A SURVEY OF ID TECHNOLOGY - FALL 2013 - ISSUE 35
[Cover: mock-up of a user-centric identity dashboard. User: Jack Smith. Attribute Class One: Gender: Male; DOB: 03-14-1964; Occupation: Physician; Marital status: M; Residence: Tampa, Florida, USA. Panels: PII requests pending; Personal Cloud units remaining; Shared data credits earned. Pending attribute requests: geo-location inquiry (relying party: Sony_Electronics, IMC4398) and date of birth verification (relying party: Pasco_Cty_Voter_Registration).]
Cover story: Giving the user control of online identity
The path to interoperability.
HID iCLASS SE
Open, adaptable and powerfully secure, iCLASS SE® is the platform that simplifies everything.
iCLASS SE® is HID Global's next-generation access control platform that enables authentication of a wide variety of commercial credential technologies. A highly flexible reader family along with an array of multi-technology credentials ensures interoperability in a variety of technology environments. iCLASS SE is also enabled for NFC mobile phones and other smart devices. Now you can use multiple form factors to create your ideal access control solution today. For more information, visit hidglobal.com/path-reid. © 2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, iCLASS SE, Secure Identity Object, SIO and Seos are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners.
WHAT SECURITY DEMANDS, DATACARD® ID SYSTEMS DELIVER.
Whatever you need for a secure ID card program, you can get it from a Datacard® system. Datacard Group offers ID card printers, software and supplies — plus 40 years of experience and the support of authorized Datacard providers worldwide. To contact a provider near you, call +1.800.621.6972 or visit datacard.com/id. Datacard is a registered trademark and/or service mark of DataCard Corporation in the United States and/or other countries. ©2012 DataCard Corporation. All rights reserved.
AUTHENTICATE PHYSICAL IDENTITIES, AUTOMATE PHYSICAL ACCESS, ACHIEVE AUDIT & COMPLIANCE 24/7
The SAFE software suite centralizes your disparate physical access platforms into a policy-based system that automates physical identity and access management. SAFE ensures that the right physical identity has the right access, for the right reasons, at the right time, with instant verification of who is where, why they are in that location, and who authorized their physical access. All of this is managed automatically to achieve full auditability and compliance with various regulations. SAFE's ability to automate these processes drives down operational costs. It's the most efficient way to manage employees, contractors, visitors and their access lifecycle in your organization. Make your world SAFE with Quantum Secure. quantumsecure.com • firstname.lastname@example.org • 1.408.687.4587
[Quantum Secure ad diagram: SAFE modules for physical identity and access management, including policy-based access request and approvals, watch list verification, physical access privileges based on background-check status, privileges based on role, visitor identity manager, badging, self-service portal, compliance manager, SAFE attestation audit and SAFE data match.]
CONTENTS
Giving the user control of online identity Up to this point, identity has been focused on the application, not on the user. This is changing as consumers demand more control over their personal data and enterprises make the switch to accept third-party issued credentials. Find out what user-centric identity is all about and what it’s going to take to get there.
34 Verizon: Come for the telephony, stay for the identity The telecommunications giant wants to be the online identity provider to the masses. In the wake of numerous data breaches resulting from weak credentials, Verizon is making inroads. With its cloud-based identity service, the company plans to make online transactions more secure.
40 OPACITY: Clearly adding security to contactless smart cards
U.S. government officials want to do more with the contactless interface on agency-issued smart cards, but concerns over the channel’s integrity has limited its use. Enter OPACITY, a standard that ups the security of contactless smart cards and ushers in greater functionality.
52 NSTIC pilots: One year and $9 million later It’s been a year since the first pilots for the National Strategy for Trusted Identities in Cyberspace were awarded. The winners are hard at work proving out different aspects of the next gen identity ecosystem. Check out their progress on key areas including leveling up social networking credentials, creating an attribute exchange network, building privacy and accessibility, adding multi-factor authentication and testing key use cases.
6 Editorial: User centricity is changing online ID - New approach shifts focus from issuer to individual
10 ID Shorts - News and posts from the web
11 Calendar - Industry events from the identity and security worlds
18 Podcasts - Mobile biometrics, biometric adoption rates, password weakness
24 Forging a user-centric future - Putting the user first in new online identity ecosystem
26 The personal cloud business model
28 Designing a user-centric identity system
30 Putting a dollar value on online identities
32 Postal Service delivering identity ecosystem - Cloud credential exchange enables feds to accept multiple online IDs
33 SecureKey awarded FCCX contract
34 Verizon: Come for the telephony, stay for the identity - Telecom giant aims to bring cloud-based ID to the masses
36 The dollars and ‘sense’ behind federating identity - Gov study: Outsourcing online IDs can save $100 million+
38 Derived credentials enable high assurance ID on mobile platforms - Vast possibilities, few real world deployments
39 New use case: Derived credentials expedite physical access transactions
40 A clear view of OPACITY - Emerging standard secures contactless smart card communications
42 Printing ID cards in a Mac environment
44 IP-based readers migrate intelligence to the door - Integrating physical access into the broader corporate enterprise
48 How to choose an Identity & Access Management solution - Commercial, cloud systems offer best options
50 New hologram tech protects high-value identity documents
52 NSTIC pilots - One year and $9 million later …
53 AAMVA - Leveling up social credentials
54 Criterion Systems - Creating an attribute exchange network
56 Internet2 - Building privacy and accessibility
57 Daon - Adding multi-factor authentication
58 Resilient Network - Testing use cases in health, education
60 The future of mobile biometrics
61 Device cameras enable continuous facial recognition
61 Voice biometric secures financial transactions on mobile phone
62 Japanese hotel IDs guests with facial recognition
62 Global biometric forecast: huge revenues by 2018
63 Europeans favor biometric identification of criminals, unsure on use for daily life
64 ‘Misguided focus’ on false acceptance rates hinders biometric adoption
64 HID awarded new gesture-based access control patents
65 GAO: Biometric exits at airports still a work in progress
66 Different PIN every time - Software-based, multi-factor alternative to hardware tokens
Knowing “who” matters! Sometimes it’s not enough that someone knows a password. Sometimes you need more certainty about who is accessing your facility, your records, your sensitive inventory — certainty that a password or a smartcard cannot provide alone. With patented multispectral biometrics, only Lumidigm can answer who without question. When it’s important to have greater assurance of who is accessing your assets, choose an authentication solution from Lumidigm. Questions? Visit www.lumidigm.com, email us at email@example.com or call +1 (505) 272-7057.
EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com
EDITOR Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com
CONTRIBUTING EDITORS Liset Cruz, Andrew Hudson, Jill Jaracz, Gina Jordan, Ross Mathis
ART DIRECTOR Ryan Kline
ADVERTISING SALES Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com
SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.
ABOUT REGARDING ID MAGAZINE re:ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2013 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.

USER CENTRICITY CHANGING ONLINE ID
NEW APPROACH SHIFTS FOCUS FROM ISSUER TO INDIVIDUAL
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
My first introduction to smart cards was back in 1999 writing about the U.S. Department of Defense starting to issue smart cards to soldiers. The sky was the limit for these cards, and at the time, it was bleeding edge stuff. Smart cards and biometrics have come a long way since then. Millions of cards have been issued in the Defense Department alone, not including those issued to other federal agency employees.

Smart cards are still considered the gold standard when it comes to security, but for mass scale online consumer identity, other technologies are far more likely to fill the void. Cloud-based and mobile solutions seem to be stepping up to claim the key roles in securing online identities. One certainty is that the future of online identity will be focused around the consumer. This issue takes a long look at the idea of user-centric and federated identity and what this will mean for the consumer and the enterprise.

What is user-centric identity? Think about extending the Facebook, Google, Yahoo or other account logins to access other sites. This is a basic example of federated identity, as the same login is shared and trusted by multiple parties. But when a user clicks on that button agreeing to use their Facebook login, do they read the popup and figure out what information will be given up? Readers of this magazine may, but most consumers almost certainly do not. If you click on that button you may well be sharing your name, date of birth, email address, physical location, list of friends and more. For giving up that data you get the convenience of using that same login at the other site. For some it may seem a worthwhile tradeoff, but others don't see the value.

In a user-centric world, the consumer would be able to click the button to use a federated login, but instead of being told what information would be shared, there would be choices. The user could choose to share email, other data or nothing at all. This is user-centricity, as it puts the consumer in control of the identity.

The problem I foresee with the user-centric model lies with the relying parties, those organizations that will accept these federated identities. Today they have a free flow of information from consumers. It will take a sizeable carrot to convince them to give this up. Some say regulations will be a large enough stick, but I am unconvinced that this alone will suffice. Still there is the potential for better data with user centricity. If a user opts in and freely gives up information, then that suggests they're interested in that product and are more likely to act. Marketers may not be getting as much data, but the data they do get will be more valuable.

Security will also be improved in a user-centric ecosystem. Vendors plan to deploy a series of multi-factor solutions, both active and passive. No longer will user names and passwords be the standard, as consumers will likely have a selection of one-time passcode techniques, geo-location, device recognition and other technologies from which to choose. The National Strategy for Trusted Identities in Cyberspace also encourages a focus on consumer choice and control. The tenets of user-centric identity can be seen in many of the pilots detailed in this issue. While it might not result in the smart card in the hand of every consumer as I envisioned back in the late 90s, user centricity can give the consumer choice, portability and better security for online identities.
October 15-16, 2013 • Washington, DC • Walter E. Washington Convention Center
Smart Card Alliance and Re:ID Magazine present:
Opportunities for relying parties in NSTIC and the new identity ecosystem
THE FIRST EVENT FOCUSED ON THE BUSINESS OF USER-CENTRIC IDENTITY User-Centric ID Live is a comprehensive forum to address business challenges and commercial opportunities surrounding user-centric identity. The time is now. The products and services are being defined that will allow individuals to manage their personal identity across a range of web resources and mobile apps, commercial enterprises, retail and hospitality environments, in the workplace, at security checkpoints, and beyond.
EXPO
A concurrent exhibition will showcase the full range of technologies, solutions, and services that support the new user-centric ID ecosystem. Promotion opportunities at the conference are available for leading companies offering products, technologies and services in this evolving field. This is a unique opportunity to showcase your company to a receptive and eager audience. Contact: Bill Rutledge firstname.lastname@example.org +1 212-866-2169.
Conference sessions will focus on technologies, standards, implementations, applications, and business models in the new user-centric identity ecosystem. Also presented will be an overview of the market and the social and legal issues that arise with these new tools.
GET INVOLVED WITH NSTIC AND AN $11.9 BILLION MARKET
Helping expedite the market, the National Strategy for Trusted Identities in Cyberspace (NSTIC) outlines parameters for a user-centric identity ecosystem to be built and managed by the private sector. As the NSTIC pilots roll out this year, the opportunities for identity provisioning will expand exponentially as part of the $11.9 billion Identity and Access Management (IAM) market. Professionals who stay ahead of the knowledge curve will be ideally positioned to leverage these new identity models.
ORGANIZERS ORGANIZED BY THE IDENTITY INDUSTRY THOUGHT LEADERS Regarding ID magazine (Re:ID) delivers in-depth, unrivaled coverage of identity technologies and projects around the globe to a high-profile base of decision makers and innovators. The Smart Card Alliance’s 200+ member companies include the majority of commercial organizations involved in the creation of the new identity ecosystem.
MEET THE LEADERS DRIVING THE MARKET The leading companies and organizations driving the new identity ecosystem will present their ideas, provide insight and showcase technologies and solutions.
Results and challenges with the public-private identity ecosystem
User-centric identity concepts, technologies and how they will impact business
How retailers, banks, gov and others will consume identities in the new ecosystem
NSTIC program executive briefing Get the latest update on legislative and government perspectives from program insiders. Learn about prospective funding opportunities and new pilots.
Identity ecosystem for dummies A crash course in the concepts and technologies vying for dominance in the new realm of user-centric identity. Leave the session with the knowledge to talk-the-talk about the keys to next-generation identity.
Being a relying party is a good thing Explore the basics of relying parties and their role in the ecosystem. From health care and government to Web services and big-box retailers, the promise is protection against breaches and ID management database hacks.
Pilot progress: ‘Show me the numbers’ A panel of participants from the original pilots discuss initial results and unique test cases. Find out which trials could hold value for your organization. The global perspective: Competing and complementary initiatives Hear from leaders involved in Internet identity programs beyond U.S. borders. Can NSTIC work in tandem or will multi-national organizations be forced to support geospecific infrastructures?
Defining the major initiatives There are many identity initiatives in the market. Hear the ‘elevator speeches’ in a rapid-fire format from individuals driving and defining the key programs. Use cases: Implementing identity in real world environments Large-scale user-centric identity is just now emerging, but its building blocks have been deployed before. Hear from enterprises that have deployed solutions, how they have worked and how they will evolve.
Social networks as identity providers Some people love it, others hate it. Explore the pros and cons of using and consuming social network identities to authenticate users in your enterprise. Fortune 500 & SMB relying parties A mix of giants and startups discuss their participation in user-centric identity schemes and how they view their role in a future all-encompassing ecosystem.
Learn more and register at UCentricID.com Your conference badge includes access to the concurrent Smart Card Alliance Government Conference and Exhibition, the leading showcase for government projects in ID and security.
HIGHLIGHTS FROM SECUREIDNEWS.COM
MOBILE BROWSER ENABLES SMART CARD LOGIN
Biometric Associates LP announced the launch of the baiBrowser app that will enable U.S. government officials to access secure Web sites with smart cards on mobile devices. The baiBrowser app enables federal employees to use their iPhones and iPads, along with their government-issued smart card, to access secure web sites and portals that require smart card authentication. “Traditional iOS and Android browsers – Safari and Chrome – do not support smart card authentication of a mobile user to a secure web site,” says Mike Smith, director of business development for Biometric Associates. “However, with the baiBrowser, whenever a secure site requiring smart card authentication is accessed, the site can query the smart card through an encrypted Bluetooth connection.” The user's digital certificates stored on the smart card are displayed on the device and the user can choose the appropriate one, enter their PIN and log in. “The secure site can use the smart card to verify the identity of the mobile user and decide to grant access. The actual cryptographic operations are performed by the chip on the smart card,” Smith adds. The iOS version of the app is available as a free download from the iTunes App Store. The Android version is being tested by U.S. Government users and will be available in the Google Play Store in the second quarter of 2013.
ALLIANCE: SMART CARDS SHOULD SECURE HEALTH RECORDS
The Smart Card Alliance Health Care Council submitted comments calling for smart cards to be used to secure electronic health records. The comments were in response to a report from Republican Senators that examined health care IT adoption and some of the issues surrounding the systems. “REBOOT: Re-examining the Strategies Needed to Successfully Adopt Health IT,” was released in April by Senators John Thune (R-S.D.), Lamar Alexander (R-Tenn.), Pat Roberts (R-Kan.), Richard Burr (R-N.C.), Tom Coburn (R-Okla.) and Mike Enzi (R-Wyo.). The paper details concerns with current health IT policy, including increased health care costs, lack of momentum toward interoperability, potential waste and abuse, patient privacy and long-term sustainability. The Health Care Council submitted comments pointing to problems with identity management and authentication as the major issues undermining the secure use of electronic records. “There is a fundamental identity management and authentication problem in health care. We have no way to properly and securely identify patients and health care providers, match health care records and identify those that have authorized access to them,” said Michael Magrath, Gemalto, and chair of the Health Care Council. “If we are going to do it right and architect a safe, secure, and interoperable health IT infrastructure, it is critically important to address both provider authentication and patient authentication concurrently.” To solve the identity management problem, the council recommends the health care industry use existing federal initiatives and standards and move to smart card-based identity management and authentication. For healthcare providers, this can be accomplished in the form of PIV and PIV-I cards, smart card-based electronic identity credentials already used in several other government identity programs. For patients, identity management with smart health ID cards can improve patient quality of care, administrative efficiency, revenue collection and legislative compliance. The council states that a patient's health care record faces security challenges different from those of financial or other personal data. “Protecting an individual's medical information and their privacy is the most important and fundamental element of an electronic health record system. Personal health information warrants the need for very high confidence in the accuracy of the asserted identity of those who attempt to access it. Once an electronic health record is compromised and in the wrong hands, the damage to the individual's privacy is irreversible and the consequences can affect the victim for his or her lifetime. The security of personal health information is far different when compared to other types of personal information including financial. Unlike financial information, there are no policies and procedures in place to restore one's health information once it is compromised. Additionally, organizations and professionals have a fiduciary obligation to ensure transmission of information is properly authenticated between respective parties.” Smart cards can also help prevent medical identity theft, according to a report from Booz Allen Hamilton for the U.S. Department of Health and Human Services. “Few providers require any strong evidence of patient identity at the point of service. Patients are often asked to provide only verbal assertions of identity and coverage. However, technology solutions such as biometrics, smart cards or electronic patient records may be able to assist providers in verifying patients' identities based on past histories, demographics, or facial photographs.”

CALENDAR
User-Centric ID Live, Oct. 15–16, 2013, Walter E. Washington Convention Center, Washington, D.C.
Smart Card Alliance Smart Cards in Government, Oct. 15–16, 2013, Walter E. Washington Convention Center, Washington, D.C.
NFC and Mobile Money Summit, Oct. 22–25, 2013, Milano Congressi, Milan, Italy
ISC East, Oct. 30–31, 2013, Javits Center, New York City
CARTES Secure Connexions, Nov. 19–21, 2013, Paris Nord Villepinte, Paris, France
RSA Conference 2014, Feb. 24–28, 2014, Moscone Center, San Francisco, Cal.
NACCU Annual Conference, April 13–16, 2014, Sheraton Chicago, Chicago, Ill.
CARTES America, May 6–8, 2014, Mirage Conference Center, Las Vegas, Nev.
NATURAL SECURITY PILOT DEMONSTRATES HIGHER SPENDING
A six-month pilot of Natural Security's payment technology saw more than 800 transactions per month and higher transaction amounts than those with typical payment cards. Natural Security announced results of the pilot that included fingerprint and finger vein biometrics and mid-range contactless payment cards. The pilot was with financial institutions Banque Accord, BNP Paribas, Crédit Agricole, and Crédit Mutuel Arkéa as well as retailers Groupe Auchan and Leroy Merlin. The pilot was carried out in France from October 2012 to March 2013, and involved more than 900 consumers. Results include: 94% of participants said they were ready to use this payment option for all of their in-store purchases. The participants carried out almost 5,000 total transactions. The average transaction amount was €58.60, 15% higher than the value of the average card payment. Participants described the payment method as modern (74%), innovative (71%), secure (61%) and convenient (60%).
NEW SMART-SD CARDS FEATURE SINGLE WIRE PROTOCOL FOR NFC A new solution from the SD Association adds Single Wire Protocol (SWP) to support near field communications, adding a Secure Element to the microSD memory card. The new smartSD card supports authentication services and shifts control of the secure element from the service provider to the consumer. The smartSD is fully compatible with all SD-capable smart phones, tablets, computers and similar consumer electronic devices. The new NFC-enabled smartSD cards will be manufactured in the SD, SDHC and SDXC form factors. The cards will
be made available for consumers to purchase, or alternatively, be issued by various service providers including banks, credit card companies, retailers, transit providers and governments. “Adding smart-chip technology to microSD memory cards gives SD equipped smart phones and tablets new consumer conveniences whether they’re connected to the Internet or not,” explains Brian Kumagai, president of the SD Association. “We know consumers want more flexibility to expand their storage needs, and a simple way to participate in a variety of value-added services offered by a variety of companies and institutions today.”
ID SHORTS
BELL ID RELEASES NEW NFC SECURE ELEMENT FOR THE CLOUD
Bell ID launched a secure element in the cloud that promises to facilitate the provisioning of near field communication (NFC) based mobile services. The new secure element is capable of managing keys, certificates and NFC credentials in a secure remote environment as opposed to in the mobile device itself. This functionality provides app issuers an added level of control to manage their credentials without the help of a third-party provider. Bell ID's cloud secure element software has already seen commercial deployment. Using a standard contactless terminal and acceptance infrastructure, it supports complete EMV payment transactions via a remote SE. Upon conducting a transaction, the consumer's NFC credential is accessed via the remote secure element. Once this action is completed, the appropriate command is created and transmitted back through the mobile device to the point-of-sale terminal. The data presented follows the same format used in standard card-present transactions, but the NFC-enabled secure element can also pre-authorize payments, meaning consumers can conduct transactions even when not connected to the server. To account for security concerns, the new software secure element solution comes outfitted with instant fraud detection and can immediately block an application when necessary. Additionally, storing the secure element in the cloud boosts computing power and expands storage capabilities when compared to previous physical secure elements.
GEMALTO PROVIDES TSM FOR MOBILE NFC TICKETING IN FRANCE
Gemalto has been selected by French transport group Keolis to provide and operate the Allynis Trusted Service Management (TSM) services for the NFC mobile ticketing roll out in the territory of Caen la mer. Transit passengers in Caen are able to use their NFC mobile phone to ride city transportation with ease. Registered passengers can purchase tickets directly from their phone or load their subscription. To ride the city’s Twisto bus or tram services, they simply wave their phone in front of a contactless reader to validate the ticket. Regular commuters as well as visitors to the city can use this new service. Gemalto’s Allynis TSM bridges the gap between financial institutions and mobile operators, providing end to end security encryption and over-the-air loading.
OBERTHUR, HID GLOBAL PARTNERSHIP BRINGS NFC SIM CARDS FOR MOBILE ACCESS A partnership with HID Global will provide Oberthur Technologies with the ability to support HID’s Seos digital keys on NFC-enabled smart phones. The partnership will see the Seos digital keys applet embedded into Oberthur Technologies’ NFC SIM cards, enabling the use of NFC smart phones for a wide range of applications that have previously been reserved for use on smart cards. Oberthur brings its dragonFly suite of NFC SIM cards to the partnership. The dragonFly solution has attained Common Criteria EAL4+, MasterCard, Visa and MIFARE DESFire certifications. Seos is part of an ecosystem of interoperable solutions and services for issuing, delivering and revoking digital keys on NFC-enabled mobile devices. Seos can be used for physical access, opening doors to homes, hotels, offices, hospitals, universities or commercial buildings.
ALLIANCE: TWIC PROPOSAL INCREASES RISK The U.S. Coast Guard is proposing to limit the electronic reading of Transportation Worker Identification Credentials (TWIC) and instead rely on visual inspection. More than 2.4 million cleared maritime workers have a TWIC, which was issued in response to the Maritime Transportation Security Act of 2002. When used in conjunction with an electronic reader, the smart card establishes that it is a valid card issued by TSA and not a forgery; that the card has not expired; that the card has not been revoked by TSA for cause; and that the person presenting the card is the same person to whom the card was issued.
The Transportation Worker Identification Credential Reader Requirements Notice of Proposed Rulemaking would limit the use of the biometric smart cards and readers and make visual inspection of TWIC cards the primary security protocol for 95% of the maritime user population. The Smart Card Alliance disagrees with this proposal and has submitted comments and recommendations to:
• Expand the scope of the proposed regulation to make the use of TWIC card readers mandatory for a majority of the facilities and vessels currently identified in different risk groups.
• Require transaction logs when visual inspection is used and when any non-automated exception situation is encountered.
• Conduct a new reader cost analysis using more current information that is representative of today’s TWIC reader products.
• Require maritime operators to download the latest version of the certificate revocation list every 12 hours regardless of maritime security level.
• Correct the statement in the notice: “TWIC readers will not help identify valid cards that were obtained via fraudulent means, e.g., through unreported theft or the use of fraudulent IDs.” TWIC readers can identify cards that were obtained through unreported theft of the TWIC card by performing biometric verification of the cardholder.
• Require the use of readers at large general cargo container terminals in risk groups or re-classify them.
• Require vessels at sea to update the revocation lists under certain circumstances.
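The four checks an electronic read performs (genuine issuer-signed card, not expired, not on the revocation list, biometric match) and the Alliance's 12-hour revocation-list refresh rule can be written down as a single verification chain. The code below is an added illustration, not TSA's or the Alliance's code, and it does not use the real TWIC card format: an HMAC tag under a constructed issuer key stands in for the card's certificate chain, exact comparison of constructed template hashes stands in for a fingerprint matcher, and all card, holder and revocation data is constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the issuer's signing key. A real TWIC carries an
# X.509 certificate chain rooted at TSA; the HMAC tag is used here only so the
# example runs offline. It is not TSA's format.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"

# Refresh interval the Smart Card Alliance recommends for the revocation list.
CRL_MAX_AGE = timedelta(hours=12)


@dataclass
class Card:
    serial: str
    holder_id: str
    expires: datetime
    template_hash: str   # constructed hash of the enrolled fingerprint template
    issuer_tag: bytes    # stand-in for the issuer's signature over the fields above


@dataclass
class RevocationList:
    fetched_at: datetime
    revoked_serials: set = field(default_factory=set)


def _signed_fields(serial, holder_id, expires, template_hash):
    return "|".join([serial, holder_id, expires.isoformat(), template_hash]).encode()


def issue_card(serial, holder_id, expires, template_hash):
    """Issuer side: bind the card fields together under the issuer key."""
    tag = hmac.new(ISSUER_KEY, _signed_fields(serial, holder_id, expires, template_hash),
                   hashlib.sha256).digest()
    return Card(serial, holder_id, expires, template_hash, tag)


def verify_presentation(card, crl, live_template_hash, now):
    """Reader side: run the checks an electronic TWIC read performs, in order.

    Returns "accepted" or the name of the first check that failed. The issuer
    tag is checked first because no other field can be trusted before it.
    """
    expected = hmac.new(ISSUER_KEY, _signed_fields(card.serial, card.holder_id,
                        card.expires, card.template_hash), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, card.issuer_tag):
        return "forged"                      # not a genuine issuer-signed card
    if now >= card.expires:
        return "expired"
    if now - crl.fetched_at > CRL_MAX_AGE:
        return "crl_stale"                   # revocation status cannot be trusted
    if card.serial in crl.revoked_serials:
        return "revoked"
    # Real matchers compare templates against a similarity threshold; exact
    # equality of constructed template hashes stands in for that here.
    if not hmac.compare_digest(card.template_hash.encode(), live_template_hash.encode()):
        return "biometric_mismatch"          # genuine card, but not presented by its holder
    return "accepted"


def tamper_holder(card, new_holder_id):
    """Simulate altering a field without the issuer key (the tag no longer matches)."""
    return replace(card, holder_id=new_holder_id)


# --- constructed sample data -------------------------------------------------
NOW = datetime(2013, 10, 1, 8, 0, tzinfo=timezone.utc)
ONE_YEAR = timedelta(days=365)
GOOD = issue_card("TWIC-000001", "worker-a", NOW + ONE_YEAR, "tmpl-a")
REVOKED = issue_card("TWIC-000002", "worker-b", NOW + ONE_YEAR, "tmpl-b")
EXPIRED = issue_card("TWIC-000003", "worker-c", NOW - timedelta(days=1), "tmpl-c")
FRESH_CRL = RevocationList(NOW - timedelta(hours=3), {"TWIC-000002"})
STALE_CRL = RevocationList(NOW - timedelta(hours=20), {"TWIC-000002"})

if __name__ == "__main__":
    cases = [("good", GOOD, FRESH_CRL, "tmpl-a"),
             ("wrong finger", GOOD, FRESH_CRL, "tmpl-z"),
             ("revoked", REVOKED, FRESH_CRL, "tmpl-b"),
             ("expired", EXPIRED, FRESH_CRL, "tmpl-c"),
             ("stale CRL", GOOD, STALE_CRL, "tmpl-a"),
             ("tampered", tamper_holder(GOOD, "worker-x"), FRESH_CRL, "tmpl-a")]
    for label, card, crl, live in cases:
        print(f"{label:13} -> {verify_presentation(card, crl, live, NOW)}")
```

The "crl_stale" outcome is the point the Alliance's recommendation makes: a reader working from a revocation list older than the refresh window cannot distinguish a revoked card from a valid one, so the read fails closed rather than treating the card as good. Visual inspection, by contrast, has no equivalent of any of these checks except expiry.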
FINANCIAL SERVICES RESEARCH COMMITTEE MAKES IDENTITY A PRIORITY The Financial Services Sector Coordinating Council, an industry group working to protect financial services companies from cyber attacks, has made identity assurance a top priority in its latest research agenda. The council is looking at two aspects of identity assurance: identity vetting during enrollment and authentication when later accessing services, says Bob Blakley, director of security innovation at Citi and co-chair of the council’s research and development committee. “We have a set of problems with processes and documentation for establishing identity,” Blakley says. “A lot of identities are established online and that limits the ability to examine authoritative identity source information, such as birth certificates and other documents.” The council is working on a pilot with the U.S. Department of Homeland Security to improve identity vetting during account enrollment, says Dan Schutzer, co-chair of the council’s research and development committee and chief technology officer for BITS, the technology policy division of The Financial Services Roundtable. The pilot connects to state driver license bureaus to make sure the provided information matches that on record. On the authentication side there are a number of issues being reviewed, Blakley says. The problems with usernames and passwords are well documented, and knowledge-based questions – what’s your favorite movie? – can be social engineered. One-time passcodes and text messages are better but can also be circumvented with man-in-the-middle and man-in-the-browser attacks. “We’re asking that attention be paid to how to establish identity at enrollment with a high degree of assurance and how do we authenticate an identity when they login without traumatizing the user,” Blakley adds. The council plans to collaborate with the research community to find promising use cases. If a technology shows particular promise the council will help conduct pilots. “The point is to make sure our ability to protect customers remains strong,” Blakley explains. “The whole idea is to authenticate someone so only they can decide what to do with their money.”
PODCASTS EPISODE 109: BIOMETRICS AND THE MOBILE Within the next two years the majority of mobile phones will come biometric-enabled, says Denise Culver, a telecommunications researcher and an analyst with Heavy Reading. Regarding ID’s Gina Jordan spoke with Culver, who says that smart phones already have the tools necessary to make biometrics work: best-in-market cameras, high-speed data, HD screens and other advanced technologies that are perfect for biometric authentication applications. When it comes to making the switch from prior authentication methods to biometrics, she believes the consumer will be quick to get on board. “It won’t be much of a switch for consumers to look into a screen that scans their iris or speak a word that enables the device to recognize their voice,” Culver adds.
EPISODE 110: WHAT’S HINDERING BIOMETRIC ADOPTION? Technical issues and a lack of end user acceptance are hindering the adoption of biometric technology, says Cecilia Aragon, associate professor at the University of Washington Department of Human Centered Design and Engineering. Aragon has studied the adoption question, and spoke with Regarding ID about her report and some possible solutions to advance beyond consumer apprehension. The issue of false rejection, and its accompanying frustration, is a primary reason biometrics have been held back, Aragon explains. “The frustration of having your biometric rejected by the system and having to try over and over again can lead to frustration that overrides a rational examination of the system,” she explains. “What we’re trying to do is find ways to measure that emotional response and operationalize it, that is, to find ways to translate it into features and guiding principles for biometric systems.”
EPISODE 111: ANALYZING THE STRENGTH OF PASSWORDS Passwords are a common attack vector for fraudsters, and making them stronger – mandating alphanumeric characters and capitalizations – is a common requirement. Joseph Bonneau, now an engineer at Google, has spent a lot of time studying passwords, and a paper he wrote after analyzing a 70 million password set took top prize in the National Security Agency’s first Science of Security Competition. Regarding ID spoke with Bonneau about his paper and the future of passwords. He thinks passwords aren’t going anywhere anytime soon but are a flawed security system nonetheless. “Passwords cannot be redeemed as long as humans are picking them,” he explains.
SECUREKEY ADDS HARDWARE-BASED AUTHENTICATION TO MASTERPASS SecureKey and Intel’s Identity Protection Technology will provide users of MasterCard’s cloud-based MasterPass wallet with an additional level of hardware-based security to help reduce fraud and add convenience to online payments. Identity Protection Technology is included in all Intel-inspired Ultrabook devices and PCs with the latest Intel Core processors. It enables hardware-based two-factor authentication for online websites and business logins. When a consumer makes a purchase from a MasterPass-enabled site, the site will recognize the credentials stored in the Ultrabook. Consumers will still have to enter a user name and password but won’t have to fill out credit card information, address or other information. Some Ultrabooks are also equipped with NFC to read contactless bank cards as well, says Andre Boysen, executive vice president of marketing at SecureKey. For users of these devices, tapping the card will authorize the transaction. The SecureKey solution reads the contactless bank card and performs the card authentication using the existing issuer payment network over an encrypted channel. This implementation provides security equivalent to a card-present transaction, which over time may significantly reduce the fraud risk for card issuers and lower transaction costs for merchants. The NFC capabilities also eliminate the need for the consumer to manually enter payment and shipping information by enabling consumers to load new cards into MasterPass-connected wallets with a tap.
HOMELAND SECURITY TAPS HID FOR ‘GREEN CARDS’ U.S. Citizenship and Immigration Services, an agency within Homeland Security, selected HID Global to continue manufacturing the Permanent Resident Cards known as Green Cards. HID will be responsible for the secure production, delivery and storage of up to two million Green Cards in 2013. The Green Card incorporates technology to prevent counterfeiting and obstruct tampering, while facilitating authentication of the card. It combines HID’s LaserCard optical security media with an RFID tag – the same tag that is used in the Passport Card, NEXUS and SENTRI programs to enable easier crossings at land and seaports. LaserCard, which was acquired by HID in 2011, was originally tasked with producing the Green Cards in 1997.
DELHI POLICE COMMISSIONER DEMANDS FOOLPROOF VERIFICATION FOR SIM CARDS In an attempt to restrict fraudulent use of mobile SIM cards by criminals and terrorists, telecom service providers in India are planning to introduce biometric authentication. The push for foolproof verification is coming from Delhi Police Commissioner Neeraj Kumar, who recently said the department of telecommunications (DoT) should institute a central database containing all mobile subscribers using biometric parameters. Kumar’s suggested solution would require logging fingerprints, thumb impressions, or a similar biometric identifier for each subscriber when they apply for a new connection. The police commissioner wants physical verification of all applicants prior to activating the SIM, according to a report in the Business Standard.
If operators in India opt for televerification, SIM cards would be sent by registered mail only, a process that is already being used for the delivery of credit and debit cards. To further discourage fraudulent SIM card use, Kumar advocates stringent punishments if service providers issue multiple SIM cards to the same customer application form number. Kumar’s demands for SIM card security come in the wake of a number of emerging fraudulent tactics like SIM swapping. In a SIM swap, a criminal obtains and uses a replacement SIM card to acquire security messages and one-time passwords (OTP) sent by a bank to the victim’s handset. Using that OTP, the criminal can then change account information, add beneficiaries and even transfer money out of the victim’s account. Kumar’s request has been passed on to India’s home secretary for consideration.
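The SIM-swap scenario described above is one a bank can detect on its own side of the channel: before an OTP goes out by SMS, compare the SIM currently active on the customer's number with the one on file from enrollment, and treat a recent change as a reason to withhold SMS delivery for money-moving actions. The following is an added example, not code from the article or from any bank or operator named in it; the carrier lookup is constructed data (a real deployment would query the operator or a SIM-swap-check service), the phone numbers are placeholders, and the 72-hour window and the set of high-risk actions are assumed policy values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values are assumptions for this example, not figures from the article.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)
HIGH_RISK_ACTIONS = {"add_beneficiary", "transfer", "change_account_details"}


@dataclass
class LineStatus:
    """What a carrier (or a SIM-swap lookup service) reports for a phone number."""
    iccid: str                  # identifier of the SIM currently active on the line
    sim_activated_at: datetime  # when that SIM was activated for the number


# Constructed carrier responses keyed by placeholder phone numbers.
CARRIER_LOOKUP = {
    "+91-000-000-0001": LineStatus("ICCID-A1", datetime(2012, 5, 1, tzinfo=timezone.utc)),
    "+91-000-000-0002": LineStatus("ICCID-B2-NEW", datetime(2013, 10, 1, 6, 0, tzinfo=timezone.utc)),
    "+91-000-000-0003": LineStatus("ICCID-C3-NEW", datetime(2013, 8, 1, tzinfo=timezone.utc)),
}

# The bank's record of the SIM each customer had when SMS OTP was enrolled.
ENROLLED_ICCID = {
    "+91-000-000-0001": "ICCID-A1",
    "+91-000-000-0002": "ICCID-B2",
    "+91-000-000-0003": "ICCID-C3",
}

NOW = datetime(2013, 10, 1, 8, 0, tzinfo=timezone.utc)   # constructed "current time"


def otp_channel_decision(msisdn, action, now):
    """Decide how (or whether) to deliver an OTP for `action` to `msisdn`.

    Returns one of:
      "send_sms_otp"            active SIM matches the enrolled one
      "send_sms_otp_flagged"    SIM changed within the cooldown but the action is
                                low risk: deliver, log, and notify the customer
                                through another channel
      "alternate_verification"  SIM changed within the cooldown and the action is
                                high risk: do not send the OTP over SMS at all
      "rebaseline_required"     SIM differs and changed long ago: the bank's record
                                is stale; re-verify the customer before trusting SMS
      "unknown_line"            no carrier data: fail closed
    """
    status = CARRIER_LOOKUP.get(msisdn)
    if status is None:
        return "unknown_line"
    if status.iccid == ENROLLED_ICCID.get(msisdn):
        return "send_sms_otp"
    if now - status.sim_activated_at <= SIM_CHANGE_COOLDOWN:
        if action in HIGH_RISK_ACTIONS:
            return "alternate_verification"
        return "send_sms_otp_flagged"
    return "rebaseline_required"


def rebaseline(msisdn, verified_iccid):
    """Record a new SIM as trusted once the customer has been verified another way."""
    ENROLLED_ICCID[msisdn] = verified_iccid


if __name__ == "__main__":
    for msisdn, action in [("+91-000-000-0001", "transfer"),
                           ("+91-000-000-0002", "transfer"),
                           ("+91-000-000-0002", "balance_inquiry"),
                           ("+91-000-000-0003", "transfer"),
                           ("+91-000-000-0009", "transfer")]:
        print(msisdn, action, "->", otp_channel_decision(msisdn, action, NOW))
```

The decision deliberately depends on the action being authorized, not only on the SIM change: the attack the article describes uses the intercepted OTP to add beneficiaries and move money, so those are the operations that lose the SMS channel first. Re-baselining the trusted SIM only after out-of-band verification is what closes the window the criminal relies on.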
NFC RING PUTS ACCESS TO PERSONAL DATA ON YOUR FINGER A new NFC-enabled ring being funded through KickStarter is attempting to bring authentication to your finger. The ring consists of a titanium band with two inlays each containing an NFC chip. Each chip has a separate role with one dedicated to public information and the other reserved for private data. The location of the two NFC chips is designed such that the wearer can use a different hand gesture to share different information. In this way, the information shared is controlled by the user. At present the ring is capable of unlocking a smart phone and granting physical access to doors. On the personal data chip, anything from simple URLs to Bitcoin codes can be safeguarded. The ring is programmable and could serve as an ignition key for NFC-equipped automobiles. John McLear, the ring’s creator, set a price point of $38 per unit to be purchased through Kickstarter. Things seem to be progressing well as the project recently achieved its initial goal of $46,000. He plans to use all funds raised on Kickstarter to expand the business, improve the ring and diversify the product line by offering broader aesthetic options in the form of colored inlays.
IP ACCESS CONTROL SOLUTION SECURES SITES FOR TEMPORARY OFFICE PROVIDER Switzerland-based Performance Buildings provides technology for “on-demand” offices, for companies that need space for a limited time to work, meet and hold conferences. Making sure these facilities are secure but also accessible to clients is a challenge. As part of their technology offering for tenants, Performance Buildings and its partner company Design Offices were seeking a secure access system that was easy to use and cost effective. “We’re not just offering rooms, we’re offering tenants of temporary ‘on-demand’ office space a secure environment where they can work and meet, with all the technological solutions they need in today’s modern world,” said Phill Handy, managing director from Design Offices. HID Global was selected to create an intelligent facility management system for on-demand access to the shared offices. Using HID’s EdgeReader ERP40 networked access control solution and its iCLASS SE platform readers, the solution enables end users to access rented office spaces with legacy technology, existing smart cards and NFC-enabled smart phones. It facilitates a seamless experience for tenants that use the on-demand facilities, allowing them to access rooms and facilities, book space and catering services online, open conference room doors, and sign out once their session is over. The IP-based access solution reduced Performance Buildings’ initial investment through the use of Power over Ethernet, eliminating the need for additional cabling, separate power supplies and multi-door controllers. The solution is interoperable with Performance Buildings’ IP-based architecture that links all subsystems and their devices. Performance Buildings is offering the new solution to its property management customers in Switzerland and Germany.
GEMALTO SELECTED FOR NATIONAL EID CARD PROGRAM IN SOUTH AFRICA Gemalto will supply its Sealys electronic smart card-based identification solution for a national identity program in South Africa. This secure embedded software will protect the holder’s image and biometric data within the secure contactless identity e-document. The highly durable polycarbonate smart card will replace South Africa’s traditional, paper-based “green books.” The Department for Home Affairs will offer the card to citizens 16 years of age and over. The South African eGovernment initiative aims to improve confidence in official identity credentials and to prepare for the deployment of a comprehensive suite of efficient and convenient eGovernment services.
The Gemalto solution supports public key infrastructure and match-on-card authentication techniques to enable easy verification of authenticity and a future-proof platform. The solution already supports 15 national eID programs, in Europe (Belgium, Czech Republic, Finland, Sweden, Portugal, Lithuania), in the Middle East (Qatar, Oman, UAE, Bahrain and Saudi Arabia) and in other areas.
SALTO IN TOP-TEN LARGEST ACCESS CONTROL COMPANIES SALTO Systems is now the 8th largest access control company worldwide, according to market research firm IMS Research. In the report, “The World Market for Access Control Equipment – 2013 Edition”, the Oiartzun, Spain-headquartered company entered the ranks of the world’s top ten access control companies for the first time. SALTO started commercial activity in 2001 with the objective of creating a new, advanced, state-of-the-art access control concept. According to IMS, the company has consistently delivered innovations in functionality, technology and design that have been well received in a variety of sectors and geographies. Products such as the SALTO Virtual Network have accelerated growth and become the access option of choice on more than 1,500,000 doors. Customers include airports, hospitals, government buildings, universities, corporate headquarters and hotels. SALTO saw sales of $72 million in 2012, a growth of nearly 20 percent compared to the prior year. The current year outlook is strong, and the company expects to achieve an even higher rate of growth in 2013. SALTO sells its products in more than 90 countries and has offices in 24 countries including the UK, USA, Canada, Mexico, Germany, Portugal, Australia, the Netherlands, Denmark, Sweden, Malaysia and the UAE.
SUN ROLLS OUT SAFE FOR AVIATION, IMPROVES WORKFLOW OF AIRPORT SECURITY OPERATIONS To improve the workflow of its airport security operations, Friedman Memorial Airport (SUN) in Idaho’s Sun Valley implemented Quantum Secure’s SAFE for Aviation software suite.
SAFE for Aviation v4.5 comes with predefined policies, workflows and procedures for issuing ID credentials. It also grants and revokes access to airport facilities, while simplifying adherence to TSA and FAA regulations, audits and security directives. SUN’s Airport Security Department oversees approximately 1,000 identities including airport and airline employees, in-house and external vendors, government employees, hangar owners, associations, sublease tenants, and temporary workers. Each of these individuals must undergo a TSA-adjudicated Security Threat Assessment before airport operators can issue ID cards or badges. Additionally, individuals must be vetted on a continual basis to allow for a comparison against new threat information. Previously, this was labor-intensive, requiring multiple entries of the same data into the various airport security systems. This caused personnel to spend more than 90 minutes for each new enrollment and more than 45 minutes for every badge renewal. With the SAFE software suite, data is entered only once and the relevant information flows to all applicable systems and business processes. It automates background checks, enabling SUN operators to perform new enrollments in less than 15 minutes per person including all related processing, document scanning and biometric registration. With SAFE, renewals are completed in less than 10 minutes.
NFC FORUM ISSUES HEALTH CARE SPECS The NFC Forum published three specifications covering the use of the near field communications protocol in health care: the Personal Health Device Communication Technical Specification, the Connection Handover 1.3 Candidate Technical Specification and the Signature Record Type Definition (RTD) 2.0 Candidate Technical Specification. The Personal Health Device Communication spec enables health devices such as wireless blood pressure monitors, weighing scales and glucose meters to transmit health data via NFC to external computer systems for monitoring by physicians. To reduce costs and better manage chronic health conditions such as heart disease and diabetes, health care providers are increasingly advocating the use of wireless health monitoring devices. The two other specifications published are candidate technical specifications still under review by the NFC Forum members and other standards organizations. Connection Handover 1.3 defines the structure and sequence of interactions that allow two NFC-enabled devices to establish a connection using other wireless communication technologies, such as Wi-Fi or Bluetooth. Signature RTD 2.0 provides developers with a means to enable users to verify the authenticity and integrity of data within NFC Data Exchange Format (NDEF) messages.
TECH COMPANIES PETITION TO BRING AN END TO PASSWORDS A group of Silicon Valley-based tech companies launched a public advocacy campaign called Petition Against Passwords in an attempt to influence large digital service providers to move towards “passwordless” authentication and identity protection. The group says passwords are a thing of the past and need to go. Calling them the weak link that smashes the security chain, they say current efforts to strengthen and protect passwords aren’t enough. New methods of authentication are necessary to secure the future. The mission statement reads, “The mission of the Petition Against Passwords is to collect every frustrated yell at forgotten passwords and make sure the organizations responsible hear them. This movement is working on behalf of every person who has ever had their identity stolen, their password leaked, or been confused just trying to remember passwords and PINs for multiple sites. There are better ways to log in online and it is time we had access to them. The Petition Against Passwords is about giving us a voice in the conversation about how our identities are shaped online.” Identity companies such as LaunchKey, Clef and TechFreedom have all signed on to support the petition.
[Illustration: “Giving the user control of online identity.” A personal cloud dashboard for user Jack Smith (Attribute Class One: Gender: Male; DOB: 03-14-1964; Occupation: Physician; Marital status: M; Residence: Tampa, Florida, USA) showing counters for PII requests pending, Personal Cloud units remaining and Shared data credits earned, and two pending attribute requests: a geo-location inquiry (Position_current) from relying party Sony_Electronics, IMC4398, and a date of birth verification (Age_18_or_above) from relying party Pasco_Cty_Voter_Registration.]
Giving the user control of online identity NEW INTERNET IDENTITY ECOSYSTEM FORGES A USER-CENTRIC FUTURE ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
Click on a new Facebook application and a warning box pops up telling the user that the app will access their basic info, email address and other data. The user can either hit “OK” or “Cancel.” It’s a black and white choice with no option to give up only certain data. The scenario illustrates a major concern with the use of social media credentials for access to other sites, a process known as social login: the user does not control the information that is shared with the other site. This issue is leading some to advocate a different type of identity model online. A user-centric identity model puts consumers at the center of the action, enabling them to choose what information they want to share. It puts the user in control of their identity, eliminating reliance on an outside identity provider every time a new connection is made. It also can make the process more secure by adding multi-factor authentication – such as one-time passcodes, biometrics or smart cards – or multi-factor security techniques such as identifying the specific computer used for login, geo-location or other passive behind-the-scenes operations. A combination of these techniques eliminates reliance on, and lax security around, user names and passwords.
“The definition I favor for user-centric identity involves a digital identity or credential that an individual, acting on his or her own behalf, can choose to use in a variety of online interactions, with an expectation of privacy and security around identity-related data sharing,” says Eve Maler, principal analyst serving Security & Risk at Forrester Research Inc. These user-centric credentials can also be used in multiple places. “This differs from a digital identity or credential issued by an employer, whose usage is governed by an employment agreement and by goals that aren’t entirely the individual’s own,” Maler adds. “It also has a reusable element with multiple online services, which local login accounts like the ones we use in the U.S. for online retail banking don’t generally support.” Single sign-on and the federated logins offered by OpenID, Google, Facebook, Yahoo and others have their roots in user centricity, but ultimately the consumer doesn’t have control, says Phil Windley, founder and chief technology officer at Kynetx and a founder of the Internet Identity Workshop.
A USER-CENTRIC IDENTITY CAN BE USED IN A VARIETY OF ONLINE INTERACTIONS, WITH AN EXPECTATION OF PRIVACY AND SECURITY AROUND IDENTITY-RELATED DATA SHARING
SOCIAL LOGIN BOLSTERED BY PASSWORD FRUSTRATION Using social network information to log in to other web sites is becoming increasingly popular. “People have too many identities and can’t keep them straight,” Windley explains. He feels consumers end up accepting social logins because they simply don’t want to remember any more user names and passwords. A recent study concurs, finding that 52% of consumers are comfortable using social logins for access to other sites. The study – conducted by identity management provider Janrain – determined that the main reason was consumer frustration with multiple user name and password combinations. Companies that choose to accept these social logins also stand to benefit. Some 92% of those surveyed have left a site and cancelled a transaction instead of resetting or recovering login information, according to the study. Leveraging a social login that the consumer has already established can solve this problem, and 65% say they are more likely to return to a site that accepts social credentials and automatically welcomes them. Janrain provides web sites with the ability to accept credentials from 30 different identity providers, says Michael Olson, product marketing manager at the company.
THE PERSONAL CLOUD BUSINESS MODEL Would a retailer or enterprise pay to have some certainty of whom they’re dealing with online? Respect Network is betting the answer is yes. The company is working to set up personal clouds that consumers can use for multiple purposes, including user-centric identification and controlling what personal information they share with various online entities. A basic personal cloud would be free to the consumer but Respect Network would charge the online business for the service, says Drummond Reed, chief technology officer at the company. The business model is similar to that of the payment card world where the accepting business pays a fee for each transaction. “We don’t know exactly how much the relationship fees will be yet, but as with credit card interchange fees, we expect them to be a relatively small percentage of the value and therefore very attractive to businesses,” Reed says. Respect Network is pitching its benefit to businesses as:
• Lower cost of customer acquisition
• Lower cost of customer data – direct instead of from third parties
• Lower cost of customer retention – Respect Network personal channels will last for the lifetime of the customer, even if the customer changes address or service provider
• Lower cost in secure communications
• Higher amount of customer self-service
He anticipates that certain services would be free to the consumer, but cloud service providers would likely offer additional services at an additional fee. “We expect most cloud service providers will also follow the same ‘freemium’ model used by Dropbox, Google Drive, and others. A base level of personal cloud service will be free but consumers will pay for higher levels of storage and other value-added services,” Reed explains.
Sites that use Janrain’s technology present a login screen that enables a user to select their credential of choice. After the user selects their desired login, a permissions screen displays the specific information to be shared with the other site. The information given up is highly dependent upon which identity provider the user chooses. “For some they need to grant access to all the information, for others it’s more granular and they can choose what information to give up,” Olson explains. Using these social credentials can also lead to greater security, Olson says. Consumers who leverage social logins tend to use more secure passwords. Also, when a social login is used the relying party – or the site where the credential is used – doesn’t store the password information. So if that site’s identity database is hacked they don’t have to worry about the information being compromised.
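The difference between the all-or-nothing permissions screen and a granular, user-controlled release is easiest to see in code. Below is an added example written for this article, not code from Janrain, Respect Network or any other company named here. It models the magazine's illustration of a personal cloud answering attribute requests: the profile values and coordinates are constructed, the relying-party names and the Age_18_or_above and Position_current attribute names follow the illustration, and the consent sets are assumed. The point it shows is that a request for Age_18_or_above is answered with a boolean derived from the date of birth, so the relying party never receives the DOB itself unless the user consented to that attribute separately.

```python
from datetime import date

# Constructed profile modelled on the magazine's illustration of user Jack Smith.
PROFILE = {
    "gender": "Male",
    "dob": date(1964, 3, 14),
    "occupation": "Physician",
    "marital_status": "M",
    "residence": "Tampa, Florida, USA",
    "position_current": (27.95, -82.46),   # constructed coordinates near Tampa
}

TODAY = date(2013, 10, 1)   # constructed "current date" for the age check


def age_on(dob, today):
    """Whole years between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


# Derived claims answer a question about an attribute without releasing it.
DERIVED_CLAIMS = {
    "Age_18_or_above": lambda profile, today: age_on(profile["dob"], today) >= 18,
}

# Per-relying-party consent the user recorded in their personal cloud (assumed).
CONSENT = {
    "Pasco_Cty_Voter_Registration": {"Age_18_or_above", "residence"},
    "Sony_Electronics": {"position_current"},
}


def social_login_release(requested):
    """All-or-nothing model: accepting the prompt releases every listed attribute."""
    return {attr: PROFILE.get(attr) for attr in requested}


def personal_cloud_release(relying_party, requested, today):
    """User-centric model: release only consented raw attributes or derived claims.

    Returns (disclosed, withheld). A derived claim such as Age_18_or_above is
    answered as a boolean; the underlying DOB is absent from the response
    unless the user consented to "dob" itself.
    """
    granted = CONSENT.get(relying_party, set())
    disclosed, withheld = {}, []
    for attr in requested:
        if attr not in granted:
            withheld.append(attr)
        elif attr in DERIVED_CLAIMS:
            disclosed[attr] = DERIVED_CLAIMS[attr](PROFILE, today)
        elif attr in PROFILE:
            disclosed[attr] = PROFILE[attr]
        else:
            withheld.append(attr)   # consented but unknown attribute: nothing to release
    return disclosed, withheld


if __name__ == "__main__":
    print(social_login_release(["dob", "residence", "position_current"]))
    print(personal_cloud_release("Pasco_Cty_Voter_Registration",
                                 ["Age_18_or_above", "dob", "residence"], TODAY))
    print(personal_cloud_release("Sony_Electronics", ["position_current", "dob"], TODAY))
    print(personal_cloud_release("Unknown_Party", ["residence"], TODAY))
```

A relying party that is not in the consent table gets nothing, which is the user-centric equivalent of the "Cancel" button, except that the user can also say yes to part of a request. Geo-location is handled as an ordinary consented attribute here; a deployed personal cloud would also want to log each release so the dashboard's "PII requests" counters have something to count.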
OWNERSHIP ISSUES When a consumer chooses a social login he doesn’t own the identity, Windley explains. If a consumer uses a Google login for different sites and wants to change something, or if Google decides to remove the user, all links to credentials on other sites are also removed. “I need to be able to move my credentials without losing all my connections,” he says.
SALTO Electronic Locking System
THE KEYLESS SOLUTION TO MECHANICAL KEY CONTROL The SALTO Virtual Network - System Description
Features & Benefits
The Wirefree battery operated locks, cylinders and lockers are networked to your server without wires.
· No wiring costs, simple installation and reduced material costs
· Adaptable to any kind of door, including lockers and glass door locks
· Track events in the facility, such as battery status, access granted/denied and staff activities
· Smart battery management and innovative design
· Wall readers and door controllers are used for elevators, gates, barriers or speed gates
The link that enables communication is carried by the “intelligent” smart RFID card, which acts as a 2-way data transporter that grants access, provides an audit trail and reports battery status. The wall reader is the updating point and links the credential and the PC. It also permits special functions.
FOR MORE INFORMATION PLEASE CONTACT US SALTO Systems Inc. 3073 McCall Drive - Suite 1 · Atlanta, GA 30340 Phone: 770-452-6091 • Toll Free: 1-800-GO SALTO • Fax: 770-452-6098 email@example.com • www.salto.us • www.saltosystems.com
inspired access Fall 2013
Consumers enjoy the idea of using these federated accounts for ease of use, but they don’t know what data they’re giving up for that convenience. “Social login IDs such as accounts at Facebook, Twitter, and LinkedIn approach being usercentric because individuals choose to create them and then reuse them at participating third-party sites for personal data sharing,” Maler says. “But these and many of today’s digital identities or credentials operate on a business model that treats users as the data product.” This model puts the user at a disadvantage and has led to discussions around “personal data stores” that are user-centric and give the consumer value, Maler says. These stores – sometimes referred to as personal clouds – can balance security, transaction value, user choice and broader privacy concerns. However, this model has thus far been difficult to achieve.
“There are minimal real world examples of this out there,” says Andy Land, vice president of marketing at Unbound ID. Some telecommunication companies are starting to move in this direction, as they want to become a trusted intermediary in the chain, he explains. To ultimately achieve this model, however, he notes it may take government regulation. Pushes for better regulation of personal data are already driving this in the European Union, Land says. As U.S. companies are forced to make these changes overseas it will likely trickle down to consumers here.
WHITHER THE MARKETERS? Marketers will be the ones to most oppose a user-centric identity model, Land says. The flood of marketing data will be slowed, but the data provided will be more valuable.
Instead of getting a small amount of data on 500,000 possible customers, the company will get a lot of information from 50,000 customers who opt in, Land says. “It’s the use of your data with consent and you’ll give up the data because there’s a benefit to you,” he says. “It offers users transparency, choice and control … which are all limited today.”

For example, a user in the market for a new car might request information from multiple auto dealers without giving up personal data, contact information or even a name. Additionally, the user could choose to provide a credit score to help the dealer accurately price the vehicle and loan options … all while maintaining anonymity. Land cites the example of a user opting in to a hotel loyalty program. When the guest enters the hotel a message pops up on his mobile, welcoming him and offering mobile check in. The handset can then become the room key enabling the guest to skip the front desk. Since the user has shared information with the hotel, it knows what television channel the guest wants on and can also set the thermostat to the preferred temperature. “All of the data is given with consent and the hotel can only use it for their own purposes,” Land says. Ultimately the data will be better for the marketer because they will be serving those customers who are interested in hearing from them, Land says.

ENTER THE PERSONAL CLOUD A user’s control of the data is important but so is portability, says Drummond Reed, chief technology officer at Respect Network. Respect Network is introducing the idea of a personal cloud for individuals that would enable control of the identity and remove any third-party intermediaries. There should be something that is easy to use, such as Facebook Connect, but without Facebook in the middle, he explains. “Click on a button and the next step should be served by your personal cloud. It will detail what information you can share and what attributes you decided to share.”

SOCIAL LOGINS APPROACH USER CENTRICITY BECAUSE INDIVIDUALS CHOOSE TO REUSE THEM, BUT THEY TREAT USERS AS THE DATA PRODUCT

The relationship with the personal cloud should also be lifelong, Reed says. “You shouldn’t be subject to losing those relationships if you lose your social networking account,” he adds. Respect Network is forging its own type of social, federated login called Respect Connect. As with Google, Facebook and others, Respect Connect will be an option for users when choosing a federated login, Reed says. Respect Connect will link with an individual’s personal cloud and enable the user to pick and choose which information to share. It will also offer the user higher levels of identity assurance and the ability to use multi-factor authentication technologies, Reed explains. Respect Network has partnered with identity verification companies to offer higher-level identity vetting.

There will also be a peer-to-peer sharing aspect to the personal cloud, Reed explains. Individuals will be able to share personal data based on their profession, hobbies and other common interests. Neustar is working with Respect Network, engineering external authentication aspects of the personal cloud, says John Kelly, vice president of technology strategy at Neustar. There will be other functionality of the personal cloud too, such as storage. “It’s a complete platform in the sky that gives you storage and contains information about you,” he adds. “What you have now is multiple identities across the Web.”

Respect Network is going with a business model similar to the ones used by the credit card market, Reed says. The difference is that with the credit card networks, businesses pay an interchange fee based on the value of the transaction. On the Respect Network, businesses pay a relationship fee based on the value of the relationship – the value to the business of having a trusted connection to that individual’s personal cloud.

Windley, founder and CTO at Kynetx, hopes to add another component to the personal cloud. He wants to enable a consumer to receive notifications and information related to things – data, requests, interactions – in their personal cloud. “This is the kind of utility that makes it personal. It’s not just that I have an identity but the personal cloud starts serving as a catch point … and I’m seeing interactions around it and interesting things that didn’t happen before,” Windley explains. For example, an individual can tag their car and mileage in their personal cloud and when the car gets close to requiring an oil change, a notification can be sent as a reminder. In addition, the personal cloud could request information from local auto shops about oil change specials and availability in an anonymous manner such that personal details and contact information are not disclosed. Adding this aspect to the personal cloud will offer more value to the consumer. “The theoretical benefits of user-centric identity are only marginally interesting to people,” Windley says. “But there’s a lot of reasons why people will care.” The key, he stresses, is to focus on the tangible, real world benefits these solutions can deliver.

DESIGNING A USER-CENTRIC IDENTITY SYSTEM SUSAN MORROW, HEAD OF RESEARCH AND DEVELOPMENT, AVOCO IDENTITY

The goal of user centricity is a key design tenet of a workable consumer identity platform, but designing user-centric consumer identity systems is a unique and challenging task. To paint a picture of user-centric identity, imagine a human being at the center of a large ecosystem – to the scale of a solar system. From this, designers are faced with the challenge of planning a way to make that person central, whilst retaining the integrity of the expanded ecosystem, ultimately creating a fluid communication network that gives all parties what they need to transact. User centricity needs to be part of a holistic design approach, incorporating security, usability, privacy and trust, all of which impact on user centricity.

Until now, corporations or government agencies have largely controlled digital identity. As an example, many companies use a directory, such as Microsoft’s Active Directory, to control employee access to company networks. The administrator of the system, not the employee, is effectively in control of that identity. Perhaps “identity” is the wrong word to describe a method to access computer resources. But directory systems like Active Directory not only log employees into computers, they also carry information, like name, employee number, etc. This is all well and good when used within a closed system, like a corporate network, but in an expanding, disparate world of online services and applications, there needs to be something that can still proffer information about individuals but that isn’t controlled by some “Big Brother” entity that can use this information in different ways. These systems are perceived to watch everything consumers are doing; block access to services, or force them to use only others; form a (misinformed) view of consumers and then share it without a shred of accountability.

The identifying method must be autonomous, independent, transparent and – most of all – under your control. But the Internet is a two way street. There needs to be a way to identify individuals online that is under their control, but at the same time the service requesting this information needs to be certain the identity is valid and has been verified. Thinking along these lines, a digital identity must be made up of claims about an individual that can be verified by some entity, potentially increasing trust. This entity could be almost anyone or any organization. For example, my bank knows my monthly salary and a credit file agency will have a fairly certain knowledge of my date of birth and current address. But similarly, reputation based sites like eBay or Etsy could verify that I am a trustworthy person who can buy and sell items. Social graph information held on social networking sites like Facebook, Twitter or LinkedIn could also be used to verify an individual to a certain level of assurance or be used in conjunction with other methods.

An online identity system needs certain pre-requisites: 1. It needs to be accessible and understood by the services and applications relying on it, by using industry standards. 2. It needs to be under the control of the identity owner. 3. It needs to be able to show the service or application pieces of information to prove certain aspects of an individual. 4. It needs to be able to do this in a way that says, this is true, i.e. verifiable. 5. It needs to be really easy to get at and use – maybe accessed using pre-existing social network login accounts. 6. It needs to have privacy designed into it from the outset. 7. It needs to be as secure as possible without making it onerous to use.

Most of all, however, the online identity needs to belong to and be controlled by the individual. Identity needs to become personal again – not co-opted by corporations or governments. How to get there technically isn’t the issue; it’s an attitude, or rather the wider Web’s attitude to what those identities are, that needs to be addressed and debated.

PUTTING A DOLLAR VALUE ON IDENTITIES

Online identities have a value to social networks that could fetch more than $100 each. UnboundID released research that helps define the value of a consumer’s digital identity. The report “Valuing Identity in Today’s Digital World,” compares the value of aggregated, anonymous data to real identity data. It estimates that real data increases a user’s profile value by as much as 100 times, creating a value of up to $124 per identity. The study was conducted by Compass Intelligence, and surveyed more than 1,000 U.S., Canadian and UK adults with a prior understanding of digital identity. The study defines digital identity as comprised of elements such as identifiers (name, address and age), connections (social networks), behavior (viewing or usage), preferences and more. The study found that 51% of respondents want their digital identity data to improve the experience provided to them.

In addition to streamlining user experience, there are real cost benefits as well. Corporations could use digital identity data to lower the cost of identifying their customers – a cost that Compass Intelligence’s research suggests can run as high as $12.4 billion annually. The research also posits that corporations stand to create new revenue streams by making data the product itself – providing high-quality identity information to enterprise customers as a service and offering customers a way to manage and control their own identity information. These business models offer promise, but are only feasible when the user is allotted transparency, choice and control over their data and when there is an established trust with the company that it will honor the user’s choices. In an effort to better evaluate the identity data, the survey asked respondents to assign a value to their digital identity data. Respondents rated the value of their info shared on social media like Facebook and Google+ between $62.79 and $106.40. Executives participating in the survey listed the price they would pay for real identity data as high as $124 per user.
If we could collectively accept a suitable replacement for passwords, it would’ve forced about 80% of these attacks to adapt or die.

INTEGRATED SECURITY SOLUTIONS FOR A SAFER ENVIRONMENT
ID BADGING • DIGITAL SURVEILLANCE • VISITOR MANAGEMENT
Idesco is your security partner to keep your employees and visitors safe and secure at all times. For over 70 years, Idesco has protected the most prestigious organizations with ID badging, access control, digital video surveillance and visitor management systems designed to meet the most stringent requirements. Our team of experts is dedicated to delivering world-class customer service and support to guide you and assist you whenever you need it. Call 1-800-336-1383 today to get a FREE consultation with a security expert. Idesco is proud to support products and services on the GSA schedule. Idesco is also on New York State contract through The Office Of General Services.
Idesco Corp. • Toll Free: 1-800-336-1383 • www.idesco.com
POSTAL SERVICE DELIVERING IDENTITY ECOSYSTEM CLOUD CREDENTIAL EXCHANGE ENABLES FEDS TO ACCEPT MULTIPLE ONLINE IDS ANDREW HUDSON, CONTRIBUTING EDITOR, AVISIAN PUBLISHING
The United States Postal Service is trying to reinvent itself as a cutting edge provider of cloud-based identity systems. Federated identity is a hot topic among relying parties and identity providers and one of the most anticipated pilots is the U.S. Postal Service’s work with the Federal Cloud Credential Exchange (FCCX, pronounced F-Six). “The exchange is a pilot project designed to enable more efficient and secure credentialing of citizens visiting federal government web sites,” explains Darleen Reid, senior public relations representative for the Postal Service. The goal for the exchange is to relieve government agencies from managing independent username and password systems to authenticate citizens to government services. The intent is to expand agency acceptance of credentials issued by third parties. In short, FCCX aims to simplify the technical integration for accepting certified, externally issued digital credentials, explains Jeremy Grant, senior executive advisor for Identity Management at NIST. Policies mandate that federal agencies are to accept credentials that have gone through an approval process, but delays have prohibited this from happening. The main reason that it has taken so long to accept third-party credentials is the level of integration required for each individual credential provider: every agency has had to build and maintain a separate connection to every provider. FCCX will change this and enable agencies to integrate once with the cloud-based solution and then be able to accept numerous types of credentials. “It makes it an ‘Easy Button’ for agencies that want to accept federated credentials,” Grant explains. Once a credential is approved, the FCCX will have 30 days to make sure it can be accepted for use on federal sites.
THE EXCHANGE AND THE STRATEGY The Federal Cloud Credential Exchange also supports the National Strategy for Trusted Identities in Cyberspace (NSTIC) by echoing the need for and vision of an identity ecosystem. The national strategy is an initiative that fosters a safer, more secure cyber environment that will improve – and ultimately transcend – the oft-used password for logging in online. “NSTIC has a vision for the identity ecosystem that enables individuals and organizations to utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice and innovation,” says Reid. The fundamental idea behind NSTIC is straightforward. A student, for example, gets a digital credential from their mobile provider and takes steps to have additional verifications performed so there is greater assurance behind that credential. It can then be used to log in to banking, e-mail, social networking sites and even conduct business with federal agencies – without having to memorize the dozens of accompanying passwords. It is this added level of assurance that the national strategy is so keen to push to the masses. The hope is that citizens and organizations alike will discover a renewed comfort and trust in the online environment, as all participating service providers will have agreed en masse to consistent standards for identification, authentication, security and privacy.
HOW DOES FCCX WORK? The exchange effectively acts as the central hub through which federal agencies authenticate credentials from multiple approved credential providers, spanning all the different levels of assurance. Put another way, the exchange is a cloud-based go-between for third-party credential providers and agencies. “The exchange would act as an integration ‘middleman’ between federal agencies and approved digital credential providers,” says Reid. “It would streamline digital credentialing, authentication and reduce costs for government agencies while also providing secure, privacy-enhancing and easy-to-use solutions for citizens.” The project aims to create a hardware and software solution that will make it possible for citizens to access services on numerous government web sites using externally issued digital credentials brokered through the platform. The middleman would stand between the credential service provider and relying party services. This architecture enables relying parties to interact with multiple credential providers without the effort and cost of integrating each of them: the basis for the cloud credential exchange. The USPS will be the operating entity for the exchange, managing the implementation and working with the GSA, NIST and other agencies, explains Reid.
WHO’S USING FCCX? The future of FCCX looks promising. “We anticipate up to six government agencies with citizen-facing services to utilize the service within the pilot year,” says Reid. In the meantime, the move to FCCX makes sense for the Postal Service as it creates a unique opportunity to expand to the digital realm in a way that places the agency at the forefront of a new identity ecosystem, perhaps cementing the agency’s relevance for years to come.
SECUREKEY AWARDED FCCX CONTRACT The United States Postal Service has tapped SecureKey to run the Federal Cloud Credential Exchange (FCCX). The contract is for one year with additional add-on years possible. The value of the contract could be more than $15 million over three years, with a minimum value of $5.7 million. The Federal Cloud Credential Exchange will enable citizens to use select third-party issued credentials to access U.S. government sites and services, says Andre Boysen, chief marketing officer at Toronto-based SecureKey. The Postal Service will be approving individual credential providers to work with the exchange. It is expected to spur broader federal agency acceptance of approved third-party issued credentials of varying strengths and types, from simple usernames and passwords to PIV cards.

SecureKey will provide its briidge.net Exchange, a cloud-based authentication and credential brokerage service that will enable FCCX to broker user credential management capabilities instead of having to create and manage an authentication infrastructure to handle tens of millions of citizens. The briidge.net Exchange Platform builds trusted identity networks by connecting identity providers – such as banks, governments, health care organizations, and others – with consumers’ online services through a cloud-based broker service. The platform enables identity providers and online services to integrate once and avoid the integration effort and complexity otherwise incurred in establishing many-to-many relationships. Users are able to use their familiar credentials, such as a banking credential, to access online services offered by other service providers. The SecureKey briidge.net Exchange Platform significantly reduces credential management costs for online service providers, while removing user sign-up barriers, preserving user privacy, and providing convenience.

SecureKey has set up a similar service in Canada, providing an identity infrastructure for citizens to access government sites and services using banking credentials. Three of Canada’s largest banks, BMO Financial Group, Scotiabank, and TD Bank Group are the initial Trusted Sign-In Partners, with other financial institutions expected to follow in the coming months. The service is part of the Government of Canada’s Cyber Authentication Renewal initiative. No passwords or personal information are exchanged. Trusted Sign-In Partners won’t know which government service is being accessed and the government won’t know which Trusted Sign-In Partner is being used.
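The broker pattern described for FCCX and briidge.net above, and the selective disclosure Reed and Morrow call for earlier in this issue, can be shown end to end in a few dozen lines. The following is an added illustration written for this article, not SecureKey’s, the Postal Service’s or Respect Network’s code. Each identity provider (IdP) and relying party (RP) integrates once, with the broker; the IdP’s assertion is addressed only to the broker, so the IdP never learns which agency the citizen is visiting; the RP receives an assertion from the broker carrying a pairwise pseudonym, so it never learns which IdP was used and cannot correlate the user with another agency; and only the attributes the user consented to are forwarded. Party names, keys, claim fields and the sample user are constructed for the example, and the HMAC-signed JSON envelopes stand in for SAML or OpenID Connect assertions with public-key signatures.

```python
"""Double-blind credential brokering (added example; not production code).
Keys, names and the claim format are assumptions for this illustration."""
import hashlib
import hmac
import json


def sign(key: bytes, claims: dict) -> dict:
    """Wrap claims in a canonical-JSON envelope with an HMAC-SHA256 tag."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify(key: bytes, envelope: dict, audience: str) -> dict:
    """Check the tag in constant time and the audience, then return the claims."""
    tag = hmac.new(key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, envelope["tag"]):
        raise ValueError("assertion tag does not verify")
    claims = json.loads(envelope["payload"])
    if claims.get("aud") != audience:
        raise ValueError(f"assertion meant for {claims.get('aud')!r}, not {audience!r}")
    return claims


def idp_issue(idp_key: bytes, idp_name: str, subject: str, loa: int, attrs: dict) -> dict:
    """IdP side: the audience is always the broker, never a named RP."""
    return sign(idp_key, {"iss": idp_name, "aud": "broker", "sub": subject,
                          "loa": loa, "attrs": attrs})


class Broker:
    def __init__(self, idp_keys: dict, rp_keys: dict, pseudonym_secret: bytes):
        self.idp_keys = idp_keys            # IdP name -> key shared with the broker
        self.rp_keys = rp_keys              # RP name  -> key shared with the broker
        self.pseudonym_secret = pseudonym_secret

    def pairwise_subject(self, idp: str, subject: str, rp: str) -> str:
        """Stable for one (user, RP) pair, unlinkable across RPs, and revealing
        neither the IdP nor the IdP's own subject identifier."""
        msg = "\x00".join([idp, subject, rp]).encode()
        return hmac.new(self.pseudonym_secret, msg, hashlib.sha256).hexdigest()[:32]

    def broker_assertion(self, idp: str, idp_envelope: dict, rp: str, consented: set) -> dict:
        """Verify the IdP's assertion, then re-issue it for the RP with a pairwise
        pseudonym and only the attributes the user consented to release."""
        claims = verify(self.idp_keys[idp], idp_envelope, audience="broker")
        released = {k: v for k, v in claims["attrs"].items() if k in consented}
        return sign(self.rp_keys[rp], {"iss": "broker", "aud": rp,
                                       "sub": self.pairwise_subject(idp, claims["sub"], rp),
                                       "loa": claims["loa"], "attrs": released})


def rp_accept(rp_key: bytes, rp_name: str, envelope: dict, min_loa: int) -> dict:
    """RP side: verify the broker's tag, the audience and the assurance level."""
    claims = verify(rp_key, envelope, audience=rp_name)
    if claims["loa"] < min_loa:
        raise ValueError(f"LOA {claims['loa']} below required {min_loa}")
    return claims


def demo() -> dict:
    """Constructed run: one bank customer reaches two agencies through the broker."""
    idp_key, irs_key, ssa_key = b"bank-broker-key", b"irs-broker-key", b"ssa-broker-key"
    broker = Broker({"bank_a": idp_key}, {"irs": irs_key, "ssa": ssa_key},
                    b"broker-pseudonym-secret")
    attrs = {"name": "Jane Doe", "dob": "1970-01-01", "address": "1 Main St"}
    assertion = idp_issue(idp_key, "bank_a", "cust-8841", 3, attrs)
    # The user consents to name and date of birth for the IRS and nothing for SSA.
    irs_view = rp_accept(irs_key, "irs",
                         broker.broker_assertion("bank_a", assertion, "irs", {"name", "dob"}), 2)
    ssa_view = rp_accept(ssa_key, "ssa",
                         broker.broker_assertion("bank_a", assertion, "ssa", set()), 2)
    return {"irs": irs_view, "ssa": ssa_view}
```

The property worth checking in any real deployment is the one `pairwise_subject` provides: the two agencies receive different subject identifiers for the same person, each stable across logins, and neither identifier contains anything derived from the IdP's name or the bank's customer number without the broker's secret. The broker is therefore the single party that could link the two, which is exactly why its operator (here, the Postal Service) and the policies binding it matter more than the cryptography.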
VERIZON: COME FOR THE TELEPHONY, STAY FOR THE IDENTITY TELECOM GIANT AIMS TO BRING CLOUD-BASED ID TO THE MASSES Tracy Hulver has no small plans for Verizon Enterprise Solutions. “We want to be the world’s largest identity provider,” he explains, though it’s a little tongue in cheek. Verizon is known for its mobile phones and home Internet but the company has also been in the identity and credentialing business for years, explains Hulver, senior identity strategist at Verizon Enterprise Solutions. Some of the business came from its acquisition of Cybertrust, but Verizon had deployments previously. While the telecommunications giant might not be as widely known for identity services, the two sectors are analogous. Telecom companies have made it possible for anyone to dial an 11-digit number and reach an individual anywhere in the world, Hulver says. This is much like identity.

The company has two primary goals in the identity sphere. The first is to provide device and PKI-driven identity services to run large government implementations, Hulver says. The second is Verizon’s cloud-based offering for identity management called Universal Identity Services, explains Hulver. The Universal Identity Service performs the vetting, credential issuance, authentication and access management, Hulver says. This is the service Verizon wants to bring to the masses. “Because of the complexity of PKI we created cloud-based authenticated identity,” he says. The service aims to tie a high-assurance credential – such as a PIV-I – to an individual without the cost and intricacy frequently associated with identity deployments. The idea behind cloud-based identity is the same as with any cloud-based service: reduce the cost and complexity of deployment and implementation. An enterprise might be willing to tackle deployment of multi-factor credentials for 20,000 employees, but it’s an entirely different process when it comes to provisioning tens of millions of customers, Hulver says. Deploying physical tokens to that many customers is cost prohibitive, but as the problems with passwords proliferate, stronger solutions are necessary. Verizon’s Data Breach Investigations Report shows that more than 80% of breaches are due to stolen or misused credentials. “The problem continues to grow and passwords continue to be the weak link,” Hulver says. “The need for cloud-based identity is growing and it’s a way to get credentials cheaply.”

Even as breaches and risks increase, organizations still remain slow to embrace the need for strong credentials for consumers, Hulver says. Instead they are going the route that corporate enterprises have taken, forcing tougher passwords by requiring a minimum number of alphanumeric characters, capitalizations and frequent password changes. This solution doesn’t solve the problem and can cause headaches for users who have trouble remembering a growing list of complex user name and password combinations. “And if I really want to steal a password I could do some simplistic social engineering or use malware or a key logger,” Hulver stresses. Multi-factor authentication is just starting to emerge as an option for consumers, but most sites that offer the more secure option have opted to make it optional, Hulver says. Sites don’t want to make access too difficult for fear of driving customers away. “Online companies are very sensitive to that and thus the adoption rates for (companies offering) multi-factor are less than 10%,” he adds. Verizon’s Universal Identity Services aims to make authentication secure and easy. One use case has a consumer entering a user name and password and then scanning a QR code on a pre-registered
mobile device as an extra authentication factor, Hulver says. There are also risk analytics that can be used in the background as an extra authentication factor invisible to the consumer. For instance, if a consumer logs in from a home computer with the same wireless access point, same IP address and their pre-registered mobile phone is within five feet of them, it’s likely that the correct individual is accessing the account. When the same consumer attempts to log in from another network or device, additional factors can be required, such as a one-time passcode delivered to or generated by the individual’s mobile device. Online retailers are showing interest in this type of risk-based authentication technology because it does not require the consumer to do anything different, Hulver says.

An airline has deployed Verizon’s Universal Identity Service to its gate agents, mechanics and reservationists, Hulver says. The company likes the cloud-based aspect of the system because it is easy to deploy to employees geographically dispersed across the country. Previously, the airline had employees using hardware tokens for access to services. The airline’s reservationists all work from home, Hulver explains. In the previous solution, if the token was misplaced the employee had to spend time on the phone with the help desk to access the network. The new system places the primary credential on the user’s handset with a one-time passcode application. If the phone is lost, stolen or damaged the employee can have a one-time passcode sent to another phone line or can access it through a computer application. “Universal Identity Services enables many different types of credentials,” he stresses. Another deployment saw a health care provider implement the system for physician login, Hulver says. Doctors need a quick yet secure way to write electronic prescriptions. This system enables a physician to log on to a computer and then use a mobile device to receive a second factor of authentication.

Biometrics problematic for online ID Enterprises are showing a lot of interest in the use of biometrics to secure access to networks and web sites, says Tracy Hulver, senior identity strategist at Verizon Enterprise Solutions. But most of the deployments are still in the pilot stage, as organizations want to make sure the technology works properly before fully rolling it out. “The problem with biometrics is usability and reliability,” Hulver explains. “If I’m asking for a fingerprint does it work all the time?” If not, what do you do in cases of false rejection? Biometrics are typically based on the probability of a match. “With passwords, PINs and one-time passcodes you either enter it correctly or you don’t,” Hulver says. “With biometrics there’s a threshold, and security people are just now wrapping their heads around that.”
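The risk-based policy Hulver describes (same device, same access point, same IP address and the registered phone nearby means no extra step; anything less means a one-time passcode from the phone) is straightforward to express as code. The example below is added for this article and is not Verizon’s Universal Identity Services code: the signals, their weights, the thresholds and the enrolled profile are assumptions for the illustration, and it goes one step beyond the text by refusing outright a login whose context is entirely unfamiliar. The passcode check implements RFC 6238 TOTP (HMAC-SHA1, 30-second steps), the scheme a passcode application on a pre-registered handset typically uses, so the server can verify a code the phone generated offline.

```python
"""Risk-based step-up authentication with a phone-generated one-time passcode
(added example; weights, thresholds and sample contexts are assumptions)."""
import hashlib
import hmac
import struct

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

# What the server holds for one enrolled user (constructed sample).
PROFILE = {"devices": {"laptop-7f3a"}, "ips": {"203.0.113.10"}, "ssids": {"home-ap"}}


def risk_score(profile: dict, ctx: dict) -> int:
    """Score a login context: every departure from the enrolled profile adds points."""
    score = 0
    if ctx.get("device_id") not in profile["devices"]:
        score += 3                                   # unfamiliar browser or computer
    if ctx.get("ip") not in profile["ips"]:
        score += 2                                   # new network
    if ctx.get("ssid") not in profile["ssids"]:
        score += 1                                   # new wireless access point
    if ctx.get("phone_distance_m", float("inf")) > 5:
        score += 2                                   # registered phone not beside the user
    return score


def decide(profile: dict, ctx: dict, step_up_at: int = 2, deny_at: int = 7) -> str:
    """Invisible to the user when the context matches; a passcode when it partly matches."""
    score = risk_score(profile, ctx)
    if score >= deny_at:
        return DENY
    return STEP_UP if score >= step_up_at else ALLOW


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the time-step counter with dynamic truncation."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift;
    every comparison is constant-time."""
    return any(hmac.compare_digest(totp(secret, at_time + i * step, step), code)
               for i in range(-window, window + 1))


def login(profile: dict, ctx: dict, otp_secret: bytes, now: int, code: str = "") -> str:
    """Outcome after the password has already been checked by the caller."""
    verdict = decide(profile, ctx)
    if verdict == ALLOW:
        return "ok"
    if verdict == DENY:
        return "denied"
    if code and verify_totp(otp_secret, code, now):
        return "ok"
    return "need_otp"


# Constructed login contexts for the enrolled user above.
HOME = {"device_id": "laptop-7f3a", "ip": "203.0.113.10", "ssid": "home-ap", "phone_distance_m": 1.0}
CAFE = {"device_id": "laptop-7f3a", "ip": "198.51.100.7", "ssid": "cafe-wifi", "phone_distance_m": 1.0}
UNKNOWN = {"device_id": "kiosk-0001", "ip": "192.0.2.55"}      # no SSID, phone not seen
```

Two details matter in practice. The drift window is what keeps a phone with a slightly wrong clock usable, but it also widens the guessing target, so a server should rate-limit passcode attempts per account and refuse to accept the same code twice. And the IP and SSID signals are only as trustworthy as the client that reports them; the device identifier and phone proximity are the signals an attacker who has phished the password cannot reproduce from a distance.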
WHAT WILL IDENTITY LOOK LIKE IN THE FUTURE? There are many ideas for what the identity ecosystem will look like in the coming years. Some envision consumers signing up with identity providers and paying for a service while others expect the relying parties to bear the cost. It’s the latter model that Hulver sees catching on. “We don’t see the end user buying the credential,” he explains. The business model he sees is one in which the enterprise pays sub-pennies per transaction to benefit from the increased levels of security and convenience. In a perfect world, Verizon would issue everyone a credential with some confidence of the asserted identity, commonly known as level of assurance two, Hulver says. From there the credential could be leveled up. The current challenge, however, is that there is no place able to consume higher level credentials such as level four. The relying parties do not have the systems in place to accept these high assurance identities. It is a bit of a chicken and egg dilemma. Until then, Verizon is laying the groundwork to help enterprises offer better security to their customers and employees. “It is difficult to change the way the world operates and come up with a different paradigm,” Hulver says. “But Verizon’s size and number of users enables us to deploy at a massive level.”
THE DOLLARS AND ‘SENSE’ BEHIND FEDERATING IDENTITY GOV STUDY: OUTSOURCING ONLINE IDS CAN SAVE $100 MILLION + The Internal Revenue Service could save up to $300 million annually by outsourcing an identity credential, according to a report compiled by the National Institute of Standards and Technology. Moreover, the IRS stands to save $111 million up front should it establish an identity management system that aligns with the National Strategy for Trusted Identities in Cyberspace (NSTIC), the U.S. government initiative designed to encourage interoperable, secure credentials for citizens. Recent research conducted by ABI Research further supports identity outsourcing by federal agencies. In a report entitled “Securing Online Access to e-Government Services Through Federated ID,” the federated identity model is promoted as a means to strengthen online government and health care utilities. These reports have captured the attention of the public and private sectors, building momentum for the idea of federating identities.
WHY OUTSOURCE? By shifting identity from an in-house operation to a third-party vendor the IRS could spread the work over multiple, trusted organizations rather than shoulder the entirety of the responsibility itself. Moreover, the addition of outside vendors to the fray means that they could bring their own, added levels of security.
THE IRS STANDS TO SAVE $111 MILLION UP FRONT IF IT ESTABLISHES AN IDENTITY MANAGEMENT SYSTEM THAT ALIGNS WITH NSTIC

“If the IRS continues to do its own identity management, it controls and is responsible for every aspect – from identity verification, to performing routine authentication accurately, to protecting its actual credential repository,” explains Eve Maler, principal analyst serving Security and Risk Professionals at Forrester. The unfortunate truth, however, is that the IRS has a checkered past when it comes to protecting identities online. Following a recent agency breach that leaked some 2,000 Social Security numbers, it may come as significant relief that an alternative to online identity protection is available. “As we’ve seen, data protection is hard and the IRS isn’t doing it very well,” says Maler. “With the use of external credentials, it would depend on a third party and thus give up some control, but the calculation is much the same as for outsourcing any function to the cloud.”

Though outsourcing identity could bring an added level of security, the real draw remains the cost savings. “Outsourcing identity credentials is appealing because of cost savings associated with maintaining identity repositories, performing authentication and performing password resets – particularly where these are mediated by call center personnel,” explains Maler. There is real cost associated with utilities like password resets and other access management functions, and the agency could glean inspiration from the private retail sector. “Marketing and retail web sites are increasingly enabling ‘social login’ (a form of identity outsourcing) in order to smooth the path to users’ account registration and gain access to user data,” says Maler. Social login has been criticized for a perceived lack of user control and privacy protection. This poses a significant hurdle for citizen use, as Maler points out. “Government-to-citizen identity outsourcing puts a premium on user privacy, shielding the sources and clients of those identities from knowing about each other.”
ENTER NSTIC Despite the apparent advantages of an outsourced identity management system, no U.S. federal agency has officially committed to the switch. As Maler points out, NSTIC might yet play a definitive role. “A key motivation in the original Federal Identity, Credentialing and Access Management program that underlies NSTIC is government efficiency,” says Maler. “The NSTIC program takes into account broader government-to-citizen scenarios as well as entirely private-sector efficiencies such as safer online commerce.” Should an NSTIC-aligned solution be implemented, the returns will likely make the move worthwhile. The NIST report estimates that an NSTIC solution utilizing third party credentials would cost the IRS $40 million to $111 million less to roll out than a proprietary, IRS-managed identity system. Additionally, it could save $2 million to $19 million annually. The NIST report goes on to reveal that further savings could be recorded as an NSTIC-aligned solution would eliminate the need for the IRS to pay for the individual identity proofing of users. Instead, the NSTIC solution could accept third party, trusted credentials that have already been proofed. Leveraging third parties in this way would enable the IRS to spread proofing costs across the numerous parties where the credential would be accepted.

Federated identity may already be familiar to some who use Facebook, Google and other social media sites as login credentials on other sites. What is lacking with these current solutions, however, is an added layer of certainty that an NSTIC-aligned solution could provide, according to Phil Sealy, research analyst with ABI Research. At present, the social network driven, federated identity solutions don’t ensure that identities match their owner, as a single person could maintain multiple accounts under different personas. Thus, the argument for a more secure and reliable identity management system – one that tethers a digital credential to each individual citizen – is certainly understandable. As Sealy reveals, however, there remains concern as to how these credentials would be used by federal agencies. Privacy, then, is an ever-present consideration and Sealy believes that the issuing of digital identity credentials to every citizen is sure to raise eyebrows –
particularly amongst American citizens who are still reeling from the recent NSA leaks. With this in mind, federated identity initiatives – especially those adopted by federal or health care agencies – will need to be approached with delicacy and transparency. Sealy posits that it will also be vital for the public to acknowledge the value that federated identity will provide – a means to limit the information the user shares with a web site – as opposed to how the technology could be abused. Per the ABI report, federated identity promises to improve upon security and privacy by providing an easy to operate, user-centric service for accessing e-government services. Despite being very early on in the process, ABI Research estimates that some 786 million federated identity credentials will ship in 2018. That’s a significant number, and one that has surely put identity vendors on high alert. The facts and figures are just too significant for even a large federal agency like the Internal Revenue Service to ignore. Ancillary benefits aside, the financial incentive to outsource identity credentials simply makes sense.
PROPRIETARY AUTHENTICATION VS. NSTIC

Proprietary Authentication System
Advantages:
- Full control of security policies and procedures
- More control of costs/pricing models used
- Quicker adoption (because policies, procedures and pricing models are not finalized for NSTIC-aligned third-party credential authentication)
Disadvantages:
- Potential need for/cost of additional infrastructure (up-front and operation and maintenance [O&M]), license agreements, or service agreements for identity proofing, credential management and authentication
- Need for specialized staff (or outsourced staff) to maintain full authentication system

NSTIC-Aligned Third-Party Authentication System
Advantages:
- No need/cost for infrastructure, license agreements, or service agreements for identity proofing, credential management and authentication
- No need for specialized staff to manage full authentication system
Disadvantages:
- Lack of control of security policies and procedures (determined by IDPs within bounds of GSA guidelines)
- Lack of control of pricing models
- Slower adoption (the NSTIC’s standard policies and procedures are still being developed)

Source: “Economic Case Study: The Impact of NSTIC on the Internal Revenue Service,” NIST
DERIVED CREDENTIALS ENABLE HIGH ASSURANCE ID ON MOBILE PLATFORMS
VAST POSSIBILITIES, FEW REAL WORLD DEPLOYMENTS
User names and passwords are easy to use on laptops, PCs and mobile devices, but higher assurance credentials such as cryptographically secure smart cards can be cumbersome to use across various platforms and devices. This has brought about the idea of derived credentials, which would basically enable a user to spawn lower assurance credentials onto different platforms to perform other tasks. For example, a government employee could use their secure
agency-issued PIV smart card to create another digital credential for their mobile device. This derived credential could then be used to check and potentially even sign email via the handset. “We’re learning that the PIV is great for many things but you need another form factor,” says Kevin Kozlowski, vice president of Government Initiatives at XTec. The push for derived credentials is coming out of the federal government and the U.S. Department of Defense, says
Ray Wizbowski, formerly of Gemalto and now at Datacard. “The government has been looking at ways for officials to securely use credentials on mobile devices,” he explains. The last draft of FIPS 201-2, the government smart card specification, introduced the idea of derived credentials. This version of the spec, released in the fall of 2012, has the PIV presented to a mobile device manager that then assigns a subcredential to the device using a parent-and-child model. The derived or child credential would be placed on a secure element within the handset or tablet. Only a portion of the PIV functionality would be available with the derived credential and it’s possible that different derived credentials could be issued depending on the level of assurance necessary. Derived credentials were also mentioned in NIST’s Special Publication 800-63-1, which focused on electronic authentication. But this prior mention was in a generic form and not specific to PIV. It will require additional special publications to flesh out the details of how derived credentials will work. These publications will be needed so that vendors can create new products conforming to the revised spec. Some vendors are not waiting and are already working on solutions. XTec has run some pilots using derived credentials on iPads and iPhones but the
company can place the credentials on any mobile platform, Kozlowski says. He uses the derived credentials on his iPhone to validate his identity instead of using his PIV-I. With derived credentials, the PIV is essentially serving as a Certificate Authority that signs a certificate that is placed on the mobile device, he explains. In this early example, the system emails a certificate to the mobile device to be loaded and used from there. Eventually, he says, the certificate will need to be loaded directly onto the SIM or another Hardware Security Module to prevent possible tampering. Policies surrounding derived credentials need to be sorted out before they can be used in real deployments. Differentiating the derived credentials and making sure the primary one cannot be duplicated are issues that must be addressed, Wizbowski says. “Is it a truncated part of the certificate that identifies it as coming from a mobile device so it’s not giving full access?” he asks. “The technical pieces are still in the formative stages. A lot is being proposed and there are many ways to address it.” How long should the derived credentials be valid? A day, a week or a month, Kozlowski asks. And what applications can accept the derived credential instead of the primary? “Some apps you might want to mandate the card because of the security,” he adds. The government market might be the main focus for derived credentials in the short term but as high assurance identities become more commonly available the idea could catch on in the consumer market as well, Wizbowski says. Looking at the commonly used four levels of assurance, each one could be a credential. “You could issue low-level credentials for social networking and higher level ones for email and other uses,” he explains.
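The parent-and-child model described above, with the primary credential acting as the issuer of a restricted device certificate, as an added example that is not XTec’s, NIST’s or any vendor’s code. It assumes a parent key that stands in for the PIV signing key (a real PIV card does not carry a CA certificate), a constructed sample holder name, a 24-hour lifetime and email protection as the child’s only permitted purpose; all of these are illustrative choices, not values from the article or the FIPS 201-2 draft.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Credential pairs a private key with its certificate. The parent stands in
// for the cardholder's PIV signing key acting as issuer (an assumption for this
// example); the child is the derived credential a handset's secure element
// would hold.
type Credential struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCert generates a fresh P-256 key and certifies it. A nil signer means the
// certificate is self-signed.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Credential{Key: key, Cert: cert}, nil
}

// NewParent creates the long-lived, self-signed primary credential.
func NewParent(holder string) (*Credential, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: holder + " (PIV)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(3 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}, nil, nil)
}

// Derive issues a child certificate for a fresh device key. The child carries
// only a subset of the parent's capabilities: a short lifetime, signing-only
// key usage, email protection as its sole purpose and no authority to issue
// further certificates, so the primary credential cannot be cloned from it.
func Derive(parent *Credential, device string, lifetime time.Duration) (*Credential, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: parent.Cert.Subject.CommonName + " derived for " + device},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		BasicConstraintsValid: true,
		IsCA:                  false,
	}, parent.Cert, parent.Key)
}

// VerifyDerived checks, at instant `at`, that the child chains to the parent,
// is inside its validity window and is being used for its issued purpose.
func VerifyDerived(child, parent *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(parent)
	_, err := child.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err
}

func main() {
	parent, err := NewParent("Jane Doe") // constructed sample holder
	if err != nil {
		panic(err)
	}
	child, err := Derive(parent, "handset-01", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid now:", VerifyDerived(child.Cert, parent.Cert, time.Now()))
	fmt.Println("valid in two days:", VerifyDerived(child.Cert, parent.Cert, time.Now().Add(48*time.Hour)))
}
```

Because the child chains to the parent, a relying party that already checks the parent’s revocation status needs no new infrastructure to reject children of a revoked primary, and the lifetime argument is where the “a day, a week or a month” policy question lands.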
NEW USE CASE: DERIVED CREDENTIALS EXPEDITE PHYSICAL ACCESS TRANSACTIONS
The main discussion around derived credentials is using them on mobile devices to access email and secure web sites. But HID Global is working on a scheme that would see derived credentials placed on the same smart card to expedite physical access, says Bob Dulude, director of Federal Identity Initiatives at HID. It can take as long as 2.5 seconds to verify a PIV certificate for physical access, Dulude says. “The certificates are very large, 2K, and it can take a long time to read that data and validate it, not the best performance at the door,” he explains. “With prox it takes less than half a second.” HID wants to put a card verification certificate on the PIV to enable quicker processing at the door. “It’s constructed to have the minimal data necessary to open the door,” Dulude says. The derived certificate would be tied to the cardholder’s PIV certificate so that revocation lists could be checked without any changes to the existing infrastructure. “Using a derived credential reduces the size and improves performance,” Dulude says.
A CLEAR VIEW OF OPACITY
EMERGING STANDARD SECURES CONTACTLESS SMART CARD COMMUNICATIONS
ANDREW HUDSON, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
OPACITY – the Open Protocol for Access Control Identification and Ticketing with privacy – is designed to provide mutual authentication, privacy and confidentiality for contactless transactions. “Its primary goal is to enable secure contactless communication with a level of performance required for building entry or transportation and a level of security in line with the latest guidelines from the National Security Agency,” explains Jerome Becquart, vice president of Product Marketing and Identity Assurance for HID Global. It is the result of a joint effort between HID Global and the U.S. Department of Defense.
WHAT IT DOES The OPACITY protocol is designed to protect contactless communication between an identity credential, such as a smart card or mobile phone, and an end point device such as a door reader, tablet, computer or mass transit gate. “With OPACITY, performance is improved by a factor of approximately four for critical tasks,” says Becquart. “The secure wireless communications capability enables the use of PIN and biometrics on the contactless interface, further strengthening authentication alongside PKI for both logical and – in the future – physical access.”
The driving force behind the multi-year effort is to protect the contactless interface on the Common Access Card. This interface is subject to eavesdropping, which led the NSA to considerably restrict what can be done via the interface, rendering it virtually unusable in all but a few limited use cases. “It was necessary to define a secure contactless protocol with the appropriate level of performance to solve that security challenge and address privacy issues,” says Becquart. “Defense Department involvement meant that compliance with the most recent cryptographic guidelines was an essential requirement.”
Defining OPACITY’s two modes of operation

FULL SECRECY
Full Secrecy mode is best applied to situations where it is necessary to establish a session consisting of many transactions and where the material communicated is sensitive, such as in administrative or key life cycle management, or when the information communicated will remain critical and must be protected over a long period of time.
In this mode, OPACITY requires mutual authentication between the card and terminal and the presence of a Secure Application Module to store the secret material involved in this mode of the protocol. Leveraging Full Secrecy, previously transmitted secrets cannot be revealed in the clear even if the static terminal authentication key has been compromised.

ZERO KEY MANAGEMENT
Zero Key Management mode is a lightweight option suited to cases where off-card applications – the terminals – are not always capable of supporting a security module, operating secrets and the corresponding key life cycle management, such as in legacy physical access control or logical access control deployments.
Zero Key Management does not require any secrets to be stored on a terminal. It provides card authentication but not terminal authentication and is to be used only in environments where terminals are known and trusted.
HID developed OPACITY with support from the Defense Department and worked closely with a number of standards bodies to ensure openness and compliance. It is standards-based and open for anyone to use. It is also being considered by the National Institute of Standards and Technology for possible inclusion into FIPS 201-2. The result is a mutual authentication protocol with shared key establishment for confidential, end-to-end transport and integrity protection, says Becquart. “In short, the secure session is established over the contactless interface in a single command before any identifiable data is exchanged,” he explains. OPACITY has two modes of operation: Full Secrecy and Zero Key Management. “Full Secrecy mode ensures that identity of the cardholder is never compromised with end-to-end protection even after the transaction or the session is completed,” explains Becquart. For older, deployed readers that cannot support the requirements of Full Secrecy mode, the Zero Key Management mode can be used. “This mode does not require storage of secret keys in end point terminals,” explains Becquart. It provides card authentication but does not authenticate the terminal and, as such, should only be used in environments where readers are known and trusted.
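The two properties the sidebar and Becquart distinguish, a terminal that holds no secret yet still authenticates the card versus a session whose past traffic survives compromise of the terminal’s static key, as an added example that is neither HID’s nor the Department of Defense’s code and is not the OPACITY protocol itself. It is a simplified ECDH model (an assumption: OPACITY’s message formats, certificate handling and key confirmation are omitted) showing why Zero Key Management needs no stored terminal secret and why Full Secrecy mixes ephemeral keys into the session key.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Simplified ECDH model of the two modes; an illustration of their properties,
// not an implementation of OPACITY (assumption made for this example).
var curve = ecdh.P256()

// Card holds the credential's long-term (static) authentication key.
type Card struct{ static *ecdh.PrivateKey }

// Terminal holds a static key only in Full Secrecy mode; Zero Key Management
// never touches it, which is the point of that mode.
type Terminal struct{ static *ecdh.PrivateKey }

// Transcript is what an eavesdropper on the contactless interface can record.
type Transcript struct{ TermEphPub, CardEphPub *ecdh.PublicKey }

// NewParties provisions a card and a terminal with fresh static keys.
func NewParties() (*Card, *Terminal, error) {
	sc, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	st, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{sc}, &Terminal{st}, nil
}

// kdf turns the concatenated shared secrets into a session key.
func kdf(label string, parts ...[]byte) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// ZeroKeyManagement: the terminal contributes only a fresh ephemeral key, so it
// stores no secret. Only the genuine card can compute the same session key
// (card authentication), but any terminal can start a session (no terminal
// authentication). Returns the key as computed on each side.
func ZeroKeyManagement(card *Card) (cardKey, termKey []byte, err error) {
	eT, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Terminal -> Card: eT public key. Card -> Terminal: its static public key
	// (from its certificate). ECDH only fails on curve mismatch, impossible here.
	zCard, _ := card.static.ECDH(eT.PublicKey())
	zTerm, _ := eT.ECDH(card.static.PublicKey())
	return kdf("ZKM", zCard), kdf("ZKM", zTerm), nil
}

// FullSecrecy: each side mixes its static key (mutual authentication) with an
// ephemeral key (forward secrecy). Three ECDH terms enter the session key:
// terminal-static/card-ephemeral, terminal-ephemeral/card-static and
// ephemeral/ephemeral. Returns both sides' keys and the observable transcript.
func FullSecrecy(card *Card, term *Terminal) (cardKey, termKey []byte, tr Transcript, err error) {
	eT, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	eC, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, tr, err
	}
	tr = Transcript{eT.PublicKey(), eC.PublicKey()}
	c1, _ := eC.ECDH(term.static.PublicKey()) // card side: knows sC, eC
	c2, _ := card.static.ECDH(eT.PublicKey())
	c3, _ := eC.ECDH(eT.PublicKey())
	t1, _ := term.static.ECDH(eC.PublicKey()) // terminal side: knows sT, eT
	t2, _ := eT.ECDH(card.static.PublicKey())
	t3, _ := eT.ECDH(eC.PublicKey())
	return kdf("FS", c1, c2, c3), kdf("FS", t1, t2, t3), tr, nil
}

// StolenTerminalKeyAttempt models an attacker who later obtains the terminal's
// static key and has the recorded transcript. The only term computable from
// those inputs is terminal-static/card-ephemeral; the other two need an
// ephemeral private key that was discarded when the session ended.
func StolenTerminalKeyAttempt(stolen *ecdh.PrivateKey, tr Transcript) []byte {
	z1, _ := stolen.ECDH(tr.CardEphPub)
	return kdf("FS", z1)
}

func main() {
	card, term, err := NewParties()
	if err != nil {
		panic(err)
	}
	ck, tk, _ := ZeroKeyManagement(card)
	fmt.Println("ZKM keys agree with no terminal secret:", bytes.Equal(ck, tk))
	fk, _, tr, _ := FullSecrecy(card, term)
	fmt.Println("stolen terminal key recovers FS session key:", bytes.Equal(StolenTerminalKeyAttempt(term.static, tr), fk))
}
```

The trade-off the article describes falls out of the model: in Zero Key Management the terminal proves nothing about itself, which is why the text limits it to environments where readers are known and trusted, while Full Secrecy needs a Secure Application Module on the terminal precisely because it now has a static key worth protecting.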
WHY OPACITY?
The objective for the OPACITY protocol is to enable the contactless interface to be used for a larger number of use cases, expanding the contactless applications for the Common Access Card. According to Becquart, current contactless protocols can leak personally identifiable information, and they also may fail to verify that the reader is a genuine party to be trusted. They simply aren’t cryptographically strong enough to weather the next 20 to 30 years of authentication, he suggests. At present, OPACITY is being tested in limited pilots at the Defense Department, but its inclusion in the next generation FIPS 201-2 specifications could dramatically expand its use throughout the U.S. government. At the Mark Center in Virginia, a group of Defense Manpower Data Center employees are using OPACITY-enabled Common Access Cards to gain access to offices via doors protected by HID pivCLASS, PKI-enabled readers. In a mobile access proof of concept, a group of Defense Department employees are trialing OPACITY-enabled Common Access Cards to securely access e-mail from NFC-enabled phones, sign and encrypt e-mail and access secure web sites. “This proof of concept requires no additional piece of hardware to interface between the card and phone, yet maintains a high level of privacy and security,” says Becquart. The solution addresses the Bring Your Own Device challenge without having to deploy an expensive and cumbersome smart card reader to connect your phone to your Common Access Card, he explains. As authentication for physical and logical access continues to evolve and permeate more sectors of society, it will be imperative to install a solution to safeguard these actions when they occur over a contactless interface. It is HID and the U.S. Government’s hope that OPACITY will provide a clear choice.
PRINTING ID CARDS IN A MAC ENVIRONMENT
GABRIEL SCHONZEIT, PRESIDENT OF IDSECURITYONLINE.COM
Over the last few years, ID card systems have evolved to become widely available to organizations of all sizes. However, most systems available on the market are Windows-based, excluding de facto an ever-growing percentage of potential users. Does that mean that Mac users cannot operate their own ID system? No, but close attention must be paid to every component of an ID card solution, from the choice of the printer to finding Mac-compatible ID card software.
ID CARD PRINTERS
The market for Mac-compatible card printers is dominated by a select few manufacturers, including Evolis, HID Global/Fargo and Nisca. Finding a card printer with a Mac driver is relatively easy but users need to make sure that the printer is compatible with the exact version of their operating system. Developing a driver for a new operating system typically takes a few months and it is challenging for card printer manufacturers to keep up with Apple. Also, Mac-compatible card printers come with USB connectivity; some models also include an Ethernet port to connect a printer to a network, but as of today there is no FireWire or Thunderbolt-compatible card printer. Choosing the right printer starts with a thorough review of key features. Card printers can be single or dual-sided and include a magnetic or smart card encoder to personalize technology cards. For high-volume applications, printers with high-capacity feeders are available to maximize productivity. Finally, highly secure badges can be produced with laminating card printers, as adding a clear or custom layer of protection to a card significantly reduces the risk of fraud and counterfeiting.
ID CARD SOFTWARE When it comes to designing ID cards on a Mac, several options are available. Any design software like Photoshop or even a word processor can be used as long as the document is sized properly. This technique works great if only a few cards need to be printed. However, for card personalization in high volumes, ID card software is the way to go. The solutions available on the market are not merely design platforms, however. Current solutions can streamline the ID card creation process by managing cardholder data, connecting to an existing database or adding encoding capabilities to badges.
Mac-compatible solutions come in different versions. Entry-level options are great to design professional badges and issue up to a few hundred cards a year. Advanced solutions include an internal database to store cardholder data and simplify reprints. These options also support external database connectivity to print cards in batches. Finally, fully-featured software is network compatible and can encode magnetic and smart cards. In all cases, trial versions should always be downloaded for testing purposes.
CAMERAS
Many users choose to use their own digital camera to capture ID photos. Technically, it works but it is far from time efficient. To streamline a photo ID process, users should look for a proper ID camera with a TWAIN driver. TWAIN drivers handle the communication between computer software and imaging devices. This functionality enables the user to see a live video feed on a computer screen and capture a picture with a click of a mouse. When integrated with ID card software, the photo is automatically inserted into the desired templates. This feature translates into huge savings in time and energy as users do not have to go through the upload-edit-import process for each card. Unsurprisingly, not all ID cameras come with Mac drivers, so users need to check OS compatibility. Another critical point is image quality: card printers issue badges at a 300 dpi resolution, which means that low-definition pictures will definitely look pixelated once printed. Investing in a high-quality ID camera is essential to ensure high-quality photo ID badges.
BUYING TIPS
First-time buyers should consider Mac-compatible ID card systems that come pre-bundled with a printer, camera, supplies, cleaning kit and software. These bundles typically include all the necessary components to design and print professional-grade badges on a Mac. Before making a final decision, users should check the warranty coverage. Card printers are reliable machines but changing a part like a print head can be very costly.
IP-BASED READERS MIGRATE INTELLIGENCE TO THE DOOR
INTEGRATING PHYSICAL ACCESS INTO THE BROADER CORPORATE ENTERPRISE
DAMON DAGEENAKIS, SR. PRODUCT LINE MANAGER FOR PHYSICAL ACCESS CONTROL, HID GLOBAL
Using one network to control multiple solutions certainly has its benefits. The move to Internet Protocol – or IP – based networks is making it easier to operate and simplify the expansion and customization of physical access control systems. A major benefit of this approach is the ability to move intelligence to the door, which reduces system failure points and streamlines system monitoring and management. By migrating to open architecture, IP-based intelligent controllers, users can also simplify future infrastructure enhancements and modifications because they can invest in hardware platforms that are not tied to proprietary software.
NETWORKING ADOPTION DRIVERS Most companies and institutions today have installed security, access control and video surveillance systems at their facilities. Others may even have installed incident response systems, perimeter detection systems and alarm monitoring systems. These and other
disparate and isolated systems cannot easily share information, and yet, there are natural synergies between each of them. IP-based solutions can facilitate their integration, creating the opportunity for a single new system that can be much greater than the sum of its individual parts. The ability to manage video monitoring, access control, intrusion protection, incident response and other solutions on a single network in any environment delivers better facility management. Users get more out of their investments and realize the benefits of a single system that performs multiple functions with a single interface. There is also an obvious synergy between physical and IT security within an IP-based environment. The ability to combine physical and logical access control on a single credential improves user convenience while increasing security and reducing deployment and operational costs. These solutions enable organizations to leverage their existing credential investment to add logical access control for network log-on as well as create an interoperable, multi-layered security solution across company networks, systems
and facilities. They also help organizations enforce more consistent policies, while facilitating the use of consolidated audit logs throughout the enterprise. With the majority of larger installations now utilizing network communications, there will likely be a natural push for IT and facility security teams to work closely on integrated solutions that combine both sets of functionality using the same IP connections. As a result, IP-based access control has the potential to change the role of the security systems integrator, who is increasingly being influenced by IT integrators. In the meantime, there may be many new buildings using IP-based building control systems, as well as organizations that see advantages to using IP rather than proprietary networks, not only for integration, but to deliver new capabilities such as remote communications. Earlier concerns about the security of IP-based access control are rapidly waning as the industry realizes that it actually improves security. As an example, being able to integrate video surveillance with access control offers a more comprehensive view. Being able to manage all of the various video management and analytics subsystems, intrusion devices and associated IP-based edge devices through a single user interface significantly enhances situational awareness as all information can be immediately combined and correlated.
IMPORTANCE OF OPEN STANDARDS, MODULAR, SCALABLE PLATFORMS
A key to realizing the benefits of IP-based, networked access control is the use of an open and scalable platform. This ensures that information can be seamlessly exchanged between the previously disparate systems. Systems based on open standards also make it easier for users to expand, customize and integrate solutions while delivering more robust security. New technologies can be brought into existing architectures without requiring a software overhaul to accommodate them. Standards-based solutions also give users the flexibility to choose from many different products and suppliers and to tailor these solutions to their own, specific needs. Untethering users from any single supplier also gives the industry more incentive to innovate and differentiate their solutions.
Modularity is also important. A modular design enables users to select only the features they need, using streamlined system architecture. This helps lower the cost of an entry-level system for organizations that want the benefits of intelligent, networked security solutions but don’t yet need a full-featured system. In the past, the only choice was to move to a proprietary system that locked the customer into a particular system size and performance level. In contrast, today’s advanced controllers, thin-client software and IP connectivity enable a customer migration path with many incremental and affordable investment steps over time.
This also requires that there be a continuum of options to fill the gap between traditional mechanical locks with no intelligence and door solutions with full, IP-networked intelligence and functionality. It must be possible to easily adapt solutions for facility expansion or changes to virtually any card/reader configuration that future security needs may require. This could mean controlling a couple of doors with dozens to hundreds of cardholders or managing hundreds of doors at multiple facilities with as many as 100,000 cardholders. IP-based access control solutions must be able to bring intelligence to the door while protecting the value of customers’ overall investments, from controller to reader to credential. Unlike proprietary solutions, open architecture IP-based solutions provide access to hundreds of access control software system options rather than a single manufacturer’s panel and matching software solution. This enables the end user to purchase a system-agnostic controller coupled with access control software, with the option to later change that software to meet evolving requirements without requiring a major upgrade. For optimal scalability, developer kits that feature open architecture application programming interfaces (APIs) to the embedded software driving access control functionality should support IP access control solutions. Basing solutions on an open architecture platform will enable customers to meet evolving requirements and future expansion needs while protecting the value of their overall investments. Users should have a wide variety of options for future additions, including fire alarms, intrusion detection, CCTV, biometrics and others as required. For optimal security, the next generation of IP-based access control solutions also must use a controller platform that is capable of operating with fully trusted connections from host to controller to reader to credential. This approach will substantially increase security options for access control systems in the future.
THE END GAME: NO WIRES
The first step to untethered, networked access control connectivity is wireless, intelligent locksets and readers. These devices will grow in prevalence with the advent of new lower-cost, more energy-efficient products. By using interoperable, open-architecture IP-based intelligent controllers, users will have a broad range of both basic and wireless intelligent readers to choose from, providing access to multiple credential technologies. IP-based access control is well on its way to widespread adoption. Its benefits include simplified system operation, expansion and customization, with the added ability to integrate a physical access control system with many other solutions on the same network.
Fall 2013
HOW TO CHOOSE AN IDENTITY & ACCESS MANAGEMENT SOLUTION
COMMERCIAL, CLOUD SYSTEMS OFFER BEST OPTIONS
Handling Identity and Access Management processes manually can be time consuming and expensive, but improvements can be achieved via commercial products and cloud-based offerings. Cloud-based Identity and Access Management is the best option for enterprises provided it meets all requirements, according to Andras Cser, principal analyst serving security and risk professionals at Forrester. From a cost standpoint, he sees cloud-based offerings as clearly superior, with an estimated 310% return on investment over manual Identity and Access Management solutions. Cser co-authored the Forrester report, “Use Commercial Identity and Access Management Solutions to Achieve More Than 100% ROI Over Manual Processes.” It examines the various Identity and Access Management methods in an effort to determine comparative costs and benefits for each. Building an in-house system might seem like a good idea at first but the costs can add up rapidly. He reveals that homemade solutions are nearly 30% more expensive than commercial off-the-shelf Identity and Access Management systems and a staggering 85% more expensive than cloud solutions. Cser offers a disclaimer to the findings of the Forrester report, stating that only after an enterprise has defined metrics can the cost model be used effectively. “These metrics include things like the cost of a call at a help desk or time wasted by users waiting for the help desk to reset their password,” explains Cser. This resulting cost model should serve as an effective decision-making tool for organizations considering their Identity and Access Management options. The model accounts for four distinct scenarios:
- Manual solutions
- Homemade/in-house solutions
- Commercial-off-the-shelf solutions
- Cloud-based solutions
To further break down these four solution options, the team at Forrester took into account seven different cost categories:
- Infrastructure
- Personnel
- Security
- Help desk identity administration
- Access request submission/approval
- Attestation and compliance
- Business agility/Identity and Access Management as a business enabler
MANUAL IDENTITY AND ACCESS MANAGEMENT
There remains a significant reliance upon manual Identity and Access Management processes; in fact, Forrester estimates that some 60-70% of organizations find themselves in this category. Manual solutions are aptly named, requiring personnel within the organization to manually conduct Identity and Access Management tasks. This could mean that users must call a help desk to reset a password or obtain a new or different level of access. These processes often require paperwork and lengthy reviews of user access permissions. Simply put, manual solutions are inefficient. The trade-off, however, is the low up-front cost. But as the user population increases, so too does the cost of manual processes. This makes manual Identity and Access Management a viable solution for small operations, but larger firms should look elsewhere.
IN-HOUSE IDENTITY AND ACCESS MANAGEMENT
In-house or on-premises solutions see an organization build its own Identity and Access Management solution, often burning through considerable resources in the process. It can be a dangerous game as in-house solutions must be well documented, designed and constructed correctly. Forrester estimates that the expense of an in-house Identity and Access Management initiative can cost anywhere from 50-150% more in maintenance and development labor than other options. The draw for in-house solutions, as Forrester sees it, is that they are completely controllable, enabling a company to implement a solution that does exactly what it wants.
COMMERCIAL OFF-THE-SHELF IDENTITY AND ACCESS MANAGEMENT
At the other end of the spectrum from in-house lie the commercial systems. These carry recognizable brand names like CA, NetIQ, IBM, Oracle and Quest and can be great for automating Identity and Access Management processes. The product licensing and maintenance fees, according to Forrester’s estimates, range from $15 to $50 per user. The performance, however, is often far superior to in-house systems. Additionally, some users find that the licensing and maintenance costs are offset by lower labor costs. Forrester cites a potential 40% reduction in labor costs using off-the-shelf solutions. As the Forrester report points out, however, the downside is that infrastructure costs often increase. Additionally, commercial solutions tend to require long term contracts, are expensive to replace and are rigid in terms of what the customer can add.
CLOUD-BASED IDENTITY AND ACCESS MANAGEMENT Forrester sees great promise in cloud-based Identity and Access Management solutions both in terms of cost and return on investment. With an estimated $100,000 up-front cost and a monthly subscription of $4 per month per user, Forrester posits that cloud solutions can bring as much as a 90% reduction in operation and personnel costs. The advantage of cloud-based Identity and Access Management begins with low maintenance and labor costs. It continues with pay-as-you-go billing, which benefits the organization because it only pays for active users. As a future-proof advantage, Forrester explains that cloud Identity and Access Management is a viable stepping-stone toward federated Identity and Access Management because the cloud provider can also act as a trusted go-between for client networks. At present, however, cloud solutions have a tipping point of roughly 10,000 users. Beyond this level the organization’s need for customization often eclipses the cost benefits offered by the cloud system.
MAKING THE CHOICE While cost is always a concern, Forrester makes clear that anything is better than manual processes, and for those organizations looking for strong return on investment, cloud-based Identity and Access Management is the best bet. Ultimately, Forrester explains that the key for those looking for a new solution is to first know the needs and metrics. By establishing a strong understanding of an enterprise’s situation, an organization can select the solution that suits its needs now and in the future.
NEW HOLOGRAM TECH PROTECTS HIGH-VALUE IDENTITY DOCUMENTS IAN LANCASTER, GENERAL SECRETARY, INTERNATIONAL HOLOGRAM MANUFACTURERS ASSOCIATION
More than 65 years after its invention, the hologram remains a potent weapon in the battle against counterfeiters and organized criminal gangs in the multi-billion dollar trade of illicit passports, driver licenses and other fake ID documents. The International Hologram Manufacturers Association (IHMA) works actively to ensure holography remains a relevant and added-value solution today and well into the future, explains Ian Lancaster, IHMA general secretary.
Metallised holograms first appeared on ID documents in 1984 when the United Nations’ passports included the simple authentication devices on the book’s cover. Shortly thereafter, Brunei and Iraq incorporated a hologram inside the passport. In these early instances, the hologram served as an authentication device as opposed to protection for the personal data. In the 1990s, this began to change when passports held by United Arab Emirates’ nationals incorporated the first all-over transparent hologram. In this instance, the hologram not only served as an authentication feature but also protected the biographical data contained in the passport. This new, all-over hologram required the development of new techniques for high refraction index coating of the hologram. This also marked a turning point, as the number of passports issued with holograms as an authentication device and laminate to protect the biographical data page increased steadily. Today very few use a hologram as an authentication device only.
In 1999, the European Union drafted a set of security standards for passports that were codified in 2004 with EC Resolution No. 2252/2004. They mandated that an optically variable device (OVD) – the most common of which is the hologram – must be used for authentication and security on the biographical data page. Another major driver for the inclusion of holographic technology on ID documents came in 2002 – in the wake of the Sept. 11, 2001 terrorist attacks – when the International Civil Aviation Organization (ICAO) specified that passports should feature optically variable devices like holograms to combat counterfeiters. With the regulations from both the European Union and ICAO requiring an optically variable device, the technology has become a front line weapon in the fight against passport counterfeiters. Today, it is estimated that 80 countries include holograms on their passports. A Keesing Reference Systems’ survey found that 55% of passports now use an optically variable device to protect the data. The total production of passports is estimated at 150 to 300 million units per year. While this number is subject to annual fluctuation, it will undoubtedly rise as populations and the number of people travelling abroad increase. This, along with the fact that all ICAO member countries must now issue Machine Readable Passports with OVDs, all but guarantees a growing market for holograms.
SECURITY SHIELD The principal role of a hologram on a passport or other identity document is to shield against forgery of the variable information such as the photograph and personal data. The ability to provide effective protection, however, lies in the continuous innovation, invention and evolution of holographic techniques. Both optical effects and material science techniques have established holograms as authentication devices that are easily recognized yet difficult to accurately copy. They can be readily integrated into the production process and can stand up to the rigorous demands of a ten-year useful life. Still, virtually anything can be copied, and thus the holographic industry continues to work vigorously to inform the public that even the most sophisticated holograms can be reproduced … to some extent. The real debate is just how accurately holograms can be copied. The answer is: not very accurately at all. This is where the real value of holograms designed for security applications can be realized. The intrinsic features of holograms make them difficult to copy with 100% accuracy. This has ensured the hologram’s success. The document they protect may have been counterfeited and other overt features copied, but a poorly copied hologram will provide a telltale sign that the credential is fraudulent. Holograms serve not only as a deterrent and secure means of protection and authentication, but also as a warning that a document might be counterfeit. Therefore, a hologram’s purpose is not solely to prevent counterfeits but to act as an effective detection device, making it easy for the trained eye to distinguish the legitimate from the fake.
NEXT GENERATION HOLOGRAMS MEETING PASSPORT NEEDS Passport production and personalization is exacting and has proven to be technically challenging for the holographic industry. However, it is a challenge that manufacturers are responding to with promising developments, including a whole new generation of personalized photopolymer holograms that match the bio data contained within the passport. One example of this, HoloID from Hologram.Industries, enables high-speed in-line holographic personalization. Utilizing photosensitive material to create unique color patterns and animations, the technology provides control and color modulation to create portraits and other features. The information is recorded in the holographic laminate and the printed data on the substrate, providing a high primary level of security that is virtually impossible to falsify. At the secondary level, data in the electronic chip also matches with the holographic and printed information to provide an extremely high level of security and authentication.
Also making an impact in the battle for increased ID document security is Hologram.Industries’ DID visual security device. Visually quite different from traditional holograms, the solution creates a two-color diffractive image appearing at the direct reflection angle, which changes when the document is rotated 90 degrees. The technology has already been adopted by 20 countries including China to meet the need for an easy-to-use but difficult-to-imitate security device. To date, there have been no reported attempts to counterfeit the technology or even imitate its color permutation effect.
Other holographic technologies are providing documents with visually appealing features coupled with added security. 3M’s transparent hologram security laminate shows a faint holographic image that exposes tampering and protects against the wear and tear of everyday use. The Kurz KINEGRAM is being used to protect the contactless smart card chips now used on many passports. When the passport’s data page is tilted back and forth, the projected letters ‘OK’ are seen to move up and down with adjacent columns moving in opposite directions. Although the contour-based letters “OK” show strong contrast with respect to the background, these images cover very little surface area and therefore allow for sufficient see-through transparency to view the chip. Any attempt to physically tamper with the chip module would be immediately evident through the destruction of the KINEGRAM structures.
55% OF PASSPORTS NOW USE AN OPTICALLY VARIABLE DEVICE TO PROTECT THE DATA
It’s clear that holography continues to demonstrate a strong ability to adapt and move with the times, remaining a highly effective and competitive counterfeiting deterrent. Holography not only safeguards the integrity of identity documents, but also adds real value by offering greater scope for design, functionality and ease-of-use. The challenge remains, as ever, for manufacturers to respond to changing customer requirements and keep one step ahead of competing technologies through research, development and innovation. If the developments of the last few years are anything to go by, then the future for holography in ID document security remains assured.
NSTIC PILOTS ONE YEAR AND $9 MILLION LATER …
It has been a year since the first round of pilots for the National Strategy for Trusted Identities in Cyberspace was awarded. Progress is being made and issues tackled as identity technologies are deployed in real world scenarios. A common theme among the pilot winners is the camaraderie and information sharing, says Cathy Tilton, vice president of Standards and Technology at Daon and lead for the company’s NSTIC pilot. “There are synergies among the many different things we’re doing,” she adds. By late September additional pilots will have been announced that will explore other areas of the national strategy and the identity ecosystem.
LEVELING UP SOCIAL CREDENTIALS At a high level, a trust framework is a guarantee. For example, payment cards use a trust framework to guarantee payment when a charge is authorized. In the identity ecosystem a trust framework would guarantee that an ID provider has taken steps to assure that an online identity is connected to the correct individual. The American Association of Motor Vehicle Administrators and the Virginia Department of Motor Vehicles are implementing a trust framework as part of their pilot for the National Strategy for Trusted Identities in Cyberspace. The trust framework needs to serve both the public and private sectors, says Paul Blanchard, project manager for the Cross Sector Digital Identity Initiative pilot. The team initially looked at what was available publicly, conducting a gap analysis to find out what areas needed to be filled. It was determined that the InCommon Trust Framework best fit the project’s needs, though it still required fine tuning. “You’re assembling these components and gluing them together with a trust framework that enables multiple relying parties, attribute verifiers, credential service providers and others to all participate in this identity ecosystem,” Blanchard explains.
Next, the pilot is going to take identities from commercial providers – Google, Facebook, etc. – and enable consumers to add assurance to them, Blanchard says. Consumers will use driver license data, which will be checked against the Virginia DMV, to add the extra authentication elements. “We’re enabling consumers to take their commercially available identities and augment it with different authentication events so the identity becomes more reliable to relying parties,” he says. Relying parties will choose what strength credentials they will consume. “They can say they’re fine with a self-asserted credential or they can choose to augment that,” Blanchard adds.
The project is offering a “buffet of authentication events” for users, Blanchard says. Included in this buffet is a gesture-based authentication technology from pilot participant Biometric Signature ID. To enroll, the user draws a “signature” using the mouse and builds a profile. When returning to use the system, the user again draws the signature, it is checked against the enrolled version and an authentication decision is made. Another pilot partner, PhoneFactor, provides out-of-band authentication by delivering one-time passcodes to a user’s mobile or home telephone. We are working to sign up relying parties to consume these new credentials, Blanchard says. The system will be privacy enhancing and user centric, enabling the relying party to see only the user data necessary to complete the specific transaction, Blanchard says. For example, if a relying party needs to know that the user is over the age of 18, the system will simply return a yes or no response, rather than provide the actual date of birth.
$1.6 MILLION AWARDED
PILOT PARTICIPANTS AAMVA, THE COMMONWEALTH OF VIRGINIA DEPARTMENT OF MOTOR VEHICLES, BIOMETRIC SIGNATURE ID, CA TECHNOLOGIES, MICROSOFT AND AT&T.
CRITERION SYSTEMS CREATING AN ATTRIBUTE EXCHANGE NETWORK
An attribute exchange network is often discussed but rarely seen, kind of like Bigfoot. But unlike the legendary creature, the attribute exchange network is being brought to life by Criterion Systems and its pilot for the National Strategy for Trusted Identities in Cyberspace. Creating the network to communicate just the required, relevant identity information to a relying party is a difficult task on its own, but the widespread use of cloud and mobile channels has increased the difficulty, says David Coxe, CEO of ID Dataweb and cofounder of Criterion Systems. This new system will create a credential federation. Users will create a credential and then give permission for attributes to be used at different relying parties. “Those attributes are bound to the credential and can be used to create more accounts and enable single-sign on,” Coxe explains. Criterion is working with attribute providers LexisNexis and Pacific East, Coxe says. Google, AOL, Facebook, Symantec and Verizon are credential providers, with more on the way. Consumers will have the chance to improve the assurance of those identities by validating additional information. Criterion has four participants lined up that will test the attribute exchange network:
Broadridge Financial Solutions: Online communications will be enabled through federated login for consumers to inquire about proxy statements from investment bank accounts.
GE: Corporate partners and consumers will use federated login through commercial identity providers to access accounts, enabling fine-grained access based on the individual’s role.
FEMA: The agency will issue credentials to first responders for use to access content via the Next-Generation Incident Command System.
eBay: The online giant will verify seller attributes to strengthen the levels of assurance associated with account creation for new sellers.
The system will be free for consumers and they will use existing credentials they have with Facebook, Google, etc., Coxe says. Users can click a button on a site that accepts the credential and will see what attributes will be shared, and they can revoke access and manage the ones they want to share. “We can minimize the data shared through a filtering technique,” he adds. Users will also have the ability to level up the identity assurance for relying parties that require higher assurance credentials, Coxe says. The pilot will also offer different types of authentication technologies. Device verification solutions will be able to ping a handset or laptop to make sure it’s the one previously registered. Criterion has also partnered with fingerprint, voice, gesture and other biometric vendors, Coxe says.
$1.98 MILLION AWARDED
PILOT PARTICIPANTS CRITERION SYSTEMS, ID DATAWEB, AOL, LEXISNEXIS RISK SOLUTIONS, EXPERIAN, PING IDENTITY, CA TECHNOLOGIES, PACIFICEAST, WAVE SYSTEMS, INTERNET2 CONSORTIUM/INCOMMON FEDERATION AND FIXMO.
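Both the AAMVA pilot (a relying party that needs to know a user is over 18 gets a yes or no, never the date of birth) and the Criterion pilot (the user sees what attributes a site will receive, grants or revokes that access, and a filter minimizes what is shared) describe the same data-minimization pattern. The following is an added example of that pattern, not code from Criterion Systems, ID Dataweb, the AAMVA/Virginia DMV pilot or any other NSTIC project; the attribute values, relying-party names, the ("age_at_least", 18) request format and the AttributeBroker class are all constructed for this illustration.

```python
"""Attribute release with predicate-only disclosure and user-managed consent.

Added illustration only: not code from the NSTIC pilots, Criterion Systems,
ID Dataweb or the AAMVA/Virginia DMV project. Attribute values, relying-party
names and the request format are constructed for the example.
"""
from datetime import date
from typing import Dict, List, Set, Tuple, Union

# A relying party asks either for a raw attribute by name ("residence_state")
# or for a predicate over an attribute, e.g. ("age_at_least", 18).
Request = Union[str, Tuple[str, int]]

# Constructed sample attribute store for one user (hypothetical values).
USER_ATTRIBUTES: Dict[str, object] = {
    "given_name": "Jack",
    "family_name": "Smith",
    "date_of_birth": date(1964, 3, 14),
    "residence_state": "FL",
}


def age_on(dob: date, today: date) -> int:
    """Whole years of age on `today`; the birthday itself counts as completed."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def describe(item: Request) -> str:
    """Text shown to the user before consent, so they see what would be released."""
    if isinstance(item, tuple):
        _, threshold = item
        return f"whether you are {threshold} or older (your date of birth is not shared)"
    return f"your {item.replace('_', ' ')}"


class AttributeBroker:
    """Holds one user's attributes and releases to each relying party only what
    that party has been granted. Predicates are answered with True/False; the
    underlying value (here the date of birth) never leaves the broker."""

    def __init__(self, attrs: Dict[str, object]) -> None:
        self._attrs = dict(attrs)
        self._consent: Dict[str, Set[Request]] = {}
        self.audit: List[Tuple[str, Request]] = []  # what was shared, and with whom

    def preview(self, requested: List[Request]) -> List[str]:
        """What the user is shown before deciding to grant a request."""
        return [describe(item) for item in requested]

    def grant(self, rp: str, items: List[Request]) -> None:
        self._consent.setdefault(rp, set()).update(items)

    def revoke(self, rp: str) -> None:
        """Withdraw everything this relying party was allowed to receive."""
        self._consent.pop(rp, None)

    def shared_with(self, rp: str) -> Set[Request]:
        return set(self._consent.get(rp, set()))

    def release(self, rp: str, requested: List[Request], today: date) -> Dict[str, object]:
        """Filter the request against consent, then evaluate granted predicates.

        Items the user did not grant are dropped from the response rather than
        refused, so the relying party learns nothing about attributes it was
        not given.
        """
        allowed = self._consent.get(rp, set())
        response: Dict[str, object] = {}
        for item in requested:
            if item not in allowed:
                continue
            if isinstance(item, tuple):
                name, threshold = item
                if name != "age_at_least":
                    raise ValueError(f"unsupported predicate: {name}")
                dob = self._attrs["date_of_birth"]
                assert isinstance(dob, date)
                response[f"age_at_least_{threshold}"] = age_on(dob, today) >= threshold
            else:
                response[item] = self._attrs[item]
            self.audit.append((rp, item))
        return response


if __name__ == "__main__":
    broker = AttributeBroker(USER_ATTRIBUTES)
    ask: List[Request] = [("age_at_least", 18), "date_of_birth"]
    print(broker.preview(ask))
    broker.grant("example-retailer", [("age_at_least", 18)])  # consent to the predicate only
    print(broker.release("example-retailer", ask, date(2013, 9, 1)))  # {'age_at_least_18': True}
    broker.revoke("example-retailer")
    print(broker.release("example-retailer", ask, date(2013, 9, 1)))  # {}
```

The broker keeps the date of birth out of every response by construction: a predicate request can only ever produce a boolean, and a raw `date_of_birth` request is honoured only if the user has explicitly granted that exact item. The `audit` list is the "what have I shared" view the Criterion pilot describes, and `revoke` is what the user's button on the relying party's site would call.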
BUILDING PRIVACY AND ACCESSIBILITY Figuring out attributes in the identity ecosystem isn’t as easy as one would think. “What’s out there in terms of attributes is wily and woolly and we’re not sure what market forces will move us to standardization,” says Kenneth Klingenstein, director of Middleware for Internet2. Internet2 is zeroing in on a handful of areas in the ID ecosystem, with attributes at the core of the effort. But there are other major areas of work that the organization is tackling:
The Global Public Inclusive Infrastructure (GPII) will help ensure that individuals with accessibility barriers – due to disability, literacy, digital literacy or aging – can access and use the Internet regardless of economic resources.
A privacy manager will enable consumers to have control over their attributes.
Multi-factor authentication policies will help govern the use of these technologies.
Anonymous credentials will enable a user to be anonymous and unobservable.
On the attribute front, Internet2 is working to define common attributes and create an attribute registry. The problem now is that attributes are used in different ways, Klingenstein says. Even the mobile phone number and name – the most commonly used attributes – aren’t used in a consistent manner, he explains. Internet2 set up a SAML gateway that looked at what attributes social networks were sending to relying parties and found that the information being sent wasn’t consistent. “What the ID providers from the social side are sending is all over the board,” Klingenstein says.
The GPII work is an area that has been neglected, Klingenstein says. In the pilot applications, user preferences – including information on the individual’s accessibility barriers – will be stored and accessed securely in an online repository. These barriers will govern the selection of which authentication method to present to the individual.
Internet2 is working on a privacy manager with Carnegie Mellon University, Klingenstein says. Research has shown that more than 90% of social network users don’t know what information is being given or released, and furthermore, they don’t know how to change it. The privacy manager is a virtual console to help individuals manage the release of attributes, enabling them to leverage trust, informed consent and preferences across a variety of contexts and credential types. “You can start to see these tools in the consumer marketplace but they’re hostile in terms of usability because consumer identity providers want to make money off of identities,” Klingenstein explains.
Multi-factor authentication is another research area for Internet2. There are clear advantages to using multi-factor with federated identity, and combining the two with single-sign on can enable multi-factor authentication across service providers. There are wide-scale rollouts of multi-factor authentication technologies planned at the Massachusetts Institute of Technology, the University of Texas School System and University of Utah. In addition, 25 institutions across the country will collaborate to share experience related to multi-factor technologies. The pilots are exploring problems with multi-factor technologies. “Multifactor authentication fails more than usernames and passwords,” he says. Thus, policies to deal with these failures are important. “You need policy alternatives that would enable a step down,” Klingenstein says. “There’s no elegant answer but there needs to be procedural options.”
The last focus area is also the toughest: anonymous credentials, Klingenstein says. “A host of stabs have been made at this in the past 10 to 12 years,” he explains. These credentials would be issued by attribute authorities and allow for minimal attribute disclosure, for example over or under the legal age; graduate of university in a certain year; resident; first-responder certifications; etc. These credentials would also be tamper-proof and unobservable. Brown University is leading the work on this project and is looking at several pilots that will integrate the anonymous credentials in different ways. Their work on anonymous credentials has, thus far, produced some revelations. First, they’re a poorly named technology because they can provide identity information with user consent, allowing for minimal disclosure of attributes. There are also alternative approaches that use similar phrases such as “zero-knowledge.” In the next year, Internet2 is scheduled to deliver materials guiding two-factor authentication; citizen-centric attribute activities; a next-generation privacy manager; and anonymous credentials.
$1.8 MILLION AWARDED
PILOT PARTICIPANTS INTERNET2, CARNEGIE MELLON AND BROWN UNIVERSITY COMPUTER SCIENCE DEPARTMENTS, UNIVERSITY OF TEXAS, THE MASSACHUSETTS INSTITUTE OF TECHNOLOGY, AND THE UNIVERSITY OF UTAH.
ADDING MULTI-FACTOR AUTHENTICATION A group within the American Association of Airport Executives was the first to start using technology associated with a National Strategy for Trusted Identities in Cyberspace pilot. The pilot rolled out in March as a small group from the industry association began using the multi-factor technology to access a specific portal, says Cathy Tilton, vice president of Standards and Technology at Daon and lead for the company’s NSTIC pilot. Participating members are using credentials based on Daon’s IdentityX – a risk-based, multi-factor, mobile authentication technology. They are utilizing smart phones or tablets to verify identity each time they access the web site sections that house sensitive data. Participants in the pilot go to a special web site to access their portal, Tilton explains. If they haven’t enrolled they are walked through the process, which includes downloading the IdentityX app to their mobile device, entering a sponsorship number and then authenticating. The IdentityX app enables many different types of authentication. Users enroll a password or PIN, facial image, voice and optional geolocation. The app also features cryptographic mutual authentication. Depending on the risk of the transaction or the security level the relying party requests, it can also require any combination of the authentication types. “The system could require an individual to speak their PIN while being authenticated via facial recognition and do mutual authentication,” Tilton says. Daon is collecting initial information on the pilot and Purdue University is analyzing the data. The next step is to roll the system out to all AAAE members.
$1.8 MILLION AWARDED
PILOT PARTICIPANTS DAON, AMERICAN ASSOCIATION OF RETIRED PERSONS, PAYPAL, PURDUE UNIVERSITY AND THE AMERICAN ASSOCIATION OF AIRPORT EXECUTIVES.
RESILIENT NETWORK TESTING USE CASES IN HEALTH, EDUCATION
A patient with a pacemaker is on a business trip when he starts feeling odd. It’s not an emergency but he wants to see a doctor. Having his physician send all the appropriate medical data to a local physician, however, can be daunting. Resilient is trying to fix this problem by setting up a network that will enable the primary care physician to send the patient’s information to another physician with high-assurance identity vetting and authentication, says Joe Glynn, director of program management at Resilient Network Systems. “We identity proof the physician and authenticate via a second factor that they are the correct physician before they can access the referral package,” he explains. The health care pilot also includes a clinical support engine that can help the physician receiving the referral make appropriate decisions, says Britton Wanick, vice president of technical services and operations at Resilient Network Systems. When the referral package is sent to the other physician it is reviewed by the engine along with anything the new doctor may recommend. The support network can also ensure that new medications don’t have harmful interactions with existing medications. “We look to provide a national capability that can get to any doctor anywhere for a referral but then also provide contextual information so we can raise the quality of care,” Wanick says. Resilient is working with Gorge Health Connect, a health information exchange in Oregon, and San Diego Beacon Health in California. The pilots will be rolling out in September and October. Neither of these health networks has fully made the move to electronic referrals, so Resilient is helping with that process, Wanick says.
Resilient is working on a separate pilot with school children and the education sector. “We’re attempting to enable appropriate access to student records while also enabling student and parent access to online media and education material,” says Wanick. Resilient is working with school districts, online learning providers and school information systems to make sure the students are associated with the parents and both of those are associated with the school system, says Glynn. On the student side there has to be an additional level of obscurity to comply with the Family Education and Privacy Rights Act and the Child Online Protection Act. Typically, to gain access to a student’s online records, a parent uses the student’s user name and password, Wanick explains. This pilot will vet the parent’s identity and then provision access. This way it will give more assurance that only the parents and children have access to the records and better comply with federal legislation covering protection of children online. On the digital media content side, the system will make sure that students and teachers are accessing the information, Wanick says. This makes sure that the content is being consumed correctly but, more importantly, it makes sure the student accessing the data isn’t being tracked. “Their privacy is maintained and the providers aren’t mining data about the student and parents for later use,” Wanick says. This part of the pilot is rolling out to school districts in September and October.
$1.99 MILLION AWARDED
PILOT PARTICIPANTS RESILIENT NETWORK SYSTEMS, NATIONAL LABORATORY FOR EDUCATION TRANSFORMATION, LEXISNEXIS, NEUSTAR, KNOWLEDGE FACTOR, AUTHENTIFY, RIVERSIDE UNIFIED SCHOOL DISTRICT, SANTA CRUZ COUNTY OFFICE OF EDUCATION AND THE KANTARA INITIATIVE.
THE FUTURE OF MOBILE BIOMETRICS Biometrics and smart phones aren’t new; facial recognition has been an option for some Android handsets for more than a year. The rumors that Apple is going to include a fingerprint scanner in the next generation iPhone have brought the talk of mobile devices and biometrics to a fever pitch. Denise Culver, telecommunications researcher and analyst with Heavy Reading, studied the topic in a report entitled “Biometrics Offer Promise For More Secure Smart Phones.” The report looked at how biometrics can secure emerging apps like mobile wallets and ticketing. “Service providers have barely scratched the surface of what NFC and secure element technology can do to secure services on smart phones,” says Culver. Modern smart phones already have the base capabilities for biometric authentication – sensors, processors, memory and user interface.
Buyouts and market shifts Recent mergers and acquisitions across the biometric and mobile landscapes highlight the importance of the technology. Culver cites key transactions including:
Apple’s purchase of fingerprint manufacturer AuthenTec
Intel’s acquisition of an Israeli-based medical device manufacturer that specializes in heart-based biometrics
Google’s purchase of Viewdle, a provider of facial recognition software
Microsoft’s acquisition of PhoneFactor and its voice biometric authentication system.
“As smart phones, tablets and other mobile devices proliferate, they provide users with really powerful computing options,” explains Culver. “The need to secure these devices becomes even greater as we entrust them with more personal data. The same will apply for enterprises who will have no choice but to enable these devices to be used for corporate data as well.” Consumers are the ones driving the usage of smart phones, and Culver believes that those same consumers will be the drivers behind the use of biometrics on the devices. “It will trickle – or likely flood – into enterprise because consumers love to access personal and corporate data on their personal mobile device, and they emphatically do not want that information hacked,” she says. People are already accustomed to logins and other security to protect these devices, so she feels making the jump to biometrics will be less daunting.
“It won’t be much of a switch for consumers to look into a screen that scans their iris or speak a word that enables the device to recognize their voice,” Culver adds. “Regulatory compliance requirements are a huge driver for biometrics,” says Culver. “Heavily regulated industries like banking and health care are often the first to incorporate biometric authentication.” It is the overwhelming rise in Bring Your Own Device (BYOD) initiatives that is forcing enterprise IT to address the challenge of authentication on mobile devices. “Corporate IT really faces a huge challenge in how to limit or control what people put on their mobile devices,” says Culver. “People often carry more than one device and store everything from personal banking and health care data to sensitive enterprise data,” explains Culver. “So protecting them is not just necessary, it’s vital.”
DEVICE CAMERAS ENABLE CONTINUOUS FACIAL RECOGNITION

Identify Security’s identifyME solution leverages a user’s mobile device camera to conduct biometric authentication, recognizing the user as a live person and continuously monitoring the user’s presence at the device for the duration of the session. “An authorized individual using a portable or stationary device – smart phone, laptop or desktop PC – signs on to the host via wired or wireless connection to perform his/her duties,” explains Steve Hoechster, vice president of Marketing and Communications at Identify. What happens next is a utility that is new to the biometric access control fold. “The host will activate the camera and it will begin scanning the face of the user to identify the person facing the camera as a living person according to personalized and typical biometric characteristics on record with the organization,” says Hoechster. Still a fledgling solution, identifyME is being tailored to meet the gamut of security needs, and according to Hoechster, will incorporate the following recognition methods:

- Presence. Ultrasonic, laser and capacitive proximity sensing technology will be utilized to confirm the presence of a live person in front of the camera.
- Physical attribute. Physical facial geometry, such as the distance between the eyes, is measured and compared to the recorded data of the user.
- Thermal image. Validates the presence of a live person. A special attribute of the camera will be used to capture the thermal image of the user attempting to sign in.
- Facial expressions. Uses various combinations of biometric facial recognition technologies to verify that the user is relaxed and alert, and that his/her ability to perform his/her duties is not impaired by the influence of substances or by a state of fearfulness.
- Identity. Validates the identity and current status of the person with the organization.
- Authority. Validates the current level of authority of the person within the organization.
- Location & time. Transmits the GPS location of the user to the host for authentication and authorization.
- Validation. Performs the above procedures rapidly and perpetually during the session while the user is connected to the host.

VOICE BIOMETRIC SECURES FINANCIAL TRANSACTIONS ON MOBILE PHONE

UK-based biometrics start-up Voicekey has developed an iPhone app that could replace PINs as a means to validate financial transactions. The OpenSezMe app was developed in conjunction with Nottingham Trent University. Using patent-pending software, it extracts unique features from an individual’s voice to build personalized biometric ‘classifiers.’ These classifiers are then stored either in a central database or locally on a user’s iPhone. The app is available for free on the Apple App Store. It prompts the user to speak a random phrase three times to establish the unique voice biometric. “The OpenSezMe app uses voice biometric technology to secure personal or confidential data on a mobile phone,” explains Tony Allen, Managing/Technical Director at Voicekey Ltd. While the app is currently being used more as a marketing aid for Voicekey and voice biometrics in general than as a ready-to-use solution, the future use cases for the technology seem promising. “The underlying voice biometric technology uses a patented technique to produce unique voice biometric classifiers (not voiceprints) from very short enrollment phrases,” explains Allen. “This biometric classifier (the voicekey) is then stored on the user’s mobile device, allowing them to own their personal biometric.” When a user wants to access their data, they simply open the app and generate a verification sample by speaking a short, prompted random phrase that is then – along with the stored voicekey – sent to the Voicekey server. Biometric verification takes place on the Voicekey server, which transmits a confidence score back to the phone. “The phone uses this confidence score plus a user threshold setting to decide whether it is the enrolled user speaking or not,” says Allen. “If yes, the app allows access to the secret data. If no, the app refuses access.” “For now, the primary function of the OpenSezMe app is to generate interest and commercial contracts for the company based on the technology demonstrated by the app,” explains Allen. “We are talking with several major financial and telecom organizations with a view to developing voice verified solutions that will control access to call centers, automated help desks, mobile enterprise devices and secure web services.”
JAPANESE HOTEL IDS GUESTS WITH FACIAL RECOGNITION

VIP guests checking into the Universal Studios hotel in Japan can walk in, see themselves on a video monitor along with a green check mark and know they will be recognized when they arrive at the check-in counter. Universal Studios Japan is one of the first hotels to deploy NEC’s facial recognition technology for the hospitality industry, says Allen Ganz, senior account development for the biometric division at NEC North America. Some 500,000 customers are enrolled in the Universal program and it has been positively received by guests. “If you see people’s expressions as they use it there’s a very visual reaction and a personal experience for them,” he explains. NEC is marketing the facial recognition technology in the hospitality industry as a way to recognize high-value customers, Ganz says. The opt-in program would identify customers as they walked up to the front door and alert the front desk, concierge and others in the hotel that the guest has arrived. That way the hotel staff can personally greet the customer and improve their stay. The system is software based and can work with traditional IP or analog surveillance cameras, Ganz says. The software integrates with the hotel’s loyalty and customer relationship management system. “Ultimately, we’re not selling facial recognition, we’re selling enhanced customer experience that’s enabled by face recognition,” he adds. NEC is also marketing a facial detection system that recognizes the age and gender of a guest when they arrive so that digital signage could be tailored for that individual, Ganz says. For example, a 60-year-old man would receive a different ad than a 25-year-old woman.

GLOBAL BIOMETRIC FORECAST: HUGE REVENUES BY 2018

Research and Markets released the “Global Biometric Systems Market Forecast & Opportunities 2018” report, predicting that global biometric revenues will reach as much as $20 billion by 2018. According to the report, lack of data protection and outdated security practices like passwords and PIN codes have been a driving force behind the growth of biometric technologies. Moreover, ever-present security threats like terrorist attacks and plane hijackings, along with an increasing global crime rate, have inspired a call for a more robust worldwide security solution. A global trend has already formed with government projects implementing e-Passports, driver licenses, border management and national ID initiatives across many of the world’s largest countries including India, Mexico and Russia. These international initiatives have been a major component in the growth of biometric systems, and with China announcing its own biometric National ID program set to begin this year, biometric technology is sure to see a major resurgence. At present, fingerprint recognition technology is the dominant modality in the market, but the hierarchy of modalities is likely to shift. On a regional level, North America and Europe combined accounted for 61% of the total revenues of the global biometrics market in 2012.
EUROPEANS FAVOR BIOMETRIC IDENTIFICATION OF CRIMINALS, UNSURE ON USE FOR DAILY LIFE

Some 81% of Europeans favor using biometrics to identify criminals but are less in favor of using the technology in everyday life, according to a survey conducted by biometric and IT-solutions provider Steria. A majority of European citizens – 69% – support the use of biometrics in identity cards or passports and to enter secure areas. However, only 45% favor the use of biometrics to replace PIN numbers for bank cards. The survey included 3,650 respondents from across Europe. It found that citizens lack a comprehensive understanding of the benefits and applications of biometrics technology and the impact it can have on daily life. With regard to the application of biometrics, French respondents showed the most support for the technology being used to identify criminals at 89%, followed by 80% of British and 77% of German respondents. Overall, 69% of all European respondents concur in their support of biometrics in identity cards or passports, with French, Danish and British respondents leading the way at 81%, 73% and 68% respectively. Additionally, 69% of all respondents also favored the use of biometrics to enter secure areas, again with French (77%), Danish (75%) and British (69%) respondents leading the charge. Where support for biometrics begins to wane, however, is with everyday use cases for the technology. Only 45% of European respondents expressed an interest in biometrics as a replacement for bank card PIN numbers. A trend in Europe is the biometric ID/passport credential, but Steria’s survey reveals a difference in opinion amongst European citizens. Roughly half of respondents – 54% – indicated that increased security against identity theft is the most essential reason for biometric IDs or passports, while just 12% indicated that reducing crime was most important.
‘MISGUIDED FOCUS’ ON FALSE ACCEPTANCE RATES HINDERS BIOMETRIC ADOPTION

For decades, biometrics have been commonly touted as an effective way to secure facilities and networks, but when it comes down to it the technology simply has not achieved widespread adoption. The biggest hold-up for biometrics might be the very idea of changing existing processes, says Cecilia Aragon, associate professor at the University of Washington’s Department of Human Centered Design and Engineering. Aragon insists that companies looking to implement a new solution – particularly one as unfamiliar as biometric authentication – ask a few vital questions. Is the system easy to use? Is it pleasant to use? Is it reliable? Do people trust it? She posits that security professionals have stifled the technology’s growth with their overriding desire to eliminate false acceptance. “Security professionals are focused on lowering the false accept rate – not allowing an intruder into the system at all costs,” says Aragon. She says this focus ignores the importance of user experience. “The false reject rate – which is what happens to an authorized user who accidentally gets rejected – is the only error that an authorized user will ever see,” explains Aragon. False rejection and its accompanying frustration is the primary reason holding biometrics back, she explains. “The frustration of having your biometric rejected by the system and having to try over and over again can lead to anger and frustration – to such an extent that emotion can override a rational examination of the pros and cons of a new system,” she says. “We’re trying to find ways to measure that emotional response and find ways to translate it into features and guiding principles for biometric systems.”
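The trade-off Aragon describes, and the confidence-score-versus-threshold decision from the Voicekey piece above, can be put in numbers. This is an added Python example, not code from either company or from the article: it sweeps an accept threshold over constructed genuine and impostor match scores and reports the false accept rate (FAR) and false reject rate (FRR) at each setting, so the FRR cost of a zero-FAR policy is visible.

```python
"""Biometric accept-threshold trade-off: false accept rate (FAR) vs false reject rate (FRR).

The scores below are constructed for illustration, not taken from any real system.
A score is the verifier's confidence, in [0, 1], that a sample belongs to the enrolled user.
"""
from typing import List, Optional, Tuple

# Constructed evaluation data: genuine = the enrolled user's own attempts,
# impostor = attempts by other people against that user's template.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.83, 0.80, 0.78, 0.75, 0.72, 0.66, 0.60]
IMPOSTOR_SCORES = [0.70, 0.62, 0.58, 0.55, 0.50, 0.47, 0.41, 0.38, 0.30, 0.22]


def accept(confidence: float, threshold: float) -> bool:
    """Device-side decision, as in the Voicekey description: accept when the
    server's confidence score meets the user's threshold setting."""
    return confidence >= threshold


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """FAR = share of impostor attempts accepted (what security staff minimise);
    FRR = share of genuine attempts rejected (the only error the real user sees)."""
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine: List[float], impostor: List[float]):
    """Evaluate every distinct observed score as a candidate threshold, lowest first."""
    return [(t, *error_rates(genuine, impostor, t))
            for t in sorted(set(genuine + impostor))]


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float) -> Optional[Tuple[float, float, float]]:
    """Lowest (most user-friendly) threshold whose FAR does not exceed max_far.
    Returns (threshold, far, frr); None if even the strictest candidate admits too many
    impostors. The FRR it reports is the cost genuine users will actually feel."""
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    # Zero false accepts costs 20% false rejects on this data; allowing 10% FAR halves that.
    print("strict   (FAR 0):    ", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
    print("balanced (FAR <= 10%):", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1))
```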
HID AWARDED NEW GESTURE-BASED ACCESS CONTROL PATENTS

The U.S. Patent and Trademark Office has granted several patents for HID Global’s gesture-based access control methods. HID’s gesture-based solutions use 3D motion sequences to ensure privacy, security and convenience when using RFID-based devices like smart cards and NFC-enabled smart phones. The company’s newest solutions enable the user to define a series of hand motion sequences or gestures as the control operation and authenticating factor for an RFID-based device. As an example, a user could use HID’s gesture solution in conjunction with an RFID smart card, and upon presenting that card to a reader, rotate the card 90 degrees to the right and then back to the original position to enable the card to be read. In this case, the motion of rotating the card back and forth constitutes the gesture utility. HID maintains that the addition of a gesture or motion utility significantly reduces the prospect of a rogue device covertly stealing the user’s RFID credential in what’s called a “bump and clone” attack. HID’s gesture-based solution opens new possibilities for authentication, especially when used in conjunction with NFC-enabled mobile phones. Additionally, users can define gesture-based passwords, easily adding another factor of authentication to a phone-based transaction. In addition to recognizing 3D motions (left, right, forward and backward), HID’s user-defined, gesture-based passwords can also work in a two-dimensional capacity similar to that of a combination lock. Actions that can be undertaken using the gesture solution include unlocking and locking apps or physical doors, or allowing the user to discreetly send an emergency signal at the time of transaction. HID Global’s existing IP portfolio includes more than 1,000 pending and issued patents.

New patents granted to HID Global for this invention are US 8,427,320 and US 8,232,879, and the company has received notification that the European Patent Office has indicated its intention to grant a patent for the gesture-based technology as well.
GAO: BIOMETRIC EXITS AT AIRPORTS STILL A WORK IN PROGRESS

A report from the Government Accountability Office suggests that progress toward biometric exits at airports still needs work before the additional security measure becomes a reality. The report reveals that in February 2013, the Secretary of Homeland Security testified that the DHS plans to report overstay rates by December 2013. DHS officials, however, have yet to assess or document improvements in the reliability of the data used to build overstay records in accordance with federal internal control standards. Without a documented assessment to back up the reliability of overstay data, the agency would lack the vital information needed to use overstay data for policymaking purposes. Biometric exit capabilities would see airports collect biometric data, likely fingerprints, to log passengers’ departures, but this utility has been more akin to a pipe dream than a reality for Homeland Security.

Homeland Security has had biometric entry in place at U.S. airports and other border crossings since 2004. The US-VISIT program has been collecting fingerprint data from foreign travelers and running it against a watch list. Homeland Security has piloted biometric exit but hasn’t fully deployed a system, though the 10 busiest airports are supposed to test a system. The reasoning behind the GAO report, entitled “Overstay Enforcement,” is simple: millions of people visit the United States each year either legally on a temporary basis or without a visa. Overstays are those individuals who are admitted legally on a temporary basis but overstay their authorized period of admission. Homeland Security maintains the primary responsibility for identifying and taking proper enforcement action to address these overstays. The GAO has long kept an eye on overstay operations and in April 2011 reported on the DHS’s actions to identify and address overstays, making recommendations to strengthen these processes. The DHS has since agreed and has taken, or is in the process of taking, steps to address them. The GAO report, which reviews Homeland Security’s progress since April 2011, addresses the following:

- Homeland Security’s efforts to review its records to identify potential overstays.
- The extent to which changes in Homeland Security’s systems or processes have improved data on potential overstays and the agency’s ability to report overstay rates.
- The extent to which Homeland Security has made progress toward establishing a biometric exit system.

To accompany its report, the GAO prescribed some actions that need to be taken. Specifically, it recommends that Homeland Security assess and document the reliability of its data, establishing time frames and milestones for a biometric air exit evaluation framework.
SyferLock delivers enhanced single-factor, two-factor and multi-factor authentication utilizing patented software-based grids to convert static passwords/PINs into secure one-time passwords/PINs (OTPs). SyferLock’s solutions provide device-less OTPs, offering a simple, more secure way to access information while leveraging existing password infrastructure. SyferLock’s flexible, adaptable solutions enable enterprises to effectively address multi-factor authentication across a range of use cases and platforms. Increasingly, enterprises are turning to SyferLock and its superior software-based authentication solutions to eliminate hardware tokens and to reduce TCO.

ONE-TIME PASSWORDS. MULTI-FACTOR ALTERNATIVE TO HARDWARE TOKENS. CLOUD & ENTERPRISE. SOFTWARE-BASED, DEVICE-LESS. DIFFERENT PIN EVERY TIME. SUPERIOR AUTHENTICATION & SECURITY. GREATLY REDUCED TCO. SIMPLE TO DEPLOY & USE. INTEGRATES WITH WIDE RANGE OF APPLICATIONS.

Contact: Chris Cardell, +1.203.292.5441, firstname.lastname@example.org, www.syferlock.com

Software-based authentication solutions are often considered inferior to smart cards, tokens or other hardware-based systems. SyferLock has been trying to dispel these misconceptions with a software-based authentication platform based around the PIN. Since 2007 the company has been providing its software-based authentication technology to enterprises in a variety of markets, says Chris Cardell, CEO at SyferLock.

SyferLock’s technology is based on a grid and PIN system. A user registers by entering their email address or network user name. They can then watch a video on how the system works. From there they enter their password and choose a PIN and one of eight positions on the grid. For example, the PIN might be 2490 and the position could be the upper left hand corner. When the individual returns to login they enter their user name and password and then look at the grid. Instead of entering their actual PIN, 2490, they enter the numbers that are in the upper right hand corner of the boxes corresponding to the digits 2, 4, 9 and 0. In the grid pictured, the result is 3347. The red and blue numbers change with each login so the PIN entered each time is different.

While the grid is used in a typical deployment, enterprises can add security by having a full QWERTY keyboard displayed. This enables upper and lowercase letters as well as digits to be used. A smart phone application is also available. Instead of having the grid displayed on the computer screen, it’s generated on the mobile device. Even if an individual loses the smart phone, a fraudster wouldn’t be able to access the system unless they had both the PIN and position, Cardell says.

SyferLock has been deployed in various markets, but health care is picking up with more requirements for strong authentication because of HIPAA, Cardell says. A home health care company deployed hardware tokens and its nurses nearly staged a revolt over usability issues. The company has since switched to SyferLock and the reports back have been positive. Other enterprises that have deployed hardware-based authentication solutions have expressed interest as well, Cardell explains. “Legacy deployments based on hardware are not always practical, and we’re seeing companies move to software-based solutions,” he adds.

Software-based authentication can be cheaper because hardware doesn’t have to be purchased and distributed. Enterprises only have to purchase the software licenses. “From an administrative side it’s like keeping track of another laptop,” Cardell says. “Think about managing the tokens for an enterprise of 20,000.” Deployment of the system can be as quick as a few hours or a few days depending on the size and complexity, Cardell says.

How SyferLock’s Authentication Solutions Work

1. At login, a grid (as shown below) of cells is shown, each cell containing:
   - A static number or symbol in the center, and
   - Random numbers in the corners which change with each authentication.
2. User inputs the numbers corresponding to their pre-selected corner position in place of associated static password/PIN characters as their one-time password/PIN (OTP).
3. For example, with a static PIN of “2490” and a pre-selected corner of “top left”, the user would input a GridPIN of “3347” for this log-in attempt.
4. Upon every refresh and/or new log-in, the corner numbers randomly change, creating a new OTP.
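The grid-and-PIN scheme described in the article and the sidebar, worked through in Python as an added example (this is not SyferLock’s code): a fresh grid of random position digits is generated per login, the user’s OTP is read off the grid at their secret position, and the server recomputes it from the grid it issued. The cell layout, the eight position names, the digit-only static symbols and the use of a CSPRNG are assumptions; only the idea comes from the page.

```python
"""GridPIN-style one-time PIN: static PIN + secret grid position -> per-login OTP.

Added illustration of the scheme described above, not SyferLock's code. The eight
position names, digit-only cells and random digit choice are assumptions.
"""
import hmac
import random
import secrets
from typing import Dict, Optional

# The article says the user picks one of eight positions; the sidebar names corners only.
POSITIONS = ("top_left", "top", "top_right", "left",
             "right", "bottom_left", "bottom", "bottom_right")
STATIC_CHARS = "0123456789"  # the fixed symbols printed in the cell centres

Grid = Dict[str, Dict[str, str]]  # static char -> position -> random digit shown there


def make_grid(rng: Optional[random.Random] = None) -> Grid:
    """One fresh grid per login attempt. Real use draws from the CSPRNG (secrets);
    a seeded random.Random is accepted only to make demonstrations reproducible."""
    draw = rng.randrange if rng is not None else secrets.randbelow
    return {ch: {pos: str(draw(10)) for pos in POSITIONS} for ch in STATIC_CHARS}


def derive_otp(grid: Grid, static_pin: str, position: str) -> str:
    """What the user types: for each PIN character, the digit at their secret position."""
    return "".join(grid[ch][position] for ch in static_pin)


def verify(grid: Grid, submitted: str, static_pin: str, position: str) -> bool:
    """Server side: recompute from the grid it issued plus the stored PIN and position.
    The grid must be single-use; discard it after one check, whether it passes or fails."""
    expected = derive_otp(grid, static_pin, position)
    return hmac.compare_digest(submitted.encode(), expected.encode())


def consistent_pairs(grid: Grid, otp: str) -> int:
    """Number of (static PIN, position) pairs that yield this OTP on this grid.
    Above 1 means an onlooker who saw one OTP and the grid still cannot name the PIN;
    each further observed login narrows the set, which is why grids must not repeat."""
    total = 0
    for pos in POSITIONS:
        ways = 1
        for d in otp:
            ways *= sum(1 for ch in STATIC_CHARS if grid[ch][pos] == d)
        total += ways
    return total


if __name__ == "__main__":
    pin, pos = "2490", "top_left"  # the article's example PIN and corner
    for attempt in range(3):
        grid = make_grid()
        otp = derive_otp(grid, pin, pos)  # differs on each login
        print(f"login {attempt + 1}: type {otp}, verified={verify(grid, otp, pin, pos)}, "
              f"pairs consistent with this OTP: {consistent_pairs(grid, otp)}")
```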