are understandably concerned about the longevity of their core business. In October, I spoke to a group of card manufacturers about the future of payment and identification technology. One of the chief concerns expressed in the Q&A: are plastic cards nearing the end of their lifespan?

Long story short, the card isn't going away anytime soon. Don't get me wrong, the mobile is going to be huge and the card industry should be preparing for it. More than half of 18-to-29-year-old U.S. adults now own smart phones, and overall 35% of U.S. adults own a smart phone, according to a July 2011 study from the Pew Research Center Internet & American Life Project.

But between new payment technologies, including EMV and NFC, and various identity initiatives there will still be a market for cards, though it's likely that more and more of these cards will be much more advanced than they are now.

In the payments world, just because people have NFC handsets and merchants can accept them doesn't mean plastic goes away. U.S. banks are just now beginning to issue EMV cards. The new Visa rules that give merchants a PCI waiver for deploying terminals that accept EMV and NFC are the first move in that direction. While Visa's first deadline for the PCI waiver is October 2012, it's going to take time for merchants to switch over their point-of-sale infrastructure. There's also the learning curve and comfort with a new technology.

I may be comfortable paying for my coffee with my mobile, but when I'm buying a new television I'll want something a bit more secure. And how many people are going to feel comfortable turning on the payment app and then handing the phone to a waiter to pay for a meal at a restaurant? On the identity front it's more difficult to tell what the credential of the future will look like, but the card is certainly a leading candidate. The National Strategy for Trusted Identities in Cyberspace is looking to add extra security for online identification, and smart cards will be an option.

There are also the government projects. While government PIV issuance is pretty close to complete, the market for PIV-I could be enormous: more than 50 million credentials, some predict. Police, fire fighters, EMTs and utility workers could all one day carry PIV-I credentials. The corporate market is also looking at PIV-I. Large companies with multiple offices want a standardized specification that can be used anywhere.

The mobile will have a role in the identity space too. FIPS 201 is undergoing a revision and federal smart card officials want to be able to port PIV functionality to the mobile device; whether the draft will include that capability is still being decided. The mobile will also likely play a role in the national strategy. It doesn't require the issuance of a new credential, and it can be used in a number of ways with computers: connecting to a PC for multi-factor authentication, digital certificate transfer or one-time pass code generation. With more handsets shipping with onboard biometric readers, there is the possibility of three-factor authentication with the phone and the computer.

Card manufacturers need to prepare for the future. There may be fewer cards issued in the future; then again the numbers may not decrease. What seems certain, however, is that the cards that are issued will be more advanced. I've been covering industries that use plastic cards for almost 12 years, and just about every year someone predicts the end of the plastic card. It hasn't happened yet, and I suspect we may still be having this conversation 12 years from now.

