
Fall 2010

Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews


TRENDS Will emerging modalities and mobile applications bring mass adoption?

• ‘National Strategy’ to define online ID • Walmart pushes EMV payments in U.S. • Government ID standards get wheels

Identity-Based Security for Citizen eIDs Entrust Citizen eID security solutions are the most scalable, interoperable and proven in the world. As the global PKI leader, Entrust has been chosen by over 35 countries across the globe to provide trusted security solutions for ePassports, national ID cards and other forms of citizen eID. In fact, Entrust is the No. 1 provider of ePassport security solutions for both first-generation (BAC) and second-generation (EAC) ePassport environments and is leading the migration to the EAC standard. No matter if you’re just beginning development or evolving your citizen eID or ePassport strategy, Entrust is the choice for security. Visit us online to learn more, generate an EAC certificate or test your ePassport Single Point of Contact (SPOC) implementation.


Entrust and Entrust product names are trademarks or registered trademarks of Entrust, Inc. or its affiliates. All other company and product names are the property of their respective owners. © Copyright 2010 Entrust. All rights reserved.

Contents

Cover Story
22 | Biometric Trends: Will emerging modalities and mobile applications bring mass adoption?

38 | PIV-I taxi project gets wheels in DC
46 | Online ID: Identity ecosystem at core of Obama’s online ID plan
54 | Pictures and patterns replace PINs and passwords for authentication
56 | Walmart bringing EMV to the U.S.A.?

6 | OPINION | Secure online identities now
8 | PODCAST | Conversations on physical access migration, identity standards, and Walmart’s push for EMV
10 | ID SHORTS | Key news items from AVISIAN’s online ID technology sites
21 | CALENDAR | Industry events from the identity and security worlds
22 | COVER STORY | Top Trends in Biometrics
• 23 | VEIN | Hitachi takes vein pattern to the masses
• 24 | IRIS | Sarnoff puts iris recognition on the move
• 24 | IRIS | AOptix gets up close with iris at a distance
• 26 | MOBILE | Mobile devices putting biometrics in your pocket
29 | MARKET | E-prescribing rule could be a boon for biometrics
30 | TECH | Biometric certification fills knowledge gap
32 | STANDARDS | GSA to update FIPS 201 managed service offering
34 | STANDARDS | State CIOs explore strong credentials
36 | MARKET | HP builds on EDS acquisition to create ID powerhouse
38 | INNOVATION | PIV-I taxi project gets wheels in DC
40 | FIPS 201 | So you want to issue PIV-I cards?
42 | FINANCIAL ID | Bank of America adds two-factor authentication
43 | PHYSICAL SECURITY | Survey offers view into future of access control
46 | ONLINE ID | Identity ecosystem at core of Obama’s online ID plan
• 48 | ONLINE ID | Putting odds on online ID
• 49 | ONLINE ID | Goals and actions for the ‘National Strategy’
• 50 | ONLINE ID | Liability, legislation around online ID
50 | ISSUANCE | ID vetting standards first step to online ID
52 | NFC | Cool new NFC apps win forum awards
54 | AUTHENTICATION | Pictures and patterns replace PINs and passwords for authentication
56 | PAYMENTS | Walmart bringing EMV to the U.S.A.?
58 | EMV | First U.S. issuer jumps aboard EMV bandwagon
60 | CAMPUS ID | Emerson’s contactless conversion
62 | Q&A | HID explains: Trusted Identity Platform
66 | SOCIAL NETWORKING | Peersourced ID vetting coming to Facebook

INDEX OF ADVERTISERS
AOptix 31
Apriva 51
Biometric Consortium Conference 39
CARTES & IDentification 53
The CBORD Group 61
CoreStreet 2
CPI Card Group 39
CSC 67
CSCIP 28
Digital Identification Solutions 17
Entrust 3
Evolis 7
HID Global 68
IEEE 25
ISC Solutions 57
Kaba Access Control 35
LaserCard 33
Lumidigm 11
MorphoTrak 37
PhoneFactor 19
Sarnoff 27
Smart Cards in Government 63
Teslin 47


Perspective EXECUTIVE EDITOR & PUBLISHER Chris Corum, EDITOR Zack Martin, ASSOCIATE EDITOR Andy Williams, CONTRIBUTING EDITORS Daniel Butler, Ryan Clary, Liset Cruz, Seamus Egan, Gina Jordan, Autumn Giusti, Meredith Gonsalves, Ross Mathis, Ed McKinley ART DIRECTION TEAM Darius Barnes, Ryan Kline ADVERTISING SALES Chris Corum, Sales Department, SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2010 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to

Secure online identities now
Strategy for securing IDs in cyberspace is past due
Zack Martin, Editor, AVISIAN Publications

“Hi, my name is Zack and I’ve been a Yahoo! email user for the past 11 years.”

“Hi Zack.”

“I was just looking for a free email service. It was the 90s, Gmail didn’t exist and I wasn’t a fan of Hotmail. And now … this is hard to say … my email was hacked. Everyone in my address book was spammed with male supplement ads, even my grandmother.”

“I know this isn’t a surprise to any of you here at the Yahoo! 12-step support group. I’m not sure how my password was hacked. It was complex, with characters and numbers, and it wasn’t a word – yet somehow it was still cracked.”

“Which brings me to the reason I’m here: we need to band together to get rid of passwords and force the powers that be to come up with a way to secure our online identities now!”

(crowd goes wild)

Okay, only part of the story is true. My Yahoo! email really was hacked. It threw me into a panic, sending me to every login-protected site I use to change all my passwords. Before, I was able to remember all my various passwords. Now I can’t. I’ve become the idiot with the list of passwords written down and hidden (no, they’re not on a Post-it underneath my keyboard).

This incident brought to mind something I’ve been wanting for a long time – a strong credential for online identification. I want out of the password malaise and don’t understand why I can’t go somewhere, get vetted and receive a piece of hardware or download a digital certificate so I can have two- or even three-factor authentication online.

The technology exists. Countries across the globe are issuing citizen IDs for this purpose. Rather than do it via a national ID program, the U.S. is considering a solution through the National Strategy for Trusted Identities in Cyberspace (See NSTIC, page 46). It would be voluntary, but I’ll be there to pony up.

I am stumped as to why this hasn’t happened before. Properly marketed, with privacy controls put in place, I believe there are millions of people who would be willing to pay for a service to protect them from identity theft and online fraud. Think about all the cash flowing into companies marketing products that claim to protect individuals from identity theft.

Some have wondered why this necessitates a national strategy like NSTIC. I believe there needs to be something to ensure that corporations and the government are on the same page. The continued proliferation of competing standards and projects will just breed confusion about what service to use and further delay real progress.

While the national strategy document is a start, my fear is this will get bogged down in the inevitable politics, as legislation will almost certainly be required to answer lingering questions around issuance and liability. And there needs to be national standards around identity proofing and vetting, a process that could take years.

It’s a long time coming and I’m hoping that some day soon I’ll be able to use a smart card, token or biometric to access my online account and at that point hear the crowd truly go wild.

What do the Manchester City Football Club and the Indian Government Health Department have in common? Evolis card printers: their choice for smart card personalization. Manchester City FC chose the Evolis card printers to print subscribers’ cards, access control badges and employee IDs. The Indian Government Health Department also picked the Evolis printers to encode and print health insurance cards for 60 million beneficiaries. Evolis is trusted by companies and institutions all over the world for their identification needs, simply because the Evolis solutions are innovative, user-friendly, reliable and cost-efficient. Call us today at 954.777.9262 or visit

Do you have an idea for a topic you would like to hear discussed on a re:ID Podcast? Contact

Episode 55: Migrating physical access systems

Migrating from a legacy physical access control system can be a daunting proposition. Re-carding may be the least of the worries; some migrations involve entirely new backbones and infrastructures. Regarding ID Editor Zack Martin spoke with Alan Fontanella, senior director of product marketing for identity and access management at HID Global, about migrating access control systems.

Highlights: “Some of the market drivers are a broader need for more security and the extensibility of security … as organizations look at the overall life-cycle management of physical access control.”

“We’re witnessing growth in 13.56 MHz high frequency readers well above 20%. And in parallel we’re seeing the decline of some of the legacy physical access control installations out there (such as) magnetic stripe readers. We’re really witnessing a migration from older legacy physical access control technologies both in mindset and in practice to more higher secure security.”

To listen, visit and select “Episode 55”

Episode 58: Identity standards series – Kantara

As part of the ID standards podcast series, J. Trent Adams, chair of the Kantara Initiative Leadership Council, explains his group’s role in online ID. The Kantara Initiative is trying to bring unity to the various identification standards underway across the globe. Adams gives listeners an overview of what Kantara is trying to accomplish and how it’s getting there.

Highlights: “We’re not advocating for any one approach,” Adams says. “It used to be that the advocates for any one of those (identity products) would draw battle lines … the one technology to rule them all. Slowly but surely folks in the space are beginning to realize it’s not going to happen and each of the technologies were developed to solve a specific problem and there’s a lot of overlap.”

“Each of these technologies can work together and solve different problems and have a happy harmony. What we’re doing is setting up a place that enables the conversation from the multiple parties to come up with a common solution.”

To listen, visit and select “Episode 58”

Episode 60: Walmart’s drive for EMV

Jamie Henry, director of payment services with Wal-Mart’s treasury organization, talks with Regarding ID’s Gina Jordan about the retailer’s push for EMV in the U.S. “We want to provide our customers with the most secure transactions in the market place, and the chip and PIN technology provides that high level of security,” Henry says.

Highlights: “We’re interested in EMV and helping to migrate EMV to the U.S. market for two different reasons. The first is that we view it as a much more secure transaction. It offers two forms of authentication. First is that the chip on the card authenticates that the card is the actual card, it hasn’t been counterfeited or it’s not a fake card. The second piece of authentication is the PIN (that) allows the user to authenticate themselves as being the approved or appropriate card holder.”

“The second reason has to do with international travelers. Tourists are coming from places where EMV is well established or mandated, like the United Kingdom.”

To listen, visit and select “Episode 60”

Episode 62: Identity standards series – OpenID

In our continuing podcast series on identification standards, Don Thibeau, executive director of the OpenID Foundation and chairman and president of the Open Identity Exchange, speaks about its place in the ID standards landscape. OpenID may be the one ID standard that many people are already using but don’t even realize it.

Highlights: “The powerful thing about OpenID technology is that users don’t have to sign up for it. If you have a Gmail account, an AOL account, a Yahoo account, or others, you are already OpenID enabled. And what that means fundamentally is that you can take your account and use it on other websites.”

“It’s a single sign-on value proposition, and it allows people to not be bothered with creating new accounts and passwords for every website that they visit. Rather, they can use an identity from a provider that they trust and they have a relationship with today, and move through the Internet using that identity.”

To listen, visit and select “Episode 62”


ID SHORTS • • • • • • •

Digital Identification Solutions receives $5M driver license order

Digital Identification Solutions announced it has received purchase orders from three separate driver license programs. The first of the orders is from L-1 Identity Solutions for the State of Kentucky and another is from 3M for the State of Arkansas. Furthermore, the State of South Carolina, a customer for several years, has also decided to extend its current install base. These three programs together will utilize approximately 500 additional EDIsecure printers and laminators. The total order value over the next few years from the programs is estimated to be in excess of $5 million. When combined with the EDIsecure driver license printers already deployed in the states of South Carolina and Mississippi, there will be more than 600 EDIsecure printers and laminators in use in the U.S. driver license market, and roughly 4 million cards produced per year on the equipment.

Apple hires NFC expert as mobile commerce product manager

Apple has hired NFC expert Benjamin Vigier as its new product manager for mobile commerce, a move that has further sparked rumors that the next-gen iPhone will feature mobile wallet capabilities. Vigier has been active in the NFC field since 2004, previously serving as product manager for mobile wallet, payment and NFC at mFoundry, where he developed both PayPal Mobile and Starbucks’ bar code-based mobile payments service. Apple has spent the last couple of years steadily filing patents for NFC-based applications, already dubbed iPay, iBuy, iCoupons and Products+, and the hiring of Vigier suggests that Apple may be ready to make use of them.

Additionally, Apple has filed patents for an NFC-enabled iPod, game controller, TV and iPhone. Apple is also looking to beef up security for its next-gen devices, possibly storing user signature inputs, including fingerprint recognition, which Computerworld argues will be essential to the success of Apple’s impending NFC launch.

Animetrics releases facial recognition for mobile phones Animetrics released a new facial recognition authentication service available on certain mobile phone platforms. The service, called FACER CredentialMe, is available on devices using the Android, Windows Mobile and RIM operating systems on the Sprint 3G or 4G networks. It was launched in conjunction with Troy Security Solutions, a mobile products and solutions provider. The biometric service enables a user to authenticate their identity for online services or transactions via unique characteristics in their face as recorded from the phone’s embedded camera. The biometric authentication can be used to entirely replace standard login methods or layered on top of them as a second factor of authentication. In addition to the service, Animetrics released a software development kit so developers can include face recognition biometrics in their applications.

Texas community banks deploy Bling Nation’s mobile payment stickers

American National Bank and Guaranty Bond Bank in Mt. Pleasant, Texas are offering tap-and-go mobile payment to their customers and the community through Bling Nation. Customers with a checking account at either bank can sign up for a BlingTag, a quarter-sized microchip sticker that adheres to the back of their mobile phone to enable debit transactions directly from their account. Each time a purchase is made using a BlingTag, the consumer receives a transaction confirmation and account balance by text message. Since the BlingTag does not store any personal information, it offers more security than traditional plastic cards and reduces the risk of identity theft and fraud, according to Bling Nation.

RockWest supplying first responder credentials RockWest Technology, a business unit of Identive Group Inc., announced the implementation of a credentialing and identity management system for the City of Colorado Springs, the El Paso County Department of Health and Environment and the El Paso County Sheriff’s Office. The three entities are using the Web-based solution to supply card-based ID systems for more than 20 county agencies including fire, police, health, sheriff and emergency management.



Each agency manages its own identity vetting and issuance of first responder and employee credentials. The credentials issued by the agencies are interoperable via a printed bar code. The accountability and asset management systems will be launched by the jurisdictions in 2011.

In the future, during an incident, city and county agencies will be able to scan ID credentials and emergency equipment data into the Emergency Incident Management Command system as part of the county’s overall accountability initiative.

This will enable the tracking of all county personnel and resources throughout an incident in accordance with the standards set by the National Incident Management System. Centralized credentialing and asset tracking provide first responder accountability and critical information for emergency management for this eastern Colorado county of more than 600,000 residents that encompasses approximately 2,158 square miles.

SecuGen releases biometric scanner, card reader in one

Biometric developer SecuGen released its iD-USB SC/PIV, a USB-connectible device that is capable of scanning fingerprints and smart cards and is FIPS 201/PIV compliant. SecuGen is targeting its new offering at government and commercial projects that require both biometric and smart card capabilities in the solutions they choose. The new unit is now listed on the General Services Administration’s FIPS 201 Approved Products List. Some of the aspects of the new device that SecuGen is touting include its compliance with different standards. Its optical fingerprint sensor is certified to meet the FBI’s Image Quality Specifications. Additionally, the reader comes with drivers for Windows, Linux and other operating systems, giving end users more choice of what computer to use.

idOnDemand, Directory Concepts team up to deliver One Identity on demand

A partnership between idOnDemand and Directory Concepts could mean the streamlining of smart card issuance for buildings, computer login, electronic signatures, VPN and encryption management. IdOnDemand’s product will be included in Directory Concepts services. This collaborative effort will enable customers to bridge the gap between internal infrastructure and Infrastructure-as-a-Service with the implementation of Novell, Oracle, Microsoft and other identity management systems. For example, if a customer is onboarding or offboarding staff through its ID management system, the card production, revocation and management is driven from the customer’s internal infrastructure to the idOnDemand system. This can connect the smart card issuance to multiple logins and/or secure access points from a single secure identity service, thus avoiding further costs or security threats.

AT&T, Verizon, T-Mobile enter mobile payments arena AT&T, Verizon Wireless and T-Mobile USA are reportedly teaming up to launch a contactless mobile payment pilot in Minneapolis, Atlanta, Salt Lake City and Austin, Texas. Trials are expected to commence in mid-2011. Participating customers will be able to pay for a variety of goods and services with NFC-enabled smart phones using Discover Financial Services’ payment network.

Meanwhile, MasterCard and Visa have been pursuing their own mobile solutions. In June, MasterCard teamed up with Citigroup to produce contactless PayPass stickers that can be affixed to mobile phones. Visa and DeviceFidelity also developed their own solution earlier this year that works with existing smart phones, including Apple’s iPhone.

Italy orders more LaserCard credentials LaserCard received an order for an additional $550,000 of optical security media cards for Italy’s Citizen ID Card program. Known as the Carta d’Identità Elettronica or CIE, the ID cards are used by citizens for identification and travel. In addition to this program, LaserCard’s multitechnology ID cards are also used by two Italian government agencies – the Ministry of Justice and the Carabinieri, Italy’s National Police – to help protect employees and provide secure access to government facilities. LaserCard supplies ID credentials for government ID programs worldwide, including the next-generation U.S. Green Card, multiple programs in Italy, the Saudi Arabian and Angolan National ID Cards, the Costa Rica Foreign Resident Card, the Hungarian Professional Driver License and vehicle registration programs for three state authorities in India.

Kantara Initiative, Open Identity Exchange develop trust framework partnership

In an effort to develop more secure online transaction services, Kantara and the Open Identity Exchange have introduced their most recent collaborative effort in online trust ecosystems. The two organizations have partnered to deliver a service that combines the Kantara Initiative Identity Assurance Framework (IAF) and the OIX Trust Framework Platform. The result of this partnership is said to meet the needs of a variety of networks, transactions and jurisdictions around the world. Both organizations will submit their own certification assessment results into an operational database hosted by OIX, thus providing a comprehensive view of their certification. In further collaboration, Kantara Initiative representatives will join the OIX Advisory Board, and OIX will join the Kantara Initiative Identity Assurance Working Group (IAWG).

Hospital taps DigitalPersona for security solution DigitalPersona has been selected by Memorial Hospital of Union County in Ohio for a biometric solution to help it meet Health Insurance Portability and Accountability Act (HIPAA) requirements for securing electronic patient records. The solution will authenticate the hospital’s 600 employees when they seek access to specific patient records. The hope is that the system will both secure the files and streamline retrieval for those who need them. Additionally, the hospital is hopeful it will ease the issues caused by contingent staff who only work at the hospital a few times a month as they frequently have the highest password reset rates.

MaxID unveils new handheld solution

MaxID introduced a new product in its line of mobile, multi-modal biometric devices. The new device, called the iDL300, is smaller and more lightweight than other handhelds in the iDL product line and is expected to be available in September. MaxID is marketing the new offering in maritime security, border management and perimeter security due to its lightweight nature, rugged design and ability to read TWIC, CAC, PIV, PIV-I, SAM and FRAC cards as well as passports and driver licenses. Other capabilities of the new device include contactless card and bar code reading; optical fingerprint scanning; WiFi, 3G and Bluetooth communication; and a screen that is bright enough to be viewed in sunlight.

Anakam offers third-factor authentication for Fortune 1000 clients

Anakam Identity Suite has been chosen as the provider of three-factor authentication for West Corporation’s Fortune 1000 clients. Anakam will work to enhance the ‘West at Home’ service, enabling it to feature a selection of authentication functions such as voice biometrics and digital signature. West at Home provides home-based customer contact solutions to secure customer data and achieve a high level of service. Anakam’s capabilities will add another layer of security to West at Home’s existing two-factor authentication solution. The Suite delivers NIST Level 3 authentication with an out-of-band, one-time passcode via phone, email, or voice biometrics. Deployment of the Anakam product will first prioritize authentication of the virtual private networks (VPN) between the home-based agents and the West at Home platform. Later the deployment will extend to customer- and client-facing solutions.

VA facility deploys Codebench

Codebench announced that the Department of Veterans Affairs Financial Services Center in Austin, Texas has deployed Codebench’s PIVCheck Plus and Certificate Manager software to check and authenticate Personal Identity Verification cards for employees at its new facility. The PIVCheck Plus software, in conjunction with the Software House C•CURE 800/8000 physical access control system, enables the VA’s Financial Services Center to use the PIV card as a single access control solution facility-wide. Cardholders use the PIV ID card to gain access into the building and verify privileges once inside the facility. The Financial Services Center is running a pilot using the PIV card for computer access. Results thus far have reportedly been good and full implementation is expected by December 2010.

Codebench’s PIVCheck Plus software has been used to read, validate, authenticate and then register each cardholder’s PIV card into the security system database without manual data entry. Codebench’s PIVCheck Certificate Manager is a PC-based application that, after registration, re-validates imported cardholder certificates on a periodic basis. It checks the revocation status of the card, enabling the system to revoke access privileges on the spot. PIVCheck provides three-factor authentication, managing the acquisition of cardholder data from a smart card and performing off-card biometric matching. The software uses an asymmetric key authentication scheme to identify forged or cloned cards. Digital certificates may be verified by querying the issuer’s validation authority or an OCSP/SCVP responder. PIVCheck is FIPS 201-certified in several of the NIST SP 800-116 categories, including PIV Authentication System and Caching Status Proxy. Systems integrator Tech Systems, Duluth, Ga., installed the system for the Veterans Affairs Financial Services Center.
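The PIVCheck description above (asymmetric-key authentication to catch forged or cloned cards, then a status check against the issuer’s validation authority) is the general pattern for any certificate-bearing credential, and it is also the “chip authenticates the card” half of the argument Jamie Henry makes for EMV in the Episode 60 podcast notes. What follows is an added example, not Codebench’s code and not the PIV specification’s exact exchange: a hypothetical issuer CA, a card that exposes only a signing operation, and a reader-side check written with Go’s standard library. The issuer name “Example PIV CA”, the cardholder names, and the in-memory revocation map that stands in for an OCSP responder are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card models a chip: the certificate is readable, the key is not, and Sign is all a reader can ask of it.
type Card struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func (c *Card) Sign(challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.key, digest(challenge))
}

// Issuer is a hypothetical card issuer: a CA key pair plus the revocation status its validation authority serves.
type Issuer struct {
	CA      *Card
	revoked map[string]bool // revoked serial numbers; stands in for the OCSP/SCVP responder
}

var nextSerial int64 // demo-only serial number counter

// IssueCard makes a key pair and a short-lived certificate for cn, signed by iss (self-signed CA when iss is nil).
func IssueCard(iss *Issuer, cn string) (*Card, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		IsCA:                  iss == nil,
		BasicConstraintsValid: true,
	}
	parent, signer := tmpl, key // self-signed CA unless an issuer is given
	if iss != nil {
		parent, signer, tmpl.KeyUsage = iss.CA.Cert, iss.CA.key, x509.KeyUsageDigitalSignature
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Card{Cert: cert, key: key}, err
}

func NewIssuer() (*Issuer, error) {
	ca, err := IssueCard(nil, "Example PIV CA") // hypothetical issuer name
	return &Issuer{CA: ca, revoked: map[string]bool{}}, err
}

func (iss *Issuer) Revoke(c *Card) { iss.revoked[c.Cert.SerialNumber.String()] = true }

// Clone models an attacker who copied the public certificate off a genuine card
// but could not extract its key, so must sign with a key they control.
func Clone(stolen *x509.Certificate, attacker *Card) *Card { return &Card{Cert: stolen, key: attacker.key} }

// VerifyCard is the reader-side check: the certificate chains to the trusted issuer, is not
// revoked, and the card signs a fresh random challenge with the certified key (ECDSA only here).
func VerifyCard(iss *Issuer, cert *x509.Certificate, card *Card) error {
	roots := x509.NewCertPool()
	roots.AddCert(iss.CA.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("forged: certificate does not chain to the trusted issuer: %w", err)
	}
	if iss.revoked[cert.SerialNumber.String()] { // the status query an OCSP/SCVP responder answers
		return fmt.Errorf("revoked: issuer reports serial %s as revoked", cert.SerialNumber)
	}
	nonce := make([]byte, 32) // fresh per check, so a recorded signature cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := card.Sign(nonce)
	if err != nil {
		return err
	}
	if !ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest(nonce), sig) {
		return fmt.Errorf("cloned: signature was not made with the certified private key")
	}
	return nil
}
```

A card from a rogue issuer fails at the chain check, a clone (copied certificate, different key) fails the challenge, and a revoked card fails the status query even though its certificate still verifies. The order matters: the cheap checks reject junk before the card is asked to sign, and the periodic re-validation Codebench describes is simply the status query repeated after registration.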

PhoneFactor announces e-banking authentication product

PhoneFactor has added authentication for online banking to its list of service features. The company introduced the Universal Banking Gateway, adding out-of-band authentication to online banking platforms through the PhoneFactor authentication solution. PhoneFactor already offers authentication via out-of-band phone call or text message; now the online banking solution will authenticate transactions and logins. PhoneFactor also supports direct integration through Web plug-ins for Java and .Net. The company has already partnered with banking platform providers including Fiserv.
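Both the Anakam item above and this one rest on the same mechanism: the server generates a one-time passcode, sends it over a channel the attacker is assumed not to control (a phone call, a text message, an e-mail), and accepts it once within a short window. The following is an added example, not PhoneFactor’s or Anakam’s product code. It assumes the delivery channel is a callback the caller supplies, that a login attempt is identified by a session string, and that the server stores only an HMAC of the code rather than the code itself; the phone number in the test is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrNoChallenge = errors.New("no passcode outstanding for this login")
	ErrExpired     = errors.New("passcode expired")
	ErrTooMany     = errors.New("too many wrong attempts")
	ErrMismatch    = errors.New("wrong passcode")
)

// challenge is the server's record of one issued passcode. Only an HMAC tag of
// the code is kept, so a copy of this table does not yield usable codes.
type challenge struct {
	tag     []byte
	expires time.Time
	tries   int
}

// OTPService issues and checks out-of-band one-time passcodes.
type OTPService struct {
	key      []byte                // server-side HMAC key for the stored tags
	ttl      time.Duration         // how long a code stays valid
	maxTries int                   // wrong guesses allowed per code
	pending  map[string]*challenge // outstanding codes, keyed by login session ID
	Now      func() time.Time      // clock, replaceable in tests
	deliver  func(to, code string) // the out-of-band channel (SMS, voice call, e-mail); hypothetical
}

func NewOTPService(ttl time.Duration, maxTries int, deliver func(to, code string)) (*OTPService, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &OTPService{key: key, ttl: ttl, maxTries: maxTries, pending: map[string]*challenge{}, Now: time.Now, deliver: deliver}, nil
}

// tag binds the code to the login it was issued for, so a code captured for
// one session cannot be presented against another.
func (s *OTPService) tag(session, code string) []byte {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(session + "\x00" + code))
	return m.Sum(nil)
}

// Issue draws a uniformly random six-digit code, records its tag and expiry,
// and hands the code to the out-of-band channel. A second Issue for the same
// session replaces the earlier code.
func (s *OTPService) Issue(session, to string) error {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.pending[session] = &challenge{tag: s.tag(session, code), expires: s.Now().Add(s.ttl)}
	s.deliver(to, code)
	return nil
}

// Verify accepts a code once, before expiry, within the guess budget. The
// record is removed on success, expiry or exhaustion, so a code cannot be
// replayed and the six-digit space cannot be searched with unlimited guesses.
func (s *OTPService) Verify(session, code string) error {
	c, ok := s.pending[session]
	if !ok {
		return ErrNoChallenge
	}
	if s.Now().After(c.expires) {
		delete(s.pending, session)
		return ErrExpired
	}
	c.tries++
	if c.tries > s.maxTries {
		delete(s.pending, session)
		return ErrTooMany
	}
	if subtle.ConstantTimeCompare(c.tag, s.tag(session, code)) != 1 {
		return ErrMismatch
	}
	delete(s.pending, session) // single use
	return nil
}
```

The guess budget is what makes a six-digit code adequate: without it, the space is small enough to enumerate online. What the example cannot show is the strength of the channel itself; an out-of-band code is only as strong as the attacker’s inability to read the phone or mailbox it is sent to.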

Aware supplying biometric technology to government agency Aware announced it has supplied a major U.S. government agency with client and serverbased software products for the Personal Identity Verification employee credentialing system implemented by IT services firm Jacob & Sundstrom. Aware’s Universal Registration Client (URC) and Biometric Services Platform (BioSP) are working together to provide enterprise-wide enrollment of employees into the PIV system and offer centralized data structuring and workflow for the issuance of the employee credentials.


In the system provided to the agency, the URC will handle enrollment and capture of biometric information such as facial images, digital signatures and fingerprint scans, as well as scans of an employee’s I-9 form. After an employee is enrolled, the BioSP provides card-based password access control to appropriate systems.

MorphoTrak wins North Carolina driver license deal

MorphoTrak received an award notification from the North Carolina Department of Transportation for an enhanced security driver license system in the amount of $47.5 million. The system includes MorphoTrak’s Secure Credentials Center to increase security validations and privacy protections while improving customer service and convenience.

MorphoTrak’s North Carolina solution includes new driver licenses that incorporate security and anti-fraud features, making it difficult to reproduce IDs for fraudulent purposes. The 3D Photo ID technology, provided by sister company Sagem Identification, features laser-engraved three-dimensional photo images that are among the most secure first-line security features available.

L-1 introduces new biometric device

L-1 Identity Solutions has unveiled a new biometric device called the HIIDE 5. The device is the next generation in the HIIDE family, a small and lightweight mobile option for enrolling or authenticating identities using biometrics in the field.

Additionally, the new device is touted as a customizable option designed to fit the needs of field operations in law enforcement, homeland security, military operations and transportation security. One of the more notable changes from the previous HIIDE model is that the iris, fingerprint and facial templates are stored at one-tenth the size of a standard image file, allowing for quicker transmission of data. Other capabilities of the new device include built-in GPS and support for 802.11 WiFi, Bluetooth, 3G and 4G, tactical radio and WiMAX.

Gemalto reaches 10 million e-ID milestone in India

Gemalto has reached the ten million milestone for distribution of electronic driver licenses and electronic registration certificates for cars delivered to India, making it the biggest project of this nature in the world.

The digital security company designed the e-driver licenses to protect against identity theft. The card stores all the driver’s personal data in addition to their driving history.

The program has reached nearly one-tenth of the driving population in India, providing convenience to the owners of the e-documents and greater efficiency for monitoring by the authorities.

Gemalto’s e-Registration Certificate card contains data about the vehicle, insurance information and control certification. Both cards incorporate a microprocessor for secure storage.

Gemalto is also deploying driver licenses in Australia, El Salvador, Finland, Mexico, Norway and Sweden.

ID SHORTS • • • • • • •

Transit, payment apps could be added to government IDs The U.S. Department of Defense is planning to pilot using its Common Access Card for access to public transportation, says Bob Gilson, management and program analyst at the Defense Manpower Data Center in the DOD. Gilson made the comments during a session at the Smart Card Alliance Annual Conference in Scottsdale, Ariz. Gilson has been charged with looking at future applications that could be added to the ID credential and potentially other PIV cards. Transit is the first application being looked at, as public transportation authorities are looking to move to open loop systems. Most transit agencies currently issue proprietary contactless smart card technology, but many have expressed a desire to accept contactless payments from MasterCard, Visa, American Express and Discover so they don’t have to issue a card of their own. In the next year the DOD wants to conduct four pilots testing the addition of a transit application to the Common Access Card, Gilson says. A limited test with about 100 participants is already underway in Salt Lake City, which has an open loop transit system already in place. The DOD is also looking at the addition of an EMV payment application to the Common Access Card. The application would be a prepaid one that would enable soldiers to make purchases in an offline or online environment.

German Government to deploy SCM smart cards in nationwide campaign

As a result of the new electronic identification program rolled out by the German government, SCM Microsystems has announced that more than 700,000 of its contactless smart card readers will be distributed. The readers will be part of free IT Security Kits provided by the government to promote security amongst German citizens. Germany’s Federal Ministry of the Interior has chosen the deployment of the new e-ID cards to protect online identities, handle government transactions at both the local and federal level, and access a range of consumer-oriented applications including ePayments.

Entrust offers SaaS credentialing

Entrust is extending its public key infrastructure technology to provide the Entrust Credentialing Service, an end-to-end hosted solution for organizations to issue unified smart card credentials. This system is tailored for enterprise, citizen or government environments that want to secure physical and logical access, virtual private networks (VPN) and other enterprise functions and capabilities. Based on Entrust Managed Services PKI, the credentialing service includes all necessary components including identity vetting, data capture, personalization, printing, issuance and revocation. The credential facilitates mobility, interoperability and security of end-user access by employing one credential for building access, computer/logical access and a range of applications including secure email and document signing. In advanced deployments, the multi-purpose smart cards can also include the electronic machine-readable travel document (eMRTD) data identical to an e-passport. This capability helps extend the value of the service, particularly for law enforcement organizations and government departments. Entrust’s multipurpose smart cards that include eMRTD credentials are compliant with all ICAO standards, including Basic Access Control and Extended Access Control. Entrust Managed Services PKI enables organizations to establish and maintain a trustworthy environment by providing certificates that secure many off-the-shelf applications using encryption, digital signatures and strong certificate authentication. This enables organizations to control access to resources, prevent theft of information, and comply with privacy and digital signature regulations.

Start-up develops new gait technology

Plantiga Technologies, a start-up company based in Vancouver, has announced the development of a new security and defense technology utilizing gait biometrics. The system uses special footwear to generate walking and movement patterns, or gait patterns, to identify the individual based on their biometric profile. The usage of footwear to communicate gait information is what makes this technology different from other gait biometric systems that typically depend on visual analysis of an individual’s gait via cameras. The company sees its technology as having benefits beyond basic identification as the system could help track personnel behavior by recording where they have been, what they have been doing and when they were doing it. Plantiga expects a working prototype this fall.

Citi unveils PayPass stickers

MasterCard PayPass stickers are available for Citi credit cardholders to affix to their mobile device and use to make contactless payments at PayPass-accepting merchants. Citi has rolled out a PayPass locator app that searches and maps the nearest PayPass merchants. The plan is to also release location-based services that would enable consumers to find deals close to them.

Paul Galant, CEO of Citi Cards, says the system will enable customers to continue to receive benefits that come with using a credit card – earning miles, cash back or rewards points.

Germany taps NXP for national ID smart card chips

NXP Semiconductors’ SmartMX contactless microcontroller has been chosen to power the new German contactless National Identity card. The German government selected the company as the supplier of an ultra-thin inlay containing the SmartMX chip. Issuance of German contactless ID cards, which will replace the current paper-based IDs, will start in November. More than 60 million cards are to be rolled out over the next ten years. Equipped with a new communication protocol, the contactless ID card will enable secure e-government and e-commerce services while protecting against identity theft. Only trustworthy service providers will be able to access ID card data once authorized by the citizen, ensuring privacy, as well as authenticity of data for service providers. More than 150 companies are preparing for the rollout of the new ID card and participating in trials to offer services such as online banking, registration for online shopping, airline passenger check-in, online tax declaration and car registration. The new German ID card can also be used as a travel document within the EU – and to some other countries such as Tunisia, Morocco and Egypt – instead of a passport.

The SmartMX platform includes a number of security features to guard against reverse engineering and attack scenarios. It also employs a dedicated hardware firewall to protect specific sections on the chip.

Bank of America to test microSD cards for mobile payments

Bank of America is testing NFC payments enabled through microSD cards, a spokesperson for the bank says. The program began in September and will run through the end of the year in New York. Smartphones including the BlackBerry and many devices running the Android operating system have the required microSD slots. Apple’s iPhone does not, but press reports state that BofA may test a sleeve for the iPhone to enable it to use a microSD card for NFC payments.

Singapore school taps CBORD for contactless campus card Singapore American School selected the CS Gold one-card solution from CBORD to manage card-based purchasing, security operations and more. The school provides a preschool through grade 12, American-based curriculum to 3,800 expatriate students in Singapore. The card is formatted to meet Singapore CEPAS contactless card standards so students can use it for payment nationwide in addition to using it on the campus. CEPAS is a multipurpose stored value card used throughout Singapore as payment for services including transit, taxi service, electronic tolls, parking, retail, and more. The school uses CS Gold to manage a variety of functions including dining purchases, printing, bookstore purchases, library privileges, and online account management. More than 10,000 ID cards will be issued to parents and students. A card-based access control system is also planned for installation.

ActivIdentity providing software to UK Policing Improvement Agency ActivIdentity announced that the National Policing Improvement Agency (NPIA) in the United Kingdom has procured 250,000 licenses of its ActivIdentity ActivID Card Management System and ActivIdentity ActivClient security software to issue digital credentials to members of the country’s police forces. The ActivIdentity solution has been selected as a key component of the NPIA’s Identity and Access Management framework operated by Siemens Enterprise Communications. The ActivID Card Management System enables the NPIA and associated police forces to issue and manage digital credentials on smart cards and securely update applications and credentials post issuance. The ActivClient security software will enable agencies to secure workstations with smart cards while enforcing strong authentication for desktop access, network login, and remote access to the new Central Service infrastructure. NPIA’s new Central Police Service infrastructure is part of the agency’s overall Information Systems Improvement Strategy, which strives to move towards convergence and the use of common, compatible technology throughout the police service and create a single re-usable national IT infrastructure.

LEGIC partners with Dutch ID solutions provider; intros new contactless locks LEGIC announced the release of a new contactless locking system and a new partnership with Magna Carta, a Dutch cashless payment vendor.

Magna Carta is a global supplier of contactless identification solutions for the education, health care, leisure, government and business environment, working in applications such as catering, vending, access control, ticketing, parking, photocopying, cashless payment, time registration and transaction systems. The company has already deployed several multi-application projects based on LEGIC contactless smart card technology. LEGIC has also been working with Austria’s Data Mobile to deliver a new wireless locking system based on contactless technology. The technological core of the solution is LEGIC’s contactless reader chip “lockstar,” which was developed for battery-operated offline locks with low energy requirements.

The solution, which uses a single smart card for locking and unlocking, can be installed on traditional lockers, office furniture, medicine cabinets, or key cabinets.

NagraID launches MasterCard display card for e-banking

NagraID’s MasterCard display cards have been approved and are ready for commercial deployment. By passing the MasterCard approval process, the NagraID-designed technology has proven to meet the required compliance standards and possess the required levels of strength and durability.

The physical card looks just like a standard credit or debit card but includes a small display and a button to enable cardholders to use the same card for standard banking payments and one-time password (OTP) generation.

Cardholders press the on-card button to generate an OTP to access online services, so unlike traditional OTP solutions, a separate hardware token is not required.

Other features include compliance with MasterCard’s 3D Secure Chip Authentication Program (CAP) along with a touch-sensitive keypad for electronic signature and enhanced security features such as challenge-response question applications and PIN code card protection.




NFC providers partner to promote common API for Android

STMicroelectronics, NXP, Trusted Logic and Stollmann have announced that they will promote a common hardware-independent API for NFC applications on Android mobile devices.

The NFC API will enable developers to create NFC applications to be distributed through app stores, granting Android users access to a range of contactless applications, including mobile payments, ticketing and data sharing directly from their phones.

The API is a result of consultations with various partners including mobile network operators, handset manufacturers and NFC controller providers.

New PLAID draft available

Standards Australia is seeking comments on the latest version of its Protocol for Lightweight Authentication of Identity (PLAID) logical smart card application. PLAID defines a standardized authentication protocol resolving some of the issues with cryptography, privacy, and speed with contactless smart cards. The standard is capable of transitioning older Wiegand-based solutions to modern solutions without relying on re-cabling, PKI, or anything other than commercial off-the-shelf smart cards, readers and public domain cryptographic libraries. The intellectual property for PLAID is freely available to any manufacturer, government or other party under an irrevocable license from the Australian Commonwealth. This includes the full specifications, license reference, source code and testing tools. Steps are underway to standardize PLAID for Australian and international standards, at which point the intellectual property will be assigned to those bodies.

PLAID was developed within an Australian Government smart card project operated by Centrelink, an agency responsible for the broad provision of social services in Australia. Centrelink has a very large footprint with more than 300 offices and 30,000 desktops needing secure, private, smart card based authentication for both logical and physical access using contactless protocols.

Centrelink implemented a centralized, role-based ID management system some nine years ago and is transitioning this system to support contactless smart cards, an effort that gave rise to the PLAID project.

Microsoft supports on-campus ID management

Microsoft has partnered with InCommon as an Affiliate to help the education community build the online infrastructure to support federated access on campus. Through InCommon, higher education institutions and their partners offer access to contract and collaborative services in a privacy- and security-enhanced method. Microsoft’s identity and access management solution, built on Active Directory, includes:
• Microsoft Live@edu: An enterprise-class hosted e-mail, communications and collaboration solution for students, faculty and staff. This service can also be extended to an institution’s identity platform for access to the cloud, to enable access to Live@edu services, and provide the benefits of Shibboleth federation support.
• Microsoft Cloud Services: With cloud applications for a range of devices, from PCs to laptops to phones, academic organizations can provide collaboration portals, and support long-distance and group-learning environments.
• Active Directory Federation Services 2.0: A security token service for IT administrators that is interoperable with Shibboleth.

HID Global releases new Fargo printers HID Global introduced a new line of direct-to-card FARGO printer/encoders. The new product line is made up of three models and is the first new line of printers introduced since HID purchased Fargo. The line consists of the DTC1000 entry-level printer for small organizations; the professional-level DTC4000 printer for small- to medium-size organizations with more security and scalability requirements; and the advanced DTC4500 professional printer for large corporations and government organizations with high-volume needs, says Ryan Park, senior product marketing manager for secure issuance at HID. Each of these printers comes with Swift ID, an embedded application that enables users to create their ID badge, Park says. After plugging the printer into a computer via a USB or Ethernet cable and installing the printer drivers, a user can access the application through a Web browser to design the badge. The DTC FARGO line is also modular in design and enables organizations to add functionality as their needs grow. Depending on the printer model, options include technology card encoding – iCLASS, Mifare, DESFire – dual-sided printing, dual-input card hoppers, lamination capability and more. The 1000 is priced at $2299, the 4000 is $2899 and the 4500 is $3199.


GPS tracks Chicago area school bus riders The Palos Heights School District 128 in Chicago is using GPS technology to track its students allowing the district to keep up with the student from the time he or she first enters the school bus until exiting the district’s care. The contactless luggage-type tag affixed to the student’s book bag is scanned as students board the bus allowing district personnel to use a secure Web site to check the child’s status. The district has become just the second school district in the state to use GPS technology not only to track school buses, but the students who ride them. Parents can now call the school to check the minute their child arrives. The district has assigned the tags to 400 students in preschool through 5th grade at a cost of $16,000 for the technology on 10 school buses. That includes the cards themselves, which cost $3.25 each.

3M acquiring Cogent for $943 million 3M and Cogent announced that they have entered into an agreement for 3M’s acquisition of the biometric developer for approximately $943 million, or $10.50 per share. Cogent provides finger, palm, face and iris biometric systems for governments, law enforcement agencies and commercial enterprises. The agreement provides for a subsidiary of 3M to commence a tender offer to purchase all outstanding shares of Cogent Systems.



3M’s ID management business includes border management products; document manufacturing and issuance systems for IDs, passports, and visas; document readers and verification products; and security materials, such as laminates, to protect against counterfeiting and tampering. “Adding Cogent Systems’ products to our business strengthens our product portfolio and services in high security credential issuance and authentication systems and positions 3M’s business in law enforcement applications,” said Mike Delkoski, vice president and general manager, 3M Security Systems Division. “It also expands our reach into access control and other commercial ID and authentication applications.” With approximately $130 million in revenue in 2009, Cogent Systems is based in Pasadena, Calif., and employs approximately 500 people. Cogent Systems would be part of 3M’s Security Systems Division.

Entrust’s SPOC technology chosen in Finland e-passport initiative Entrust has been selected to deploy its security solutions for Finland’s Population Register Centre. After implementing its Extended Access Control (EAC) e-passport solution more than two years ago, Entrust has begun deployment of its Single Point of Contact (SPOC) infrastructure for e-passports. SPOC is the standard method for certificate management between countries in support of EAC-enabled e-passports; it enables a country like Finland to exchange international EAC certificate requests and responses directly with other countries’ SPOCs. The solution is part of the Entrust Authority public key infrastructure (PKI) platform, and enables the transition from first-generation e-passport deployments to second-generation architectures.

The Population Register Centre stands as the national Certification Authority services provider, creating electronic identities for Finnish citizens. Additionally, it provides eIDs for government employees. As the only Certificate Authority in Finland that issues qualified certificates as specified in the Act on Electronic Signatures and the relevant EU Directive, it is the provider of the first generation of e-passports in Finland. The Finnish Population Register Centre anticipates having the SPOC up and running in production by the end of the year. This type of e-passport security from Entrust has been deployed in governments around the world, including the U.S., Finland, Croatia, Slovakia, Slovenia, Singapore and New Zealand.

Instead of ‘passing the hat’ UK street performer takes contactless payments via guitar Street performers typically keep their guitar case open or have a hat available for passersby to leave donations. The UK term for this is busking and Peter Buffery is taking it to a new level. Accepting contactless cards only, Buffery will entertain crowds on his specially designed guitar that is equipped with contactless technology for listeners to make a donation to charity using cards provided by Barclays and Barclaycard. The contactless card reader was built into the head of the instrument so as not to affect the sound. Buffery is a musician based between London and North Devon, studying Music Technology at Kingston University and working on his debut album.

Situated outside EAT. in London’s Soho Square, Barclays and Barclaycard issued passers-by with pre-paid contactless cards. Each donation of £5 made from the cards through the payment system on the contactless guitar will go towards the goal of £2,500 to be donated to Help a London Child. While Buffery busked, listeners were able to hold their contactless cards over the head of the unique guitar to make a donation – with no scrabbling in pockets for change required. The £2,500 raised by the Contactless Busker will fund at least one of Help a London Child’s small grants. This could be used to pay for specialized musical instruments for young people with disabilities, music workshops for less advantaged teenagers or even transport costs for young carers, allowing them to attend a concert and take a break from their everyday responsibilities.

UK’s e-passport has new security features The redesigned UK passport has been released and features improved security features and iconic images from across the country. The new 10-year passport will start being issued in October, with pages of the passport containing well-known UK scenes, including the White Cliffs of Dover, the Gower Peninsula, Ben Nevis and the Giant’s Causeway. The use of these images, recreated through special printing techniques, is just one of a number of new security features contained in the passport, including:
• moving the chip to the inside of the passport cover so it is no longer visible;
• a secondary image of the holder printed onto the observations page;
• new designs now stretching across two pages; and
• a new transparent covering which includes several holograms.

CALENDAR • • • • • • •

SEPTEMBER 2010
Biometrics Consortium, September 21-23, 2010, Tampa, FL

OCTOBER 2010
ASIS International 2010, October 12-15, 2010, Dallas, TX
Biometrics 2010, October 19-21, 2010, London, UK

NOVEMBER 2010
Sixth Symposium and Exhibition on ICAO MRTDs, Biometrics and Security, November 1-4, 2010, ICAO Headquarters, Montréal, Canada
ISC Solutions, November 3-4, 2010, Jacob Javits Convention Center, New York City, NY
Smart Cards in Government Conference, November 16-19, 2010, Washington DC

DECEMBER 2010
CARTES & IDentification, December 7-9, 2010, Paris-Nord Villepinte Exhibition Center, Paris, France

FEBRUARY 2011
RSA Conference USA 2011, February 14-18, 2011, Moscone Center, San Francisco, CA
SCA 2011 Payments Summit, February 15-17, 2011, Salt Lake City, UT

APRIL 2011
ISC West, April 5-8, 2011, Sands Expo and Convention Center, Las Vegas, NV
18th Annual NACCU Conference, April 17-20, 2011, Baltimore, MD

MAY 2011
Smart Card Alliance Annual Conference, May 2-5, 2011, Hyatt Regency – McCormick Place, Chicago, IL



TRENDS Will emerging modalities and mobile applications bring mass adoption?

Zack Martin Editor, AVISIAN Publications Some scoff at the idea of emerging biometrics, saying that the identification technology as a whole is still emerging. In reality, however, fingerprints have been used to identify criminals for nearly a century and around the world biometrics are used to gain access to buildings, get cash at ATMs and authenticate online transactions. The days when biometric scanners were merely props in James Bond movies are gone. The North American market appears to be on the precipice of a change. Use cases for secure authentication are everywhere, and the technology foundations to enable biometrics have matured. Re:ID editors spoke with a group of industry leaders to get their thoughts on what’s coming in the biometric market. The individuals deploy and look at biometric systems every day and the emerging trends they identified were remarkably consistent. They include the rise of two formerly outlying modalities and the coalescence of biometrics and mobile devices for two distinct applications.



Trend: Vascular biometrics gets under your skin Vein pattern biometrics is a modality that is garnering a lot of interest, says Rick Lazarick, chief scientist at the identity labs for CSC. Some large-scale test results show that both finger vein and palm vein biometrics are extremely accurate, he says, and possess some really important convenience attributes. The modality is being used in ATMs throughout Japan as well as in Brazil and Poland. “The ATM implementations show that they have the capability to be used in large scale and mainstream applications,” Lazarick says. The Japanese ATMs use three-factor authentication for transactions – card, PIN and a vascular biometric, says Walter Hamilton, a senior consultant at ID Technology Partners and chairman of the International Biometrics and Identification Association. The technology is starting to show up in North America as well. The Port of Halifax in Nova Scotia is using vascular technology for physical access control and Baycare Health System in Tampa, Fla. is using it for patient identification, Hamilton says. “It works well, and based on independent testing, I see the technology being just as accurate as fingerprint for one-to-one matching,” Hamilton says. “I also see the general population having fewer challenges submitting a good sample of their vein pattern in comparison to the problem some people have with fingerprints.” Some individuals have difficulty with enrolling a usable fingerprint sample, Hamilton says. Very fine fingerprints are tough to pick up and others may have damaged their fingerprints making it difficult to get an image and then match later. Vein pattern biometrics use light to map the vascular pattern underneath the skin so the surface doesn’t matter. Failure-to-enroll rates for vein pattern technologies are very low, Hamilton says.

Hitachi takes vein pattern to the masses “Hitachi’s VeinID finger vein scanners have been deployed since 2004 by major banks in Japan and more recently Poland,” says Lew Iadarola, VeinID sales manager for Hitachi Security Solutions. “Some South American banks are conducting trials as well.” “In total we have more than 100,000 embedded modules in ATMs, time and attendance readers and other devices,” says Iadarola. Another 100,000 of the company’s USB-connected logical access readers have also been deployed for authentication to various networks and applications, he notes. According to Iadarola, one of the largest use cases in the U.S. is with Konica Minolta’s bizhub multi-function printers. The finger vein scanner secures document output in government, military and health care environments. Additionally, Japanese telecom giant KDDI has deployed more than 10,000 VeinID scanners for employee logon. Rather than using the biometric to identify an unknown individual from a population, Iadarola sees vascular technology as ideal for operational biometrics. “Use the vein pattern to ensure the individual is who they claim to be and only then initiate the service, access or transaction,” he says. “Our focus with VeinID is one-to-one matching on a smart card or device,” he explains. This comes from the company’s historical preference to enhance privacy in public facing applications. “Many of our large customers preferred to minimize the liability that comes with handling personally identifiable information by performing match-on-card transactions rather than storing information in a database,” he says. Government integrators and end-users worldwide did not want to use the same technologies used and stored in databases by law enforcement. “Some people want to buy a coke, rent a car, and pick up their prescriptions without providing something personally identifiable,” he concludes. “People prefer to verify identity and walk away leaving nothing behind.”

Test results have shown that the technology is very reliable, adds Lazarick. “Many times vascular outperforms iris,” he says. It can also be viewed as a privacy-enabling technology compared to fingerprints, iris and facial, Hamilton says. Fingerprints leave a residue that can be lifted off a surface and potentially replicated.

“Some people doubt (fingerprint biometrics’) ability for credentialing because there’s a chance someone may copy a fingerprint from a glass,” Hamilton says. Since vein pattern records the pattern beneath the surface it’s virtually impossible to covertly observe. “Unions and certain segments that would object to fingerprints would not object to vein pattern,” Hamilton says.



Vascular is also touted as the hygienic biometric, Hamilton says. Typically with this technology a user places his hand or finger on a guide above the scanner, whereas with contact scanners there is the possibility of germ transfer between users. But there still are challenges vascular technologies will have to overcome, Hamilton says. Fujitsu and Hitachi are the two main vein recognition providers and each uses its own proprietary algorithm for matching. This means templates from a Hitachi scanner cannot be read by a Fujitsu scanner and vice versa. This may change, however, as the National Institute of Standards and Technology is working on a standard for vein recognition. But, Hamilton explains, the work is in the early stages.

Trend: Iris gets a second look Iris is the other modality that seems to be on the cusp of widespread deployment, says Bryan Ichikawa, vice president of identity solutions at Unisys. “Long distance iris recognition opens up whole new worlds and works very well,” he says. The U.S. Department of Homeland Security contracted Unisys to test the different long distance iris products last year. The test, says Ichikawa, showed that iris solutions from multiple vendors could be used for one implementation.

Sarnoff puts iris recognition on the move Sarnoff Corp., a subsidiary of SRI, is a leader in long distance iris recognition technology. The company offers two models in its Iris On the Move (IOM) line: a walk-through gate called the IOM PassPort and a small mountable unit called the IOM Glance. “Sarnoff revolutionized iris recognition by providing longer distance, higher speed, and higher throughput than traditional systems,” says Mark Clifton, Sarnoff’s acting president and CEO. “We have improved upon systems that require you to be uncomfortably close,” he explains, “and have enabled recognition up to 3 meters in distance while walking at a natural pace. Because of that we can process up to 30 people per minute.” The initial adopters include airports, banks, stadiums, construction sites, he explains, “any place where you have need to get people in and out very quickly.”

AOptix gets up close with iris at a distance AOptix Technologies, a Campbell, Calif.-based iris innovator, launched its first “iris at a distance” product, the InSight VM, early in 2009. “It puts the advanced adaptive optics technology of the original InSight into a new form factor appropriate for access control, immigration control and eGate applications,” says Phil Tusa, VP of Biometric Programs for AOptix. Immigration control is a key application being addressed by the InSight line. “We recently completed three highly successful proof-of-concept studies in the Middle East where the adoption of iris recognition for enrollment of deportation subjects and the screening of inbound travelers is underway,” he explains. “They demonstrate extraordinary results on key criteria including failure-to-acquire and failure-to-enroll rates, average time of capture and accuracy.” National identity programs are leading the adoption of iris, following closely behind immigration applications, Tusa says. He suggests that governments around the globe are evaluating iris recognition technology, which could lead to cooperation between governments to share methodologies, creating more secure immigration and travel environments.



Long distance iris systems from Sarnoff and AOptix show tremendous promise, Lazarick says. “They are close to having something pretty phenomenal,” he says. “Mainstream iris adoption has already begun,” says Phil Tusa, vice president of Biometric Programs for AOptix Technologies. “There are many large scale, production and final stage testing deployments underway that demonstrate that important end-users have fully accepted the modality.” In the Middle East iris is being used for immigration applications and to track individuals expelled from the country, Hamilton says. Airports are also considering using iris for employee access control to secure areas. “The data from real-world, large scale deployments will demonstrate that iris offers significant advantages over other modalities for appropriate applications,” adds Tusa. The real innovation that is bringing iris to the forefront is its newfound flexibility. In the past, iris capture required a user to precisely and purposefully place the eye in front of a camera. Newer solutions enable the images to be captured from long range, while the subject is in motion and even without his knowledge. “Longer distance identification means that an officer no longer has to be close to a subject to identify him so there can be a larger safety buffer,” explains Mark Clifton, Sarnoff’s acting president and CEO. “Distance enables identification in large venues, perimeter control and discreet applications.” Additionally, Clifton explains that longer distance also enables one system to capture both the iris image and face image simultaneously, providing multiple modalities to improve accuracy, speed and ease of use. Iris nullifies a lot of the hygienic concerns that people have with fingerprints. It also has the potential, like it or not, to be used for nonintrusive or surreptitious identification, as shown by a recently announced deployment in northern Mexico.

Trend: Biometrics going mobile What may bring biometrics to the masses is its use in smart phones and mobile devices. These devices are being used more frequently for higher-value transactions, and steps need to be taken so they can be better secured. PINs and pattern-based applications exist, but many argue they don’t offer the level of security that biometrics can provide. Traditionally the topic of biometrics and handsets has centered on hardware, most often the integration of fingerprint sensors into the phone. Globally a variety of handsets have launched with built-in sensors, and early this year LG released the first model with U.S. availability. But it is software-centric, not hardware-centric, biometrics that has the industry buzzing these days. Using the tools already built into phones, a range of biometric authentication is possible. Adding biometrics to mobile devices could be relatively easy, says Cathy Tilton, vice president of standards and emerging technology at Daon. “The obvious (modalities) are face and voice,” she says. “The devices already have cameras and microphones.”



Adding iris to the mix wouldn’t be much of a stretch either, adds Lazarick. “Without an additional infrastructure you could fuse them,” he says. “As the functionality of these devices increases, the security of the transactions will more and more demand identity verification.”

Because the device is matching against a single known template, the captured image does not need to be as precise as it would need to be to isolate a match from thousands or millions of templates in a one-to-many environment. “It’s all manageable if you get used to using the device,” Lazarick says.

There is also the opportunity for multimodal applications via mobile devices. In a multimodal environment, the system would take a score from a voice pattern, a facial image and perhaps an iris image to determine if the individual is authorized to use the device or conduct the transaction, Lazarick says.

And for most smart phones these features could be added with a software application and no additional hardware. “To coin a phrase, ‘there’s an app for that,’” Hamilton says.

Getting acclimated to use the mobile device for biometric verification may be the biggest challenge. Because it is a one-to-one match, however, many of the issues that exist with large-scale one-to-many matches don’t apply.

Enabling biometrics on mobile devices will take away the need for people to verify identity at fixed locations, says Ichikawa. A credential could be stored on the mobile device and confirmed via facial recognition, iris, fingerprint or voice. “Once you create a level of mobility, you don’t have to authenticate at fixed points,” he says. “You can now identify them anywhere.”
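The one-to-one versus one-to-many point made above, and the multimodal scoring Lazarick describes, in runnable form. This is an added example, not code from the article or from any company quoted in it; the false match rates, scores, modality weights and the assumption that gallery comparisons are independent are all constructed for illustration.

```python
"""Added worked example (not code from the article or from any vendor quoted
in it): two ideas the text touches on, made concrete.

1. One-to-one verification can tolerate a looser capture or threshold than
   one-to-many identification, because an impostor gets one comparison
   against one template instead of one comparison against every template
   in the gallery.
2. A multimodal decision can fuse per-modality scores (face, voice, iris)
   into a single accept/reject decision.

All rates, scores and weights below are constructed for illustration."""

from __future__ import annotations

from typing import Optional


def false_match_probability(fmr_single: float, gallery_size: int) -> float:
    """Probability that an impostor is falsely matched against at least one of
    `gallery_size` enrolled templates, given a per-comparison false match rate
    `fmr_single`. Comparisons are modelled as independent (a simplification)."""
    if not 0.0 <= fmr_single <= 1.0:
        raise ValueError("fmr_single must be in [0, 1]")
    if gallery_size < 1:
        raise ValueError("gallery_size must be >= 1")
    return 1.0 - (1.0 - fmr_single) ** gallery_size


def per_comparison_fmr_for_budget(system_fmr_budget: float, gallery_size: int) -> float:
    """Per-comparison FMR needed so that a one-to-many search over
    `gallery_size` templates stays within `system_fmr_budget` overall
    (the inverse of false_match_probability)."""
    if not 0.0 < system_fmr_budget < 1.0:
        raise ValueError("system_fmr_budget must be in (0, 1)")
    if gallery_size < 1:
        raise ValueError("gallery_size must be >= 1")
    return 1.0 - (1.0 - system_fmr_budget) ** (1.0 / gallery_size)


def fuse_scores(
    scores: dict[str, Optional[float]],
    weights: dict[str, float],
    threshold: float,
    min_modalities: int = 2,
) -> tuple[bool, float, list[str]]:
    """Weighted score-level fusion for a one-to-one (verification) decision.

    `scores` maps modality name -> normalised match score in [0, 1], or None
    when that capture failed (for example, the iris could not be acquired).
    Failed captures are dropped and the remaining weights renormalised, but
    the decision is refused outright when fewer than `min_modalities` usable
    scores remain: a failed capture must not silently downgrade a
    three-modality check into a one-modality check.

    Returns (accepted, fused_score, modalities_used)."""
    usable = {m: s for m, s in scores.items() if s is not None and m in weights}
    for m, s in usable.items():
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"score for {m} must be normalised to [0, 1]")
    if len(usable) < min_modalities:
        return False, 0.0, sorted(usable)
    total_weight = sum(weights[m] for m in usable)
    fused = sum(weights[m] * usable[m] for m in usable) / total_weight
    return fused >= threshold, fused, sorted(usable)


if __name__ == "__main__":
    # Constructed per-comparison FMR of 1 in 10,000 at some operating threshold.
    fmr = 1e-4
    print("1:1    false-match probability:", false_match_probability(fmr, 1))
    print("1:10k  false-match probability:", false_match_probability(fmr, 10_000))
    print("per-comparison FMR that holds a 10,000-template search to 1e-4:",
          per_comparison_fmr_for_budget(1e-4, 10_000))

    # Constructed scores from a phone's camera, microphone and optional iris capture.
    weights = {"face": 1.0, "voice": 1.0, "iris": 2.0}
    print(fuse_scores({"face": 0.80, "voice": 0.70, "iris": 0.95}, weights, 0.80))
    print(fuse_scores({"face": 0.80, "voice": 0.70, "iris": None}, weights, 0.80))
```

Running it shows why the capture can be "less precise" in the one-to-one case: with the same per-comparison rate, a single comparison carries that rate unchanged, while a 10,000-template search lets an impostor match roughly two times in three, so the identification system has to operate at a far stricter threshold to stay within the same budget.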

Mobile devices putting biometrics in your pocket Animetrics is offering facial recognition for Android, Windows Mobile and RIM (BlackBerry) operating systems. Using the phone’s embedded camera, a facial image pattern is generated at the point of access and compared to the enrolled pattern to grant or deny access. On the voice front, PerSay, a spinoff from Verint Systems; SecuriMobile, Palo Alto, Calif.; VoiceVault in the UK; and Germany’s VoiceSafe all offer voice biometric solutions to secure mobile devices and transactions. Other companies are using mobile biometrics to add an additional factor to out-of-band authentication solutions. PhoneFactor, Overland Park, Kan., uses the phone as the second authentication factor, ‘something you have.’ It also uses voice pattern biometrics via the phone to add the third factor, ‘something you are,’ to the authentication process. When a user authenticates to a PhoneFactor-enabled site, he enters his username and password. The PhoneFactor technology calls the user’s pre-supplied phone number. The user answers the phone and hits the #-key to affirm the transaction, and only then is online access granted. Additionally, a secret passphrase can be required for voice pattern recognition to further increase security.


Trend: Law enforcement takes biometrics from the station to the streets The next trend again matches biometrics with mobile devices, but this time leaves the realm of the consumer world for that of law enforcement. The days of being arrested and having your fingerprint placed on an inkpad and rolled onto paper are already history for many police departments. Paper-based collection has been replaced by electronic scanners in the station. But what’s coming next is the extension of the capability to the street, says Tilton. Mobile biometrics devices have been used by the military in Iraq and Afghanistan for years to identify insurgents and make sure only authorized individuals enter restricted areas. The devices are also becoming popular to confirm access to U.S. ports with the Transportation Worker Identification Credential.

While many of the devices used by military officials are dedicated to those purposes, there are different peripherals that can be added to the iPhone and other mobile devices so they can be used to check biometrics, Hamilton says. Most of these are aimed at law enforcement applications to enable officers to enroll and check biometrics in the field. BI2 Technologies has a sleeve that works with the iPhone and can capture face, fingerprint and iris, Hamilton says. A number of law enforcement agencies are already using the system, he says. At the same time, companies providing systems to the military are releasing updated products with increased functionality. Analysts predict that these dedicated devices will be used for both military and law enforcement applications while add-ons build biometric functionality into other mobile devices such as smart phones.

Is it Biometrics 2.0? While biometrics have been teetering on the edge of mass adoption for years in North America, the momentum may finally exist for widespread adoption. Interestingly, the trends identified for this article suggest that it may be different modalities and use cases that ultimately provide the spark. In the past, facial images and fingerprints were the modalities of choice, and most looked to physical security and one-to-many identification as the applications to drive adoption. While these modalities and applications are certainly still important and even dominant, it may be this newer generation – call it Biometrics 2.0 – that finally gives Sisyphus his much needed break from pushing the biometric rock up that adoption mountain.


E-prescribing could be boon for biometrics Two-factor authentication required for electronic prescription of controlled substances The U.S. Drug Enforcement Administration (DEA) issued a new rule requiring doctors and pharmacists to use two-factor authentication when electronically prescribing controlled substances. The rule could mean big business for the biometrics industry, says Bill Spence, vice president of transaction systems for fingerprint biometric manufacturer Lumidigm. Titled “Electronic Prescriptions for Controlled Substances,” the rule became effective June 1. It does not require doctors to submit these prescriptions electronically, nor does it require pharmacies to accept electronic submissions, but it does govern the process when utilized. The doctor or pharmacist creating the prescription must authenticate, according to the DEA, with two of the following: “something you know (a knowledge factor), something you have (a hard token stored separately from the computer being accessed), and something you are (biometric information). The hard token, if used, must be a cryptographic device or a one-time-password device that meets Federal Information Processing Standard 140-2 Security Level 1.” E-prescribing enables a physician to prescribe medication via a computer or mobile device. These systems are typically integrated with electronic medical records and help prevent harmful drug interactions and incorrect dosing.

While the DEA did not specify what, if any, specific mode of biometrics would be required under the e-prescription rule, it acknowledged that it would work with the National Institute of Standards and Technology to establish guidance for the program. There are other options for two-factor authentication besides biometrics. Tokens, complicated passwords, as well as ‘smart’ or ‘out of wallet’ questions could be used. But these options take too much time and/or require the individuals to carry around a piece of hardware, says Spence, whereas a biometric is always with the individual and enables rapid authentication. Ohio already has a similar rule in place. “The state adopted an approach with e-prescribing saying that you always need a second factor and they essentially have adopted biometrics as that form,” he says. A challenge with fingerprint biometrics in this environment is that health care workers frequently wear rubber gloves. They must remove the gloves to present the biometric, and the ongoing use of the gloves can dry out the skin, making it difficult to get a good fingerprint scan. Lumidigm released a new fingerprint scanner to deal with this problem, Spence says. Its Mercury Series fingerprint sensors use Lumidigm’s multi-spectral technology that captures the fingerprint data from beneath the surface of the skin and can read fingerprint images through latex gloves. “It’s going to be a little more expensive for the device, but it’s not always about the price, it’s about the performance,” he stresses. Some of the scanners are already deployed in health care, Spence says, and Lumidigm is fielding a lot of questions from providers about the technology and how to deploy it. “It’s no longer the question of what are biometrics.” The question now is how to turn them on.
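The factor rule quoted from the DEA above, and the PhoneFactor-style combination described earlier in this article (password, then a phone callback, then an optional voice passphrase), expressed as a policy check. This is an added example, not code from the article, the DEA or any vendor named here; the Factor and Authenticator types, the sample authenticators, and the flags standing in for "FIPS 140-2 Level 1 validated" and "stored separately from the computer" are constructed assumptions. The phone callback is modelled without the cryptographic-device attributes only to show how the strict reading of the rule behaves, not as a statement about any product.

```python
"""Added worked example (not code from the article, the DEA or any vendor
named in it): checking that a set of presented authenticators satisfies a
"two of: something you know, something you have, something you are" rule,
including the DEA constraint that a hard token must be a cryptographic or
one-time-password device meeting FIPS 140-2 Security Level 1 and be stored
separately from the computer being accessed.

The Factor categories, Authenticator attributes and every sample
authenticator below are constructed for illustration; the validation flags
stand in for whatever evidence a real deployment would keep."""

from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    name: str
    factor: Factor
    # The three attributes below matter only for HAVE factors (constructed).
    is_crypto_or_otp_device: bool = False
    fips_140_2_level1_validated: bool = False
    separate_from_host: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    categories: frozenset[Factor]


def evaluate(presented: list[Authenticator], strict_hard_token: bool = True) -> Decision:
    """Return whether `presented` meets the two-factor requirement.

    Rule 1 (always): at least two *distinct* categories. A password plus
    'out of wallet' questions is two knowledge factors, not two factors.
    Rule 2 (strict_hard_token=True, the DEA wording): every 'something you
    have' authenticator must be a cryptographic or OTP device, FIPS 140-2
    Level 1 validated, and held separately from the computer being used."""
    categories = frozenset(a.factor for a in presented)
    if len(categories) < 2:
        names = ", ".join(a.name for a in presented) or "(nothing)"
        return Decision(False, f"only {len(categories)} distinct factor category in: {names}", categories)
    if strict_hard_token:
        for a in presented:
            if a.factor is Factor.HAVE and not (
                a.is_crypto_or_otp_device and a.fips_140_2_level1_validated and a.separate_from_host
            ):
                return Decision(False, f"'{a.name}' is not an acceptable hard token", categories)
    return Decision(True, "two-factor requirement met", categories)


# Constructed sample authenticators (not real products or validations).
PASSWORD = Authenticator("password", Factor.KNOW)
OUT_OF_WALLET = Authenticator("out-of-wallet questions", Factor.KNOW)
FINGERPRINT = Authenticator("fingerprint", Factor.ARE)
VOICE_PASSPHRASE = Authenticator("voice passphrase", Factor.ARE)
OTP_TOKEN = Authenticator("OTP token", Factor.HAVE, True, True, True)
SOFT_TOKEN_ON_PC = Authenticator("software token on the same PC", Factor.HAVE, True, False, False)
PHONE_CALLBACK = Authenticator("phone callback, # to confirm", Factor.HAVE, False, False, True)


if __name__ == "__main__":
    combos = [
        [PASSWORD, OUT_OF_WALLET],
        [PASSWORD, OTP_TOKEN],
        [PASSWORD, FINGERPRINT],
        [PASSWORD, SOFT_TOKEN_ON_PC],
        [PASSWORD, PHONE_CALLBACK, VOICE_PASSPHRASE],
    ]
    for combo in combos:
        for strict in (True, False):
            d = evaluate(combo, strict_hard_token=strict)
            print(f"strict={strict}: {[a.name for a in combo]} -> {d.allowed} ({d.reason})")
```

The reusable check is `evaluate`; running the file directly prints every combination under both the strict (DEA wording) and the generic reading. The two cases worth noticing are a password combined with out-of-wallet questions, which is rejected under either reading because both are knowledge factors, and a software token living on the same PC, which passes a generic two-factor test but fails the DEA's separately-stored hard token requirement.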

About the E-Prescribing rule The Electronic Prescriptions for Controlled Substances rule was issued by the U.S. Drug Enforcement Administration (DEA) as an amendment to the Comprehensive Drug Abuse Prevention and Control Act of 1970, commonly known as the Controlled Substances Act (CSA). The CSA is designed: “to ensure an adequate supply of controlled substances for legitimate … purposes, and to deter the diversion of controlled substances to illegal purposes. The CSA mandates that DEA establish a closed system of control for manufacturing, distributing, and dispensing controlled substances. Any person who manufactures, distributes, dispenses … controlled substances must register with DEA and comply with the applicable requirements.” In the official summary, the rule is described as follows: “The DEA is revising its regulations to provide practitioners with the option of writing prescriptions for controlled substances electronically … The regulations provide pharmacies, hospitals, and practitioners with the ability to use modern technology for controlled substance prescriptions while maintaining the closed system of controls on controlled substances dispensing; additionally, the regulations will reduce paperwork for DEA registrants who dispense controlled substances and have the potential to reduce prescription forgery. The regulations will also have the potential to reduce the number of prescription errors caused by illegible handwriting and misunderstood oral prescriptions. Moreover, they will help both pharmacies and hospitals to integrate prescription records into other medical records more directly, which may increase efficiency, and potentially reduce the amount of time patients spend waiting to have their prescriptions filled.”


Biometric certification fills knowledge gap IEEE testing lets professionals prove worth, improve prospects When Rick Lazarick and Cathy Tilton went to college there weren’t any programs that specialized in biometric training. But as the technology becomes more popular, end users want to make sure vendors and systems integrators have the requisite knowledge to deploy the systems. Lazarick, chief scientist at CSC’s Identity Lab, and Tilton, vice president of standards and emerging technology at Daon, have each worked in the biometric industry for almost two decades and received their training on the job. The two were tapped to help the IEEE come up with subject materials when the organization decided to launch a biometric certification program last year. IEEE and Holmes Corp. partnered to create the certification program and had the first testing last fall, says Emily Csernica, corporate marketing manager at the IEEE. “Certification programs enable industries to develop a baseline body of knowledge,” she says. “It helps the industry take the next step and become established.”


Prior to 2001 the biometrics industry was pretty small, says Tilton. After that a lot of companies and individuals came out professing to be biometric experts. This type of certification can give outsiders an idea of who knows the industry and who doesn’t. “Going through the materials and taking the tests doesn’t make you an instant expert but you can be assured that they have a certain level of background and understanding,” she says. The certification can be used as a difference maker when competing for government contracts as well, says Lazarick. When writing a proposal for a potential contract it’s common to include subject matter experts that will contribute to the project, but it can be difficult to confirm the qualification of these experts. This type of certification provides proof of qualifications. “I see this filling the trust gap,” he says. It can also be useful for educating new hires, Tilton says. “If I’m hiring someone who doesn’t have the background it’s an excellent way to get them up to speed,” she says.

The program consists of 750 pages of printed learning material and an online learning system where students can take tests after completing each chapter, Csernica says. The actual tests are offered twice a year. While Lazarick and Tilton were subject matter experts and helped create the testing materials, they also participated in the first test and found it demanding. “I consider myself a relative generalist,” says Lazarick, noting that the test forced him to broaden his knowledge of the field and learn more about cryptography and revocable biometrics. “I guarantee it will be a challenge,” Lazarick says. By the end of 2010 the IEEE expects to have 400 certified biometric professionals, Csernica says. Cost for the learning system is $895 with the exam costing an additional $595. Group and volume discounts are available.



GSA to update FIPS 201 offerings

On deck: New procurement, bigger chips, easier enrollment and activation Ross Mathis Contributing Editor, AVISIAN Publications The General Services Administration’s HSPD-12 Managed Service Office (MSO) has quite the task ahead of it – enrolling, issuing and activating credentials for hundreds of thousands of federal employees nationwide and beyond. Steve Duncan, program manager at the MSO, updated the Government Smart Card Interagency Advisory Board on its activities and challenges in the process to procure and maintain PIV compliant credentials.

Since the office started operations in August 2007 it has enrolled 504,000 applicants into the system, according to Duncan, accounting for 71% of the MSO clients’ eligible populations. The MSO has actively begun reaching out to individuals by telephone if they have not yet enrolled and gotten their credentials. They are behind – by maybe ten to twenty thousand – on activated credentials, explains Duncan. “We’re working on that,” he adds.

The GSA has an enrollment infrastructure of about 340 stations across the country, stretching from Puerto Rico to Alaska and Hawaii. Still, says Duncan, “we’re not at all the places we need to be.” He says there are at least 10 more sites at which they would like to have shared stations. At about 80% capacity, the current infrastructure can support more than 160,000 enrollments per month. Duncan explains that they have started mobile circuits where the equipment is transported to remote locations by truck or FedEx. “We’ve done this a couple of times, and it’s worked out pretty well,” he says. “We did 350 remote locations with 44 stations and reached about 50,000 people.” There is at least one more of these mobile circuits in the planning stages to assist early adopters who are now reaching the end of the lifecycle for their certificates or awarded contracts.

The MSO handles credentialing for more than 80 customer agencies, commissions, and boards, and that number is growing. “We actually just added one last week,” Duncan says. “So we keep adding to our numbers.”

[Chart: Total Enrollments, GSA Managed Service Office (MSO). Vertical axis 0 to 500,000; data labels visible: 3,771 (2007) and 416,117.]

[Chart: Stations, GSA Managed Service Office (MSO). Vertical axis 0 to 400; data labels visible: 45 (2007), 214 and 292.]

Charts: “The Status and Future Plans for the GSA Shared Service,” Steve Duncan, MSO Director; Interagency Advisory Board Meeting, July 28, 2010


The MSO was established by the GSA to manage the government-wide acquisition of technologies required by HSPD-12. It provides federal agencies with interoperable identity management and credentialing solutions to support end-to-end services to enroll applicants, issue credentials, and manage the lifecycle of these credentials.

USAccess

The MSO established the USAccess Program to provide federal agencies with a managed, shared service solution to simplify the process of procuring and maintaining PIV compliant credentials. USAccess provides agencies with the services and infrastructure necessary to manage the full lifecycle of a PIV credential including applicant sponsoring and enrollment, credential activation, and post-issuance credential updates.

Centralized production

After an applicant is enrolled in the system the data is sent to a centralized card production facility. The card is then sent back to the enrollment site where the applicant can activate the card. Enrollment and activation have been a problem for some federal employees because of the distance they have to travel. In an effort to simplify this, the GSA introduced the Light Enrollment and Light Activation solution. The enrollment package is sent out in a suitcase and enables direct connectivity to the USAccess central infrastructure via a public Internet connection. “This reduces or eliminates physical space, set up costs, the number of peripherals including dedicated hardware and VPN, and station certification,” Duncan says. Light activation is another solution that uses some software, a couple of card readers, fingerprint scanners and some installation instructions. Users can install this on any desktop or laptop that has connectivity to the Internet, and perform activations there, Duncan says. Agencies can have their cards sent to their internal security office and then the applicant simply has to go a shorter distance, someplace closer, to get their credential activated. The GSA did a pilot of this solution in March before going live as a full production in the middle of June.

The GSA is working on something that can solve both the enrollment and activation issues. “We haven’t solved the entire piece,” Duncan says. “We hope (that by) late September, early October we will have what we call Light Credentialing.” It will encompass the enrollment and activation application on the same PC or laptop and get rid of the cross match machines, which Duncan notes drive costs. “There are devices out there that don’t require you to do slaps (fingerprints) and we can still capture the roles and individuals in the same forty-eight pound suitcase,” he says. “Then agencies will have a real solution to moving these things around and getting to those isolated pockets or the ones that aren’t close enough.”

What’s next?

The GSA released a request for information in July asking for thoughts and ideas on how the MSO can offer a better service to agencies. One thing is certain – they will move to a larger memory capacity card. “Our card is pretty full which is causing us grief on the key history,” Duncan says. A key question surrounds how to offer a solution for key recovery/key histories and support that going forward with the SHA-256 algorithm. Other questions include whether to:

• offer another PKI provider?
• support more than one card issuer, or manufacturer?
• change the business model or the management structure?
• offer PKI validation as a service?

For dispersed locations that don’t have an enrollment station but have a group of people needing credentials, the MSO is considering using enrollment brokers. “Where somebody that’s one of my customer agencies could sit down at another’s enrollment stations,” explains Duncan. “They can enroll them and port that data to us … we can send it off to our personalization people and then print credential.” The MSO is considering how it can expand the service. “Our core service has always been the enrollment and issuance of PIV credentials,” Duncan says. But he suggests there are other areas they could assist. “We can capture fingerprints and send them to the Office of Personnel Management … (so) why can’t we do the same with the FBI?” The GSA has a huge enrollment infrastructure that could be offered as a service to do national criminal history checks, for example, which are outside the process of receiving a credential. Duncan notes that the FBI slowed down for four days because of the huge number of criminal history checks being performed during the employment of the Census workers. This service could be used to assist in situations like this one. As the GSA ponders the future of the MSO, it’s clear that it will continue to be a force for innovation in identification and credentialing.


State CIOs explore strong credentials High-tech IDs getting serious attention at state level When state CIOs were surveyed on their top 10 priorities, identity and access management made the list. At the National Association of State CIOs (NASCIO) mid-year meeting 30 members participated in a session where an ad hoc working group was formed to look into identity and access management issues. At the NASCIO annual conference in September the group plans to provide a report to members on different technologies and what some states have in progress, says Chad Grant, a policy analyst with NASCIO. “The main emphasis is to see what states are doing and get a lay of the land,” he says. The group is also working to create a roadmap for states to follow, Grant says, suggesting that they are mainly investigating federated identity approaches and technology that would be interoperable from one state to another. Though Grant downplayed the significance of this working group, some federal smart card officials think this could lead to states issuing PIV-I credentials. It could also help as states consider issuance of digital IDs as a part of the National Strategy for Trusted Identities in Cyberspace.


HP creating ID powerhouse

Electronics giant uses EDS acquisition to springboard into credentialing

Autumn C. Giusti, Contributing Editor, AVISIAN Publications

The past year saw the rollout of Hewlett-Packard’s (HP) next generation government employee ID card, a development the company sees as the first step to bringing its identity management and credentialing services to cyber security, commercial clients and the health care industry.

Assured Identity Plus is HP’s latest smart card product for the U.S. General Services Administration’s USAccess federal ID program. The program helps federal agencies comply with HSPD-12, the mandate requiring them to issue secure credentials to government employees and contractors. HP is the prime service provider for USAccess, the GSA’s branding for the suite of FIPS 201 compliance services it provides through its Managed Service Office. Currently the GSA program holds an 80% market share among federal agencies issuing FIPS 201 credentials. Through its Identity and Access Management Services division, HP serves 79 of the 92 agencies enrolled in USAccess and has issued more than a half-million credentials, says Jess May, HP’s Global Identity Practice Lead for the U.S. Government Sector.

HP was involved in the credentialing space prior, but its $13.9 billion acquisition of Electronic Data Systems Corp. (EDS) in 2008 was a game changer. The acquisition put HP in a powerful position in government ID. With the EDS acquisition came the $66 million contract GSA awarded to the firm in April 2007 to support USAccess. It also included EDS’ contract with the U.S. Department of Defense (DOD). Currently there are 3.3 million active DOD credentials, says May, adding that since 2001 EDS and HP have issued more than 23 million credentials to the department.

HSPD-12: Next generation add-ons

One hang-up with HSPD-12 is that agencies have had trouble managing the requests and approvals that must be in place before an employee can obtain a credential. HP sought out improvements in this area to set its credentialing system apart, May said. With the next generation card, HP upgraded its self-service Web portal to provide agencies with a single system to issue, activate and maintain employee credentials. The portal allows agencies to request credentials and indicate which computer applications and government buildings an employee needs to access.

“All of the work flows and approvals are in the system,” says May. “On the back end, because you’re requesting this information from one place, all of your reporting for compliance is available.” Every 90 days, agencies are required to audit their employees to make sure their credentials are valid. So if an individual was authorized to use 500 different online applications, for example, the agency used to have to validate that person for each application one by one.

“You don’t have to do that anymore … it’s a tremendous decrease in manual labor,” May explains, adding that by streamlining processes HP can deliver services at a fixed cost.

In line with HSPD-12 requirements, HP’s credential enables government employees to get past physical and logical access points with a single ID. Still, explains May, many agencies have not taken that step. “But the new FICAM (Federal Identity, Credentialing and Access Management) guidelines have requested that agencies start making this move,” she notes.

GSA surveys market

HP is likely to be reapplying soon for its role as the USAccess program’s core service provider. GSA issued a request for information (RFI) on shared service providers for the program, putting out feelers to see what other technologies and companies are available. A GSA newsletter stated that they would “gather industry insight and guidance regarding the best way to structure the necessary re-competition for the program’s core service provider.” Responses were due in July. Citing the sensitivity of the program’s procurement actions, officials with GSA declined to comment for this story, saying only that they were unsure where the RFI might lead.

Global, commercial work

For more than a decade HP has provided identity management services to government and commercial clients worldwide. The company provides national ID cards to Poland and Italy and lists the Department of Motor Vehicles in both Florida and Maryland among its clients.

On the corporate side, HP has helped commercial clients secure their computer systems following Sarbanes-Oxley. “We’ve taken all the work we’ve done for Sarbanes-Oxley and combined that with credentialing (for public access),” says May. “The same types of service we’re delivering to government agencies we are delivering on the corporate side as well.”

One of the major industries on the horizon for HP is health care. “My two biggest priorities are health care and cyber security, and you can’t have either one without ID management,” says Dennis Stolkey, HP’s senior vice president of U.S. Public Sectors. The company already does work for Blue Cross/Blue Shield and the Department of Health and Human Services.

According to May, HP sees itself playing a major part in the proposed National Strategy for Trusted Identities in Cyberspace initiative, which would give every citizen a national online ID.


PIV-I taxi project gets wheels in DC

Autumn C. Giusti, Contributing Editor, AVISIAN Publications

On the heels of making the crossover to non-federal employees two years ago, Personal Identity Verification credentials are finding their way to yet another segment of that group: taxi cab drivers.

A handful of first responder groups and state and local agencies have begun the process to issue credentials under the PIV Interoperability for Non-Federal Issuers standard.

This fall, Washington, DC will issue its first PIV-I credentials to cab drivers and select employees of the Office of the Chief Technology Officer (OCTO), says Bryan Sivak, chief technology officer for the District of Columbia.

To provide the new badges, the District plans to expand the credentialing capabilities of the DC One Card. The consolidated ID badge serves as an access card for DC government employees and, through an integrated smart chip, enables residents to ride the Metro, check out library books and access schools and recreation centers. OCTO employees will eventually use the PIV-I cards for network and system access, digital signing and data encryption, Sivak says.

The cab driver badges will be part of a pilot program known as the Taxicab with Smart Chip Credential (TSCC) Initiative. The initiative’s goal is to better enforce cab driver licensing through a secure ID credential, increase cab revenues and enable passengers to pay by credit card. Once the new system is in place, the DC Taxicab Commission will receive a message that an unauthenticated driver is using the cab if a cab driver fails to provide the proper credentials. They could prevent the meter from activating, Sivak says. The system would also track real-time traffic flow and the locations of cabs.

DC is following the lead of cabs in New York and Boston, which have implemented their own enhanced metering systems that accept credit cards and come equipped with GPS. The DC system would be similar, although use of the PIV-I integrated smart chip credential is unique to the TSCC Initiative, according to Sivak.

Pending the DC Taxicab Commission’s approval, PIV-I will be used as the credentialing standard ensuring that every driver is adequately certified and licensed by the city, Sivak says. “Right now when you step into a cab, the only thing you have to validate the driver is the image they keep above their visor,” Sivak says.

The driver would use the DC One Card for authentication via a PIV-I-enabled smart meter. The card would contain a high-assurance credential that would require a biometric or other strong authentication to activate the meter, Sivak says.

While DC’s current fare system is cash only, the new system would enable passengers to pay by credit card. That convenience factor has the added potential of bringing in more tips for the cab drivers, Sivak says.

The TSCC Initiative also sets out to automate the current paper-based trip recording process. “It’s very difficult for us to know how much money a cab driver is earning. We’ve found that many cab drivers underreport income,” he says. DC has encountered licensing and fraud problems among its drivers. The District has 6,000 licensed cab drivers, but there are 8,000 to 12,000 cabs on the street, says Stephen Papadopulos, an official with the CTO’s office. In October 39 people linked with DC’s taxicab industry were indicted on bribery charges following accusations that they paid $330,000 to the DC Taxicab Commission to obtain licenses.


Ideally, implementing the system would cost the District nothing, Sivak says. “The idea is that the vendor would be responsible for installing and maintaining the systems in the cabs.” The touch-screen monitors that passengers would use to make credit card payments could display news, financial information and advertisements for added revenues, much like the system in New York, Sivak says. Other potential funding sources include fees for credit card transactions and other service offerings.

Earlier this year, DC issued a request for information to gauge interest in the taxicab project and received several responses from potential vendors, Sivak says. He hopes to have a contract awarded by the end of summer.

Until the release of the PIV-I standard, Personal Identity Verification was the sole domain of the federal government. Today, non-federal entities can successfully issue interoperable PIV credentials by complying with the PIV-I version of the standard. In March, ActivIdentity Corp. launched its own PIV-Interoperable initiative to help streamline this process for non-federal organizations issuing employee ID cards. The company has been working to assist states and first responders in addressing interoperability concerns, says John Bys, regional vice president for ActivIdentity.

“DC is showing leadership in that area in terms of broader-based use at a state or local level. They’re following the lead of the Department of Defense in using the common access card,” he says.

Bys would not confirm whether ActivIdentity will bid on the TSCC project but says that given the firm’s involvement with implementing PIV-I, “it’s hard to imagine we wouldn’t be involved with those RFPs, whether directly or indirectly.”

While DC is calling TSCC a pilot program, Sivak reports that he “fully expects this is something that will become a full implementation.” The goal is to have outfitted cabs on the street by the end of the year and eventually equip all 6,000 cabs in the District.

So you want to issue PIV-I cards?

New document addresses pressing questions

It’s been more than a year since the first document regarding the PIV-Interoperable specification was released. In that time there was a lot of interest in the document but not a lot of guidance on how to deploy an actual PIV-I credential. This is changing. Government contractors, first responders and others who want to issue an identity credential that has some level of interoperability with the federal government now have more information to guide them.

The Federal Identity, Credential and Access Management (ICAM) group, part of the CIO Council, released a frequently asked questions document offering guidance for organizations that want to issue PIV-I credentials. “For industry now there’s something to build to,” says Sal D’Agostino, CEO at IDmachines. “That’s critical … while you could have pursued it, not having policy and technical publications locked down made it hard to commit.”

The ICAM document identified four areas where non-federal issuers are unable to meet the full FIPS 201 standard. Alternative approaches are recommended.

Credential numbering: FIPS 201 defines a specific numbering system that can only be used by federal issuers. PIV-I issuers should use the Universally Unique Identifier, a 128-bit code that is unique to each credential.

PKI technology mapping: The Certificate Policy for the U.S. Federal PKI Common Policy Framework defines an object identifier (OID) that is specific to federal issuers. Non-federal issuers must map their policies to the PIV-I hardware policy object identifiers and be cross-certified with the Federal Bridge Certificate Authority to meet the requirements of PIV-I.

Background investigations: FIPS 201 mandates the use of a National Agency Check with Written Inquiries (NAC-I) before obtaining a PIV card. This background check is only available to federal employee applicants, so the FAQ offers alternatives to the NAC-I.

Visual distinction: The document defines certain visual security features the PIV-I card should include, such as photo, name, organizational affiliation or issuer, and expiration date. But it also mandates visual distinction from a federal PIV card to ensure no suggestion of attempting to create a fraudulent federal PIV card.

With the release of the document, questions have been answered, D’Agostino says. Other open questions concerned the object identifier, and with new guidelines for connecting to the Federal Bridge due out soon, vendors and issuers will be able to go ahead with PIV-I projects.

While the new document clarifies the picture for PIV-I issuance, some industry insiders question whether others will actually issue the credentials. There has been no strong economic reason to spend the money to voluntarily issue the converged smart card IDs, some say.

D’Agostino disagrees and says that a PIV-I credential could help organizations comply with any of a litany of regulatory challenges such as PCI and Sarbanes-Oxley. “If you adopt PIV-I you are addressing all your compliance and regulatory concerns with one fell swoop,” he says. “By following strong identity policy and then using it – and the authentication factors – via a PIV-I framework, you can address all these things.”
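As an added example (not the ICAM document’s or any issuer’s code), the two technical requirements above, credential numbering by a 128-bit UUID and policy mapping to the PIV-I hardware OID through cross-certification with the Federal Bridge, can be checked on the relying-party side like this; the OIDs, CA names and sample chain are constructed placeholders, since the page gives no OID values:

```python
"""Relying-party checks for a PIV-I credential: the credential number must be a
128-bit UUID rather than a federal numbering scheme, and the non-federal issuer's
certificate policy must map, through the cross-certificates that link it to the
Federal Bridge, to the PIV-I hardware policy.  Added example; all OIDs, names and
the sample chain are constructed placeholders (the real OID values are not on the page)."""
import uuid
from dataclasses import dataclass, field

# Constructed stand-in for the PIV-I hardware policy OID (real value not on the page).
PIVI_HARDWARE_POLICY = "1.3.6.1.4.1.99999.100.18"


@dataclass
class Cert:
    """Only the X.509 fields this check needs."""
    subject: str
    issuer: str
    policies: frozenset                 # certificatePolicies OIDs asserted by the cert
    # policyMappings: issuerDomainPolicy OID -> set of equivalent subjectDomainPolicy OIDs
    mappings: dict = field(default_factory=dict)


def resolve_equivalent_policies(chain, trusted_policy):
    """Walk the CA certificates from the bridge's cross-certificate (chain[0], issued by
    the trust anchor) down to the issuing CA, translating the set of acceptable policy
    OIDs through each cert's policyMappings (the idea of RFC 5280 section 6.1.4).
    Returns the OIDs that, if asserted by the end-entity cert, equal trusted_policy."""
    acceptable = {trusted_policy}
    for ca_cert in chain[:-1]:              # chain[-1] is the end-entity certificate
        # a CA cert may only carry forward policies it actually asserts ...
        acceptable = {p for p in acceptable if p in ca_cert.policies}
        # ... and each is renamed to the subject CA's own policy OID where a mapping exists
        acceptable = set().union(*(ca_cert.mappings.get(p, {p}) for p in acceptable))
    return acceptable


def check_pivi_credential(credential_id, chain, required_policy=PIVI_HARDWARE_POLICY):
    """Return (ok, problems) for a presented credential identifier and certificate chain."""
    problems = []
    try:
        ident = uuid.UUID(credential_id)   # accepts 32 hex digits, hyphenated or urn: form
        if ident.variant != uuid.RFC_4122:
            problems.append("credential identifier is not an RFC 4122 variant UUID")
    except ValueError:
        problems.append("credential identifier is not a 128-bit UUID")

    for issuer_cert, subject_cert in zip(chain, chain[1:]):
        if subject_cert.issuer != issuer_cert.subject:
            problems.append(f"chain break: {subject_cert.subject} was not issued by "
                            f"{issuer_cert.subject}")

    equivalent = resolve_equivalent_policies(chain, required_policy)
    if not (chain[-1].policies & equivalent):
        problems.append("end-entity certificate asserts no policy that maps to the "
                        "PIV-I hardware policy")
    return (not problems, problems)


# Constructed sample: the Federal Bridge cross-certifies a "State Bridge CA", which
# cross-certifies the non-federal issuer "Acme CA"; Acme asserts its own hardware OID.
STATE_BRIDGE_HW = "1.3.6.1.4.1.99999.200.7"
ACME_HW = "1.3.6.1.4.1.99999.300.1"
ACME_BASIC = "1.3.6.1.4.1.99999.300.2"   # a weaker Acme policy with no PIV-I mapping
SAMPLE_CREDENTIAL_ID = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"   # constructed UUID


def sample_chain(end_entity_policy=ACME_HW):
    fbca_to_state = Cert("State Bridge CA", "Federal Bridge CA",
                         frozenset({PIVI_HARDWARE_POLICY}),
                         {PIVI_HARDWARE_POLICY: {STATE_BRIDGE_HW}})
    state_to_acme = Cert("Acme CA", "State Bridge CA",
                         frozenset({STATE_BRIDGE_HW}),
                         {STATE_BRIDGE_HW: {ACME_HW}})
    card_cert = Cert("Jane Doe PIV-I authentication", "Acme CA",
                     frozenset({end_entity_policy}))
    return [fbca_to_state, state_to_acme, card_cert]


if __name__ == "__main__":
    print(check_pivi_credential(SAMPLE_CREDENTIAL_ID, sample_chain()))
    print(check_pivi_credential("70001234", sample_chain(ACME_BASIC)))
```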


Bank of America adds two-factor authentication

Customers use on-card display to generate one-time passwords

Bank of America knows there are plenty of threats to its consumers. Fraudsters are always searching for new ways to phish for information, gain access to bank accounts and empty them. The Charlotte, N.C.-based financial institution has been working on ways to protect its customers from these attacks. The first step was taken in 2005 when it deployed SiteKey, but it more recently added two-factor security for some of its customers with a one-time password system called SafePass.

SiteKey, which was mandatory, enabled customers to pick an image, write a brief phrase and select three challenge questions. The customer and the bank can pass that information securely back and forth to confirm each other’s identity. When the customer logged into the site they knew it was legitimate because they saw the phrase and picture. “It’s been very effective for us,” says Todd Inskeep, senior vice president and customer protection executive at the bank. “Customers know when they go to a phishing site and they help us report the sites.”

SafePass ups the ante for Bank of America customers, offering two-factor authentication with a one-time password token. “We wanted to share a secret that would be hard for the bad guys to get,” Inskeep says. Password tokens are traditionally fobs that attach to a key ring. But Bank of America went in a different direction with a credit card-sized form factor, Inskeep says.

“We wanted to use something that was familiar to our customer,” he says. “The football shaped token was a little more challenging and didn’t feel as appealing as the credit card.” While the tokens are in the standard credit-card sized format they are only used to generate the passcodes for the sites, Inskeep says. They don’t have a magnetic stripe nor are they embossed with the individual’s credit card information. Instead the SafePass card has a small button and an on-the-card display.

When conducting certain types of transactions online, the user is prompted to enter a one-time passcode. To obtain the code, the user presses the button on the card to generate the code. Providing this numeric string enables the transaction to proceed with confidence. Customers can also choose to receive a passcode via a cell phone or other mobile device, Inskeep says. Customers who use the text message service are able to use SafePass for free, while individuals who want the token have to pay a $19.99 fee.

Bank of America enables SafePass for a subset of its customers, Inskeep says. Small business customers use it when conducting high-risk transactions; stock traders use it for trading penny stocks; and some consumers will be required to use it when wire transferring large sums of money. Inskeep would not disclose how many customers have signed up for the service, saying only that “adoption has been quite good.” The SafePass program earned Bank of America the Smart Card Alliance’s Outstanding Smart Card Achievement issuer award for 2010.
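As an added example, not Bank of America’s code, here is the server side of an event-based one-time passcode token of the kind described above (a card whose button produces a fresh code on each press); the page does not say which algorithm SafePass uses, so the standard HOTP construction (RFC 4226) and its published test secret are assumed:

```python
"""Server-side verification of an event-based one-time passcode.  Added example; the
page does not state SafePass's algorithm, so HOTP (RFC 4226, HMAC-SHA1 over a press
counter) is assumed, with the RFC's published test secret as constructed sample data."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: dynamic-truncate HMAC-SHA1(K, C) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of last byte selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TokenRecord:
    """What the issuer keeps per card: the shared secret and the next counter value it
    will accept.  A look-ahead window tolerates a few button presses that never reached
    the server; codes at or below the last accepted counter are never accepted again,
    which is what makes a phished code worthless once it has been used."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        if len(submitted) != 6 or not submitted.isascii():
            return False
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.next_counter = c + 1        # advance past the code just used
                return True
        return False


# RFC 4226 Appendix D test secret, used here as constructed sample data.
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    card = TokenRecord(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print(first, card.verify(first))    # 755224 True
    print(card.verify(first))           # False: a replayed code is rejected
```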

Survey offers view into future of access control

Research shows major growth in contactless and multi-application deployment, though price still remains key driver

In March 2010 Avisian Publishing and HID Global embarked on a research effort to gauge reader perceptions related to future trends in physical access control. The project produced an interesting look at both the current state and future direction of the security market. The following article highlights key findings from the research.

The methodology was straightforward. A 14-question survey was developed and made available for online response. Calls for participation were promoted via article postings and banner ads on Avisian’s ID technology focused Web sites. During a four-day period, 250 responses were collected, with approximately 150 from end users or issuers of access products and an additional 100 responses from industry representatives. For this review only end user responses were considered.

Questions focused on areas including:
• Future card technologies and form factors,
• Next generation applications,
• Programming of credentials,
• Security of access control solutions,
• System selection criteria, and
• Key drivers for future security decisions.

Card technologies

The initial questions explored card technologies currently deployed and plans for future implementations. Respondents were asked to select all that apply to the question: “Which card based technologies does your organization CURRENTLY SUPPORT?” More than 75% reported use of magnetic stripes and nearly 40% indicated that a bar code was used. Nearly 45% use proximity technology and about 30% indicated contactless technology was in place (see Figure 1). When categories were evaluated in combination there were some interesting results. Two-thirds of all respondents indicate that they currently use proximity and/or contactless. This number jumps to 80% when asked about planned use of proximity and/or contactless.

Figure 1. Card technologies: Current and planned use (current / planned): Mag Stripe 77% / 65%; Barcode 39% / 33%; Prox 44% / 40%; Contactless 31% / 56%; Contact Chip 18% / 20%.

While it will likely come as no surprise that contactless saw the largest level of growth from current to planned use, the size of that growth is dramatic. The use of contactless is anticipated to rise nearly 80%. Currently less than one in three users are issuing the technology but nearly six in 10 plan to deploy (see Figure 2).

Figure 2. Card technologies: Change from current to planned use: Contactless +79%; Contact Chip +11%; Prox -9%; Mag Stripe -16%; Barcode -16%.

As expected, this dramatic rise in contactless usage will come at the expense of other technologies, but surprisingly it is not proximity that will feel the bulk of the pinch. Proximity use remained strong, with four out of 10 users reporting their intention to continue or initiate its use. That is a decline of less than 10% from current use levels. It is not, however, enough to account for the 80% rise in contactless.

The survey suggests that magnetic stripe and bar coded IDs will make up the bulk of the migration to contactless. Each technology experienced more than 15% declines and together made up 75% of the migration from a currently used technology to contactless.

Applications

Moving from technologies to applications, respondents were asked to identify how they planned to use their cards in the future. Not surprisingly, identification and physical access topped the list at 75% and 65% respectively. Next came time and attendance and vending, both planned for use by more than half of all issuers. Visitor management, parking and logical security each received at least a 40% response rate (see Figure 3).

Figure 3. Applications: Respondents planning for use. Bar chart over Identification, Physical Access Control, Time & Attendance, Vending, Visitor Management, Parking, Logical Security, Event Mgmt/Ticketing, Cost Recovery/Printing, Public Transport and Closed Loop Payment; the values legible in the chart are Identification 74%, Physical Access Control 65%, Time & Attendance 55%, Vending 51% and Visitor Management 43%.

In terms of rise in planned use, there was a significant lift in the number of end users planning to expand use of the ID to logical security, be it network access, file encryption, authentication or single sign on. More than 40% of end users responding to the survey plan to do so in the future, a rise of more than 50% over current levels (see Figure 4).

Figure 4. Applications: Current and planned use of logical security (current 28%; planned more than 40%).

Security of access control solutions

A series of questions related to the security of current access control solutions. Respondents were asked to rate whether they deem a particular security attribute important or unimportant. If they said it is important, they were asked if they are “SATISFIED with (their) current installed physical access systems related to the specific item.”

The specific attributes identified were:
• Multi layered security to protect data on card
• Breach (or hacker) resistant hardware
• Software upgrades to address new security threats
• Key management, data & communication protected by a trusted system
• Ability to configure different security levels on campus by location while using one credential per user
• Hardware that can update security technology if current technology is hacked.

All six attributes scored as important, with an average of 90% of respondents indicating so. Respondents were generally satisfied with their current installed solutions. Five of the six attributes averaged a 70% satisfaction rate.

The attribute that garnered the least satisfaction on the list was “Hardware that can update security technology if current technology is hacked.” Less than 50% of respondents reported satisfaction with their current installed solution related to this item.

System selection criteria

A series of system attributes or selection criteria was also investigated. Each item was rated as important or not important, and those deemed important were evaluated based on the respondent’s perceived satisfaction with their current solution related to the item.

Two financial questions were posed, one asking about “Price” and another about “Total Cost of Ownership.” Not surprisingly, both were deemed important by an overwhelming majority of respondents. In both cases, 60% of respondents reported that they were satisfied with their current solution, leaving 40% dissatisfied.

“Capability to Support New Applications with Minimal Investment” was another system selection criterion investigated. Nearly 90% ranked it important, and respondents were split down the middle in terms of satisfaction. The item “Credential Form Factor Options (e.g., card, phone, sticker, etc.)” received an importance vote from 70% of respondents, with 40% expressing dissatisfaction with their current solution.

Programming advanced technology credentials

With the rise in advanced card technology use, the issue of programming credentials into cards has become increasingly complicated and essential. Respondents were asked: “Which method(s) does your organization CURRENTLY USE when programming your cards/credentials prior to distribution?” Additionally they were asked what they plan to use in the future. If an access control system supplier or a service bureau provides programmed cards to the site, the response is categorized as “off-site.” If the issuer programs the cards via a desktop printer or a desktop programmer, the response is categorized as “on-site.” In some cases a combination of off-site and on-site programming was reported.

More than 65% of all respondents currently use on-site programming methods, and this method’s use is expected to increase to nearly 70% in the future. Both off-site and combined on-site and off-site programming decline from current use rates to planned use rates among survey participants (see Figure 5).

Figure 5. Programming cards: On-site and off-site programming (current use of on-site programming 65%; change from current to planned use: On-site +8%, Off-site -16%, Both on- and off-site -14%).

Key drivers for future access control decisions

Respondents were asked to select what they feel will be the leading drivers for physical access control in the next three years. Each was asked to select the first, second and third most significant driver from a list of eleven options. For evaluation purposes, first place votes were weighted with three points, second place two points and third place one point. “Total Cost of Operation” led the list of drivers, receiving acknowledgement from nearly 80% of respondents. Using this as the benchmark, the remaining options were compared to this response. “Single Card/Multi-application Solution” ranked second, and “Campus Security & Penetration Issues” ranked third. The remaining responses fell far short of these top three, suggesting clear differentiation in perceived importance (see Figure 6).

Figure 6. Drivers: Key drivers in future access control decisions (in chart order: Total Cost of Operation; Single Card / Multi-application Solution; Campus Security & Penetration Issues; Biometrics and Multi-factor Authentication; Convergence of Physical and Logical Access; Plug & Play Interoperability; Government Compliance (e.g., FIPS, SOX, HIPAA); IP Connectivity; Sustainability or “Green” Initiatives; Expansion to Mechanical Locks (Non-door); the eleventh option is not legible).

Conclusions

The Future Trends in Physical Access Control study suggests that security technology is changing, and end users/issuers are acknowledging and planning for many of the changes. This seems evident in the rise in planned use of contactless technology, a strong list of additional card-driven applications being considered and widespread recognition of the importance of security in the solutions deployed.

While this is positive for the access control industry, the user community remains extremely cost conscious. “Total Cost of Operation” ranks as the number one driver for future purchasing decisions, and both “Price” and “Total Cost of Ownership” topped the list of system selection criteria. It seems users are ready to embrace new solutions and higher levels of security, assuming the price is right.


Identity ecosystem at core of Obama’s online plan

‘National Strategy’ proposes massive changes for electronic authentication

Zack Martin, Editor, AVISIAN Publications

Create a system that individuals can use to log in to a bank account, check email or keep track of research topics of interest. Give it a catchy name like “identity ecosystem” and expect it to secure all transactions while at the same time providing anonymity.

This is the task facing the National Strategy for Trusted Identities in Cyberspace (NSTIC): find an efficient way to protect individuals online, whether they are engaged in the most secure task or the most benign.

Identifying the problem is easy. Finding and implementing solutions is an entirely different ordeal. The 36-page draft report released in June by the White House states that the strategy aims to curb the rise of online fraud, identity theft and misuse of personal information online. This involves creating an identity ecosystem that would enable security, efficiency, ease of use and confidence while increasing privacy, choice and innovation.

“The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities,” the report states.

The White House National Security Council led the effort on the report. The group consulted with 70 industry advisory councils and associations representing various communities, including privacy, federal government, state and local government, health care, energy, IT and the financial sectors, according to a National Security Council press spokesperson. All told, almost 4,000 comments from industry and government were collected, adjudicated and in many cases incorporated.

It is expected that President Obama will sign a directive in September or October appointing a government agency to oversee implementation of the strategy.

The directive will be similar to, possibly even an amendment of, Homeland Security Presidential Directive-12 (HSPD-12), says one source. That directive, signed by President Bush in August 2004, required a standard ID credential for all federal employees and resulted in FIPS 201 and the Personal Identity Verification standards.

The strategy comes out of the Cyberspace Policy Review, which recommended better authentication technology to prevent online fraud and identity theft. Some government officials, however, will say it is 10 years in the making, starting all the way back when the U.S. Department of Defense issued the first Common Access Card. Subsequent credentialing efforts and this extension to the citizen are all logical outgrowths of this early program.

The report calls for an interoperable solution in which participation is voluntary. And while no specific technology is called for in the report, there are references to smart cards, USB key fobs, mobile phones, software certificates and trusted computing modules. Biometric technologies are not mentioned in the report. There were also references to some existing government identification projects, including HSPD-12 and Federal Identity, Credential, and Access Management (FICAM). Both are used as examples of how any new identity ecosystem should align with existing federal projects. Some government insiders say extending a PIV-type infrastructure to the public only makes sense.

Government officials are moving quickly to get a national strategy signed by the president and an implementation plan that includes high-level milestones. But there will be any number of steps required post-signature that will take considerable time.

Putting odds on online ID
Will it be the feds, states or private sector issuing credentials?

Federal issuance
Odds: 1%
Model would be somewhat similar to passport issuance.
Pros: Because of passports, something of an infrastructure is already in place.
Cons: The specter of “Big Brother” already looms large with this strategy, and having the feds issue the credential would only make it bigger.

State issuance
Odds: 44%
Model would be somewhat similar to obtaining a driver license, with more in-depth identity vetting and issuance of a more secure document.
Pros: Individuals are already used to going to a state office to get an ID document; this process would just be a little more involved. States also have the infrastructure in place, though upgrades would be necessary. Since the new credentials would be voluntary, states could add a revenue source by issuing the documents. Unlike private organizations, states are already absolved from liability for other ID issuance processes, so new legislation might not be necessary. And there are indications that states are becoming more interested in issuing strong credentials (See NASCIO story, page 34).
Cons: States are broke and don’t have money to upgrade infrastructure. Local government also doesn’t have much, if any, experience deploying these types of high-tech systems and credentials.

Private issuance
Odds: 50%
Some corporations are champing at the bit for this opportunity. Organizations like the Kantara Initiative are already accrediting auditors who would then certify others for credential issuance up to level three assurance (high confidence in the asserted identity’s accuracy; used to access restricted data). The model would likely have individuals applying for credentials in person with documentation, paying a one-time enrollment fee and then an annual fee after that to continue using the credential.
Pros: Government can pass legislation and then not have to worry much about the process. Despite all the wailing and gnashing of teeth over privacy issues on sites such as Facebook, people still use them. Private organizations, it seems, are more trusted than government in the current environment.
Cons: Private corporations don’t have much of an infrastructure in place to start credential issuance. While the economy may be starting to recover, the capital it would take corporations to get a business up and running might be too great. Liability is another issue, and Congress would have to pass some type of legislation that would limit liability in case of a data breach.

It doesn’t happen at all
Odds: 5%
Government and industry officials want this strategy to proceed, but anything is possible in politics. Politicians could find a bone to pick and necessary legislation could get held up. Some mainstream media are already calling this voluntary program a national ID card, and if that persists it could spell trouble. That said, with proper education about the program people should realize it’s a necessary, if long overdue, initiative.

Summary: It’s going to be a tough race between state governments and private corporations. Cost and trust are two of the biggest issues that need to be faced, and it’s going to be a matter of who can figure those two things out and make it happen.

“We want implementers to feel some urgency due to NSTIC’s impact on economic and national security,” says a National Security Council spokesperson. “But we want to do it right, too, and ensure that we’re not creating more problems than we solve.”

That urgency needs to be tempered with realism. The strategy calls for standard identity proofing for everyone who applies for a credential, but these standards don’t exist. The American National Standards Institute and the North American Security Products Organization have embarked on a standards creation process, but this is expected to take at least 18 months. (See ID vetting sidebar.)

There is also a strong possibility that legislation will have to be passed before the strategy is enabled. If private organizations are issuing the credential, issues around liability and privacy will have to be resolved. (See liability sidebar.) If there is any major political opposition to the strategy, DC insiders suggest that it could hit roadblocks at this point.

And even if a strategy is published and credentials issued, where will individuals use them? Banks, hospitals and others will have to deploy back-end systems and infrastructure so the credential can be used. This won’t be cheap and it won’t happen overnight. But the business case will be there for companies to deploy the back-end systems, says the National Security Council spokesperson. “Better and more prolific authentication mechanisms will streamline account management and improve the automation of business processes, ultimately leading to cost savings,” the spokesperson says. “This will also minimize the collection and usage of personally identifiable information.” Limiting the amount of personal information that providers store should make it more difficult for hackers to obtain that data.

“We want to move away from the current paradigm where sensitive information is retained by every single service provider and instead move to a paradigm where individuals can choose when and what information is shared,” the spokesperson says. “Security is always a concern and the idea is not to limit individuals to one single credential but provide individuals a choice of credentials that enable only the necessary pieces of information to be shared,” he continues. “Consumers could choose to accept the risk associated with a single credential but others will choose to carry multiple credentials.”

Goals and actions for the ‘National Strategy’

Goal 1: Develop a comprehensive Identity Ecosystem Framework
Goal 2: Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
Goal 3: Enhance confidence and willingness to participate in the Identity Ecosystem
Goal 4: Ensure the long-term success of the Identity Ecosystem

Nine actions align to these goals and the vision. These actions provide the foundation for the Identity Ecosystem implementation. The actions are:

Action 1: Designate a federal agency to lead the public/private sector efforts associated with achieving the goals of the strategy
Action 2: Develop a shared, comprehensive public/private sector implementation plan
Action 3: Accelerate the expansion of federal services, pilots, and policies that align with the identity ecosystem
Action 4: Work among the public/private sectors to implement enhanced privacy protections
Action 5: Coordinate the development and refinement of risk models and interoperability standards
Action 6: Address the liability concerns of service providers and individuals
Action 7: Perform outreach and awareness across all stakeholders
Action 8: Continue collaborating in international efforts
Action 9: Identify other means to drive adoption of the identity ecosystem across the nation


ID vetting standards first step to online ID
Groups tackling proofing challenges

Creating an identity ecosystem is the plan for the National Strategy for Trusted Identities in Cyberspace. This ecosystem would give individuals privacy while also enhancing security. This would involve some type of credential, be it a software or hardware solution, but how do we make sure that credential is issued to the correct person? This issue is alluded to in the strategy but not fully explored. There are thousands of different types of birth certificates in circulation, and states have different standards for driver license issuance. This makes it essential that a standard for ID proofing and vetting be developed, officials say.

A National Security Council spokesperson says the identity vetting and proofing aspects of the national strategy have not been formally assigned, but the American National Standards Institute (ANSI) and the North American Security Products Organization (NASPO) are working on the effort. ANSI and NASPO held a kickoff meeting in July to start the process of creating a standard to verify identity, said Graham Whitehead, director of auditing at NASPO, during a session at the Interagency Advisory Board meeting in July. The goal, he says, is to have a standard in place by March 2012.

Dan Combs, CEO at the eCitizen Foundation, attended the ANSI meeting. He says it was about defining the issues and setting an agenda. Another meeting is scheduled for the fall but further details have not been released. Combs has been working on identity related matters for almost a decade in both the private and public sector. “For good or ill it’s a vitally important issue,” he says. “Historically we haven’t done it well and now we’re trying to catch up and come up with a not bad solution.”

The best solution might be to create a system that uses public records and gets to a zero point, Combs says. By zero point he means the issuer is not able to find anything that states the individual is anyone other than who they claim to be. “I check the information and now we know that we don’t have anything that says he isn’t who he claims to be,” he says.

The National Notary Association has also been looking into identity vetting and proofing, says Timothy Reiniger, an attorney in the digital service group at FutureLaw who has worked with the organization. Reiniger has also been working with the American Bar Association to create a legal framework for ID vetting and proofing.

Reiniger says notaries could potentially assist with the ID vetting and proofing. But much like state driver license issuance, certification for notaries is dependent on the state. “States regulate notaries which means there are 50 different standards,” he says. Only about a dozen states require any type of education to be a notary and only a handful perform any type of criminal background check, Reiniger says. Before notaries could be used to issue digital certificates or other types of credentials this would have to change, and ID standards would have to be put in place for these new trusted agents.

Some notaries have already gone through additional training and are working with digital credential providers, Reiniger says. SAFE Bio Pharma and Exostar are utilizing these trusted agents to perform identity proofing before issuing credentials. There are around 2,000 of these agents around the country, he says. They go to an applicant’s home and gather all the necessary documentation, Reiniger says. These documents are then sent to the organization where the documents are validated.

Reiniger notes that the task the notary performs is much different than that of the organization issuing the credential. The identity proofing is conducted by the notary when he gathers the documents, but the actual ID vetting is done by the organization when the documents are validated.

It’s possible that states and private organizations could partner to issue credentials, Reiniger says. The notaries, enabled by the state, could perform the proofing and vetting and the state could issue the credential.

Liability, legislation around online ID

If private corporations are to issue identity credentials there will need to be some type of legislation passed spelling out the liability issues, says Tom Smedinghoff, a partner at the law firm of Wildman Harrold and chairman of the American Bar Association task force exploring the legal issues around identification. Corporations will want to know what the liability will be if a credential is issued to an individual claiming to be someone else. This is a huge issue for organizations, and before anyone steps to the plate to begin issuing credentials legislation will have to be passed. “There is no case law addressing the liability of an identity provider,” Smedinghoff says. More than a decade ago Smedinghoff worked with the American Bankers Association to produce a report on the liability of identity providers. “We looked at all kinds of legal theories and came up with a 200-page report,” he says.

Looking at existing issuance models provides possible scenarios. If the credential is issued by the state or federal government there will be no liability, because there are already laws in place eliminating government liability for issuing an ID to the wrong individual. There is also the credit card model, which puts the liability for fraudulent purchases on the bank and merchant. Laws governing credit card use have been on the books for more than two decades and were relatively easy to come up with because the technology and systems had been around for so long, Smedinghoff says. This isn’t the case in the ID management space, and it will have to be clarified through federal legislation. It won’t be easy, says Smedinghoff, adding, “in the ID management space we are looking ahead and anticipating what the problems will be and developing rules that are appropriate … that’s a tougher job.” Ultimately the liability may depend on the legal theory that’s used along with the jurisdiction, Smedinghoff says. “If you look at it from a tort perspective whether or not the ID provider is liable depends on fault,” he says. “If you look at the same perspective from warranty law, fault is irrelevant.” No matter the legal theory or the jurisdiction, clarification will be necessary before organizations decide to jump into the credentialing business. “Businesses need some certainty on the legal risk,” Smedinghoff says, “and that’s where legislation could help.”


Cool new NFC apps win forum awards

Austria’s NEXPERTS and Pharmafabula of Spain took top honors at the NFC Forum Global Competition in Karlshamn, Sweden. NEXPERTS topped the competition’s Commercial Track for its self-service shopping solution, while Pharmafabula nabbed first prize in the Research Track for its software solution designed to help blind patients receive and properly use medication. The field was made up of 20 finalists, representing countries from Asia, Europe and North America. Contestants were divided into the Commercial Track for ideas that addressed a specific market, business, or consumer need, and the Research Track for the academic community, including university student teams and institutions, according to the NFC Forum. A jury of experts and senior professionals from academia and sponsoring companies selected the winners. Entries were judged on their innovation, commercial potential and usability, as well as on quality of design and implementation.

NEXPERTS’ winning Commercial Track solution, “Touch & Pay,” is a multi-function NFC system that combines physical security, mobile payment and smart poster technology to enable secure self-service shopping. “Touch & Pay uses all of what is offered by NFC to make the end user experience as easy as possible,” said NEXPERTS CEO Kurt Schmid. “In the past there were trials for smart posters and mobile payment, but none of these trials used all the capabilities of NFC.”

Touch & Pay is specifically designed for rural areas or countries without a point-of-sale payment infrastructure. According to Schmid, the system is currently being piloted in Zurich, Switzerland at a ‘farm shop,’ an unmanned and unlocked location where customers enter and shop unsupervised. Prior to Touch & Pay the custom was to take what produce you wanted and leave cash in an “honesty box” to be collected by the farmer at a later time. The new solution addresses the obvious risks involved in this practice, starting at the shop’s front door. To give farmers assurance of the security of their produce beyond the moral integrity of shop patrons, Touch & Pay introduces a contactless electronic lock that customers open with credentials stored directly on the NFC phone. When a customer passes her phone by the door, a contactless reader embedded in the lock reads the credentials and grants access to the shop. Once inside, items are selected for purchase by tapping the phone against the price tag. A digital shopping cart is automatically launched in the phone’s browser with the selected item and the price. To complete the transaction, you tap your phone against the checkout tag, select a payment method, and you’re good to go. “Technically the architecture of the system is complex, but it’s easy for end users,” adds Schmid. Touch & Pay is supported by a number of German and Swiss partners, explains Schmid, including Winter AG from Unterschleissheim, eg24 AG from Zurich and LEGIC from Wetzikon.

Pharmafabula, the winning application in the Research Track, was developed by the Universidad Pontificia de Salamanca and Club de Innovación to help the visually impaired access information about their prescriptions using NFC technology. With Pharmafabula, pharmacists use an NFC mobile device equipped with FabulaWriter software to write audio information regarding dosage, treatment duration, warnings and other important information onto a tag located on the medicine’s container. The visually impaired patient can tap the NFC phone against the tag to download the audio file and play it directly from the phone. “The technology applied is very simple and easy to use,” project designer Fernando Fernandéz Fidalgo told Castilla y León Televisión. “You must only pass the NFC phone by the medication box, and in a few seconds you have a summary of the patient information leaflet in audio format personalized for the patient and the medication.” ONCE, a Spanish organization for the visually impaired, tested Pharmafabula and was very satisfied. “The sensation was like opening a new door to access information,” said Fernando Sánchez-Guijo, Director of Affiliates at ONCE Salamanca. “This product and this technology are very important to us.”

The runner up in the Commercial Track was USA’s ITN International for its “BCARD Reader,” a solution to improve exchange of information at events, trade shows and exhibitions. Third place went to NTT DOCOMO of Japan for “Wellness Support,” a health care solution that embeds medical devices with NFC tags. Artesis University College Antwerp in Belgium took second place in the Research Track for its “NFC Learning Environment,” which allows teachers to tag items to make lessons more interactive. Lancaster University of the UK took third place honors for “MyState,” which lets individuals tag objects to create interactive environments and personalized applications for Facebook and social networks. Winners in each track were awarded €5,000, €1,500, and €1,000.

Pictures and patterns replace PINs and passwords for authentication
Alternatives to password overload rely on visual technologies
Noruwa Ezomoghen, Contributing Editor, AVISIAN Publications

No doubt about it … passwords are a pain. But as the market becomes saturated with high-tech authentication methods and technologies, some are finding a niche modernizing simple ideas to heighten both security and ease of use.

Case in point: GrIDsure and Confident Technologies. The focus for both companies is to secure authentication to services using visual techniques such as pictures and patterns. These image-based technologies function across platforms and devices, providing a simple, memorable replacement for passwords and PINs.

GrIDsure’s birth was crafted from the initial question: “Is it possible to create a new pin number and ergo a new pass code every time you do something?” explains Stephen Howes, the company’s director and CEO. The concept is based on the idea that patterns and icons can be more recognizable, and therefore more memorable, than numbers and passwords.

Instead of a typical alphanumeric password, the user chooses a Personal Identification Pattern (PIP) on a five-by-five grid. Instead of memorizing a series of letters and numbers, the selected pattern is committed to memory. When a PIN is required for authentication, a five-by-five grid with a number in each square is presented. The user enters the numbers that sit under the cells of their pattern, or PIP, in order. The back-end solution verifies that the entered string matches the user’s PIP on that grid to confirm or deny access to the service or transaction. Because the digits are placed at random for every challenge, the same pattern yields a different string each time, so the entered string is a one-time code rather than a reusable secret.

Angela Sasse, a professor at University College London, ran a user trial to determine how well people could remember patterns. “From the 50 users tested over a twelve-week period, 93%-94% were able to remember and implement their chosen GrIDsure pattern,” says Howes. In the study, some participants explained that they do not distinctly remember the numbers of their PIN, but rather the movements of their hands across the keypad, he explains. In other studies the GrIDsure pattern has proven to be more secure than traditional passwords or PINs. A study by Richard Weber, director of the Statistical Laboratory at Cambridge University, found it to be 100 times safer than a traditional PIN with 0-9 numerals, says Howes.

Adding to this, the numbers are all randomly placed on the grid, which makes it harder for someone looking over your shoulder to work out your pattern from what you type. “The possibility of someone to shoulder-surf you is low and would have to occur tens of thousands of times in order for them to be able to decipher your pattern as opposed to a typical PIN,” says GrIDsure Chairman Jonathan Craymer. GrIDsure has seen interest in its technology primarily from large corporations, government entities and financial institutions. The biggest interest has come from e-commerce retailers that have found the use of mandatory usernames and passwords to be a double-edged sword that keeps customers safe but deters them from online purchases.

Image-based solutions

Confident Technologies offers image-based security to distinguish humans from automated bots and is now extending this concept to individual authentication. Where GrIDsure relies on the memorization of a pattern, Confident’s ImageShield solution asks individuals to select image categories. Sarah Needham, manager of marketing and public relations for the company, explains that the user is prompted to pick a category of pictures – for example dogs, cats, boats, food – during registration. With subsequent authentications they are presented with a grid of pictures, each overlaid with a number or letter. The user selects the pictures from their chosen categories and enters the corresponding numbers or letters. This forms the one-time password for that session. Much like GrIDsure, the idea is based on the fact that the human brain has an easier time recognizing pictures and events than a random combination of characters. The idea was initially acquired from Vidoop LLC and the intellectual property was further developed to make it more secure and commercially accessible to all, says Needham. Needham explains that the average person has more than 20 online accounts, forcing them to remember security credentials for each. To lessen the strain of remembering all of these passwords, many choose easy ones that can be hacked or they use the same one for multiple sites.
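The grid challenge that GrIDsure relies on, and that ImageShield uses in the same shape with picture categories in place of cell positions, as an added example (this is not code from GrIDsure, Confident Technologies or this magazine): the server keeps the pattern rather than a fixed code, issues a fresh random grid per login, and checks the digits under the pattern cells. The second half enumerates what a shoulder-surfer who saw both the grid and the keystrokes can still infer, so the “how many observations” question can be checked with arithmetic for a given pattern length. Assumptions: pattern cells are distinct, the grid holds the digits 0-9, and the three fixed grids and the 4-cell diagonal pattern are constructed here so the numbers are reproducible.

```python
"""GrIDsure-style one-time code from a secret pattern over a random 5x5 digit grid,
plus an estimate of what a shoulder-surfer learns per observed login.
Added example, not GrIDsure's, Confident Technologies' or the magazine's code."""
from __future__ import annotations

import hmac
import secrets
from itertools import product

GRID_SIZE = 5
CELLS = GRID_SIZE * GRID_SIZE


def new_challenge() -> str:
    """A fresh 25-digit grid (row-major), one random digit per cell."""
    return "".join(str(secrets.randbelow(10)) for _ in range(CELLS))


def derive_code(grid: str, pattern: list[int]) -> str:
    """Read the digits under the pattern cells, in pattern order."""
    if len(grid) != CELLS or not grid.isdigit():
        raise ValueError("grid must be 25 digits")
    if len(set(pattern)) != len(pattern) or not all(0 <= c < CELLS for c in pattern):
        raise ValueError("pattern must be distinct cell indices 0..24")
    return "".join(grid[c] for c in pattern)


def verify(grid: str, pattern: list[int], entered: str) -> bool:
    """Server-side check: the server stores the pattern, never a reusable code.
    compare_digest avoids leaking how many leading digits matched via timing."""
    expected = derive_code(grid, pattern)
    return hmac.compare_digest(expected.encode(), entered.encode())


def consistent_patterns(observations: list[tuple[str, str]]) -> set[tuple[int, ...]]:
    """All patterns that explain every observed (grid, entered code) pair.

    For one observation each entered digit could have come from any cell showing
    that digit, so the candidates are the product of those cell sets (minus
    patterns that reuse a cell). Each further observation filters that set."""
    grid, code = observations[0]
    cell_sets = [[i for i, d in enumerate(grid) if d == ch] for ch in code]
    candidates = {p for p in product(*cell_sets) if len(set(p)) == len(p)}
    for grid, code in observations[1:]:
        candidates = {p for p in candidates if derive_code(grid, list(p)) == code}
    return candidates


# Constructed demo data (assumption): a diagonal pattern and three fixed grids
# instead of random ones, so the candidate counts below are reproducible.
PATTERN = [0, 6, 12, 18]
GRID_1 = "0123456789012345678901234"
GRID_2 = "3141592653589793238462643"
GRID_3 = "2718281828459045235360287"


def shoulder_surf_demo() -> list[int]:
    """Size of the candidate set after 1, 2 and 3 observed logins."""
    seen = [(g, derive_code(g, PATTERN)) for g in (GRID_1, GRID_2, GRID_3)]
    return [len(consistent_patterns(seen[:k])) for k in (1, 2, 3)]


if __name__ == "__main__":
    grid = new_challenge()
    code = derive_code(grid, PATTERN)
    print(f"grid {grid}: user types {code}, verify -> {verify(grid, PATTERN, code)}")
    print("candidate patterns after 1/2/3 observations:", shoulder_surf_demo())
```

On these constructed grids one observation leaves 36 candidate patterns, two leave 2 and three pin it down to 1. A longer pattern, or fewer distinct symbols on the grid, raises those counts; that, against how often an attacker can actually watch both screen and keypad, is the trade-off a deployment has to price rather than take on trust.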

Confident Technologies: The user is prompted to pick a category of pictures during registration. With subsequent authentications they are presented with a grid of pictures, each overlaid with a number or letter. The user selects the pictures from their chosen categories and enters the corresponding numbers or letters. This forms the one-time password for that session or transaction.

GrIDsure: A user registers by choosing a Personal Identification Pattern (PIP) on a 5x5 grid. To authenticate for future transactions, he is presented with a 5x5 grid filled with random numbers from 0-9. Using his selected pattern, the random numbers form a unique one-time password for the session.

From various scientific studies we saw that the 5,000 most common passwords are used by 20% of the population, says Needham. In the future, Needham envisions that ImageShield will create widespread security with improved user experience and present a new platform for marketing and advertising by altering the pictures displayed to users to present products and services. “The current method of alphanumeric passwords is antiquated and inherently flawed,” concludes Needham. “People simply cannot remember different, strong passwords for every online account they have.” Perhaps companies like GrIDsure and Confident Technologies are on to something, encouraging users to leave their kindergarten lessons of “ABCs and 123s” behind in favor of earlier picture books and visual learning techniques.


Walmart bringing EMV to the U.S.A.?

Retailer pushes for chip and PIN while first domestic EMV issuance begins
Ryan Clary, Contributing Editor, AVISIAN Publications

Last year there were 944 million EMV cards in circulation worldwide, according to EMVCo, virtually none of which were issued in the world’s largest payments market: the United States. With the rest of the world now upgraded to a higher security standard, the U.S. has a critical decision to make on when, how and if it wants to make the migration to EMV. Enter Walmart. Already offering EMV payment in its European Asda stores, the retail giant is planning a big push for the technology in its American outlets and wants the rest of the U.S. retail market to follow. “We’re interested in helping to migrate EMV to the U.S. market,” says Jamie Henry, director of payment services with Walmart’s treasury organization. “We view it as a much more secure transaction, and we want to provide our customers with the most secure transactions in the market place.”

Henry is referring to EMV’s two forms of authentication: the chip and the PIN. The chip verifies the authenticity of the card, that it isn’t counterfeit, and the PIN verifies the identity of the user, ensuring that the card isn’t lost or stolen. How then does Walmart intend to bring EMV to the U.S.? “First of all, we’re having discussions with the media to help make our position known and to leverage other stakeholders in the payment environment that would have similar interests,” says Henry. Walmart’s technology teams are also in the process of updating the retailer’s existing payment terminals with EMV-compliant software, enabling the cards to be accepted in stores. This project should begin in earnest in the coming year, Henry says.
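What “the chip verifies the card, the PIN verifies the user” means in practice, as an added and deliberately simplified model that is not Walmart’s, EMVCo’s or any issuer’s code. Magnetic-stripe track data is static, so a copy is as good as the original. A chip holds a key that never leaves it and answers each terminal with a MAC over the amount, a terminal-chosen unpredictable number and the card’s own transaction counter, which the issuer recomputes; that is the online-authorization cryptogram path, and EMV’s offline RSA-based card authentication is not modelled here. The PIN is checked on the chip against a retry counter. Assumptions: HMAC-SHA256 and the message layout stand in for EMV’s symmetric cryptogram MAC and key derivation, the PAN and track data are constructed, and the unpredictable numbers are fixed so the run is reproducible (a real terminal draws them at random).

```python
"""Chip-and-PIN versus magnetic stripe, as a simplified model (added example; not
EMV's actual cryptogram format, key derivation or any vendor's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class MagStripeCard:
    """Track data is static: a skimmer that reads it once can encode a working clone."""
    pan: str
    track_data: str

    def swipe(self) -> str:
        return self.track_data


def mac(key: bytes, pan: str, amount_cents: int, atc: int, un: bytes) -> bytes:
    """HMAC-SHA256 stands in for EMV's application cryptogram MAC (assumption)."""
    msg = f"{pan}|{amount_cents}|{atc}|".encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class ChipCard:
    """The key is personalised into the chip and never leaves it. The chip proves it
    holds the key by MACing data the terminal chose (the unpredictable number) plus
    its own counter. The PIN is checked on-chip with a retry counter, so a lost or
    stolen card cannot be guessed against indefinitely."""
    pan: str
    key: bytes
    pin: str
    atc: int = 0              # application transaction counter, increments per use
    pin_tries_left: int = 3
    blocked: bool = False

    def verify_pin(self, entered: str) -> bool:
        if self.blocked:
            return False
        if hmac.compare_digest(self.pin.encode(), entered.encode()):
            self.pin_tries_left = 3
            return True
        self.pin_tries_left -= 1
        self.blocked = self.pin_tries_left == 0
        return False

    def generate_cryptogram(self, amount_cents: int, un: bytes) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, mac(self.key, self.pan, amount_cents, self.atc, un)


class Issuer:
    """Holds each card's key and the last counter value it accepted for that card."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_atc: dict[str, int] = {}

    def issue(self, pan: str, pin: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self.keys[pan] = key
        self.last_atc[pan] = 0
        return ChipCard(pan, key, pin)

    def authorize(self, pan: str, amount_cents: int, atc: int, un: bytes, cryptogram: bytes) -> bool:
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False   # unknown card, or a counter value already spent (replay)
        if not hmac.compare_digest(mac(key, pan, amount_cents, atc, un), cryptogram):
            return False   # wrong key (counterfeit chip) or altered amount / UN
        self.last_atc[pan] = atc
        return True


PAN = "4111111111111111"   # constructed test PAN, not a real account


def magstripe_clone_works() -> bool:
    """A clone carrying copied track data is indistinguishable from the original."""
    original = MagStripeCard(PAN, "B4111111111111111^DOE/JANE^2512101")  # constructed
    clone = MagStripeCard(PAN, original.swipe())                          # from a skimmer
    return clone.swipe() == original.swipe()


def chip_scenarios(un_a: bytes = b"\x11\x22\x33\x44", un_b: bytes = b"\x55\x66\x77\x88") -> dict[str, bool]:
    """One genuine purchase, then attacks using only what was observed at that terminal."""
    issuer = Issuer()
    card = issuer.issue(PAN, "1234")
    atc, crypt = card.generate_cryptogram(1999, un_a)
    r = {"genuine": issuer.authorize(PAN, 1999, atc, un_a, crypt)}
    r["replay_same_terminal"] = issuer.authorize(PAN, 1999, atc, un_a, crypt)
    r["replay_new_terminal"] = issuer.authorize(PAN, 1999, atc + 1, un_b, crypt)
    r["amount_changed"] = issuer.authorize(PAN, 1, atc + 1, un_a, crypt)
    fake = ChipCard(PAN, secrets.token_bytes(16), "0000", atc=atc)   # right PAN, wrong key
    atc2, crypt2 = fake.generate_cryptogram(1999, un_b)
    r["counterfeit_chip"] = issuer.authorize(PAN, 1999, atc2, un_b, crypt2)
    return r


def pin_lockout() -> tuple[list[bool], bool, bool]:
    """Three wrong guesses block the card; even the right PIN fails afterwards."""
    card = Issuer().issue(PAN, "1234")
    guesses = [card.verify_pin(g) for g in ("0000", "1111", "2222")]
    return guesses, card.blocked, card.verify_pin("1234")


if __name__ == "__main__":
    print("magstripe clone accepted:", magstripe_clone_works())
    print("chip scenarios:", chip_scenarios())
    print("pin lockout:", pin_lockout())
```

The counter is what defeats a replay at the same terminal, and the unpredictable number is what defeats a replay at a different one; a counterfeit chip with the right PAN but no key fails the MAC regardless. None of this helps for card-not-present fraud, where only the PAN and printed data are presented, which is one reason the page’s EMV discussion is about the point of sale.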





One of the major issues surrounding EMV’s migration to the U.S. is whether or not to incorporate contactless technology. Walmart has made it clear which side of the fence it stands on – at least for the time being. “We’re not fans at this point of contactless payments via the card mechanism,” says Henry. “Our opinion is it doesn’t offer any higher form of security than the magnetic stripe on the back of the card because it’s simply just communicating that same information. It’s actually probably a lower form of security because there’s no PIN required in contactless.”

Walmart also sees the purportedly superior speed of contactless payment as negligible: “It’s not that big a deal to tap it against the device versus swiping it through a device,” says Henry. “You still need to go into your wallet; you still need to pull the card out, and then it’s just a matter of either tapping and holding it for a second or so against the reader or swiping it through the machine.” On the other hand, Patrick Gauthier, senior vice president at Commerce Fault Line, believes that contactless does provide added security over traditional payment methods and is the ideal avenue for chip payment’s migration to the U.S. “We need to leverage contactless deployment in the U.S., which has been happening slowly but surely,” adds Gauthier. “Walmart has expressed reluctance to that, but if you fix the transactions rules – interchange fees, authentication requirements – balancing the merchants and issuers benefits, you can make contactless a no-brainer, even for large merchants like Walmart.” Contactless offers a number of other benefits as well. “First of all, not all consumers are comfortable with swipes – sometimes the stripe is read, sometimes it’s not and the motion can be difficult for the elderly and disabled. The motion of contactless is extremely intuitive – just a tap,” Gauthier says. “Secondly, if you have contactless, the form factor doesn’t need to be a card; it could be all sorts of things.”

First U.S. issuer jumps aboard EMV bandwagon

The United Nations Federal Credit Union has become the first U.S. card issuer to deploy EMV cards to its members. With more than 4,000 members outside the U.S., the credit union had to do something to accommodate those customers living in areas where EMV is used, says Merill B. Halpern, manager of card services at the credit union. The institution recognized the need of its members, who reside in and frequently travel to more than 210 countries and territories, to have payment cards that can be accepted the world over. “We were hearing from our members for a long time they were feeling disadvantaged when they used our cards in locations that didn’t accept mag-stripe-only cards,” Halpern said. “They didn’t want to draw attention to themselves, creating line waits, very often the clerks don’t know how to get an approval … and as a result our card became not so top of wallet.” The credit union is taking advantage of Gemalto’s World Traveler program to provide the organization with issuance services, including full card design and production, ensuring global acceptance and forward compatibility for both online and offline payment transactions. The credit union rolled out the program in the second half of 2010.


Contactless or not, EMV still has a few obstacles to tackle before becoming a reality in the U.S., Henry says. Unless merchants see lower interchange fees for EMV transactions there is no incentive for them to spend the money to upgrade terminals and infrastructure. Issuing banks also don’t have an incentive to issue the new, more costly cards.

EMV transactions take longer to process at the point of sale, Gauthier says. EMV was developed between 1994 and 1996, before the e-commerce boom, and was designed around offline authorization, whereas transactions in the U.S. are authorized online. This means EMV transactions take a few seconds longer to process than magnetic stripe transactions, which has deterred retailers claiming those extra seconds amount to significant losses in revenue, says Gauthier.

Then there’s the issue of money and how long it will take to make the switch to EMV. There are roughly 1 billion payment cards in the U.S. and 6 million merchants, and updating those kinds of numbers will take time and cost. This is why leveraging the burgeoning contactless movement would be so beneficial to EMV, according to Gauthier.

Still, despite the snags, Gauthier says the U.S. has never been closer. “Probability of a migration to chip in the U.S. is high, the planets are aligning, and payment networks are looking in earnest at migration,” he says. If merchants, payment processors and banks get on board with a more secure payment solution it might not be traditional EMV as seen in other countries, Gauthier says. “We could have ‘EMV a la 2010’ – EMV updated for today’s payments in the U.S., which includes leveraging contactless,” he says.

[Back-issue covers shown: Spring 2008, Summer 2008, Fall 2008, Winter 2008, Spring 2009, Summer 2009, Fall 2009 and Winter 2009. Cover headlines legible in the thumbnails: “Airport IDs: Grounded or ready for take off?”; “Canadian telco converges physical and logical ID”; “Identity in an online world”; “Bank-issued contactless payments compete for transit market”; “Outsourcing ID programs”; “Real ID becoming reality”; “London trials NFC”; “Card fraud cases in US renew call for EMV”; “NFC global update”; “Hacking Identity: The impact of smart card and security hackers”; “Iris at-a-distance takes biometric center stage”; “Health care mulls identity options”; “EMV takes aim at U.S.”; “Will a new president scale back existing projects or add new ones?”; “Biometrics: On campus, in the military”; “Plastic IDs: Recycling & green options”; “Contactless payments: Floundering or burgeoning?”; “Airport worker credential in the making”; “New rules for biometric sharing”; “Changing Perspectives?”; “Beyond issuance … e-passports struggle to achieve usage”; “Is identity broken?”; “EU considers student ID”; “Registered Traveler in flux”; “Plus NFC, RFID, biometrics”.]

OWN THE ENTIRE COLLECTION

1000+ pages of ID technology insight, just $200.

• Educate new employees
• Refresh your industry knowledge
• Research for presentations
• Review best practices
• Learn from the experience of other implementations
• Gain a competitive edge

For the first time, AVISIAN is offering all back issues of their industry-leading re:ID magazine in a packaged set. You receive three years’ worth of top-notch news and insight – 15 issues of re:ID and 6 issues of CR80News magazine. Plus you get password-protected access to our online library with more than 1000 feature articles. To order, visit

Emerson’s contactless conversion

Lessons learned from a rapid rollout

Andy Williams, Associate Editor, AVISIAN Publications

Re-carding a college, even one with just 4,200 students, doesn’t come easy. When those cards feature a new technology and the time line is short, a lot of things can go wrong. For Boston’s Emerson College, however, it was a relatively smooth process and the few things that went wrong were fixed on the fly, recalls Adam Travis, Emerson’s enterprise system administrator, information technology.

Technically, Emerson has no campus to speak of, says Travis. “We’re right in the theater district. Thousands walk by our buildings every day. To enter each of the eight buildings on campus you walk past a guard post.” The school’s dorms are on the upper floors so students need to present their card to enter the building and again to enter the living areas, he adds.

One element that led to the abandonment of Emerson’s previous system was the college’s implementation of the Banner system to handle payroll, student information, admissions and finance, says Travis. In the school’s older student information system, Social Security numbers were the primary student identifier, he says, but the switch to Banner required the university to issue new student ID numbers.

That, says Travis, provided an ideal opportunity to replace the legacy card system and magnetic stripe card the school used for about 10 years.

When it came time to ditch the current system and to find someone to help the college re-card, Emerson looked at a number of vendors, says Travis. One vendor that caught Emerson’s eye was campus card provider CBORD. Another was Charlotte, NC-based ID provider ColorID. Both ended up providing re-carding assistance to the school.

This part of the process was not quick. The first discussions took place in 2007 but the contract was not signed until two years later, Travis says. At about the same time Travis was negotiating with ColorID to print the new student cards. “They started getting us quotes then we had conference calls and worked closely with them in June and July,” says Travis.

Lessons learned from card technology upgrade

• Plan with future needs in mind: The CBORD system enables Emerson to integrate video surveillance functionality when the campus is ready.

• Education is crucial: “We had to let people know they couldn’t punch holes in the card because of the chip,” says Emerson’s Adam Travis, and even teach them “what to do when the readers didn’t have a slot to swipe.”

• Leave enough time to receive all necessary components: “Our last batch of cards arrived less than 24 hours before distribution started,” Travis says. “They made it on time, but it was nerve-racking. And we had no blank stock during the week of implementation.”

• Communicate with other business units: Because the bookstore upgraded its software during the implementation process, Travis reports that they had to scramble to ensure compatibility with the new systems.

• Leave time for testing and training: “We didn’t have a lot of time for testing because of the tight time frame. By the time we went live in August, there wasn’t time to test the meal plans. For the most part things did work,” says Travis. But be careful.

• Order spares: “We didn’t (invest in spare readers) to save money, but a couple readers had problems at installation,” explains Travis, suggesting that you will want to have them anyway for future needs, so go ahead and get them up front.

The new campus card deployment

Emerson’s new system is more modern and enables greater flexibility and better security, says Read Winkelman, CBORD’s vice president of sales. With Emerson’s main concern being security, contactless technology quickly rose to the top. “A contactless card tends to be more difficult to duplicate which makes it more secure,” he says. “Emerson described what they were looking for which helped us guide them towards the technology to re-card their system.”

The university decided to go with HID’s iCLASS contactless smart card technology, Winkelman says. “iCLASS is certainly a little newer and more secure than prox,” says Winkelman. “We have 35 or 40 customers with some form of iCLASS implementation, all college campuses.”

Maximize your card technology . . . Campus Card Systems • Access Control and Integrated Security Solutions Food Service Management Tools • Online Ordering • Catering and Event Management Housing Assignment Systems • Judicial Conduct Tracking

. . . One safe student at a time. • Improve safety • Drive revenue • Reduce costs Learn how at

The CBORD Group, Inc. · 61 Brown Road · Ithaca, NY 14850 · TEL: 607.257.2410 · FAX: 607.257.1902

David Stallsmith, ColorID product management director, agreed that iCLASS would be beneficial compared to a prox card, citing the increased memory and ability to be used with more applications. The top concern for many universities is physical access control, and officials are often willing to pay a little more for a more secure card, explains Stallsmith. “We tend to recommend iCLASS in most cases because HID manufactures its own cards and their support is excellent,” he says. “When they’re going to re-card the whole campus at one time the school needs to know that the cards can be delivered on time and that they work.”

Quick rollout

Winkelman says the contactless conversion went fast. “From signing the contract, it took about three months.” The campus card system deployed is CBORD’s CS Gold, which handles both debit, through the mag stripe, and physical access, through the contactless iCLASS chip, says Winkelman.

Emerson now has iCLASS readers mounted at each of the guard posts when entering buildings. “When someone presents the card, his picture comes up on the screen so the guard can see that the picture matches the photo,” says Emerson’s Travis. “He doesn’t have to look at the card but can see the photo.”

Mag stripe card readers and POS terminals were installed in the dining hall. In addition, readers were installed at copying, laundry and vending machines. About 50 iCLASS-based door access readers were installed across the campus, says Travis.

Emerson went with HID’s Corporate 1000 program that guarantees a certain range of ID numbers are assigned to Emerson and won’t be duplicated at any other site, says Travis. CBORD’s UGryd system for off-campus card use was also implemented. “Right now about a half dozen businesses, mostly food and one CVS pharmacy, accept the Emerson card,” says Travis.

The school is also testing an elevator card reader that controls access to certain floors. “One floor of our dorm includes apartments for guest artists or scholars in residence,” says Travis. “This allows guests access to their apartment but no one else can get to that floor.”

“A distinct advantage of utilizing contactless is that students no longer have to hand the card to a guard at the desk … they can keep the card in their wallet or bag and present it at the reader,” says Travis. When asked about the advantages for his team, he explains, “I like the fact there’s no moving parts, no mag stripe read heads which means fewer repairs.”

Q&A: HID’s Trusted Identity Platform

HID Global’s Trusted Identity Platform was first introduced in March but the identity provider is rolling out more features to the system as the year progresses. A recent partnership aims to enable HID’s iCLASS credentials on NFC chips. This would allow mobile handsets to function as access control tokens and more, says Tam Hulusi, senior vice president of strategic innovation and intellectual property at HID. The credentials will be delivered to the devices via HID’s Trusted Identity Platform, which verifies all points in a system or network so that transactions can be trusted, explains Hulusi. Re:ID spoke with Hulusi to understand the significance of the Trusted Identity Platform.

Q: What is the Trusted Identity Platform?

A: The Trusted Identity Platform, or TIP, is a secure network that provides the framework for creating, delivering and managing secure identities. Simply put, the architecture is a central secure vault that serves known endpoints – such as credentials, readers and printers – on a secure network connection and within a published cryptographic key management security policy. HID Global refers to this as a bounded-type system, where all the devices attached to it are known and therefore trusted to exchange information securely. The TIP architecture is scalable, its transmission protocol and encryption models are standards-based, and it can support multiple applications. TIP systems also can be virtualized and cloud-based, and therefore can provide services across the Internet without compromising security. TIP’s secure delivery infrastructure will provide the framework for all future security identity products from HID Global.

Q: Why did HID Global develop TIP?
A: Access control system equipment is migrating well beyond cards and readers into a whole new era of configurable credentials, contactless technologies, and a world in which mobile phone and other devices can carry “digital keys” that they receive over the air or via the Internet. Near Field Communications is a promising technology that makes this possible, but the only way to make it secure is if the industry can establish an identity methodology based on a com-



9th Annual

SMART CARDS in GOVERNMENT Identity, Security & Healthcare

Nov. 17–19, 2010 Pre-conference Workshops Nov. 16

Walter E. Washington Convention Center, Washington, DC

The Leading Showcase for Government Projects in ID and Security Who Should Attend? The conference draws key decision makers from every level of government and industry. Over 800 will attend, including government and industry executives, administrators and technologists

Join the Leaders

The 9th Annual Smart Cards in Government Conference will look at the opportunities and challenges ahead for government issuers, accreditation and testing authorities, procurement programs, and the industry to meet the government’s market demands.

Building on years of development and tens of millions of government-issued smart cards, the conference expands its focus on emerging identity and security developments by including new government initiatives to improve and implement electronic medical records (EMRs). The conference will cover new smart card applications with the potential to improve the security and privacy of patient information, provide the secure carrier for portable medical records, reduce healthcare fraud, provide secure access to emergency medical information, and provide the platform to implement other electronic applications as needed by the healthcare IT industry. Conference sessions will reflect and amplify the thought leadership of the Smart Card Alliance Healthcare and Identity Councils.

New This Year: Expanded Coverage of Secure Electronic Medical Records

Continuing Coverage of Expanding Smart Card Deployments

The conference will provide comprehensive coverage of the continuing rollout of Personal Identity Verification (PIV) credentials, biometric-enabled security systems, and other programs deploying millions of smart cards to government employees, contractors, and U.S. citizens, including the First Responder Authentication Credential (FRAC), Transportation Worker Identification Credential (TWIC) programs, and more.

Largest Exhibition of Government ID Technology

For exhibit and sponsorship opportunities contact Bill Rutledge, 212-866-2169







ActivIdentity • AMAG Technology • ASK intTag • AVISIAN Inc. • Aware Inc. • CPI Card Group • CSC • Datacard Group • Digital Identification Solutions • Exponent Inc. • Gemalto • Giesecke & Devrient • HID Global • HP • Identification Technology Partners, Inc. • Identity Stronghold • International Card Manufacturers Association • Kaba Access Control • L-1 Identity Solutions • LaserCard Corporation • Lenel, a UTC Fire & Security Co. • MorphoTrak • Muhlbauer Inc. • NXP Semiconductors • Oberthur Technologies of America Corp. • SafeNet • SMARTRAC Technology Group • Software House/Tyco International • Teslin Substrate by PPG Industries

Register Early: Take Advantage of Pre-Registration Discounts •

prehensive chain of custody, in which all end points in a system or network can be validated so that identity transactions between them can be trusted at any time. HID Global has spent three-years creating a solution to this challenge, and the resulting TIP secure identity system is a simple but protected identity transaction system that we believe represents the future of the physical security world.

Q: How does TIP work?

A: TIP provides a protected identity transaction network that enables validation of all endpoints, or nodes, in the network so that transactions between the nodes are trusted. At the heart of the TIP framework is a central secure vault that serves known endpoints, such as credentials, readers and printers, on a secure Internet connection, within a published security policy.

Endpoints – such as credentials, readers and printers – communicate with the Vault via rules governed by HID Global’s Key Management Policy and Practices (KMPP). Using industry-standard cryptography, TIP messages between endpoints are encrypted by two nested symmetric keys to form Secure Identity Objects.

Several Secure Identity Objects can be nested in a TIP message to deliver multiple instructions to different devices such as access cards, smart phones and computers, each with different access control characteristics, if required. The simplest Secure Identity Object is the emulation of credential data from an iCLASS card. Once a “handshake” is accomplished between the Secure Vault and an endpoint device, the device is deemed to be trusted in the network. Trusted devices no longer need to communicate with the Vault and can operate independently. In this way the transaction between endpoints, such as a credential and a reader, is trusted and resulting transactions, such as opening a door or logging onto a computer, can also be trusted.

Q: What does TIP consist of?

A: The TIP model consists of three central elements:

• The Secure Vault, which provides a secure storage capability for encryption keys, available to known and trusted endpoints,
• A Secure Messaging methodology to secure messages to the node endpoints using industry-standard transmission protocols and nested symmetric key methods, and
• A Key Management Policy and Practices (KMPP) governance that sets the rules by which the Secure Vault is accessed and keys are distributed to endpoints.

Data security, privacy and reliability are ensured using symmetric-key cryptography, so that all endpoints can execute trustworthy transactions. This approach delivers security beyond the hardware level, extending trust boundaries to other third-party platforms supporting TIP protocols.

Q: How does TIP establish endpoints and trusted transactions?

A: Endpoints are created by implementing a TIP node protocol and a resident Genesis Key so that they can be recognized and registered by the Secure Vault as a trusted member of the network. This means that they are allowed to exchange data with the Secure Vault.

Q: What are HID’s plans for deploying TIP?

A: HID Global will announce and begin deploying TIP later this year, and has already taken a first, big step toward realizing its vision of a trusted, virtual and on-demand identification network with the announcement of the partnership with NFC chip provider INSIDE Contactless. The partnership will enable NFC phones to hold the same iCLASS access control and credential information as our physical smart card, and it will be delivered via the TIP system.

HID plans to announce other partnerships that will combine contactless solutions, NFC and other widely deployed technologies to create a variety of platforms, from mobile phones to laptops, for applications ranging from user authentication to cashless vending and PC log-on security. These platforms and applications will significantly extend the value proposition for contactless smart card credentials.
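The answers above describe a vault that admits endpoints through a Genesis Key handshake and then wraps credential data in two nested symmetric keys so that a trusted reader can check a credential without calling home. The Go program below is an added illustration of that trust model, written for this page; it is not HID’s code, and TIP’s real protocol, key lengths and message formats are not specified here, so the use of AES-256-GCM for each layer, HMAC-SHA256 for the handshake proof, the key-wrapping step, the reader and credential names and the sample credential string are all assumptions of this model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { panic(err) }
	g, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return g
}
// seal authenticates and encrypts pt under key, binding aad; the random 12-byte nonce is prefixed.
func seal(key, pt, aad []byte) []byte {
	nonce := randomBytes(12)
	return gcmFor(key).Seal(nonce, nonce, pt, aad)
}
// open reverses seal; any change to the nonce, ciphertext, tag or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < 12 { return nil, errors.New("sealed object too short") }
	return gcmFor(key).Open(nil, sealed[:12], sealed[12:], aad)
}

// Vault models the central secure vault: the Genesis Key registry plus the two nested keys.
type Vault struct {
	genesis       map[string][]byte // endpoint ID -> Genesis Key (hypothetical provisioning)
	transportKey  []byte            // outer layer: messages between vault and endpoints
	credentialKey []byte            // inner layer: the credential data itself
}
func NewVault() *Vault { return &Vault{map[string][]byte{}, randomBytes(32), randomBytes(32)} }
// Enroll provisions a Genesis Key for an endpoint (assumed to happen before deployment).
func (v *Vault) Enroll(id string) []byte { v.genesis[id] = randomBytes(32); return v.genesis[id] }
// Prove is the endpoint's half of the handshake: an HMAC over the nonce with its Genesis Key.
func Prove(genesisKey, nonce []byte) []byte { m := hmac.New(sha256.New, genesisKey); m.Write(nonce); return m.Sum(nil) }
// Handshake admits an endpoint whose proof verifies and returns both keys wrapped under its Genesis Key.
func (v *Vault) Handshake(id string, nonce, proof []byte) ([]byte, error) {
	gk, ok := v.genesis[id]
	if !ok || !hmac.Equal(Prove(gk, nonce), proof) { return nil, errors.New("handshake failed") }
	return seal(gk, append(append([]byte{}, v.transportKey...), v.credentialKey...), []byte(id)), nil
}
// IssueSIO nests two layers: credential under the credential key, then that ciphertext under the
// transport key with the target endpoint ID as associated data.
func (v *Vault) IssueSIO(credential []byte, target string) []byte {
	inner := seal(v.credentialKey, credential, []byte("credential"))
	return seal(v.transportKey, inner, []byte(target))
}

// Endpoint is a reader (or NFC phone) that, once trusted, opens SIOs without the vault.
type Endpoint struct {
	ID                          string
	transportKey, credentialKey []byte
}
// Join runs the handshake from the endpoint side and unwraps the delivered keys.
func Join(v *Vault, id string, genesisKey []byte) (*Endpoint, error) {
	nonce := randomBytes(16) // the vault would issue this; drawn locally to keep the model short
	wrapped, err := v.Handshake(id, nonce, Prove(genesisKey, nonce))
	if err != nil { return nil, err }
	keys, err := open(genesisKey, wrapped, []byte(id))
	if err != nil { return nil, err }
	return &Endpoint{id, keys[:32], keys[32:]}, nil
}
// OpenSIO peels both layers; it fails if the object was altered or addressed to another endpoint.
func (e *Endpoint) OpenSIO(sio []byte) ([]byte, error) {
	inner, err := open(e.transportKey, sio, []byte(e.ID))
	if err != nil { return nil, fmt.Errorf("outer layer: %w", err) }
	return open(e.credentialKey, inner, []byte("credential"))
}

// Scenario: two enrolled readers, one SIO (constructed sample credential) addressed to the lobby
// reader; returns the recovered credential and whether each failure case is rejected.
func Scenario() (cred string, tamperRejected, wrongReaderRejected, strangerRejected bool, err error) {
	vault := NewVault()
	lobby, err := Join(vault, "reader-lobby", vault.Enroll("reader-lobby"))
	if err != nil { return }
	dorm, err := Join(vault, "reader-dorm-7", vault.Enroll("reader-dorm-7"))
	if err != nil { return }
	sio := vault.IssueSIO([]byte("facility=42;card=100123"), "reader-lobby")
	plain, err := lobby.OpenSIO(sio)
	if err != nil { return }
	tampered := append([]byte{}, sio...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the outer authentication tag
	_, tamperErr := lobby.OpenSIO(tampered)
	_, dormErr := dorm.OpenSIO(sio)                                // wrong reader: aad mismatch
	_, strangerErr := Join(vault, "rogue-reader", randomBytes(32)) // never enrolled
	return string(plain), tamperErr != nil, dormErr != nil, strangerErr != nil, nil
}
```

Two design points carry over to any system of this shape: the outer layer binds the target endpoint ID as associated data, so an object lifted from one reader is useless at another, and the inner layer stays sealed under a key that only endpoints admitted through the handshake hold, so the transport layer can be terminated by intermediate infrastructure without exposing credential data. The three rejection checks in Scenario (altered object, wrong reader, unenrolled device) are the tests a deployer should keep around for whatever real implementation replaces this model.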

Newly approved FIPS 201 products

Research detailed product listings and compare different vendor offerings online at, the most robust source for FIPS 201, HSPD-12, ISO 24727 and PIV products and services.

Cryptographic Module
• nShield Edge, Thales e-Security, Inc.

Fingerprint Capture Station
• FS60 3.2”x3.0” USB2.0 Fingerprint Capture Station, Futronic Technology Co Ltd.

Facial Image Capturing Station
• L-1 Camera Tower OLY E420; L-1 Camera Tower OLY SP350, L-1
• PreFace SDK with Videology 24C7.38USB; PreFace SDK with Videology 24Z704USB, Aware, Inc.

PIV Card
• G&D StarSign® Sm@rtCafé® Expert 80K with PIV Applet, Giesecke & Devrient

PIV Card Printer Station
• SCOPE 5400, Muhlbauer, Inc.

Single Fingerprint Capture Device
• ASEDrive IIIe KB Bio PIV, Athena Smartcard
• FS60 3.2”x3.0” USB2.0 Fingerprint Capture Station; FS98 USB2.0 Mini Fingerprint Scanner; FS99 USB2.0 Mini Fingerprint Scanner Module, Futronic Technology Co Ltd.

Futronic’s FS60 fingerprint scanner is a cost effective solution for large scale fingerprint identification systems. It uses an advanced optical system to capture high quality four-fingerprint images in less than one second. With a large 3.2 x 3.0 inch (81.28 x 76.20 mm) scanning area, it is ideal for use in electronic ID, border control, passport issuance and secure voting applications. It can also capture rolling fingerprint images in a 1.6 x 1.5 inch (40.64 x 38.10 mm) scanning area. Fully programmable LEDs, buttons and an acoustic buzzer enable intuitive user interface design.

Caching Status Proxy
• Brivo ACS Onsite Aparato, Brivo Systems, LLC

Electromagnetically Opaque Sleeve
• One Hander Guardian, EK Ekcessories, Inc.
• Privacy Protection Foil, Bensons International Systems

Transparent Card Reader
• SCR339, SCM Microsystems, Inc.
• ASEDrive IIIe Combo Bio PIV; ASEDrive IIIe KB USB; ASEDrive IIIe USB V2; ASEDrive IIIe USB V3, Athena Smartcard, Inc.
• iCLASS RK40 (part 6130CKN000000-G3.0); iCLASS RMK40; iCLASS RMPK40; iCLASS RPK40 (part 6136CKN000000-G3.0), HID Corporation
• SecuGen iD-USB SC/PIV, SecuGen Corp.
• USB Smart Card Reader, Alcor Micro, Corp.
• Ricoh Smart Card Reader

The premiere resource for compliant credentialing

Get your FIPS 201 Approved Product listed on, customizing photos, links, brochures, contact information, and more. Contact for more information.

Contact: Ryan Kline, Coordinator, 850-391-2273

id technology resource: visit to research and compare approved products

Peer-sourced ID vetting comes to Facebook

Security application enables friends to verify one another’s identities

Zack Martin, Editor, AVISIAN Publications

Those friend requests seem to come in bursts on Facebook. Nothing for weeks and then “boom” 10 requests in four days. Some requests are easy to accept but others can be difficult. “How do I know this person? Do we have friends in common?” These are frequent questions but the most difficult one is: “How do I know that person is really who they claim to be?”

Privacy on Facebook is a hot topic these days. Adding friends can be risky as you share personal information with people you can’t see face to face. You think you know the request is really from your friend, the person claiming the identity, but you must take them at their ‘digital word.’

Matias Huvelle, COO at My Safe Corp., and his two partners saw this vulnerability as their children began using social networking sites. “We thought of an app for different social networks,” he says, “to help our kids and other users around the world have a more secure identity.”

The company created MySafeFriend, a Facebook application that lets friends confirm one another’s identities. There are five levels, the first three are free, and each one requires different tasks. While the application is live on Facebook, Huvelle says his company is looking to port it to other social networking sites as well.

In order to become validated at the different levels a user must earn points. These points are earned by being validated by other users, a mix of people who have gone through the process already and those who have not. As the levels get higher the point totals increase.

Level four validation requires a payment card. The application compares certain data provided against data from the card transaction. Optionally, you can validate your mobile phone number. The charge is $3 for two years of validation. Level five validation will be the highest level, explains Huvelle, but details have yet to be worked out on this assurance level.

My Safe Friend is rolling out a marketing plan to educate people on the application, Huvelle says. In order for the system to work properly it needs to gain a critical mass of users to authenticate one another. That’s the biggest hurdle the site will have to overcome. The promise of a validated identity is a good one, but it remains to be seen whether it will be enough to get individuals to use the application.

Secure = Facebook Identity



When it comes to identity management, trust is not a one-way street. You need a solution that not only establishes foolproof identities but also protects the personal information of every citizen. At CSC, we deliver integrated identity management and privacy assurance solutions that create confidence and earn public trust. You can count on us to seamlessly integrate the latest technology, systems, policies and business processes into a solution that is secure, efficient and, most of all, trustworthy. CSC Public Sector CSC.COM/NPS

I want...

a powerful Direct-to-Card printer that gives me maximum security and works seamlessly in my network.

HID Global introduces the new FARGO® DTC4500

A breakthrough in powerful, secure and versatile card personalization

The FARGO® DTC4500 packs an extremely robust and highly reliable print engine that delivers speed, power and versatility to meet the most rigorous secure issuance requirements. With a 500 card ribbon capacity and the ability to feed 200 cards at a time as standard features, the DTC4500 makes daily runs of thousands of cards fast and easy. Field-upgradeable options, such as technology card encoding, UV printing or single and dual-sided lamination modules, offer added durability and security when more sophisticated card applications are required. And its unique high-speed dual-sided simultaneous lamination saves valuable time. With its ability to print and encode through a single Ethernet cable, the DTC4500 plays well with everything else in your network. All this and it’s backed by a two-year warranty from HID Global, the world leader in secure identity solutions.

To learn how HID can help with your card personalization needs, visit

Regarding ID Fall 2010

Regarding ID Magazine features the best editorial insight from across the ID technology landscape.