Regarding ID Fall 2015 by AVISIAN

43 A SURVEY OF ID TECHNOLOGY - FALL 2015 - ISSUE 43

Did the Feds create the

FRAMEWORK 5 TR

UST

FRAM

EWO

RKS

for digital ID?

- OPM breach prompts PIV usage - Driver licenses stronger after REAL ID - Biometrics secure construction sites

T S OT USERS 2.3 MILLION PIL

ILLIO

14 PILOTS

ERS

RTN

PA ILOT

C I 125

Make sure every visitor is a welcomed one.

HID Global Secure Visitor Management solutions track your guests and protect your facility. Upgrade from unsecured paper guest books to the robust security of our EasyLobby® Secure Visitor Management solution. With EasyLobby, you can identify who is in your facility and why, control access to secured areas, screen against unwanted guests and more. Just scan each visitor’s ID and print a customized badge in seconds. And it’s scalable, so you’ll get the protection you need as your company grows. Request a free web demo at hidglobal.com/welcomed-cr80 © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, and EasyLobby are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.

HOW DOES YOUR COMPANY IDENTIFY ITS EMPLOYEES?

By providing ID badges instantly with an Evolis card printer Evolis card printers include modules allowing personal data to be encoded within the card. You can, therefore, use your badges to secure access and strengthen security within your company. Evolis printers together with cardPresso software offer an easy-to-use and powerful system.

www.evolis.com

MORPHOWAVE

AWARDED BEST NEW PRODUCT OF 2015 BY SIA Revolutionary touchless biometric access solution Ideal for high traffic areas Multifinger matching with a single hand movement On-the-move matching

Maximum efficiency and security from the world leader in biometric solutions with #1 NIST-rated fingerprint technology

www.morpho.com/usa 1-800-444-0496 info.usa@morpho.com

“ I’m starting a new job, finishing my degree and I have a true passion for the arts. I’m proud of my work and the cards in my wallet represent my life.”

— Robert H. Marketing Director Corporate Technologies

Every person in your program has multiple identities, and securing and protecting those identities is no small task. Datacard® ID solutions empower enterprises to protect what’s most important to them in an increasingly connected world with trusted, long-lasting, secure ID cards.

Visit Datacard.com/ReID to learn more by downloading your free ID Solutions Guide.

DATACARD GROUP IS NOW ENTRUST DATACARD

CONTENTS

eID adoption dichotomy shows North America behind its southern neighbors

Technology advances improve passport issuance and control

Fall 2015

18 Cover Story: Did the Feds create the framework for digital ID? In the past three years the U.S. government has spent more than $20 million on 14 pilots to foster an identity ecosystem. Advances have been made by NSTIC, but are we really any closer to securing cyberspace? The AVISIAN editorial team put the pilots to the test, asking each for outcomes and lessons learned.

AAMVA: Create Cross Sector Digital ID Initiative for Virginia DMV

ID.me: Deploy privacy-enhancing authentication engine

Michigan: Authenticate users for cross-agency state services

UK’s version of NSTIC: Verify brings online ID for citizen access

Pennsylvania: Access state benefits with Keystone ID

GTRI: Develop Trustmark framework for online ID

Internet2: Bring multi-factor authentication to campus

TSCP: Test trusted credentials for financial services

Resilient: Build trust network for health care and education

Daon: Authenticate seniors via mobile biometrics

Criterion: Implement attributeexchange network

Confyrm: Prevent account takeovers by ‘sharing signals’

MorphoTrust: Secure citizen access to health services

Privo: Secure kids’ identities online

University of Texas offers master’s in identity management 38

Biometrics securing construction sites 26

32 A decade after REAL ID It has been a decade since REAL ID was signed into law and while some are still struggling to issue better driver licenses, the majority of states have made strides to secure the identity documents and the issuance processes.

44 ‘Cyber sprint’ forces two-factor auth into Fed government When the OPM breach impacted millions of employee records, federal agency use of PIV cards for strong authentication was dismally low. This prompted a “cyber sprint” that increased adoption and, subsequently, the security of government networks.

6 A decade of progress Passports, PIV, REAL ID, NSTIC are impacting the identity landscape

A decade after REAL ID Driver license security improving, but holdout states risk resident’s ability to fly

8 ID Shorts News and posts from the web

University of Texas offers master’s in identity management

18 Did the Feds create the framework for digital ID? Three years in, NSTIC lessons emerging

Security industry readies to tackle the Internet of things

‘Cyber sprint’ forces two-factor auth into Fed government Massive OPM breach gives OMB the ammo needed to drive PIV use

26 Biometrics securing construction sites Tech saves money, increases security 30 The highway to two-factor hell Password hell is bad, but the popular fix could be worse

re:ID National eID Series: Different Americas Adoption dichotomy shows North America behind its southern neighbors

The three pillars of a secure ID: Card materials, personalization and Issuance models

User-managed access enables consumer consent for digital ID

Fake company lures hackers to decimate small business

Technology advances improve passport issuance and control

Fall 2015

ABOUT

EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andrew Hudson, andrew@AVISIAN.com CONTRIBUTING EDITORS Liset Cruz, Autumn Cafiero Giusti, Gina Jordan ART DIRECTOR Ryan Kline ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions. avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2015 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors. EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com

Fall 2015

A DECADE OF PROGRESS PASSPORTS, PIV, REAL ID, NSTIC ARE IMPACTING THE IDENTITY LANDSCAPE ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

Virtually every time I go through airport security, I hear people bemoan removing their shoes and taking their laptop out of its case, asking, “are we really any safer than we were before 9/11?” While I am a typically a cynic, I do believe that the identity initiatives that have come after 9/11 have improved the safety and security of the country. The programs are not perfect, but they have made progress when it comes to securing identity. The different initiatives all have the same underlying mission: increase security through strong identity. With ePassports it was placing a contactless chip into the familiar passport books to reduce document fraud and add additional security when travelers enter or exit a country. In the case of HSPD-12 it’s securing identities for federal employees accessing networks and physical facilities. For REAL ID it’s a matter of securing the processes for issuing driver licenses to ensure that holders of these crucial identity and breeder documents are vetted appropriately and the cards are resistant to fraud. And NSTIC is about securing the virtual world for all consumers so that everyone can safely transact online. While these initiatives are far from perfect, each is making progress in its own right. Hundreds of millions of ePassports have been issued around the globe. The documents are more secure and counterfeit resistant, but actually reading the secure contactless chip at border crossings has taken some time. In the past couple of years, the process has started and chips are beginning to read. More than 5 million federal employees have been issued PIV credentials, though the volume of use for logical access has been less than stellar. Sadly it took a disastrous breach – OPM’s loss of more than 20 million records – for federal officials to take action. This summer’s 30-day cyber sprint upped the level of use by 30%. Now, the White House reports that 70% of federal employees are using PIV for access to networks. REAL ID was unpopular when it was signed into law, with many labeling it a de facto national ID program. Over the years there have been attempts to repeal it and

PERSPECTIVE plenty of protests. Fast-forward to today, however, and the vast majority of states are striving to comply – improving issuance processes, vetting and document security. The state of driver licenses was dismal prior to REAL ID. Each state had its own requirements when it came to what documents citizens needed, and security features of the documents were all over the board. Now if the documents are REAL ID compliant, jurisdictions can have confidence in the vetting that went into issuing that ID. NSTIC, the newcomer on the block, is different in that its mission is to catalyze the private sector to create a privacy-enhancing, interoperable, secure digital credential. The NSTIC national program office has worked to energize the market through a series of pilots exploring different aspects of an identity ecosystem. In three years, 14 pilots have been funded at a cost of more than $20 million with more projects to be announced shortly. Though we’re not yet ready to call NSTIC a success and begin deploying standardized, high-assurance digital IDs, we are learning and taking steps. Two NSTIC pilots are using data from DMVs to validate an identity so that they can issue credentials to people for access to online services such as Medicaid and other benefits.

There are also discussions around enabling government employees to use their PIV credentials for other purposes as well. Connect.gov enables individuals to access government web sites using credentials they already have. The project is working with the USDA, IRS, Centers for Medicaid and Medicare Services, Veteran’s Affairs and others agencies. The system accepts a number of existing credentials, including Yahoo, PayPal and Google as well as PIV. Of course, I always wish things moved faster. When you focus on any single initiative, it is easy to see the drudgery and the lack of rapid advancement. But when you look at the collective – really step back and see the forest through the trees – our progress takes shape. In little more than a decade, as a society we have progressed from not even realizing we were at risk to taking fairly significant steps on major fronts. Is it perfect? No. Are we done? No. But we are better off, despite what the naysayers – me included – often say.

P V

SOLUTION Brilliantly simple end-to-end architecture that reduces installation and equipment costs and delivers federal users strong and fast contactless authentication.

security.gallagher.com

Fall 2015

ID SHORTS

HIGHLIGHTS FROM SECUREIDNEWS.COM

IDENTIV PACS READER GSA APPROVED An Identiv access control reader designed for government use is now included on the U.S. FICAM Approved Products List. The General Services Administration lab, which is part of the Federal Identity, Credential, and Access Management (FICAM) Testing Program, has evaluated and approved Identiv’s uTrust TS ScramblePad, joining the mullion, wall mount, and keypad models already on the approved list. The uTrust TS ScramblePad is an update to the company’s patented scrambling keypad door reader for highsecurity government and commercial entryways. The update adds new security features, including support for more than 1,500 credentials such as PIV, PIV-I, CAC, FICAM E-PACS, PKI, DESFire EV1, MIFARE, and PLAID. Using open communication protocol including Wiegand, RS-485 and Ethernet, the device offers simple migration from the previous ScramblePads to RS-485 or Ethernet-based FICAM E-PACS compliance.

Fall 2015

Identiv’s uTrust TS Government Readers are designed for agency customers to support existing building access systems – such as Identiv, Lenel, AMAG, Honeywell, or Software House – and provide a forward path to FICAM compliance.

HID UNVEILS PIN TOKEN HID Global expanded its identity assurance portfolio with the addition of the

ActivID Flexi Token, a PIN pad token designed for mass deployment by financial institutions and enterprises. ActivID Flexi Tokens are designed to minimize an organization’s costs for protecting data in high-volume deployments using a two-factor authentication device. The tokens are easy to mail and carry, and feature an intuitive interface with icons and messages that simplify usage through visual prompts. The token can be utilized for user authentication – OTP or challenge and response – transaction

THE TWO-FACTOR AUTHENTICATION TOKENS CAN BE GRAPHICALLY CUSTOMIZED AND INCLUDE OPTIONS FOR ON-SITE INITIALIZATION

ID SHORTS

CALENDAR 2015 Borderpol International Security Meeting September 9-11 The Dupont Circle Hotel Washington, DC

SEPTEMBER

signing and host verification through a dedicated button on the device. The tokens can be graphically customized and include options for on-site initialization to protect data and enhance security programming. Supporting a choice of security services, standards and algorithms, Flexi Token aims for flexibility in protecting critical data. It also improves security while accommodating “on demand” availability requirements by enabling banks and enterprises to use own their own authentication keys or reinitialize products on-site when new keys must be issued.

eIDConference 7TH edition September 28-29 Washington Marriott Wardman Park Washington, DC ASIS 2015 September 28-October 1 Anaheim Convention Center Anaheim, Calif.

DECEMBER

NOVEMBER

OCTOBER

MICROSTRATEGY INTRODUCES USHER FOR APPLE WATCH MicroStrategy’s security and analytics platform, Usher, added Apple Watch to its arsenal of biometric mobile identity and multi-factor authentication options. The system is also designed to ease security administration capabilities. “The app is designed to detect a vast range of business systems, hardware and physical entryways as users approach,” says Paul Zolfaghari, president of MicroStrategy Inc. Users receive prompts via push notifications on their Apple Watch. “They can use the solution to log in to secure web solutions in the morning before heading into work – like Salesforce, VPNs or work email. They can use Usher to gain physical entry to a number of locations when they arrive at work like parking garages, elevators, and other secure areas,” Zolfaghari says. “They can validate user identities in-person or over the phone with numeric one-time Usher codes. They can use Usher to easily access workstations via Bluetooth or a QR scan, eliminating the need for redundant password unlocks.” Usher employs access tokens that are stored in an encrypted format on the mobile phone. The server architecture is built on Public Key Infrastructure to ensure that only authorized users communicate with the Usher server from authorized Usher

Global Identity Summit September 15-17 Tampa Convention Center Tampa, Fla.

Smart Card Alliance NFC Solutions Summit October 7-8 Arizona Grand Resort Phoenix, Ariz. SIA Securing New Ground October 28-29 Millennium Broadway Hotel New York Cartes Secure Connexions November 17-19 Paris-Nord Villepinte Exhibition Centre Paris, France ISC East 2015 November 18-19 Javits Center New York Gartner Identity & Access Management Summit December 7-9 Caesars Palace Las Vegas, Nev.

Fall 2015

ID SHORTS

THE DEA MANDATES THAT PROVIDERS E-PRESCRIBING CONTROLLED SUBSTANCES MUST COMPLETE STRINGENT ID PROOFING, PERFORM TWO-FACTOR AUTHENTICATION AND USE DIGITAL SIGNATURES client devices. When the user initially launches the Usher app, it generates a key pair and a certificate signing request and sends the request to the Usher server. The server returns an access token and X.509 PKI client certificate based on the certificate signing request to the app, associating this access token and certificate with the current user. A self-service web portal enables an administrator to create and manage thousands of badges. Usher badges can be used for password-less authentication to a variety of resources, such as SAMLbased cloud and web apps, Windows and Mac workstations and physical access systems. Credentials and keys are software-based, and a single administrative action can revoke all Usher privileges for a specific user/phone instantly. On a replacement smartphone, users can

Fall 2015

install Usher from the App Store and verify their identity to restore all badges and credentials. On phones with fingerprint scanners, the administrator can force users to verify their identity with Touch ID on iPhones as the single source of identity or as a second factor. “Usher transforms Apple Watch into a key to the enterprise by enabling wearers to log into business systems, unlock computers, validate personal identity, and open physical entryways,” Zolfaghari says.

EXOSTAR PROVIDES IDENTITY SERVICES FOR E-PRESCRIBING Meditab, the developer of Intelligent Medical Software (IMS), selected Exo-

star’s ProviderPass to secure client’s electronic prescription of controlled substances. The solution meets Drug Enforcement Administration requirements while offering a consistent user experience for providers. To help prevent controlled substances from falling into the wrong hands, the DEA mandated that providers e-prescribing controlled substances must complete a stringent identity proofing, perform two-factor authentication and use digital signatures when submitting prescriptions. Meditab’s IMS ClientConnect portal enables providers to initiate a remote identity-proofing event, conducted in partnership with Exostar via Experian or a live web cam video. It issues OTP hardware tokens for providers following successful identity proofing and then au-

ID SHORTS

thenticates the token for access to EPCS functionality.

EVOLIS CHOSEN TO DELIVER MILLIONS OF VOTER CARDS IN TANZANIA In what has been called one of card printer Evolis’ largest deals ever, the company is in the process of personalizing national voter cards for the Republic of Tanzania. The $4.3 million contract includes 8,400 Zenius printers shipped to Tanzania to prepare for the nationwide elections in October. The National Election Commission is in the midst of a mobile enrollment process to register 23 million eligible voters throughout the country. In the field, portable biometric voter registration cases contain equipment for both enrollment and issuance of voter ID cards. The Evolis Zenius card personalization solution is a key element, capable of cost effective issuance of 150 personalized color cards per hour.

INTERCEDE, CITRIX PARTNER Intercede’s Citrix Ready MyID technology provides credentials that enable to XenMobile customers to securely sign and encrypt corporate email delivered by Citrix WorxMail.

NTT DOCOMO CUSTOMERS CAN USE BIOMETRIC AUTHENTICATION WHEN MAKING MOBILE PAYMENTS AND ACCESSING DOCOMO’S CONTENT AND SERVICES This enables customers to achieve a level of security on mobile devices that was traditionally only possible on a desktop PC with the use of a physical smart card. It bolsters the security of enterprise applications and offers customers strong authentication solutions that meet gov-

ernment security standards including FIPS 201-2 and SP800-157.

NTT DOCOMO DEPLOYING FEDERATED, MOBILE IDENTITY WITH BIOMETRICS NTT DOCOMO is implementing the Qualcomm Snapdragon Sense ID biometric platform and Nok Nok Labs S3 Authentication Suite to deliver strong authentication for the mobile carrier’s Japanese customers. The DOCOMO service including “DOCOMO ID login authentication and carrier billing payment” will help provide customers with better security, as well as ease of authentication when making mobile payments and accessing DOCOMO’s content and services.

Fall 2015

ID SHORTS

DOCOMO will launch the online authentication service with smartphones from Sharp and Fujitsu and plans to expand its biometric authentication offering to additional high-end Android devices in the future. It will enable access to online services from the carrier and other companies using fingerprint sensors and iris recognition on FIDO-enabled devices.

BANK CHOOSES SMS PASSCODE FOR MFA REMOTE LOG-INS When Carolina Bank wanted to strengthen the security of remote employee logins, it chose SMS PASSCODE for a multi-factor authentication solution. “They are using Citrix as the platform for providing the remote access, and Citrix out of the box does not come with multi-factor authentication,” says Henrik Jeberg, managing director of SMS PASSCODE in the U.S. “If you have your users in active directory and you have implemented the necessary remote access platforms like Citrix, then you put a server component on top – in this case SMS PASSCODE – and they log in remotely with that extra level of security,” Jeberg says. In this case, the MFA involves a known user, a password, and a challenge question sent to the user’s mobile phone. If the question is answered correctly, the user is logged in. “A lot of companies want to make it possible for their employees to log in from the outside – in a secure way,” Jeberg says. “It’s a very easy implementation process, and it’s a very low footprint solution.”

LAUNCHKEY BAKES AUTHENTICATION INTO RELYING PARTY’S APP When a relying party wants to add multi-factor authentication, it traditionally involves downloading a third-party app or receiving a one-time password via SMS. LaunchKey wants to change this recipe with its white label product that

Fall 2015

SMS PASSCODE ADDS SECURITY ON TOP, BECAUSE CITRIX OUT OF THE BOX DOES NOT COME WITH MULTI-FACTOR AUTHENTICATION

ID SHORTS

bakes the authentication directly into a relying party’s application. The product enables a relying party to request additional authentication within an app, such as fingerprint, PIN or other factor, says Gabriel Shepard, director of business development at LaunchKey. The system can also use push notifications to confirm transactions or request additional authentication for access. The company is focusing on health care, hospitality and the bitcoin market, Shepard says. For example, a health care institution might include LaunchKey in its mobile application so that when a nurse accesses a health IT system, the app sends a push notification requesting an additional authentication. Depending on what the nurse is attempting to access, the

authentication can change from a simple PIN to a biometric. LaunchKey’s solution enables geofencing so that systems can only be accessed when the individual’s mobile device is in certain areas and can restrict access based on time of day. In hospitality, the system utilizes Bluetooth to enable mobile access to rooms. After placing an online reservation the guest would receive an email requesting that they download the hotel’s app, Shepard says. The mobile device would then be paired with the email and as soon as they walked on the property they would receive a push notification telling them their room number and what time they can access it. Once the room is available they could go right to their

room and unlock the door with Bluetooth low energy, completely bypassing the front desk. “This maximizes app adoption and provides a better user experience,” Shepard adds.

GEMALTO UNVEILS NEW EPASSPORT INLAYS Gemalto’s new Sealys Premium inlays and eCovers for electronic passports add flexibility to bookbinding operations and enhance aesthetic qualities. Sealys Premium inlays and eCovers enables national printers to add efficiency to manufacturing processes and create ePassports that are thinner, flatter and more

LAUNCHKEY’S SOLUTION ENABLES GEO-FENCING SO THAT SYSTEMS CAN ONLY BE ACCESSED WHEN THE INDIVIDUAL’S MOBILE DEVICE IS IN CERTAIN AREAS

Fall 2015

ID SHORTS

THE SEALYS INLAY MARRIES THE DURABILITY OF SYNTHETIC FILM TO THE THINNESS OF PAPER SO BOOKLETS CAN FOLD AND LIE COMPLETELY FLAT

visually appealing. The new inlays and eCovers exceed ICAO durability tests. Gemalto’s ultra-thin Sealys Premium inlays and eCovers are marrying the durability of a synthetic film to the thinness of paper. Booklets can fold and lie completely flat, and the new inlay is more resistant to delamination, a classic means of attack by those seeking to remove or tamper with the microprocessor.

SECURITY PROVIDER BRIVO ACQUIRED FOR $50 MILLION Brivo announced that the company has been wholly acquired for $50 million by Dean Drako, president and CEO of Eagle Eye Networks. As Brivo’s owner, Drako

Fall 2015

will serve as the company’s chairman while Steve Van Till, Brivo’s president and CEO, will continue leading the company. Brivo’s cloud-based access control system currently serves more than 6 million users at 100,000 access points. It provides access control for small and medium size businesses, along with scalability and centralized management for global enterprises. The stated goal of the deal is to accelerate the cloud technology shift already underway in the physical security industry by combining Brivo’s cloud access control with Eagle Eye Networks’ cloud video surveillance solutions.

CARILLON, TELOS PARTNER FOR PIV-I Carillon Federal Services and Telos Identity Management Solutions are collaborating on high assurance interoperable Personal Identity Verification (PIV-I) credentials for use with Telos ID’s TSA Designated Aviation Channeling and FBI channeling programs. Carillon is licensed by the U.S. Government to issue and manage PIV-I credentials for verifying the identities of non-government employees who have been granted physical or logical access to government facilities or technology infrastructure. Telos ID is one of three organizations named by the Transportation Security Administration as a Designated Aviation Channeler, eligible to submit aviation worker information to TSA for background checks required for access to secure areas. Telos ID’s FBI-authorized non-criminal fingerprint background service supports state and federal government agencies as well as qualifying commercial organizations.

ID SHORTS

EMOJIS COMING TO A PIN PAD NEAR YOU For those who favor smiley faces and other emoticons over numbers and letters, a new way of logging into financial accounts is on the horizon. Intelligent Environments, a provider of mobile solutions for financial service organizations, launched Emoji Passcode. The company touts emoji as the fastest growing language in the UK. “Our research shows 64% of millennials regularly communicate only using emojis,” says David Webber, Managing Director at Intelligent Environments. “So we decided to reinvent the passcode for a new generation by developing the world’s first emoji security technology.”

Emoji Passcode has been integrated into Intelligent Environments’ Android digital banking app. The service enables consumers to log into their banks using four emoji characters – selected from a cast of 44 – instead of traditional PINs or passwords. The company says emojis are easier to remember and mathematically more secure than traditional passcodes. “There are 480 times more permutations using emojis over traditional four digit passcodes,” Webber says. “In addition, it will prevent hackers from identifying common and easily obtainable numerical passcodes, like a date of birth or a wedding anniversary. This new emoji security technology is also easier to remember as research shows humans remember pictures better than words.”

CONSUMERS LOG INTO THEIR BANKS USING FOUR EMOJI CHARACTERS – SELECTED FROM A CAST OF 44 – INSTEAD OF TRADITIONAL PINS. THERE ARE 480 TIMES MORE PERMUTATIONS USING EMOJIS THAN WITH FOUR DIGIT PASSCODES.

Fall 2015

ID SHORTS

OBERTHUR RELEASES NEXT-GEN PIV Oberthur Technologies announced that its latest generation of PIV cards, ID-One PIV on Cosmo V8, has been submitted to the General Services Administration for inclusion on the HSPD-12 Approved Products List. The new FIPS 201-2 compliant smart card is significantly faster than current PIV cards utilized by U.S. Federal agencies, says Rick Patrick, senior vice president in the Identity Group-North America at Oberthur Technologies. ID-One PIV is a physical and logical se-

SAMPLE

FIDO ADDS BLUETOOTH, NFC TO SPEC The FIDO Alliance introduced additions to the FIDO 1.0 specifications, adding Bluetooth Low Energy and Near Field Communication protocols to its U2F spec. This makes FIDO U2F appropriate for mobile applications and devices that do not have a USB port. The U2F Bluetooth transport specification enables the creation of special-purpose, Bluetooth Smart U2F devices that require just the press of a button to authenticate to an online service. In addition, phones and peripherals, which consume more power, can be programmed to act as U2F devices using Bluetooth. The U2F NFC transport specification enables the creation of portable U2F devices such as credit cards and keyfobs that are simply tapped against the target device to authenticate to an online service. Alternately, a mobile phone with NFC capability can be programmed to act as an NFC U2F device. The user taps the mobile phone onto a target device to authenticate.

ONLINEAUCTION.COM INKS IMAGEWARE curity access card solution that provides identity proofing, general authentication services and secures post issuance management. Initially designed for all Federal employees and contractors, the cards also can be issued by non-federal issuers.

Fall 2015

ImageWare Systems will provide its GoVerifyID mobile biometric security software to OnlineAuction.com’s 200,000 members. Also known as OLA.com, the company provides online auctioning services throughout the world and is expecting significant expansion later this year as it begins to service the Asia-

Pacific market. Using GoVerifyID, OLA members will access their accounts via biometric authentication using either voice or facial recognition.

CALIFORNIA DMV TAPS GEMALTO FOR DOCUMENT VERIFICATION Gemalto is providing the California’s 200 Department of Motor Vehicle offices with its Coesys Document Verification software solution. It enables DMV officials to verify the authenticity of documents such as passports, identity cards and driver licenses by checking graphical data and security features against reference templates from an array of issuing countries. The California DMV issues thousands of ID documents every day, and using Gemalto’s technology is able to streamline the review process to overcome challenges authenticating breeder documents. Gemalto’s solution confirms the authenticity of documents and the identity of applicants instantaneously to identify counterfeits and reduce fraud.

Easy to Authenticate. Difficult to Replicate.

TESLIN® substrate (pictured left) is the proven global substrate for secure credentials and ID cards.

When credential security and durability are paramount, TESLIN® substrate… • Offers exceptional flexibility to outlast more rigid card materials while protecting and cushioning embedded electronics.

• Features the ability to be customized with embedded security features for program-specific formulations that enhance material tracking and credential authentication. • Locks in printed graphics and forms virtually indestructible bonds with overlay and card body substrates to deliver highly secure card constructions. • Delivers tamper-evident protection by permanently distorting if alteration is attempted. • Prints unparalleled high-definition color images for quick and easy authentication by field agents.

Learn more by visiting Teslin.com/Easy.

Did the Feds create the

FRAMEWORK for digital ID?

THREE YEARS IN, NSTIC LESSONS EMERGING GINA JORDAN & ZACK MARTIN, AVISIAN PUBLICATIONS

“PROGRESS INCLUDES FIVE NEW TRUST FRAMEWORKS CROSSING SIX MARKETS, 2.3 MILLION PARTICIPANTS AND 125 PARTNERING ORGANIZATIONS” — MIKE GARCIA, ACTING DIRECTOR, NSTIC PROGRAM OFFICE

Fall 2015

In the past three years the U.S. government has spent more than $20 million on 14 unique pilots to foster a secure, online identity ecosystem. To evaluate if taxpayers have gotten value for the investments, re:ID asked each pilot recipient what they have accomplished and what lessons have been learned. The goal of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is to encourage private companies to create secure, privacy enhancing, interoperable digital identities for consumers. As we enter the fourth year of pilots and investments, it is clear that advances have been made. But does the learning warrant the dollars? “We have made a lot of progress, but no one would claim that digital identity has been solved in four years,” says Mike Garcia, acting director for the NSTIC National Program Office. “But NSTIC has been a catalyst and we’ve seen changes in the marketplace.” Some of these changes include five new trust frameworks crossing six markets, 2.3 million participants and 125 partnering organizations, Garcia says. An example of the successes is UCAID where NSTIC funded a pilot of multi-factor authentication on three college campuses. The project has expanded to 140 campuses as the universities have joined to increase online security for staff and students across the country. “This is the essence of the program,” Garcia says. “We can’t give out credentials to 300 million people, we want to make the market move on its own.” While the UCAID pilot looked at higher education, the American Association of Motor Vehicle Administrator (AAMVA) project looked at health care. “It took authoritative

records from the Virginia DMV and a common social media credential and bound them together to raise the level of trust,” Gracia explains. Pilot participants can now use these credentials to access health care records and resources. These are just two examples of the 14 pilots. The next round of pilots will be announced in September and will look a little different than previous pilots, Garcia suggests. “Over the last three years we took a broad approach,” he explains. “This time we’re asking people to tell us some of the crazy things you can solve with digital identity and how you can solve targeted use cases and impediments.” While some of the pilots have made strides and broken ground on digital identity they can’t all be winners. One NSTIC pilot awarded in the second year – Exponent was the prime contractor – fell through due to a change in leadership at one of the companies. The GSMA was awarded $822,000 a year ago to pilot an interoperable identity system across the four major mobile network operators in the U.S. At the time of the award the GSMA wouldn’t elaborate on the pilot details and when contacted 10-months later executives at the organizations said there was nothing to report on the project.

IDESG DEFINES THE FRAMEWORK While the National Program Office is working on pilots to create the identity ecosystem, the Identity Ecosystem Steering Group (IDESG) is moving on a parallel path, says Mark Anthony Signorini, chairman of the IDESG. The IDESG is the private sector body that works alongside NSTIC to define the trust framework for digi-

tal identity systems. “The IDESG is creating the foundation for the trust framework – we’re the theory and they’re the practice,” he explains. The IDESG recently published its baseline requirements for the Identity Ecosystem Framework, a set of minimum conditions for participants in four key areas: privacy, security and resiliency, interoperability and user experience. The requirements will serve as the basis for the IDESG’s Self-Assessment Program, which is targeted to be operational later this year. Under this scheme, identity service providers and relying parties will be able to self-assess their own policies, procedures, and operations to the baseline requirements and attest to their level of conformance. The IDESG will offer a public listing service for those organizations that self-assess and determine conformance to these baseline requirements. The model, requirements, Trustmark program scope, and scoping statement will comprise the initial version of the framework as envisioned in the strategic plan. The baseline requirements are currently in the form of a set of requirement statements. IDESG working committees are developing supplemental information to clarify each requirement statement and explain how each can be met. This supplemental information will be part of IDEF v1 release later this year. Three years into pilots to create an identity ecosystem and there are some tangible results, as readers will find as they read on. But there is still a lot of work before consumers have a common, interoperable, privacyenhancing online digital identity.

Fall 2015

AAMVA: Create Cross Sector Digital ID for Virginia DMV Awarded in 2012

The American Association of Motor Vehicle Administrators (AAMVA) develops model programs and serves as an information clearinghouse in motor vehicle administration, law enforcement and highway safety. In the first round of grants, AAMVA was awarded more than $1.6 million to pilot the Cross Sector Digital Identity Initiative (CSDII). The project is in its third year, seeking to create a secure online identity ecosystem with enhanced privacy and safer transactions. The pilot focuses on health care applications as well as providing convenient online access to governmental services in the Commonwealth of Virginia. “The CSDII objective is to leverage the Virginia DMV in-person identity proofing to strengthen a user’s selfasserted online identity to an elevated level of trust,” CSDII operations manager Jennifer Behrens told the IDESG NSTIC pilot outbrief in May.

OUTCOMES

Solution was developed binding identity proofing capabilities to social login credentials Microsoft’s orchestration tool based on the UProve token technology is used to restrict personal information accessible to only that required for a transaction CSDII Pilot Trust Framework was established; pilot participants agree on policies and practices Project exposed the need for Virginia to pass the Electronic Identity Management bill this year

THE OBJECTIVE IS TO LEVERAGE THE VIRGINIA DMV IN-PERSON IDENTITY PROOFING TO STRENGTHEN A USER’S SELF-ASSERTED ONLINE IDENTITY TO AN ELEVATED LEVEL OF TRUST

LESSONS LEARNED

One of the issues the AAMVA pilot has run into has to with standardization, says Michael Farnsworth, CSDII technical lead. Standardizing – or white labeling – these solutions can make them easier to use and roll out to the public.

“Another thing that we learned is trying to temper the emerging versus existing tokens that we could use for authentication. It’s very interesting what’s referenced in (NIST publication) 800-63 for authentication,” Farnsworth says.

“Everyone wants it to look their way, but anytime that gets changed or modified, it can sometimes cause challenges. It’s not only just the visual representation; it’s actually in some of the functionality,” he explains.

“There’s a lot more technology in the market that can be used that’s not explicitly stated there. When you start to test the waters with things such as biometrics, you often get into these conversations that

Fall 2015

say ‘that’s kind of emerging and we’re not ready to adopt that yet,’” he explains. “One of the common threads that we came to realize is the difference between theory and practice,” Farnsworth explains. “Balancing theory and practice and being able to effectively transition things from R&D into actual delivery are key.”

We develop solutions designed for a secure and convenient consumer experience – across all channels. Solutions that help our customers increase efficiency, boost growth and build next-generation services. Visit our website to watch the 96 second video on how Gemalto is helping our customers to thrive in the digital world.

gemalto.com ENABLING ORGANIZATIONS TO OFFER TRUSTED AND CONVENIENT DIGITAL SERVICES TO BILLIONS OF INDIVIDUALS. LEARN mORE AT GEmALTO.COm

Trusted and convenient digital services for billions of individuals

Michigan: Authenticate users for cross-agency state services

Pennsylvania: Develop Keystone ID to access state benefits

Awarded in 2013

The Michigan Department of Health and Human Services was awarded $1.3 million in 2013 to implement an identity verification and authentication pilot for the state’s online benefits portal. More than 2.3 million citizens can log into MI Bridges to apply for benefits like food stamps, cash assistance and medical services.

OBJECTIVES

Provide relief for workers and reduce worker error Improve identity proofing and streamline the application process Enhance privacy for applicants

During the identity verification, MI Bridges calls vendor LexisNexis with the user’s name, address and birthdate. If the identity is verified, a LexID is returned and a four question, knowledge-based authentication (KBA) quiz is generated based on the applicant’s public footprint. Applicants can opt out of the quiz without impacting their benefits determination. The department reports “a relatively high number” of opt outs. State workers then receive the information with a field showing 1 - the applicant is verified, or 2 - the user is not verified and the worker must revert to manual verification methods. The department is also implementing multi-factor authentication using emails and text messages. “We’re giving them the opportunity to provide a mobile number and email when they come in to associate their case with the MI Bridges system,” Cathy Fitch, MDHHS project manager, told the IDESG Outbrief in May. “We also want to be able to verify that the phone and email address they’re using is actually theirs. We can do this by having the person enter a code confirming their identity and confirming the device that they’re using.” As of mid-May, more than 320,000 unique applications had gone through the identity verification and authentication process. “We’re looking at where we may have a high number of duplicate transactions,” Fitch says. “Are these bad actors coming into the system and trying to beat the KBA in order to receive benefits fraudulently? Are these people who are struggling with the KBA and continuing to try to go through it? Those are the things we’re trying to figure out at this point.”

LESSONS LEARNED One of the bigger issues has been the KBA quiz, Fitch says. “We are making some changes to when we deliver the KBA quiz. We’re moving to a streamlined version where the KBA will only be invoked at the end of the application,” she explains. Also education and outreach about the system is paramount. “We did do a fair amount of public awareness at the front end, but we’ve realized that we need to help both our partners, workers and citizens to understand the value of participating in this process,” Fitch adds.

The Commonwealth of Pennsylvania received $1.1 million in 2013 to deploy an identity exchange. The state is developing an online identity solution for accessing government services across multiple agencies, enabling new types of transactions and increasing convenience. The goal is for citizens to obtain a Keystone ID through two identity proofing mechanisms. The single credential would enable them to conduct online transactions across state government. “We have had a history of everybody building their applications in a silo,” Frank Morrow, program manager for identity and access management for the Commonwealth, said in the IDESG Outbrief in May. “As a result, a citizen who wants to deal with multiple agencies has to recall multiple identities for each agency or even for each application within an agency.”

OBJECTIVES

Advance a single, secure online credential Reduce fraud as well as stolen or outdated identities by using identity verification

“Our pilot is still underway. The products and services are in use and we are looking at expansion,” says Pennsylvania Chief Information Security Officer Erik Avakian. “A new application from the Human Relations Commission is live and intended for statewide rollout. It replaces a legacy paper-based system for filing discrimination complaints and leverages the identity exchange to verify the identity of users submitting complaints.” The state now has a centralized identity management system in place with two attribute verifiers. The Pennsylvania Department of Transportation verifies driver license and state identification numbers, and Experian verifies identity through knowledge-based questions. Citizens are able to register just once to access many services, and multi-factor authentication will be introduced in the coming months.

LESSONS LEARNED “There was a lot of hesitation up front by some of our agencies – ‘this is new, unproven, not standard’ – but with some successes and a lot of talking to people, we are socializing it and gaining more and more acceptance,” Morrow says. Some agencies have been hesitant to participate in the project. “Many of the relying parties or agencies have their own priorities, and in Pennsylvania we had a change of administration in the November election,” Morrow says. “Challenges include working with the third parties, trying to understand their existing mechanisms and what they need from us.”

Note: The Michigan and Pennsylvania pilots are funded and managed separately from the other NSTIC pilots, so their timelines differ. Their projects are in early phases, so there are no outcomes to report.

Fall 2015

Internet2: Bring multi-factor authentication to campus Awarded in 2012 University Corporation for Advanced Internet Development (UCAID), also known as Internet2, was granted more than $1.8 million in 2012 to develop and advance privacy-enhancing technology for the Identity Ecosystem. Now in its third year, much of the pilot’s focus has been on the attributes that would provide the authorization and access control for the ecosystem. “Providing management infrastructure at the enterprise level turned out to be really important,” Ken Klingenstein, director of Internet2 Middleware, told the IDESG May Outbrief. “There’s a lot of management under the hood of a multi-factor authentication deployment and we built management infrastructures for a number of the software platforms that the identity providers use.”

OUTCOMES

Smartphone-based multi-factor authentication deployed across three major campuses – Massachusetts Institute of Technology, University of Texas and University of Utah Developed and made publicly available a simplified multifactor authentication enablement of Shibboleth IdPs that has helped more than 140 universities begin to deploy multifactor Identified barriers to the widespread adoption of anonymous credential technologies and published a white paper outlining steps to resolve these barriers Developed an open-source privacy manager called PrivacyLens that gives users methods for transparent, granular, consent-based release of personal information or attributes associated with their credentials Developed and published the “Periodic Table of Trust Elements” Internet2’s other partners include the Carnegie Mellon and Brown University computer science departments. Their goal is to create tools for preserving individual privacy as well as a scalable privacy infrastructure for the broader community.

LESSONS LEARNED “The most important metrics for multi-factor authentication is not the number of licenses or tokens. It’s the number of applications that an enterprise has that use it, and that’s what we’re starting to track now,” Klingenstein says. “We’re starting to work now with accessibility and multi-factor authentication to make sure that the second factor is accessible to people with challenges and disabilities.” There are also issues with applications and data minimization. Most applications lead

with an identity request and relying parties and application need to lead with privacy. That will be an issue in building an identity ecosystem. “Very few applications are privacy preserving,” Klingenstein says. “This is going to be one of the hardest parts of building an identity ecosystem.”

SIMPLIFIED MULTI-FACTOR AUTHENTICATION FOR SHIBBOLETH TO HELP 140 UNIVERSITIES DEPLOY STRONG AUTHENTICATION

The pilot also looked at the possibility of an anonymous credential. “Anonymous credentials are still really hard to deploy. They’re just several steps short of a deployable infrastructure,” Klingenstein adds.

Fall 2015

Resilient: Build trust network for health care and education Awarded in 2012

San Francisco-based Resilient Network Systems is a provider of software designed to elevate access control and trust management. The company was awarded nearly $2 million to conduct pilots in health care and education. The company worked with about 20 organizations, connecting the services on its Trust Network infrastructure. The pilots concluded in May 2014. “The health care pilot was focused on what we call patient centered coordination of care,” says Britton Wanick, executive vice president for Customer Relations with Resilient. “It was designed to provide a national scale capability for the sharing of referrals or health information amongst physicians on behalf of a patient.”

LESSONS LEARNED Defining what an identity consists of and its attributes can vary among different parties. “What you might define as an identity will be different than what I define, and we may choose independent third parties that will define it differently yet again,” says Wanick. There are key issues that revolve around authentication, authorization and context, Wanick explains. Individuals might be authenticated and authorized but the context might not be correct – for example, logging in at 3 a.m. from Beijing when the individual never leaves North America. “There’s a context to that situation that is important, but based solely on identity and authorization, they might be authenticated and authorized but they actually can’t be trusted,” says Wanick. “If you were able to monitor and provide inputs from other activities on the network, you could determine that their behavior is something that shouldn’t be trusted.” The pilots attempted to show how context plays an important role with the identity ecosystem, Wanick says. “We tried to bring some of that to bear when we talked about the relationship between a student and a teacher or the relationship between a patient and a provider acting on that patient’s behalf,” Wanick explains. “It wasn’t just enough to know that he was a doctor, we needed to establish that context in the relationship (to the patient).”

OBJECTIVES

Health care: Enable convenient multi-factor, on-demand identity proofing and authentication of patients, physicians and staff on a national scale. Facilitate coordination of care among selected primary care physicians and cardiologists. Enhance HIPAA-compliant access to electronic referrals, including medical records. Education: The education pilot focused on the secure sharing of educational records with students, teachers and parents, as well as providing students with secure, multi-factor access to online learning content. While none of the pilot participants are still using the Resilient system, a school district familiar with pilot outcomes is pursuing approvals to implement the trust network for a regional education information-sharing environment.

ENABLE CONVENIENT MULTI-FACTOR, ON-DEMAND IDENTITY PROOFING AND AUTHENTICATION OF PATIENTS, PHYSICIANS AND STAFF

FOR MORE NSTIC PILOTS, GO TO PAGE 60 » 26

Fall 2015

BIOMETRICS SECURING CONSTRUCTION SITES TECH SAVES MONEY, INCREASES SECURITY AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

As ground breaking loomed for the construction of the 2012 Summer Olympics venues in London, planners were tasked with finding a way to secure a job site that would admit 81,000 workers during a five-year build. But securing a construction site, particularly one of that scale, means having to address a unique set of challenges. There are multiple access points and countless subcontractors with a work force that changes from one day to the next. London Olympics planners found their answer in the form of an access control system powered by biometric hand readers, which are still in place today, to make sure only authorized workers enter the site. Motivated by projects like the London Olympics, companies are tapping into a demand for biometrics and identity technologies to secure construction sites, specifically where there’s a need to track employee time and control access to sites. The demand is stronger in places like the United Kingdom, where strict laws govern construction site access. But inroads are also being made in the U.S. as companies

Fall 2015

that manage with multiple, remote work forces struggle to avoid wage fraud, theft and other problems. “If you’ve got a large site with multiple access points and you can’t have somebody overseeing everything, you want to make sure you only have the right crew and the right people on site when they’re needed,” says Susie Osowski, biometrics product manager for Allegion, a global provider of security products that deployed its Schlage biometric hand readers for the Olympic Park construction site in London. Time management and access control systems need to be tailored to the construction industry, since job sites tend to be located in harsh environments where traditional systems might not hold up to the unique demands. Entry points are often transitional unlike a normal building’s doors and entrances. Sites are typically outdoors, which can create lighting problems for biometric imaging and recognition software. Workers who clock in and out often enter the checkpoint with dirty hands, wearing gloves and carrying heavy equipment.

“Buddy punching – one worker clocking in for a friend who might be running late or is absent – is a common problem. This presents an even bigger challenge when you consider that companies simultaneously manage multiple job sites at any given time. To address these challenges, companies are deploying a range of access and biometric technologies, including facial recognition software, hand scans and fingerprint sensors. And of course, companies also rely on the tried and true ID card to control site access.

BIOMETRICS AT THE OLYMPICS The use of biometrics at Olympic construction sites dates back to the 1984 games. The first large scale test, however, occurred at the 1996 games, as hand geometry readers tracked 65,000 people and more than 1 million transactions in 28 days. This was also the first wide-scale deployment of ID cards linked to hand geometry readers through radio frequencies, according to Allegion.

With a card-only system, security guards would verify each employee against the ID card, and then manually enter each person’s information into the register. But the system was labor-intensive, and the use of smart cards often allowed workers to clock in and out for each other. With a multi-site environment such as an Olympic venue, there is a much greater risk of security breach, buddy punching and incorrect payments to contractors. London, like other games before it, selected biometric hand geometry templates. Workers clocking in and out with dirty hands or gloves ruled out fingerprint readers as an option, and with many of the construction sites outdoors, background lighting would get in the way of facial recognition software. Hand geometry readers verify an individual’s identity using just the shape and size of that person’s hand. It does not rely on fingerprints or palm prints, which can be more difficult to capture in harsh environments. “I can literally dip my hand in black paint, put it in that device, and it’s going to verify my identity because it’s not looking at that other information,” Osowski says. “It’s purely taking the geometric measurement of my hand.” Human Recognition Systems of Liverpool provided the Biometrics Information Management system, which uses Schlage HandPunch readers along with smart cards. The access control system has been in place since the early stage of construction at Olympic Park. Workers also used the system during the transformation of the site after the event and then again for an upgrade of the site, which started this year and will continue into 2016.

TIGHTER CONTROLS IN EUROPE The demand for biometrics to secure construction sites is taking off in Europe, and in the United Kingdom in particular. HID Global provides biometric access control systems for construction companies throughout the U.K., Europe and the Middle East. “We don’t see as much of this yet in the U.S., but the U.K. has taken the lead

enforcing a lot of these regulations,” says Bill Spence, vice president of sales for North America, Europe and Australia for HID Global. Europe has a much tighter regulatory framework governing how its construction workers are controlled. It’s illegal for companies to employ workers if they can’t prove where those workers are from, he explains. Aurora, a U.K.-based biometric research and development company, has

a lot of safety equipment. “It slows the whole process if they have to take some element of that off before they go through,” he adds. Additionally, stopping to set down tools and materials in order to retrieve and present an ID card hampers productivity. The Aurora unit consists of a box on the wall with a screen at the bottom that captures the worker’s image through an infrared camera. The unit can also be mounted inside a secure turnstile that won’t open without the correct verification. For smaller

U.K.-BASED AURORA USES FACIAL RECOGNITION TO SECURE SOME OF LONDON’S LARGEST HIGH-RISE CONSTRUCTION SITES

deployed its facial recognition software for the construction of some of London’s largest high-rise buildings, including The Shard, a now iconic 87-story skyscraper that opened in 2013. Aurora’s system uses infrared instead of visible light to avoid lighting challenges at different times of day and in unique environments. The system can work even in complete darkness, explains Gary James, head of sales and customer relations for Aurora. “As long as you have the same face on today as you had yesterday, you’re going to get through very quickly,” says James. One of the big advantages of facial recognition, James says, is that there is no contact necessary, which is important for construction workers who wear and carry

job sites, a cloud-based option works with smartphones and tablets. James says the most powerful aspect of facial recognition is that the system takes pictures of every event. So in case of a situation, such as a terrorist attack where suspects would need to be identified, there are pictures available of everyone who has ever entered the site. “If you think about the other kinds of biometrics, we cannot run around the site with a photograph of somebody’s fingerprint or a scan of an eyeball and try to work out who that person is,” he says. Other tech companies have discovered their own workarounds to the challenges that come with identifying workers on a construction site. HID Global developed its Lumidigm fingerprint sensor to overcome

Fall 2015

the fingerprint capture problems found with conventional imaging systems. The Lumidigm sensor captures images even when it’s difficult to distinguish fingerprint images in harsh environments. “From the very beginning, we designed the technology to be able to work in these difficult environments,” says Spence. Ievo, a U.K. biometric manufacturer, develops fingerprint readers for a range of applications, including construction sites. Ievo biometric access control readers use Lumidigm imaging technology, and its fingerprint readers have been used on Crossrail railway construction sites in the U.K. “Adopting a biometric technology is the first line of defense, not just for the security aspects but also for health and safety implications,” says Shaun Oakes, CEO and owner of Ievo.

CONTRACTORS CUT LABOR EXPENSES The demand for biometric access control on job sites is growing as companies realize the money these systems can save in wage fraud. It’s accurate and simply a more efficient way of doing things, James says. “Lots of people still keep the old fashioned time sheets, and this obviously eradicates all of that administration,” he adds. Through its construction site access control system, New York-based safety and security provider Allied Risk Management was able to recover nearly $1 million for one of its clients, Tishman Construction Corp. of Boston, says Kerry Madden, administrator for Allied Risk Management The construction company was being billed by multiple subcontractors at the site but had no way of keeping track of who was actually there. Allied Risk Management set up a system that ensured everyone entering the site swiped an access control card with the worker’s picture and employer’s name. At the end of the day, the contractor had work force records to match against the subcontractors’ invoices. Allied Risk Management’s access control services took off following its work for Tishman.

Fall 2015

CONSTRUCTION COMPANIES DON’T OFTEN THINK ABOUT THE VALUE OF SITE SECURITY UNTIL THERE’S AN INSTANCE OF THEFT OR VANDALISM Through its issuance partner, IDSecurityOnline.com, the company provides proximity cards to workers at construction sites throughout New York City. To ensure that production and personalization of worker badges does not impede progress on site, pre-programmed cards are sent from IDSecurityOnline to Allied for centralized personalization and distribution to the field in just 24 to 48 hours. Madden says construction companies are starting to recognize the need for securing their sites. “Unfortunately, theft and disgruntled workers are always going to be around,” she says. But, she explains, sound access control policies and systems can alleviate the risk. Chelmsford, Massachusetts-based Kronos Inc. has also found a niche helping U.S. construction companies reduce their labor costs by securing site access. Kronos uses touch ID technology to provide automated workforce management for Crossland Construction Company Inc., which had been manually tracking employee time. The challenge for Crossland was that it sometimes forgot to include the time of employees on a job, or identify those who worked on multiple projects.

Buddy punching was another issue for Kronos’ clients. “With biometric technology, you can’t do that anymore – it’s a significant cost savings for an organization,” says Kylene Zenk-Batsford, senior manager of manufacturing for the construction practice of Kronos Inc. Crossland placed Kronos biometric data collection terminals at each of its construction sites, and by paying employees for only their time worked, saved $850,000 on labor in its first year alone, explains Zenk-Batsford. Madden says construction companies don’t often think about the value of site security until there’s an instance of theft or vandalism. If a subcontractor is fired from a project, disgruntled employees might go back and rip out work or steal equipment. But when construction companies set up access controls, they help eliminate these risks, she says. “It’s a common thought that things are going so well that a company doesn’t need security,” says Madden. “But most of the time, things are going well because there is security there.”

Assured Authentication

Lumidigm® is now HID Biometrics. Sometimes you need more assurance about who is requesting access. Only biometric authentication verifies who is present... and only Lumidigm® multispectral imaging provides the reliability, security and convenience required for your mission-critical application. When it’s important to have greater assurance of who is accessing your assets, choose HID Biometrics.

Your Security. Connected. Visit hidglobal.com/lumidigm to see what we’re all about. Fall 2015

THE HIGHWAY TO TWO-FACTOR HELL PASSWORD HELL IS BAD, BUT THE POPULAR FIX COULD BE WORSE ANDRE BOYSEN, CHIEF IDENTITY OFFICER, SECUREKEY

Today we are in password hell. Mainstream media have regular stories about user issues, and massive data breaches are regularly happening to online services – even to large, respected brands that are well-funded and well-managed. The evidence is clear that both users and online services are struggling with passwords. Users are faced with an awful tradeoff between the risky choices of being non-compliant by making some of their passwords the same, or be compliant and face password recall issues when trying to access services. Web services similarly struggle by admonishing users to make passwords

Fall 2015

longer and more complex – a measure that has done nothing to quell the data breaches. Crooks only need to correctly guess one password in a hashed database of passwords to reverse engineer the contents of the entire database. A good starting guess for crooks to reverse engineer the contents is to try ”password123” or “letmein” if recent studies of popular passwords are accurate. Two-factor authentication is often used to strengthen password security. Two-factor is typically implemented in a device like an RSA token, an app on a smart phone, or even an SMS message. Two-factor can reduce the attack surface

for crooks but with the current course and speed of these implementations we are going to move from password hell to twofactor hell – and it will be much worse! Users interact with way too many sites to configure two-factor consistently, and worse yet, not all web services will implement two-factor the same way. It will likely be an SMS here, an app over there, here an RSA token, there a Yubico key, and so on. Do you really want to have two-factor for every web service you currently have a password for, and re-pair to the site when you lose or change devices? The number of passwords that users manage ranges from 13 to 300. That’s a lot

IF IDENTITY AND ACCESS MANAGEMENT WENT THE WAY OF PAYMENT NETWORKS, WE COULD MOVE BEYOND INANE PASSWORDS AS THE PRIMARY ACCESS MECHANISM

of SMS codes to re-type after typing in a user ID and password. And what if you change phones? Do you have to re-pair your mobile phone to every website? But two-factor is here to stay and it will be part of the path forward to increase business confidence for online transactions, so how should it unfold? Imagine for a moment you had to have a unique credit card for every merchant you purchased from. What would that be like? A complete pain might be an understated description. Consider these interesting things about credit cards: credit cards are federated; cards issued by trusted providers are accepted at all destinations; and credit cards are the biggest example of twofactor authentication in the world now that there are approximately 3.4 billion EMV cards in circulation globally. That’s right, EMV is two-factor – a strong security token in the chip along with a PIN. Think about this for a moment. Your favorite social media website has a set of painful password obligations in the form of length, complexity, duty to change frequently, etc. But an EMV payment card only has a four-digit PIN. It sounds like a security paradox – why aren’t the banks losing money? The banks are safe because the use of EMV chips has hidden the security complexity in the chip so the user does not have to be burdened with the details. Three things keep the global payment network safe:

The card cryptographically signed the transactions and the card cannot be cloned. The person conducting transaction knew the PIN for the card. The person to whom the card was issued had not called up to have the card revoked. If identity and access management went the way of payment networks, which is the argument of this article, some important things would occur: We could move beyond inane passwords as the primary access mechanism by leveraging more robust protocols like Global Platform’s Secure Channel Protocol, implemented securely into smart

and provides transparency regarding which organizations have access to data, and allow for better user revocation mechanisms. Two-factor on its own sounds like a great step forward, until you dig into the details and realize that it simply transfers the same password proliferation issue to a second factor. Double the authentication, more than double the Hell! Until the industry finds a better model to secure identities in an increasingly connected world, we’re simply doomed to repeat the same issues like a password Groundhog Day. Can we really expect a different outcome? Instead, use the two-factor capabilities in today’s devices to federate authen-

UNTIL THE INDUSTRY FINDS A BETTER MODEL TO SECURE IDENTITIES, WE’RE SIMPLY DOOMED TO REPEAT THE SAME ISSUES LIKE A PASSWORD GROUNDHOG DAY consumer devices, leveraging hardware capabilities of such devices where possible. Federated identity and access would be conducted by a smaller set of trusted issuers who provide assertions on behalf of users who need to prove identity online. State governments, banks and wireless carriers, among others, are well suited to serve here. User centric protocols, like User Managed Access, enables users greater control

tication to the services that consumers wish to use, without requiring them to have to maintain the same one-to-one, user ID-to-service issue that yielded the current password mess. Rather, use the one-to-many model using devices and a smaller set of trusted identity issuers that can prove identity online and we’ll finally crawl out of password hell and be on a better path to identity heaven.

Fall 2015

DRIVER L A DECADE AFTER REAL ID DRIVER LICENSE SECURITY IMPROVING, BUT HOLDOUT STATES RISK RESIDENT’S ABILITY TO FLY A decade has passed since REAL ID was signed into law. The controversial driver license legislation was met with staunch opposition from many states, some going so far as to legislate against compliance. For the most part, however, the opposition has subsided and there has been significant improvement to both issuance processes and document security.

that have either met the law’s standards or have received extensions. Four states and one U.S. territory are non-compliant with the act and have not requested extensions. Another 27 states and territories have extensions that expire in October 2015. Homeland Security officials denied interview requests for this story. Enforcement of REAL ID has already started in some places. As of this January, some federal facilities ceased accepting licenses from states that were not compliant and did not have an approved extension. In January 2016, things get real from REAL ID. On that date, license holders from non-compliant states will need another form of acceptable identification in order to board a commercial airline. No license, no flight.

THE SIGNIFICANCE OF REAL ID IS THAT IT WAS A STAKE IN THE GROUND THAT SAID A DRIVER LICENSE IS MORE THAN A DOCUMENT THAT SAYS YOU KNOW HOW TO DRIVE The U.S. Department of Homeland Security estimated that 70% to 80% of all U.S. drivers hold licenses from jurisdictions

Fall 2015

If a state is compliant, not all license holders will be required to have a new document for airline travel in 2016. Individuals will have until 2020 to obtain a compliant license.

BETTER SECURITY LONG-TIME COMING Many states were working to improve driver licenses long before REAL ID, says Ian Grossman, vice president of member services and public affairs at the American Association of Motor Vehicle Administrators. “A lot of these efforts began two decades ago,” he explains. This was when license issuers realized the credential was used for much more than its intended purpose, says Jenny Openshaw, vice president of state and local sales at MorphoTrust, which supplies driver licenses to 42 states. “The signifi-

LIC

REAL ID REAL ID Map Does it affect me?

Blue states are not compliant and do not possess an extension. Federal agencies are prohibited from accepting driver licenses and identification cards from these states

Alaska As of July 13, 2015

Washington Montana

Maine

North Dakota Minnesota

Oregon Idaho

Wyoming

Northern Marianas

Ohio

Illinois

Oklahoma

Arizona New Mexico

Missouri

MD DC

North Carolina

Tennessee

South Carolina

Arkansas Alabama

American Samoa

Georgia

Texas Hawaii

Louisiana

Puerto Rico Guam

Virgin Islands

If you don’t have REAL ID, you better have one of these … According to the Transportation Security Administration, if an individual does not possess a REAL ID compliant license or ID card after January 1, 2016, they will be required to provide one of these alternate acceptable IDs for screening purposes.U.S. passport

RI NJ

Colorado Kansas

Iowa

Utah

California

✪

New York

Michigan Nebraska

Nevada

Wisconsin

South Dakota

Federal agencies are prohibiting from accepting driver’s licenses and identification cards from these states. Federal agencies may accept driver’s licenses and identification cards from these states.

U.S. passport card

Border crossing card Foreign governmentIf the state of residence is marked in blue, you willissued need to present passport DHS trusted traveler cards DHS-designated enhanced a form of acceptable ID other than a driver’s license or state-issued (Global Entry, NEXUS, driver license Canadian provincial SENTRI, FAST) driver’s license or Indian identification cardrecognized, to access this facility. Federally and Northern Affairs U.S. military ID (active duty tribal-issued photo ID Canada card or retired military and their The list of jurisdictions subject to enforcement changes over time. For the most HSPD-12 PIV card dependents, and DoD Transportation Worker recent list, please visit http://www.dhs.gov/secure-drivers-licenses#1. Airline or airport-issued civilians) Identification Credential ID (if issued under a TSA Permanent resident card approved security plan) Department of Homeland Security Office of Policy www.dhs.gov/secure-drivers-licenses

cance of REAL ID is that it was a stake in the ground that said a driver license is more than a document that says you know how to drive,” she adds. Even many states that passed laws saying they would not comply with REAL ID are making efforts. Arizona, for example, was vocal against the law but is in the process of creating compliant documents and processes for its citizens.

REAL ID impacts every aspect of the driver license issuance process, not the least of which are the documents themselves. “States were all over the map when it came to securing documents against counterfeiting and forgery,” Openshaw says. REAL ID is changing that. AAMVA created a minimum level of security features for the documents and almost every state has adopted those stan-

dards, Grossman says. “States are including more sophisticated security features in the physical card,” he explains. “Overt and covert security features make licenses and IDs more difficult to counterfeit.” Major changes have been made to the process as well. To start, applicants are having their photo taken first instead of last. This serves two purposes. It enables the headshot to be

Fall 2015

run through a facial recognition system to see if any other names match the face, and if someone is trying to obtain a license with false information a photo of that individual is now on record. According to Openshaw, facial recognition technology has now been deployed by 33 states. States are also asking for more documentation prior to issuance. Birth certificates and Social Security cards are a necessity to get a REAL ID-certified license. These documents are presented, scanned and verified for authenticity before an individual is allowed to go further. All compliant states link to the Social Security Administration for real-time

verification of presented numbers. Additionally, many states are using third-party services to validate breeder documents like birth certificates or biographic data like addresses from utility bills. “One of the biggest process changes is strengthening and authenticating the documents that people have to bring in to receive a license,” Openshaw says. These added steps have added time to the issuance process, and some states are working to ease the wait time by enabling citizens to pre-enroll. By reviewing and presenting certain information beforehand, an individual can be pre-vetted when they show up, Openshaw explains. Florida and Mississippi currently offer this feature.

State-to-state verification still in the works One of the more controversial parts of REAL ID was the state-to-state pointer system. This system would enable one state to check with others to make sure an individual wasn’t already licensed in that state as well.

GEORGIA ON MY MIND But even those renewing licenses with a spotless record have to come into the DMV with the new documents to receive a license. This has been one of the tougher sells to citizens who were previously able to go online to renew their license, says Rob Mikell, commissioner of the Georgia Department of Driver Services. This led to longer lines when Georgia made the switch to a REAL ID-compliant document in 2012, Mikell says. The changes in processes and verifying documents was just one hiccup for those coming to the office, the other was making sure they had the right documentation. “We turned away thousands of people because they didn’t have the necessary documentation,” he explains. In order to alleviate some of the customer frustration, the department put computers in the office that customers could use to

Skeptics saw this as a framework to create a national ID system, and states bemoaned the difficulties inherent in creating such an infrastructure. Well, they may have been correct, as the network does not yet exist. The American Association of Motor Vehicle Administrators, however, started a pilot this summer that will test such a system with 11 states, according to Ian Grossman, vice president of member services and public affairs at AAMVA. The key drivers for the systems will be: Limit a person to one driver license or ID card Enable a state to determine if a person holds a license or identification card in another state Enable a state to send a request to another state to terminate a driver license Provide information on all state issued driver licenses nationwide Enable states to verify licenses and ID cards presented as a form of identification

Fall 2015

GEORGIA HAS RE-ISSUED 4 MILLION OF ITS 7.6 MILLION DRIVER LICENSES

✪

print out some of the necessary information, Mikell says. “People could go and print out a bank statement or go to the Social Security Administration and print out the documents so they didn’t have to go home,” he adds. They also had to be flexible when it came to some of the rules. When married women came in after a name change and they couldn’t find a copy of their marriage certificate they were turned away. But if the woman had changed her name with the Social Security Administration, and had that documentation, they would be able to complete the transaction, Mikell says. “After we did some validation we made some changes to the rules,” he explains. “We had to stay flexible and make sure that we were doing everything we could to interpret the rules correctly.” At the same time, Georgia also switched to central issuance. In the past, licenses were printed onsite at the local department office while the individual waited. Today, applicants are given a temporary license with limited security features to use until the official document arrives in the mail. He cautions that there can be challenges with the acceptance of temporary licenses and he found education was key. There was a problem with this document being accepted by the Social Security Administration, so the department had to work out a specific agreement, he explains. Georgia has re-issued 4 million of its 7.6 million driver licenses and is reaching out to the remaining individuals to have them receive new documents. While the process wasn’t necessarily easy, Mikell says it was worthwhile. “The citizens of Georgia are glad to have a more secure document, and while there was frustration and it took some

States ranked by identity practices The Secure ID Coalition released a report “State Secure Identity Practices and Policies” ranking ten states on their secure identity practices. The vast majority of identity credentials used by U.S. citizens – driver licenses and benefit programs such as Medicaid and food assistance – are administered by the states, says Kelli Emerick, executive director at the Secure ID Coalition. But while the states issue the credentials, the funds come from the federal government. The report focuses on 10 states that were chosen for reputation as technology leaders with innovative identity initiatives. The 10 states account for a majority of the overall U.S. population. This report ranks states using a composite score derived from five categories: Primary Identity Documents, eGovernment Practices, Benefit Card Identity Management, Health and Safety Identity Documents and Legal Landscape. Each category contains three to six individual variables that measure the state’s progress, with a total maximum score of 100 points. The results of the survey are as follows: Pennsylvania 60/100 Pennsylvania is a leader with respect eGov Practices and Health and Safety Identity Documents. The state’s NSTIC pilot involves an interoperable “Keystone ID” that enables citizens to access online services hosted by multiple government agencies. The state has mostly done away with paper-based benefit cards, however it could significantly improve both identity security and the accurate distribution of welfare benefits through the adoption of chip-enabled payment cards. The Keystone state was also the weakest state when it comes to Legal Landscape. Texas 59/100 The state’s ranking was primarily driven by its practices related to Benefit Card Identity Management. The state’s decision to do away with most of its paper benefit cards and institute a chip-enabled benefit card improved its standing and will continue to reduce benefit fraud. Although Texas is not currently implementing an NSTIC identity and access management pilot, its relatively secure primary identity documents along with its decision to participate in First Responder Access Credential is also commendable. Virginia 55/100 Virginia, which came in third, is recognized for its innovative eGov Practices. The state’s decision to participate in an NSTIC pilot, maintain a centralized cybersecurity office, and participate in First Responder Access Credential stand out. Still, Virginia has significant work ahead to revamp its Benefit Card Identity Management. Illinois 41/100 Illinois came in last of the states examined in the report. The state has work to do in the areas of Benefit Card Identity Management, eGov Practices, Primary Identity Documents and Health and Safety Identity Documents. Illinois still uses paper cards to distribute public assistance funds, which are insecure and limit interoperability.

Fall 2015

time to get an understanding of the improved processes, we’re in a good place today,” he says.

VERMONT STICKS WITH OVERTHE-COUNTER ISSUANCE Annoyance from citizens was common in Vermont as well, says Robert Ide, commissioner of the state’s Department of Motor Vehicles. “People were frustrated that they had to bring in documents that they may already have presented,” he explains. “If you’re 60 and have to re-prove your identity, we know that this can create some angst.” Even those with good driving records had to visit a DMV office to receive a new license, Ide says. “We’ve always had an online system, but this forced everyone to come in over a shorter period of time and increases our wait times,” he adds. Vermont didn’t have to change its issuance process and still performs overthe-counter issuance, Ide says. Vermont citizens also have a choice of getting a driver privilege card that is not REAL ID compliant. “We wanted to offer an alternative to those who didn’t have permanent residence,” he explains. For Vermont, becoming REAL ID compliant hasn’t been easy. “REAL ID is a change, and while we found the people at the federal level were very helpful to work with, it’s a little painful going through the process,” Ide says. Many states have already gone through the process, and though they may be not have emerged unscathed, they have emerged stronger than before. For any state that has not started the process, deploying

Fall 2015

North Carolina increases document security The North Carolina Department of Motor Vehicles made a point of increasing its document security with REAL ID compliance, according to Kelly Thomas, commissioner of the agency. The department had been issuing a PVC card that could scarcely see out its prescribed five to eight year lifespan. “It broke, cracked and faded – it wasn’t durable at all, Thomas says. With REAL ID the state moved to a central issuance model. The new design aims to prevent counterfeiting, reduce the risk of identity theft, decrease the potential for fraud and meet federally recommended security features. North Carolina began issuing the new license this summer. The new licenses are no longer constructed from pure PVC but instead use more durable, flexible and fraud resistant composite construction. It has a core made from a material called Teslin that helps protect it from cracking and fading. New security features include high-resolution graphics and laser-etched verbiage, as well as overlapping “ghost images” in various colors. Front laminate highlights include images of the State seal, the State abbreviation “NC” and “1775,” the year of the Mecklenburg Declaration of Independence. The license can also indicate active military or veteran designations, as well as organ donor status.

will be tough in the short time remaining before the January 2016 deadline. Ide suggests that the only way this works smoothly is to take advantage of the normal cycle of license renewals, however

this would entail beginning the migration long before the looming deadline. “The states that are not going through renewals are going to be in a world of hurt,” he says.

SPONSORED BY

THE LATEST TECHNOLOGIES TO

SECURE YOUR BUSINESS • 200+ Brands • FREE SIA Education@ISC • Crack the Tap Reception ...All in your backyard

EXHIBIT HALL & SIA EDUCATION@ISC

November 18-19, 2015

Javits Center North New York City, NY

Endorsed by

Corporate Sponsors

Fall 2015

UNIVERSITY OF TEXAS OFFERS MASTER’S IN IDENTITY MANAGEMENT GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

ecurity and identity are intertwining for an advanced degree program at The University of Texas at Austin. The new master’s program is being touted as the first of its kind.

Fall 2015

The Master of Science in Identity Management and Security (MSIMS) program is slated to welcome its inaugural class in the spring of 2016, with all applications due November 1. The program is designed to help fill a growing demand for jobs around trusted transactions, secure identity and privacy protection. The MSIMS degree is a collaboration between the university’s School of Information and Center for Identity. Administrators say the program is a response to an identified need in government, law enforcement and business. Organizers have compiled courses to incorporate training from multiple fields. Faculty members from across the UT Austin campus with expertise in technology, engineering, business, communications and public affairs will teach in the MSIMS program. “Identity is not something that has formal programs built around it in a way that technology or even security might have,” says Lance Hayden, adjunct professor at UT’s iSchool. Hayden is also managing director of the Berkeley Research Group, a consulting firm with a technology advisory practice. He has seen firsthand the need for more identity experts in the marketplace. “If you are interested in information and how it specifically applies to identifying and managing that border between the virtual and the real in all different aspects – legal, business, technology and social – there’s going to be something in this program for you,” Hayden explains. “I haven’t seen anything else that takes that approach or covers it that widely.” The master’s degree features nine courses with names like “Identity Communication” and “The Policy of Identity.” The university wanted the two-year program to be accessible for working professionals, so courses will be offered one weekend per month. Up to half of the students will have the option of attending via synchronous online learning, with enrollment likely to be capped at 25 students in the beginning. “There aren’t any industries or any public, private or industrial sectors that don’t rely on information in today’s economy,” said Hayden, who will lecture on cyber and information security. “So I think that we’re going to get a wide variety of people in the program. They’re not all going to be technologists. They’re going to come from a wide range of fields.” The partnership between the iSchool and the Center for Identity was born out of discussions around the need for a new kind of profession. Identity management has become a key player in government, corporate and industrial settings. But Andrew Dillon, dean of the iSchool, says the skills needed to provide such secure environments aren’t always well-defined or tied to any one discipline. So faculty members conceptualized what a degree program in this space should look like.

THERE’S A SHORTAGE OF TALENT AND WE SEE TREMENDOUS GROWTH POTENTIAL IN THE NUMBER OF INFORMATION SECURITY JOBS AND IDENTITY MANAGEMENT OFFICER POSITIONS

“We think there’s not really a single disciplinary title you could say this is. It’s partly technical, there’s a lot of computational science, there’s some policy, there’s some law, there’s some social science in it – we have to understand human behavior,” Dillon says. “Today’s identity management workforce needs leaders who are as comfortable making policy recommendations and risk management assessments as they are making technological decisions.” Many companies have grown their own local experts with the blossoming of the digital age. For years, employees from a variety of educational disciplines have been able to handle the technological needs of the workplace. But Dillon says that’s no longer enough. “I think that we’ve just seen the explosion in information management, information security, privacy issues, concerns with managing consumer data through time,” Dillon says. “It’s necessary now that we formalize the kinds of credentials and the kind of educational prep that professionals who want to work in this area can receive.” Early in the MSIMS program, Dillon expects that most of the students will come bearing degrees in IT, computer science, and engineering. But he believes that anyone who is well-educated, even in the liberal arts, can bring as much to this area as someone with a more computational or technical background. “We might find some of our strongest applicants actually come from social sciences and the humanities because they’re asking intelligent questions about issues related to policy, security and

information management,” Dillon says. “But they themselves, not having the technical skills, will come for the master’s which they hope will give them those sorts of skills.” With Austin as the state capital, Dillon says a number of government agencies have expressed interest in sending their personnel to the program so they can then return to the government sector as information security analysts and identity management professionals. “Companies increasingly recognize that this is an area where they can’t be vulnerable and that there’s a shortage of talent,” Dillon explains. “In the commercial sector, we see tremendous growth potential in the number of information security jobs and identity management officer positions.”

IDENTITY AS A FORMAL DISCIPLINE MSIMS graduates will be apt to join some of the fastest growing careers in today’s market, according to the Texas Workforce Commission. Administrators say the program will prepare students for mid- and executive-level leadership positions in government, law enforcement and the private sector. In a workforce study on identity management and security, UT asked companies what kind of knowledge, skills and abilities they want in prospective employees. The study found that jobs requiring attributes provided by the new master’s program have grown by more than 150% over the last four years.

Fall 2015

“We’re focusing on this sensitive, personal identifiable information, and the solutions that we need to better manage that information, secure it and protect it from theft and fraud,” says Suzanne Barber, director of UT’s Center for Identity. “That’s where you get that multi-disciplinary solution that is so unique.” Barber sees a high demand for employees who understand all the ways that information needs to be managed and secured. “Try to buy anything, try to do anything on the internet without providing information about yourself. Your identity is currency online,” Barber says. “So we really have got to figure out, in order to secure our information, how to conduct these more secure transactions.”

Fall 2015

“Think about all of the passwords and the key cards to get in buildings. Managing this is an important part of the leadership that an organization needs,” adds Barber. “Any organization that is collecting PII and is therefore responsible for its management and caretaking will need leaders in this area.” For Hayden, a security expert for 25 years, this new program is about creating experts who understand the phenomenon of implementing evolving and better solutions for identity. “You’ve got identity theft and you’ve got hackers stealing passwords and credentials. We’re not going to put that genie back in the bottle,” Hayden says. “The digital age is here and identity is a core component of it. We have to be able manage and protect it effectively to achieve its full value.”

COURSES

Identity Communication

Introduction to Identity Management, Security, and Privacy This course provides a fundamental understanding of the issues surrounding identity management, security and privacy. Topics addressed and questions answered include: What is an Identity? Identity attributes, personas and relationships for people, organizations and devices Cyber and physical threats to identity security and privacy Applications for identity enrollment and authentication Information in Cyberspace – Who knows what? How do they use it? A Historical Perspective on the Largest Information Breaches Identity Governance – Who polices this? What is the best model for the future? Identity in Society and Community Identity, security, and privacy have different meanings and different values, depending on geography, age, culture and a number of other societal factors. In order to address those differences, this course provides an anthropological study of identity, including topics like: Societal norms surrounding identity and privacy Individual, communal and organizational identities History and future of personal, organizational and device identities.

Effective communication strategies surrounding the collection, sharing, storage and use of identity information drive a corporation's ability to prepare for (and recover from) data breaches. This course provides a solid foundation in the best techniques, with emphasis on: Framing messages and the impact on identity and privacy Effective crisis management Planning for communication and business continuity Time management Sense making processes in organizational crisis Strategies for reputation management Business Practices and Governance Making the case for managing identity information as an asset, this course examines the best business practices for reducing identity-related risks and maximizing returns from identity assets. Topics include: Risks and returns surrounding identity information Governance and control frameworks Ethical issues surrounding identity information Identity Security Course topics include: Identity enrollment and authentication for access and transactions Biometrics Device identity security

Identity Risk and Benefit Analysis

The Policy of Identity

As corporations, law enforcement and government agencies collect, share, store and rely on PII, risks and benefits associated with that information must be assessed and managed. This course provides insight into that assessment process across multiple sectors, including financial services, health care, consumer services, government, education, energy and many others.

A fundamental understanding of the historical and current policies guiding the collection, use, and protection of identity information is necessary to guide business decisions about identity management, security and privacy. In order to develop that understanding, this course focuses on: History and present review of public policies impacting identity management, security and privacy

A study of privacy issues and the policies surrounding business and government A critical analysis of the surveillance that governments, private entities and individuals practice and the policies that guide surveillance practices Identity and Law The legal landscape surrounding PII is complex and changing. A clear picture of this landscape is fundamental to effective stewardship of identity information. This course provides insights into that landscape, covering: Overview of laws governing identity management, security and privacy National security and identity Legal issues surrounding government, corporate and personal surveillance Laws governing the collection, use and sale of identity information Liability of identity fraud, misuse and abuse Liability with regard to data breaches Identity Information Management and Repositories With a view of both the technical and organizational aspects of identity management, this course equips students with the skills and knowledge to develop both enterprise and IT solutions to protect, access and rely on identity information. Course topics include: Knowledge and data management Data stores and data mining Data breaches Information representation and algorithms in support of enrollment, authentication, fraud detection and fraud prevention Information management applications in all market sectors MS Degree Report As the culmination of the knowledge acquired in the program, students engage in an independent study course, producing a report on a topic selected by student and faculty supervisors.

Program tuition is $45,000 for the complete two-year program.

Fall 2015

SECURITY INDUSTRY READIES TO TACKLE THE INTERNET OF THINGS KELLY VLAHOS, SECURITY INDUSTRY ASSOCIATION

The thought of a computer hacker miles away taking over an Internet-connected vehicle while someone else is driving seems far-fetched, but this foreboding vision is likely keeping carmakers and dealers awake at night. Security researchers Charlie Miller and Chris Valasek recently demonstrated that above scenario isn’t some dystopian fantasy. Cars with online technology – including sensors that control dashboard components, the entertainment system and even the engine – can be hacked and manipulated. The two men revealed this with a Jeep Cherokee driven by a Wired reporter, who later published the account. After messing with the radio stations and engaging the wipers, Miller and Valasek, who were sitting in a basement with their laptop, cut the Jeep’s transmission. The reporter was on the highway. It’s for reasons like this that the IoT has been described as a “ticking time bomb,” if developers cannot find a way to secure it, says Deepak Taneja, founder at Aveska Inc. But despite the clear risks, the advantages of IoT for a myriad of industries, as well as consumers, are immense. In the vast IoT future, Web-enabled sensors connected to products could identify changes in supply chains down to the smallest detail and then communicate that knowledge to distributors and stores via mobile applications. Traffic signals can adapt to volume on the roads, which would also be embedded with sensors that gauge physical integrity and provide that data to both engineers and drivers in their cars. With new wearable technology, health care specialists could monitor a patient’s chronic respiratory illnesses without a stethoscope and without even being in the same room. According to Gartner research, 4.9 billion devices will be connected in this way by the end of 2015, up 30% from 2014, and will reach 25 billion by 2020. As members of the Security Industry Association (SIA) are discovering, the nexus of IoT and security systems will serve as the next revolution in their field. Just as physical building security – controllers, card access, alarms, video surveillance and emergency systems – embraced wireless communication, it will

Fall 2015

soon see devices sharing critical intelligence data in the Cloud. Providers, meanwhile, will be taking advantage of lower-cost solutions in universal applications and standards. The industry can either wait for this to happen or actively anticipate where IoT is going, says Jeremy Brecher, chair of the SIA Standards Committee Cloud and Mobility Working Group and vice president of electronic security technology for Diebold. His working group is tackling the “time bomb” challenge before it puts security providers on the defensive. The working group knows that IoT is not only next generation, but also the natural nexus of cloud and mobility. He says you can’t talk about one without the other two. “A lot of things in the IoT are starting to encroach into the security space, and it is important to get on it, and move it forward,” says Brecher. The group’s first step is to define terms and sketch out the initial impact of this new “mega trend” on the security industry. “You have this proliferation of new devices that are online and communicating, as well as producing data and awaiting commands. What we have to do is determine how they will interact with security systems and become part of it,” Brecher explains. “We’re looking at what the movement does, what it means for standards and improving the overall security posture.” SIA members need to pay attention to the IoT or face the prospect of their systems being left behind. Steve Van Till is the president and CEO at Brivo Systems and chair of the SIA Standards Committee. He calls IoT one of four megatrends – the others being cloud, mobility and social media – that have vast implications for the industry. Van Till breaks down IoT’s pros and cons. On the plus side, he says IoT will bring more devices online, more data and better analytics, new standards and earlier warnings. Negatively, the expansion of IoT makes current systems more vulnerable to hacking, encroaches on personal privacy and invites compatibility risks.

INSIGHTS Cutting-edge viewpoints on the use of security technology from the industry’s leading electronic physical security association. Learn more at securityindustry.org.

“The security industry is about five years behind any major trend that is out there. They are late to the party – a lot,” Van Till says. “What I am trying to do as chairman is make things more relevant to get the industry caught up so they can do what’s best for their customers.” As Van Till describes, the cloud is “the sum total of all the online computing in the universe,” and the security industry has just begun operating in the realm of delivering hosted services over the Internet. Mobility, on the other hand, is the application of these hosted services over different platforms and devices. According to the working group, practitioners estimate that 75% of all security video, for example, will soon be accessed via mobile devices like smart phones and tablets. IoT will incorporate all of that, taking security product capabilities to the next level. Devices will be talking to each other, setting up algorithms for generating data, and then aggregating, sharing and storing that data across networks. All this will occur with very little human intervention. On one end, the industry can benefit from intelligence and greater efficiency gleaned from its own devices, but it will eventually exploit data produced by other, seemingly disconnected devices like residential utilities, cars and even household appliances. Van Till gives the example of a Web-embedded electric toothbrush, whose sensors determine that’s its been dropped in the middle of the night. Putting that together with other indicators in the house, a break-in could be detected, setting out early warnings and serving as a sort of electronic trail of footprints in what might later become a criminal investigation. “Almost every device has the capability, like that toothbrush, to report environmental information and can provide data that is relevant to security,” Van Till explains. That is why the committee wants to explore standards of communication, in other words how devices will talk to each other via Internet protocols. Right now, there are a myriad of protocols for the IoT, and universal standards have not yet congealed. Experts say the standards will be necessary for critical functions across industries, such as collecting device data and communicating it to servers,

connecting devices to people, integrating intelligent machines and connecting servers to each other. “Clearly there are a bunch of standards that are starting to emerge in the IoT space,” says Brecher. “As we look at common protocols, it is important to look at this from a security industry perspective.” A number of major tech consortiums are already working on interoperability standards, so he believes there is no need to reinvent this wheel. Instead, the working group wants to examine trends and perhaps make recommendations to SIA members. In the near future, the panel might suggest SIA work directly with the consortiums in their quest for universal protocols and keep members educated about developments and security-specific frameworks. Meanwhile, anticipating the security risks that networks and devices face in the IoT is just as important as compatibility, said Brecher. Which takes us right back to the hackers and the Jeep Cherokee. “One of things left wanting in the IoT space is security,” he acknowledges. “You open up a whole new level of risk if there is a breach.” He says the subcommittee will be exploring key cybersecurity technologies and practices as they relate to IoT in the security space, including encryption, network security, authentication and architecture. Here, too, they will look at the rest of the IT universe as a guide. “We want to pull together the bare essentials that could eventually enter into standards and highlight very specific things that are important to integrators, manufacturers, and customers,” Brecher says.

SECURITY INDUSTRY COMPANIES NEED TO PAY ATTENTION TO THE IOT OR FACE THE PROSPECT OF THEIR SYSTEMS BEING LEFT BEHIND

Steve Van Till will discuss his outlook on megatrends in the security industry at the upcoming SIA Securing New Ground conference, an executive gathering in New York City on Oct. 28-29. He plans to outline how these megatrends are transforming the physical security industry much faster and more deeply than in any previous era, with profound implications for market dynamics, channel structure and the knowledge base required for practitioners. For more information and registration, visit the conference website at http://www.securingnewground.com.

Fall 2015

‘CYBER SPRINT’ FORCES TWO-FACTOR AUTH INTO FED GOVERNMENT MASSIVE OPM BREACH GIVES OMB THE AMMO NEEDED TO DRIVE PIV USE ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

The goal of HSPD-12 more than a decade ago was simple. Federal agencies were to deploy a secure, interoperable identity document for physical access to facilities and logical access to networks and applications. The actual rollout has been anything but simple. Eleven-years since HSPD-12 was signed and five-years since the White House mandated logical and physical security systems use the PIV, and still half of all federal agencies don’t use the credential. They have issued it … they just don’t use it. The smart cards are in the hands of more than 90% of agency personnel, but agencies are still bucking the actual use of the card. A White House Office of Management and Budget (OMB) report released in 2015 showed that just 42% of federal agency employees – outside of the DOD – were using the PIV for access to secure networks and applications. The White House Office of Personnel Management (OPM) – the target

Fall 2015

of a massive data breach where more than 25 million current and past government employees had their personal information stolen – was one of the worst offenders. In 2013 no OPM employees were using PIV for logical access, and at the end of 2014, that number had climbed to only 1%.

beef up cybersecurity mandated by OMB. A primary goal of the sprint was to accelerate implementation of multi-factor authentication, especially for privileged users. “Intruders can easily steal or guess usernames and passwords and use them to

AGENCIES ARE NOT DOING SO WELL WITH THE DEPLOYMENT OF PIV AND STRONG AUTHENTICATION. THEY NEED A CARROT TO HELP GET PIV IMPLEMENTED The records reportedly were stolen in more than one breach. One of those breaches was linked to a contractor’s user name and password being hacked while another was linked to a “zero-day bug” that lived in the system. In the wake of the OPM breach, federal agencies started a “30-day cyber sprint” to

gain access to Federal networks, systems, and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems,” according to a white house statement.

Results: Cyber Sprint increases PIV usage In the wake of the U.S. Office of Personnel Management data breach, federal agencies undertook a 30-day “cyber sprint” that ended in July. The goal was to better secure federal networks and increase PIV usage. A priority of the sprint was adding two-factor authentication for user access. The cause of one of the OPM breaches was a corrupted contractor credential, which enabled hackers to access the federal systems and steal more than 4 million records.

Hackers target privileged users in an enterprise because they possess elevated access to federal systems. Among these privileged users, OMB says PIV use

increased from 33% to nearly 75% via the sprint. At the time of the OPM breach, 18 of the 24 total Civilian agencies did not mandate that

privileged users login using PIV authentication. Today, OMB reports that thirteen agencies have now implemented PIV access for nearly 95% of their privileged users.

CYBER SPRINT RESULTS STRONG AUTHENTICATION IMPLEMENTATION FOR CIVILIAN AGENCIES, PRIVILEGED AND UNPRIVILEGED USERS

According to the White House Office of Management and Budget (OMB), agencies made significant steps toward increasing PIV usage during the sprint. “Federal Civilian agencies increased their use of strong authentication for privileged and unprivileged users from 42% to 72% – an increase of 30% since agencies last reported their quarterly data on Performance.gov,” according to a July 31 summary report from OMB.

Privileged users, of which there are more than 134,000 across the government, possess elevated access to federal systems and are the ones that enable other employees’ access to different systems. For example, if a new employee needs access to a cloudbased app for accounting, a privileged user will be the one to enable that access. At the time of the OPM breach, eighteen agencies did not mandate that privileged users login using PIV authentication. The cyber sprint concluded in mid-July and OMB officials reported an increased use of multi-factor authentication for privileged users. While enabling PIV for privileged users is a key cybersecurity measure, OMB is pushing that more agencies start to use the smart card across the board. “We’re not doing so well with the deployment of PIV and strong authentication,” says

Trevor Rudolph, chief of the Cyber and National Security Unit in the Office of EGovernment and IT at OMB. “Agencies need a carrot to help get PIV implemented and we’re deploying the resources to the agencies to solve these problems.” Technically this isn’t anything new. In 2011, OMB issued a memorandum stating that all new purchases dealing with physical or logical access needed to be HSPD-12 compliant. Still, many federal agencies rolled their eyes at the mandate and kept doing what they had been doing.

CULTURAL ISSUES REMAIN PRIMARY OBSTACLE The three biggest issues when it comes to using the credentials have been funding, technical issues and cultural challenges, Rudolph says. “With the cultural prob-

lems, people just don’t want to do it,” he explains. “They have the cards but don’t want to use them because they think it’s a burden.” OMB is working on ways to solve all three of these issues. “We’re documenting all the challenges on why agencies can’t use PIV, and we’re deploying resources to solve these problem,” Rudolph says. “Some of the problems are technical but most of the time it’s cultural.” Some agency and IT leadership have stubbornly refused to take any real steps to strengthen user authentication, insiders say. That is likely the attitude that OMB folks are gently referring to as cultural issues. Such cultural issues are getting more attention, says Grant Schneider, federal cybersecurity advisor at OMB. At the highest levels, agencies are meeting regularly

Fall 2015

with OMB related to identity and access management. Schnieder and Rudolph both made the comments at the Smart Card Alliance’s Smart Cards in Government conference. Often, if the cultural issues become too much of a problem phone calls can be placed. “We make a phone call to the secretary or deputy secretary and they make the changes overnight,” Rudolph adds. Rudolph and Schneider both say PIV can also make life easier for employees. Agencies that deploy PIV-enabled single sign-on systems eliminate the need to remember usernames and passwords for different applications. “I just have the PIV and a six digit PIN,” Schneider says.

On the budget side of things, agencies have had years to procure PIV-enabled systems. “I don’t think is has been an unfunded mandate,” Schneider says. “Over the years the funding has been pretty good for agencies to make the changes and get these things done. Agencies could have done more.” OMB is also working on ways to help agencies solve the technical issues. There is a 500-page Federal Identity and Access Management Roadmap that can guide agencies but that document isn’t without its issues. OMB is creating “playbooks” that look at some of the problems agencies experience with PIV and how to solve them, Schneider explains.

Will the IRS breach force better KBA? In October 2014, President Obama signed an executive order requiring federal agencies that deal with citizens’ personal information to deploy multi-factor authentication. A plan to roll out this system was to be presented to the president in January 2015 with deployment of the systems by March 2016. Multi-factor will likely help protect data when rolled out, but it’s too little too late for some 100,000 citizens whose information was stolen in this summer’s breach of the Internal Revenue Service’s “Get Transcript” feature.

address before accessing IRS systems. Then they had to pass an additional step, correctly answering a series of knowledge-based authentication questions designed to be known only by the taxpayer. The IRS believes that fewer than 15,000 fraudulent returns were processed as a result of the breach, likely resulting in refunds totaling around $50 million.

By all accounts, this was a sophisticated attack where the hackers possessed a great deal of detailed information about a certain group of taxpayers.

This breach is different from others for two reasons; first, hackers used data stolen from prior breaches as a stepping-stone to attack the IRS system. With millions of stolen identity records for sale online, this is hardly surprising. But it shows that hackers are doing more with the original breached data that is floating around on the dark web.

The fraudsters cleared a multi-step authentication process that required data including Social Security information, date of birth, filing status and street

Filing fake tax returns is just one thing that can be done, but criminals could also use these returns to apply for mortgages and other loans. Access to valid tax

Fall 2015

returns opens up a whole new dimension of fraud possibilities. The second takeaway is that this shows that there are weaknesses with knowledge-based authentication. IRS reports suggest that the hackers attempted to access 200,000 records and were successful about 50% of the time. Looked at from the positive angle, however, knowledgebased authentication likely prevented the remaining 100,000 accounts from being breached. And though we may never know, if it had not been in place, the breach could have impacted millions of taxpayers. Hackers likely started with millions of records, but only actively went after those they were able to obtain sufficient personal data to warrant an attempt on the knowledge-based questions. Likely they didn’t even attempt to breach millions of other accounts.

Beyond increasing usage of the PIV, Schneider says OMB wants to see attributes shared across agencies. If a Defense Department employee goes to Homeland Security, the PIV should be electronically verified before the employee is allowed entry. Today, a visual inspection of the badge is still all that generally takes place.

TOO LITTLE, TOO LATE While it’s been years since OMB has publicly talked about pushing agencies to use the PIV, some vendors are saying that it’s beyond time. “The penetration is tragically low,” says Neville Pattinson, senior vice president for government sales at Gemalto North America. “The government needs to do this, the writing is on the wall, there are so many vulnerabilities and they just lost the personnel records of the entire federal government.” The cyber sprint was a reaction to the OMB breach, but there still aren’t any penalties if an agency fails to comply. “It’s something that should take a higher priority,” Pattinson says. “The agencies need some motivation.” Dinging their budget might work, says Rick Patrick, senior vice president of the Identity Group-North America at Oberthur Technologies. He suggests annual audits, and if the agency doesn’t pass they get less money in subsequent budget cycles until they comply. “The problem is impacting national security,” he adds. Greater accountability of how agencies are using the PIV would also be welcome Patrick says. The FISMA report released earlier this year gave some insight into PIV usage but not a lot of other details. “How many of the agencies are maximizing the full use of the PIV as intended in HSPD12?” he asks. Another issue around the PIV has been the FIPS 201 standard. FIPS 201-2 was release in 2013, yet the special publications that define the specific parts of the standard have not all been updated and test tools developed, says Christophe Goyet, director of Technical Marketing, ID and Government Programs at Oberthur Technologies.

The latest special publication draft was released in May for the PIV interface model (SP-800-73-4). This is only a draft and comments are expected to go back and forth before a final spec is released. From there, test tools will need to be created and finally products can be tested, Goyet says. It will likely be 2016 before cards that are compliant with all the specifications can be approved and agencies can roll them out.

CHANGE FINALLY ON THE HORIZON?

White House executive office deploys PIV The White House Executive Office of the President has deployed PIV credentials for logical access.

It’s been more than a decade since the order mandating a standard identity card for federal employees was issued. Some delays are understandable, but it seems inexcusable for agencies to outright refuse use of the credentials. Perhaps for the first time, however, there is an agency with overarching reach stepping up to push foot-draggers to get on board. OMB seems positioned to make things happen, if they can sustain the momentum provided by the unfortunate OPM breach.

The office has issued roughly 6,000 PIV credentials and they are mandatory for access to the White House network, says Russell “Haj” Ramos with the Executive Office of the President. He addressed the Smart Card Alliance Smart Cards in Government Conference this summer. Contractors that will be there for 90 days or more will be issued a PIV. Interns will also be issued PIV credentials. Federal employees detailed to the White House will have their existing PIV card enabled to work on the network. The importance of the PIV is told on the first day of work at the White House, Ramos says. The employees go through orientation and are then taken to the PIV issuance office where the credential is issued. Background checks are conducted prior to orientation. At the White House, no one is exempt from using the cards, Ramos says.

Certification Training for E-PACS About CSEIP • The Certified System Engineer ICAM PACS (CSEIP) Training and Certification Program provides advanced training for systems engineers configuring and testing E-PACS to align with government-wide specifications • This training and certification is recognized and approved by GSA About the Training • Comprehensive three-day program includes expert classroom instruction, hands-on training using commercial E-PACS equipment and testing for competency on course objectives • Course offers instructor-led training on how E-PACS work, how PKI is managed, and how PIV/PIV-I credentials interface with security systems • Individual test workstations using commercial E-PACS hardware and software provides hand-on exercises for configuration of live PKI-based access control systems • A comprehensive written and practical exam wraps up the program with certificates issued upon successful certification

Who Should Attend? • Commercial security firms looking to sell and install ICAM PACS to GSA managed properties under updated GSA procurement guidelines for vendors and integrators • Physical access control vendors who need to train their employees and resellers about proper steps to configure PKI-based PACS • Government security officials responsible for implementing and operating PACS at their department or agency Meets Federal Requirements and Highest Industry Standards • Certification means that you have passed a rigorous, GSA-approved training program which demonstrates your ability to efficiently and effectively implement PKI and federal ICAM architectures for E-PACs • CSEIPs demonstrate knowledge of the latest security industry standards and meet federal procurement requirements

Learn More Today Visit the CSEIP section of the Smart Card Alliance website for complete training information, prerequisites, exam dates, and a full description of this program; http://www.smartcardalliance.org

TECHNOLOGY ADVANCES IMPROVE PASSPORT ISSUANCE AND CONTROL NEVILLE PATTINSON, SENIOR VICE PRESIDENT FOR GOVERNMENT SALES AT GEMALTO NORTH AMERICA

Without a passport, legal international travel is virtually impossible, but the potential to cross international borders using fraudulent documentation continues to open sovereign nations to major security threats. Rigorous standards to ensure that all international travel documents are valid and legitimate are critical in matters of homeland security. These standards have evolved over the last decade to incorporate technological advances, but it is not clear whether these improvements are being utilized globally to the fullest extent. The International Civil Aviation Organization (ICAO), under United Nations charter, develops standards for passports

Fall 2015

and other official international travel documents. In most nations, standard passports have long since transitioned from paper-based documents. Today secure plastic-laminated papers or fullpage plastics, such as polycarbonate, provide additional surface features to make the passport more durable and far more resistant to tampering or forgery.

In the last 10 years, another major change to the ICAO passport standards is a mandatory transition to machinereadable passports, visas and other travel documents necessary for border crossing. All non-machine readable passports must be out of circulation by November 2015. Typically, a transition to machinereadable cards means the inclusion of contactless smart card technology, which improves security by making forgery even more difficult. A smart-card enabled electronic passport (ePassport) contains both a security key that is unique to the passport and cannot be fraudulently generated as well as an embedded microchip that cannot be read without this security key. The chip contains a duplicate of all the information physically presented on the passport, including name, date and place of birth, and an electronic copy of the passport photo. With an ePassport, border security officials can scan the document through a machine to read the embedded electronic information and quickly determine its authenticity.

The chip also enables rapid automated reading, reducing waiting times and eliminating errors when processing passengers. ePassports feature multiple layers of security to protect an individual traveler’s personal information and photograph for a higher level of security. The chip’s software contains an arsenal of technical measures to ensure any modification is not only extremely difficult but also easily detectable. The data is stored securely and cryptographically signed by the government agency that issued the passport. The passport readers at border crossings verify not only the identity of the citizen, but also the authenticity of the document. If the data has been modified, the digital signature will no longer correspond and the document will be flagged as false. This transition has not been seamless, however. Despite the fact that more than 600 million ePassports have been issued globally – including in the United States – it is unclear whether border control authorities worldwide have reduced their reliance on physical document inspection in favor of electronic checks of the ePassport’s chip. Anecdotal data suggests the number of authorities scanning the chip is far too low. Whether due to lack of proper training, equipment or some other reason, the promise of the ePassport has not been fully realized.

EVISAS OPEN NEW DOORS This is also true of the ePassport’s counterpart: the eVisa. With eVisas, an individual submits their documentation via mail or directly at the embassy for approval by the issuing authority. The applications are then verified via multiple factors that include not only document authentication, but also biometric data as well as automatic crosschecks with national and international databases such as INTERPOL.

PASSPORT READERS AT BORDER CROSSINGS VERIFY NOT ONLY THE IDENTITY OF THE CITIZEN, BUT ALSO THE AUTHENTICITY OF THE DOCUMENT Once all authentications are verified, the visa is issued and logged into a national Visa Information System, a comprehensive database that anticipates all movement of foreign nationals into and out of the country. At the entry point, the eVisa “stamp” can be digitally incorporated directly into the ePassport, again significantly reducing the possibility of fraudulent documentation. Many countries – particularly throughout Asia and the Middle East – have transitioned to eVisa technology. The transition to the eVisa in the U.S. could significantly reduce the ongoing challenge of visa overstays. This year, Customs and Border Protection issued its “Vision and Strategy 2020,” which outlines a number of policy improvements, including international partnerships to implement entry/exit strategies that “promote greater transparency and enable enforcement and interdiction of both travelers and cargo leaving the United States.” The point is a critical one because currently foreign nationals are only logged upon entry through the U.S.

border. Should eVisas be implemented, the technology and security improvements could be vast. eVisas could provide electronic verification of exit that could be automatically recorded in a central database as soon as the visitor steps through the airport gate. The process of obtaining a visa, whether for tourism or for approved overseas work, could be significantly eased for visa applicants, as well. Visas could be securely requested over a smartphone or other mobile device, and after rigorous verification as noted above, the issued visas could be written directly onto a passport’s chip. This would make it even more secure and improve the government’s ability to prevent overstays via the database.

REVISED ICAO STANDARDS IN THE WORKS This technology is likely to become more common further into the future, with the next generation of ePassport standards under development by ICAO. Called Logical Data Structure 2.0, these stan-

Fall 2015

dards will focus on electronic requirements for the rest of the passport apart from the data page, including visas. Additional biometric improvements to international passport standards are also on the horizon. The most recently issued ICAO standards include a new globally interoperable standard for biometric identification of the holder and for the storage of the associated data on a contactless integrated circuit. Biometric identification is most likely to continue to favor mostly fingerprints, but iris scans or facial recognition is also possible. Obviously, protection of an individual’s biometric data against identity theft is a major concern, particularly if a passport is lost or stolen. Currently, the majority of issued ePassports include Basic Access Control protections, to ensure that only authorized parties, such as immigration officials, can wirelessly access the personal information stored on the ePassport’s chip. The ICAO’s Extended Access Control standards are advanced features that protect additional biometric data stored on the passport as well. While Basic Access Control standards are required, Extended Access Control is optional for individual nations issuing the next generation of machine-readable travel documents.

GHANA RAISES THE BAR An excellent example of a country that has fully upgraded its border management technology from end-to-end is Ghana. Ranked among the world’s top-ten fastest growing economies,

Fall 2015

Ghana has outstripped growth in African countries annually since 2008. To steward the country’s booming economy, the government moved migration to the top of its agenda, especially as Ghana becomes an increasingly desirable destination for business investment and tourism. As part of a comprehensive overhaul of immigration procedures, Ghana transitioned from manual, decentralized documentation issuance to a centralized, thoroughly modernized system that is operational at six points of entry. The system includes an online portal for visa and permit requests; eVisa application and issuance; and the integration of biometric identification capture for foreign nationals entering the country to facilitate flow and tracking. Overall, improvements to the integrity and durability of passports and other international travel documents over the last decade have been tremendous. The next step for the international community is to better utilize the technologies that are available, including electronic verification of the passport, automation through borders via e-gates or kiosks, and eVisa usage to better manage the flow of international arrivals and departures.

October 28–29, 2015 • Millennium Broadway Hotel • New York City

EXECUTIVE STRATEGIES FOR SECURITY SUPPLIERS AND PRACTITIONERS

Steve Van Till President and CEO Brivo Systems

Thanasis Molokotos President and CEO ASSA ABLOY Americas Division

MEGATRENDS: CREATING BIG CHALLENGES AND GREATER OPPORTUNITIES Join Steve and Thanasis at SNGTM as they explore five ‘megatrend’ technologies that are inevitably pushing their way into today’s electronic security landscape, and inspiring companies to acquire new customers, defend existing relationships and innovate. REGISTER BEFORE SEPTEMBER 8 AND

SAVE

AT SECURINGNEWGROUND.COM

SPONSORS

INDUSTRY PARTNER

MEDIA PARTNERS

Regarding ID Magazine

re:ID NATIONAL eID SERIES:

DIFFERENT AMERICAS ADOPTION DICHOTOMY SHOWS NORTH AMERICA BEHIND ITS SOUTHERN NEIGHBORS ANDREW HUDSON, ASSOCIATE EDITOR, AVISIAN PUBLICATIONS

The rise of eID credentials is a trend that’s made landfall with countries in virtually every corner of the planet – but not every corner. The reach of eID is yet to completely saturate the globe, as evidenced by the next installment of the re:ID eID series. The Americas lie in direct opposition to one another in terms of their implementation of national eID credentials. South America has a stable of countries, eight as of 2015, with eID credentials. North America, however, is yet to climb aboard. Central America and the Caribbean falls in the middle both geographically as well as in the adoption of eID. Acuity Market Intelligence’s “Global National eID Industry Report,” estimates that annual eID volumes will rise in the Americas through 2017 at which point adoption will taper off – a similar arc that holds true for other global regions. Drivers for eID in South and Central America center on fraud reduction and security, with infrastructure, enrollment and centralized registries being the major challenges.

NORTH AMERICA Let’s acknowledge the elephant in the room – North America is not doing much in the way of eID. “Mexico had ambitious plans that have stalled, and the U.S. is years, if not decades, away from any kind of national ID,” says Maxine Most, principal and founder of Acuity Market Intelligence and author of the eID Industry Report. “Canada may be slightly closer, but not by much. There’s a clear cultural resistance to national IDs in North America.” It’s all about the driver license in North America. “There is no federal-level ID card issued to U.S. citizens nor is there one being planned,” says Mizan Rahman, founder, CEO and CTO of M2SYS. “Driver licenses issued by states and territorial governments have become the de facto identity cards and are used for many identification purposes.”

Fall 2015

Mexico initiated a national ID system for the country’s 110 million citizens in 2011. “They were building a biometric national registry that included a facial image, two iris images and ten print AFIS for all citizens above the age of four. A digital signature would also be captured,” says Most. “Initial enrollments began in 2011 with children from the age of four to 17, with adult enrollment slated to begin in 2013.”

THERE’S A CLEAR CULTURAL RESISTANCE TO NATIONAL ID IN NORTH AMERICA THAT WE DON’T SEE TO THE SOUTH But, as of September 2013, just 15% of the country’s 25.7 million children had been enrolled, and there are no reports of adult enrollment proceeding. In North America eID has been all but completely spurned, Rahman says. “Privacy and protection of civil liberties coupled with a deep misunderstanding of biometric and eID technologies are the largest and most difficult challenges faced,” he says. “Until the general public becomes more accepting of biometrics, eID programs in North America will never materialize.”

SOUTH AND CENTRAL AMERICA Standing in stark contrast, South and Central America has seen a solid number of eID implementations. In the region, there is a need for governments to serve a more sophisticated citizen electronically, says Edgar Betts, associate director at the Smart Card Alliance’s Latin America and the Caribbean chapter. “Most of the national identity cards in the Americas have evolved from paper-based credentials to more sophisticated

Global and American eID card volume forecast Unit Forecasts (millions)

1500 802 1200 681

Global

627

900

741

540 459

600

300 41 2013

43 2014

2015

2016

The Americas 23 2017

19 2018

Source: Acuity Market Intelligence, “The Global Automated Border Control Industry Report”

National eID card volume share (The Americas) 2013

2018 BOLIVIA BRAZIL CHILE ECUADOR GUATEMALA PERU URUGUAY VENEZUELA

2013 - ARGENTINA AND PERU ACCOUNTED FOR LESS THAN 0.01% OF VOLUME

2018 - ARGENTINA, BARBADOS AND JAMAICA ACCOUNTED FOR LESS THAN 0.01% OF VOLUME

Fall 2015

documents that incorporate multiple security features to avoid counterfeiting,” he explains. Another driver for eID credentials is the region’s close proximity between national neighbors. “Easing travel between countries using an ID card is driving adoption, as many countries have bi- or multi-lateral agreements enabling citizens to cross borders without passports,” says Stefan Barbu, head of ID sales and marketing Americas at NXP Semiconductors. “The compatibility with the ICAO infrastructure for electronic documents is both a driver and an enabler.” Still, the main drivers in the region are law enforcement and security, followed by reduction of fraud and abuse. “Several countries have strong policies from government to stimulate the development of the ‘digital economy,’ and the adoption of eID is a fundamental component,” says Barbu. “As an example, in countries like Brazil and Costa Rica there is widespread use of PKI-enabled cards for electronic signature.” Another country that has made strong progress on the eID front is Guatemala. Guatemala issued a polycarbonate chip-based ID card that had full rollout in 2011. To accompany the credential, Guatemala also created a new civil registry with fingerprint and

facial biometrics. The program uses match-on-card biometric capability, contains an electronic signature, and supports e-identity, e-purse and e-vote applications, says Most. Ecuador boasts another sophisticated eID program with multiapplication cards deployed to all citizens. NXP worked with Ecuador to deliver the project, which uses NXP’s SmartMX platform of dual interface chips and applications including eGovernment, banking and public transport, Barbu says. The country of 15 million is deploying a number of digital public services to citizens, companies and organizations. In addition to traditional ID vetting use cases, Ecuador’s eID cards enable citizens to travel inside the Andean Community, perform electronic signature operations, and access social benefit and welfare services provided by the Ecuadorian government.

THE CHALLENGES Despite South and Central America’s willingness to adopt and issue eID credentials, the region has still faced its fair share of challenges. Fragmentation and the lack of centralized registries has been a concern, Betts says. “The use, feature, formats and mechanisms for authentication vary from country to country. These aren’t interoperable, can’t be verified, and yet are often accepted as legitimate documents in neighboring countries,” he says. “The acceptance is mostly through legal agreements among countries that have bilateral trade or regional obligations.” The greatest challenge to implementation is the use of proprietary, non-interoperable identity solutions, Betts says. “Some vendors in the market use proprietary solutions to tie government agencies to their solution, making it difficult to modify or change the established vendors in an identity project,” Betts explains. “This creates a barrier for other countries

BOTH ARGENTINA AND BRAZIL ARE REPLACING CURRENT ID CARDS WITH A NEW SMART CARD THAT INCLUDES DEMOGRAPHIC AND BIOMETRIC DATA

Fall 2015

wanting to adopt an eID system, given the experience of their neighbors.” Another key challenge is access to impartial information during the project scoping process, Betts says. “Most of these identity discussions are done behind closed doors, for ‘security reasons,’ which enables partisan information to enter the public tender,” he explains. “In some cases this has led to significant corruption scandals and a loss of credibility for important government organizations and companies.” Institutional barriers can mire, if not halt completely, eID implementation, Barbu says. “With the increased number of use cases, more government entities get involved in the definition of the eID system,” says Barbu. “This institutional complexity makes the projects much more difficult to take off.” This complexity is reflected in the fragmented variety of national credentials being issued across the Americas. “eID in the Americas has very diverse forms, making it difficult to place the whole region into one category and compare it to the rest of the world,” says Barbu. He points to the different ID types around the Americas: PIV in the U.S. for federal employees; National eID in Ecuador, Guatemala and Chile; Service cards in Canada and Brazil; and driver licenses in Mexico. Cultural considerations aside, the main challenge for countries are the deployment of services associated with eID, Barbu explains. “It is only when these services are in place that a government gets the full benefits in terms of return on investment – cost reduction for the government operations, reduction of waste, fraud and abuse.” For the region as a whole, M2SYS’ Rahman suggests that there are certain cultural challenges that apply across the board. “Cultural and social attitudes regarding data sharing are also important factors,” he says. “Privacy activism in Latin America is on the rise, which might threaten the pursuit of government-run identification systems.”

AN IDENTITY GAP At the heart of the cultural and social considerations associated with eID credentials, is the idea that an identity gap exists between developed and developing countries. Despite the adoption in the region, there are still some South American countries that are lagging in terms of ID technology. But M2SYS’ Rahman believes that the examples are in place for developing South American nations to learn from their neighbors’ experiences. “Formal identity is a prerequisite for development but some Latin American countries are still relying on paper-based identity documents,” says Rahman. “These countries should follow the footsteps of Argentina and Brazil to bridge the ‘identity gap’ and establish a biometric backed national identification system. Both countries have demonstrated that implementing a national ID card system is a smart way to more efficiently distribute social services.”

Both Argentina and Brazil could lead by example as they plan to replace their current ID cards with a new smart card that would include demographic details and biometric credentials. “They want to deal with the increasing rate of terrorist activities, crime and immigration issues,” Rahman says. “These adoptions have strong potential to impact other Latin American countries and influence their decision to adopt similar technology.” Brazil has taken the lead on eID, in part, due to concerns over security in the run-up to the country’s upcoming Olympic games. “It’s a unique situation that motivated them to more comprehensively investigate adopting eID,” Rahman adds. A poor identity system – often a byproduct of the identity gap – is also seen as a good environment for human trafficking, terrorist activities and drug-related crime, Barbu explains. “There are a number of countries experiencing these issues,” he says. “They must invest a lot of effort in modernizing their Civil Registries and ID-related processes nationwide to combat these issues.” Understandably, countries at opposing ends of the identity gap deal with very different challenges. “Developed countries like the U.S. are confronted now on a regular basis with massive attacks on their identity systems. Recent data breaches have compromised the identity data of millions of Americans,” explains Barbu. “This data is much more attractive to criminal organizations as the financial and security impact is significantly higher compared to emerging countries.” Barbu acknowledges the identity gap and sees it impact a country in three ways: Human development: In Latin American countries, poor ID systems expose people to certain types of crime and inhibits their access to welfare programs. Financial exposure: In North America, inability to protect identity data leads to substantial financial risks for citizens. National security: Organized crime and terrorism thrive in environments with poor ID systems. When it comes to national eID, the Americas are a region driven by social, cultural and political motivations. But what sets the region apart more than anything is the clear contrast on the subject by North and South America respectively. Nowhere else is there such staunch opposition to eID, or national credentials in general, than there is in North America. A majority of South America, meanwhile, is following suit trend with countries around the world and adopting eID credentials. In the end, however, the adoption of eID credentials boils down to citizen service. “Identity is important because a person who has an identity will have greater access to basic services such as school resources, healthcare services, transit and more,” says the Smart Card Alliance’s Betts. “Governments must guarantee the basic human rights of all citizens, which includes the right to have an identity.”

Fall 2015

THE THREE PILLARS OF A SECURE ID: CARD MATERIALS, PERSONALIZATION AND ISSUANCE MODELS

There is more than one way to produce a secure identity card. Dye sublimation, retransfer, inkjet, laser printing and laser engraving are all commonly used personalization technologies. And then there is the issuance model. Will card production be centralized or distributed to numerous over-the-counter locations? The choice of card materials impacts both the personalization technology and issuance model. Thus it is crucial that an issuer understand the capabilities of the card materials when evaluating personalization technologies and issuance models. In a very real sense, the three decisions go hand in hand forming the three pillars of secure ID issuance. The majority of high security ID cards are composites, meaning that they are made of more then one type of material. Though 100% PVC cards are common for low security uses, it would not be a choice for government-issued IDs or other mission-critical documents. “A straight PVC card would crack like a saltine in the Sahara,” says Robert Jones, chief scientist at MorphoTrust. Jones explains that secure issuers rely on layered card materials to create composite cards that meet the application’s desired goals. Consider these examples: Straight PVC may be prone to cracking, but layering it with other specialized materials can add flexibility, durability, security and lifespan to the finished product.

Fall 2015

Polycarbonate adds unique personalization-level security options but is often brittle if used alone, a problem that commonly arises when chips are embedded. Synthetic materials like Teslin substrate can deliver durability and antifraud capabilities, but they need to be bonded to another substrate to create a finished card. “The key is to carefully select individual materials to deliver a composite credential that performs optimally,” says Pierre Scaglia, global segment manager for Secure Credentials at PPG Industries. “In this way, you capitalize on the best characteristics of various material components.” As Jones points out and these examples show, composites make the secure ID world go round.

THE MARRIAGE OF MATERIALS AND MODEL For many secure ID programs, the first decision is the choice of issuance model. Will the cards be issued from one or more central production facilities or will they be produced in the field via an over-thecounter, decentralized issuance model? There a commonly accepted pros and cons to each model. Central issuance affords an element of additional vetting time that can enable

stronger background checks and breeder document checks. It can also give an organization more control over document security features. A central facility that produces cards in bulk can focus resources on a small number of powerful issuance stations. Thus, it often has the luxury to embed more advanced security technologies and forensic features into IDs. Security features such as laser engraving and high-end holography are more readily available at centralized facilities than via smaller-scale desktop printing environments. Protection of the card stock and production equipment can also be more tightly controlled when confined to a single or small number of central facilities. All of these factors can be key in efforts to deter counterfeiting, card alteration or illicit production of fraudulent IDs using real materials and technologies. Finally, agencies only need to replenish consumables such as printer ribbons and card stock, store spare equipment and maintain repair services in the single location. But over-the-counter issuance has advantages as well. Customer service is one of the main reasons some issuers choose over-thecounter issuance. Modern printers and personalization systems can enable rapid and secure creation of cards on the spot, and this instant issuance makes customers happy.

With centralized issuance, on the other hand, the credential must be produced and then distributed to the cardholder at a later date. For security reasons, programs often prohibit mailing the card directly to home addresses, instead shipping them back to the local issuing office. This forces the individual to yet again visit the agency or office to prove identity and then claim the ID. Because of the time lag between enrollment and receipt of the credential, a temporary document may need to be issued, adding cost and complexity to the process. So is one model better than the other? “It has been our experience that central issuance security beats local issuance hands down,” says Scaglia. “These are highly secure facilities that can use the most sophisticated security technologies.” He poses the following question: “If you are printing a card via local issuance, how hard do you think it is for a counterfeiter to do the same?” Still, proponents of over-the-counter issuance argue that, if properly designed and operated, either model can accomplish the goal of secure issuance.

CENTRAL ISSUANCE In a central issuance scenario, the type of card materials drives the specifics of the personalization process. Regardless of the material choice, the first round of personalization is typically done on large sheets, for example 18-inch by 12-inch sheets that will ultimately be die cut to produce 21 finished cards. These sheets are fed into a printer to apply fixed graphics such as static background images and other standard security features such as guilloche printing or micro text. In some cases, personalized data – name, ID number, date of birth, photo – is applied at the same time. More often, however, such as when using synthetic materials like Teslin substrate, variable data is added in the separate process using inket or laser printer technology. Many states in the U.S. are using Teslin and central issuance for driver licenses, Jones explains. “The personalized information is laser printed on the Teslin substrate

Myth: Laser engraving is only for central issuance Laser engraving and polycarbonate cards are a popular combo, but it’s not the only pairing. PVC and Teslin can also be laser engraved, says Robert Jones, chief scientist at MorphoTrust. “There’s probably a half dozen states or more using a combination of laser engraving and laser printing for their driver licenses,” he explains. “When you have these two modes of personalization it enhances the security of the card substantially.” And if you don’t want to use laser engraving, polycarbonate can still be an option. There are some issuers using a polycarbonate and Teslin composite card for over the counter issuance, Jones says. “You have a combination of materials that lend themself to a nice, secure, durable card architecture with materials that support a broad range of personalization technologies and security features,” he adds.

and other security features are layered on top of that, sometimes including laser engraving,” he says. When polycarbonate is personalized, the variable data is added later in the process using a laser engraver, often after the cards have been die cut from the larger sheet. Such is the case with the U.S. passport card, a polycarbonate ID that is personalized 100% via laser engraving, says Jones. If contactless chip and antennae are to be used, they are often combined in an inlay that is added as one of the unique layers that in the large sheet. If however, contact chips are included, the integrated circuits are normally embedded after dye cutting. Regardless of the specific steps described above, in the end the finished sheet is laminated and each single card die cut from the larger sheet. Finally, these individual cards are encoded and tested.

OVER-THE-COUNTER ISSUANCE In an over-the-counter issuance model everything is done while the customer waits, and they walk out of the office with a finished ID. Instead of working with large sheets, each facility receives card blanks, which often have certain security features already embedded. The same card materials used in central issuance environments can also be issued over the counter. Most often, however, decentralized issuance models make use of more common dye sublimation or retransfer ID card printers. With Teslin or other composite cards, the personalized data is most often printed on

an outer card layer via dye sublimation or printed on a clear overlay via retransfer. Next, a final polycarbonate or polyester overlay helps to protect the card and the information, explains Scaglia. In other cases, the Teslin substrate can be personalized using inkjet or laser printing and then thermal sealed in a secure layer prior to final lamination. “When you personalize on Teslin substrate and then overlaminate, you have multiple layers of security and the personalization is embedded into the card,” he explains. Polycarbonate cards can be issued over the counter as well, but in order to take advantage of laser engraving issuers would need to deploy numerous desktop laser engravers. These card printers are significantly more expensive than traditional ID card printers, but they do enable some degree cost savings, for example, by eliminating ribbons. Still, deploying a significant volume of expensive issuance systems across a large geographic area can quickly become costly and challenging to manage.

CONCLUSION Choice is a good thing, and when it comes to secure card production, choices abound. The choice of card materials, personalization technology and issuance models each is crucial to a secure issuance, and each has impacts on the others. When properly evaluated, selected and deployed, these three pillars of secure ID issuance can work together to build a strong, fraud-resistant foundation.

Fall 2015

Why connected devices need usermanaged access An appliance that was previously “dumb,” like a refrigerator, can now have sensors and be network addressable. When a user buys a smart refrigerator they are likely to sign up for a number of features including: • Multi-zone temperature settings to keep beer icy cold and lettuce just cool enough • Stock management to lock specific drawers and scan groceries to help users maintain dynamic grocery lists • Alerts that let users know if the eggs have gone bad or if they are out of that icy cold beer • Cameras to check in real time if a user has milk It’s also likely that those same users are subject to features they did not sign up for such as: • Customer insights and profiles detailing which brands the user prefers • Usage patterns that could identify if a user is a heavy drinker • Probability that a user will buy a certain product • Or even being part of a botnet attack – recently a refrigerator was used to send 750,000 spam messages UMA provides a comprehensive, yet simple, open-standard approach to address these issues over a broad and growing set of use cases.

Fall 2015

USER-MANAGED ACCESS ENABLES CONSUMER CONSENT FOR DIGITAL ID EVE MALER, FORGE ROCK AND JONI BRENNAN, KANTARA IMITATIVE

Existing notice-and-consent paradigms of privacy have begun to fail dramatically, and as recent consumer surveys and press reports have demonstrated, people have begun to (ahem) notice. The discipline of privacy engineering aspires to be a craft, but finds it hard to break out of the compliance rut. Enter User-Managed Access (UMA). UMA is an industry standard developed by the Kantara Initiative through an open community process. Through industry expert input and implementation, UMA is now a Version 1.0 Kantara Initiative Recommendation – the highest form of recognition possible in the organization.

HOW UMA WORKS UMA-enabled online services give individuals a unified control point for authorizing who and what can get access to their online personal data – such as email addresses, phone numbers, content such as photos, and services, for example Twitter and electronic health records – no matter where those resources live online.

UMA is built on top of OAuth V2.0 and OpenID Connect. These are the technologies that enable the “Do you want to allow your identity data to be shared from Facebook, or Twitter, with this app?” consent dialog boxes seen on many websites and mobile applications. The Identity Engineering Task Force standardized OAuth 2 in 2012, and the OpenID Foundation approved the OpenID Connect spec two-years later. To these groups, UMA adds two essential elements that change the privacy game: asynchronous consent and centralized consent management. Together, the three standards form a powerful triad of lightweight, enabling technologies that are solving modern identity and access challenges.

UMA IN A CONNECTED WORLD OF PEOPLE, SERVICES AND NOW DEVICES Digital identity has evolved from a world of perimeter-based, enterprise-focused authentication and authorization to a borderless environment where users leverage online personas to access an ever-growing number of resources and services. Resources are no longer merely software-based and virtual, either. Increasingly these resources include Internet-connected devices that deal in sensitive personal data. This new world includes an ever-growing array of devices from computing and mobile to wearables, home automation and beyond. These new data generation points increase the need for individuals to have control over elements of their online identity. UMA is ideally situated to serve this rising need of personal privacy protection.

OAUTH, OPENID AND UMA FORM A POWERFUL TRIAD, SOLVING MODERN IDENTITY AND ACCESS MANAGEMENT CHALLENGES

OP E

OAUTH

NI DC ON N

OAuth is an open standard used that enables institutions to authorize external client applications to access resources on protected servers. It grants access tokens and uses them in a standard way for web, mobile and desktop applications. OpenID Connect is an open specification that enables organizations to federate identity. It adds an identity layer on top of OAuth such that application providers can verify the identity of end users. UMA is a standard that enables individuals to control what attributes are shared with a relying party when that individual attempts to access the relying party’s site or service. Essentially, it fosters privacy by providing a standardized approach to user control in OAuth environments.

CIOs must tackle the “Four P’s” of this newly connected world: Potential – The IoT connected world presents a significant opportunity for connection between people, entities and things. To realize this potential, while minimizing risks, CIOs will need to have a clear understanding of developing technology, services and policy. Patterns – Adoption of IoT devices has a side effect in that it reveals interesting data patterns that can be helpful for users, businesses, and governments. Unfortunately, these patterns can also be helpful for criminals. Think of products like Google’s Nest or the Belkin WeMo that contain settings for use. When usage is reviewed over time, a pattern could reveal when a person is home and when they are on vacation. Privacy – Pervasive collection and use of data with out transparency, accountability and user engagement can be very concerning. Users may feel they are not being respected and could feel “creeped out” about using new technology. Businesses and governments may not know how to protect data appropriately. People – People who use sensor-enabled apps and devices are generating the data that is seen as the fuel for generating opportunities and risks associated with IoT adoption.

USE CASES FOR A CONNECTED WORLD There are numerous benefits to UMA adoption across digital environments. The technology provides flexibility in binding a user to a device and to a corresponding cloud service account. This is essential in the modern world of SaaS architecture, dispersed web services and looming IoT. Additionally, centralization of controls makes UMA userfriendly for consumers. Users can specify what to share across apps and devices they actually use as well as with third parties. Finally, UMA provides a degree of future proofing if protections need to be outsourced to another body due to regulatory or other market changes. The User Managed Access Working Group has published detailed use cases addressing personal data sharing management for scenarios including: health care, personal, finance, media, citizen, academia and more. Solving a critical emerging technology scenario, UMA provides approaches for authorization and management of data resources that will be critical for enabling user engagement in an IoT connected world.

Fall 2015

Criterion: Implement attributeexchange network

MorphoTrust: Secure citizen access to health services

Awarded in 2012

Awarded in 2014

Criterion Systems and its subcontractor ID Dataweb (IDW) were awarded a $3.2 million grant in 2012 to implement projects with IDW’s Attribute Exchange Network. Criterion provides information security, cloud computing and software development to civilian agencies, the Defense Department and the intelligence community. IDW, meanwhile, operates a cloud-based identity verification and credential federation service for consumers, business and government. For the pilot, IDW delivered the system and business model to simplify online identity verification for attribute providers, identity providers and relying parties. “A number of large, high-profile companies and government agencies agreed to participate and pilot the system including Broadridge, GE, the Department of Homeland Security and the U.S. Census,” says David Coxe, CEO of ID Dataweb and co-founder/senior vice president at Criterion Systems. “IDW’s attribute-exchange network provides customers competitive choice to more than 20 attribute providers including Experian, Equifax, TransUnion and LexisNexis,” Coxe says. “On first use, users provide attribute information which is verified via the attribute exchange network at attribute providers selected by the IDW customer web site.”

OUTCOMES

The goal of the pilot was to enable an online identity ecosystem and validate a viable business model using the attributeexchange network as an interoperable, user-centric identity service infrastructure. Using the IDW attribute-exchange network, Criterion successfully demonstrated that federation of interoperable credentials benefits an identity ecosystem, Coxe says. He says they’ve “successfully graduated from the NSTIC program” and two participants in the pilot, Broadridge and GE, are still using the attribute exchange network. The government agencies, however, have not yet released requirements on how they will use such a network.

LESSONS LEARNED “These benefits manifest whenever relying parties leverage the attribute exchange network since individuals voluntarily choose to use a secure, interoperable, and privacy-enhancing credential – OpenID, SAML, smart identity card or cell phone digital certificate,” explains Coxe. “The attribute-exchange network business model is critical to overcoming historical implementation barriers and expanding the participation of relying parties,” says Coxe. “The attribute-exchange network provides relying parties, ID providers and attribute providers a common gateway to interact using a one-to-many relationship model that reduces barriers to entry in the Identity Ecosystem.”

Fall 2015

MorphoTrust USA offers solutions throughout the identity life cycle, including the enrollment of trusted identities, the issuance of electronic and physical credentials and the verification and authentication of those credentials. The company and its partners, including the North Carolina Department of Transportation and Health and Human Services, received a $1.47 million grant in 2014 to create an electronic ID for accessing online services that would offer the same level of security, privacy protection and identity authentication as in-person transactions. The project is going well and has been awarded a second year of funding, says Mark DiFraia, MorphoTrust’s senior director of market development. “We’ve been doing a combination of deliverables through the project as funded by NIST, as well as conducting our own internal research and development.”

OBJECTIVES

Prove that an eID could be created that carries the trust of a driver license and could be used to eliminate inperson identity proofing requirements for transactions Demonstrate that trust could be elevated using facial recognition biometrics as part of a multi-factor authentication process Find a framework through which state and commercial entities could trust each of these eIDs and transactions

MorphoTrust views the NSTIC project as step one. The ultimate goal is to build a system that can be used and trusted by government agencies and commercial entities, DiFraia says.

LESSONS LEARNED “I think the biggest lesson that we’ve learned is just how important privacy is in this whole dialogue,” says DiFraia. “Personal privacy, the protection of PII – individual’s personal information – is really paramount.” Privacy must be thought of before the project even begins, DiFraia says. “It’s actually the consideration that you use to build your entire solution around,” he says. “More and more project teams that are working with personal information are adding dedicated staff members specifically focused on the privacy concerns of the solution.” DiFraia says the next step for the project is delivering a mobile app that will house this electronic ID for users. “We’re at a point now where we’re actually seeing the handset photo being taken, and we’re able to start to see some of the biometric matching results,” he says.

ID.me: Deploy privacy-enhancing authentication engine Awarded in 2013

ID.me was granted $1.2 million in 2013 to pilot trusted identity solutions around its digital authentication engine Troop ID. The company initially focused on military members and their families but has expanded to include first responders, teachers and students. ID.me is a digital identity network that enables consumers to prove who they are online while controlling how their information is shared with brands, says co-founder Matthew Thompson. “For participating organizations, ID.me acts as a trusted intermediary capable of verifying consumer identity and group affiliations in real-time.” Services include retail, financial, government - and soon health care. More than a million customers now use ID.me credentials for online discounts and benefits. The pilot is in year two of funding and is in the process of extending its identity and attribute service to operate as a fully certified FICAM Level of Assurance one through three interoperable credential. “This will enable our user population to cross the chasm from the retail environment to higher risk, higher value resources, services and benefits provided by governments and commercial organizations without having to create new credentials at each relying party,” Thompson says.

AS A RELYING PARTY FOR FEDERATED DIGITAL ID, UNDER ARMOUR INCREASED ITS AFFILIATE REVENUE BY DOUBLE DIGITS

OUTCOMES

Membership has tripled and the number of relying parties using the service has increased more than 150% Results were published showing the impact that federated identity solutions can have on relying parties’ revenues. For example, Under Armour’s customer base expanded and 30% of revenue growth in the military and first responder market came via the project. ID.me can now provide federated logon for government services after being certified by Kantara as a credential service provider.

LESSONS LEARNED An impediment to secure digital credentials has been the lack of accreditation and trust marks, says Thompson. “The establishment of commercially recognized accreditation and trust marks will speed adoption,” he adds. Obtaining a credential also can’t be an arduous task. “Reducing friction associated with user on-boarding is key to increasing the adoption of trusted credentials,” Thompson explains. “ID.me’s network provides a channel for users to enter with minimal friction by establishing a LOA-1 identity credential.” “This network also allows users to bring tokens from other IDPs at the LOA where the IDP is approved,” explains Thompson. “The user’s credential is then elevated gradually as the user encounters relying parties within the ID.me ecosystem that require higher levels of assurance.”

Fall 2015

GTRI: Develop Trustmark framework for online ID Awarded in 2013

UK’s version of NSTIC: Verify Citizens of the UK and the U.S. have some things in common, a love of fried foods, good ales and no national ID programs. While other countries issue national ID cards that can be used for in-person and online verification for different services, both U.S. and UK citizens have opposed such efforts. Instead, both countries have embarked on initiatives to provide consumers a better way to secure online identities. In the U.S. there is the National Strategy for Trusted Identities in Cyberspace and in the UK it’s Verify. While both projects have the same goals they are going about it in very different ways. NSTIC is working with the private sector to catalyze digital identity in the U.S. Across the pond, Verify is planning to enroll all 49 million UK citizens and have them use it for access to government services. “It’s the most ambitious identity effort on the planet,” says Don Thibeau, executive director at the OpenID Foundation. The organization’s OpenID Connect is one of the standards being used in the Verify project. “The government is committed to it and they know it’s the only way they can meet the needs of citizens,” he explains. The UK government is building the online verification component of the system. To be verified, citizens must choose which identity provider they want to use, provide a valid passport or driver license number, and answer a set of questions. With this system, the identity provider handles all personal information, such that the government doesn’t store any personal data. The system also requires a mobile or landline number. Verify sends a one-time password to the phone to link the number to the citizen. Subsequently, it can be used for two-factor authentication on future logins. The initial verification takes 10 to 15 minutes with subsequent logins taking less than a minute. The project is in Beta now and will soon see close to 1 million citizens testing the system, Thibeau says. The applications are all government-to-consumer but the hope is to expand the project in coming years. Emma Lindley, founder and managing director at Innovate Identity, says Verify will make a lot of government tasks easier. She gives an example of trying to get a handicapped placard for a car. The old fashioned way could take 10 days and lots of paper work. With Verify, however, the citizen will go online, apply for the parking badge and consent to share required attributes with the local jurisdiction. “It takes the application process from 10 days to just 10 minutes,” Lindley says.

Fall 2015

Georgia Tech Research Institute (GTRI) is the applied research arm at the Georgia Institute of Technology. In 2013, GTRI was awarded $1.7 million to develop and demonstrate a Trustmark Framework for the Identity Ecosystem. “So many trust frameworks exist today. As you can imagine, this can lead to trust frameworks or federation silos that don’t trust or interoperate with each other,” says John Wandelt, research fellow at GTRI and executive director of the National Identity Exchange Federation (NIEF). “We ran into this challenge firsthand with the NIEF, which started out as a collection of law enforcement agencies in the United States sharing sensitive information.” The GTRI team took the view of a trust framework as a set of components that can be standardized for reuse in different business contexts. The first involved developing the trustmark framework. In year two, GTRI began piloting the framework in the NIEF. The project has been extended through April 2016. “We are now working to roll out to mental health and substance abuse councils in Alabama to facilitate the sharing of information to support the continuity of care for prisoners reentering into society,” Wandelt says. “This is just one example where different communities of interest, operating under different rules, need to trust and interoperate.”

OUTCOMES

Developed a framework to facilitate greater trust and interoperability of trustmarks across the Identity Ecosystem Crafted more than 60 unique trustmark definitions Issued more than 90 trustmarks to NIEF organizations Developed software tools for defining, assessing, managing and facilitating trustmarks

LESSONS LEARNED “It works, with real agencies signing trustmark agreements with real transactions and trust decisions being made,” says Wandelt. “Getting the granularity and componentization right for reuse is important. Bridging strategies is important for adoption. “With any new technology, on day one you need to figure a way to make it usable with the existing infrastructure and products that are deployed,” he explains. “We had to figure out how to use trustmark technology without requiring custom changes to existing products.” Associated with each trustmark is a set of conformance criteria and assessment steps that must be satisfied prior to someone earning a trustmark, says Wandelt. “For example, in order to earn a particular privacy trustmark, you might have to demonstrate that you have implemented a privacy policy for minimizing the collection, use, and dissemination of user data,” he adds. “One of the challenges is that there is a lot of informal trust being leveraged among partners today, and formal policy documentation is weak or non-existent. So in order to be able to issue trustmarks, we often have to assist the trustmark recipients to get their house in order so they can legitimately earn them.”

TSCP: Test trusted credentials for financial services Awarded in 2013

The Transglobal Secure Collaboration Participation Inc. (TSCP) was awarded $1.26 million in 2013 to deploy trusted credentials for conducting secure transactions among small and medium-sized businesses and financial service companies, such as Fidelity Investments and Chicago Mercantile Exchange. TSCP was charged with developing an open source, technology-neutral Trust Framework Development Guidance document to help guide cross-sector interoperability of online credentials. TSCP is a non-profit technical trade association that relies on a government-industry partnership to accomplish managed trust through a federated Trust Framework. The association consists of defense industry stakeholders who want to address security issues, like finding ways to securely share documents and trust each other’s issued credentials. “TSCP has graduated from our second year NSTIC funding, and we are offering an operational Trust Framework to our members,” says Keith Ward, president and CEO at TSCP.

OBJECTIVES 1. 2. 3. 4.

Increase use of secure credentials for commercial Internet transactions Expand a community Trust Framework to encompass other communities within the Identity Ecosystem Enable operational federation through a commonly developed and accepted multi-lateral agreement model Unify PKI and non-PKI Trust Framework

OUTCOMES

Piloted PIV-I credentials with Fidelity’s Net Benefits application to prove the technical capability of using strong corporate credentials to access 401k accounts Built out the TSCP Trust Framework for levels of assurance two through four Created the Trust Framework Development Guide Pinpointed the challenges of large financial organizations adopting federated identity solutions

LESSONS LEARNED Using a trust framework from one market in another can make deployment a little easier, says Ward. “Using an existing trust framework proven in one sector as the basis for a trust framework for another sector accelerates the development process,” he explains. “Using TSCP’s Trust Framework as a base combined with our experience, we could explain and bootstrap individuals up to a common level of understanding.” Education for executives is requisite for federated ID systems. “Do not underestimate the need for significant Identity Access Management education for the decision makers. Many organizations are not organized to focus on identity management,” Ward says. “As a result, there is typically no cohesive set of internal policies and standards. Performing real-time technology demonstrations and a pilot is key to opening meaningful dialogue with relying party decision and policy makers.”

Fall 2015

Daon: Authenticate seniors via mobile biometrics

Confyrm: Prevent account takeovers by ‘sharing signals’

Awarded in 2012

Awarded in 2014

Daon provides identity assurance software for governments and enterprises, with a focus on mobile biometric authentication. In September 2012, the company was awarded a $1.8 million grant to explore how senior citizens could benefit from secure digital identity. Major goals were to test the willingness of users to accept the credentials and the willingness of relying parties to move to external identity providers. “The pilot established a federated identity service around Daon’s Identity X strong credentialing platform that could be used by a variety of relying parties,” says Cathy Tilton, former vice president of Standards and Technology at Daon (since this interview, Tilton has moved to a position at CSC). Team members included AARP and the American Association of Airport Executives. AARP members were able to access their health records using mobile biometric authentication. The pilot concluded in April 2015 and neither relying party has any active users. Both the AARP and AAAE are using the pilot experience to redefine future identity strategies.

OUTCOMES Daon built out that federated identity, Trust X, and deployed it within several operational pilots. “We were researching mobile biometrics and privacy enhancing technology. That was very successful,” Tilton says. “We had real people using the system and we also looked into the privacy and security aspect of that.”

LESSONS LEARNED “Relying parties are generally conservative, and they’re not necessarily willing to jump into the use of third party identity providers and federated identities for their higher assurance levels,” Tilton says. “Identity within a relying party’s organization does not reside within a single entity. Many stakeholders in an organization get involved in that, and so the process that you have to go through to introduce any change is very slow. “There are some implications of interoperability that aren’t immediately apparent,” Tilton explains. “The fact that a user could use the same strong credential at multiple relying parties – wasn’t necessarily seen as a benefit. Some relying parties saw it as a competitive disadvantage, ‘Why would I go through the trouble of working with an identity provider to issue strong credentials to my customers, but then let my customer can use it at my competitor?” “Also, if you have a credential that’s used across multiple relying parties, and one relying party decides to block that subscriber, how does that affect the other relying parties?” Tilton asks. “Interoperability is a great thing, but especially at the higher strength levels it presents unforeseen challenges.”

Fall 2015

Confyrm was awarded $2.4 million in 2014 to demonstrate ways to minimize loss when criminals take over online accounts or create fake accounts. The project aims to tackle a key barrier to federated identity: knowing whether accounts used in identity solutions are legitimate and being controlled by their rightful owner. Confyrm will demonstrate how a “shared signals” model can mitigate the impact of account takeovers and fake accounts through early fraud detection and notification, says Andrew Nash, founder and CEO at the company. The company is working with partners to build out use cases for sharing information between enterprise, consumer and government participants. The premise is simple. If an ID provider notices a password change or suspicious behavior, this system would take action. Google demonstrated Confyrm’s system at the Cloud Identity Summit in the instance of a password reset, Nash says. The demo showed a user legitimately changing a password, as well as what happens when the user visits sites that had previously been federated with that identity. Depending on the type of transaction the user attempted to conduct, different actions were required. If the user was simply looking at information, no further action was necessary. But if a purchase was being made or a risker transaction conducted, more information would be requested of the user. “What we’re doing is sharing account level information that allows you to understand this inter-network or connection of all of these accounts that you have built up over time,” Nash says. “This shows how something that happens to one account manager might be useful for another to know in order to keep you safe, but we want to do this while hiding your identity to the best of our ability.” Little information has been released about the pilot partners, except that they include an Internet email provider, a mobile operator, a financial services company and multiple e-commerce sites. The pilot is in the early stages, so no outcomes are available. “We are actually providing value that is independent of identity technologies, protocols and infrastructures,” Nash says. “We can improve the value of really basic password-based systems right now so we can make an impact over the next year or two that will directly improve the trust and the confidence in consumer identities.”

LESSONS LEARNED The most important thing is to keep the technology simple, Nash says. If an ID provider notices a breach or abnormal behavior, it must make sure to communicate that simply to the user.

Privo: Secure kids’ identities online Awarded in 2013

Privacy Vaults Online, Inc. (PRIVO) certifies client compliance with regulations related to children’s privacy. The company delivers services for registration and parental permission management. PRIVO was awarded $3.2 million in 2013 to pilot tools for keeping families safe online and helping service providers comply with the Children’s Online Privacy Protection Act (COPPA). The end goal is a solution that provides families with COPPA-compliant, secure credentials. PRIVO will be working on deliverables through the end of the year. “When we deliver this framework, it will address both COPPA for commercial purposes and the Family Educational Rights and Privacy Act (FERPA) for education,” says Denise Tayloe, CEO and co-founder of PRIVO. “It will house a directory of compliant relying parties, identity providers, attribute providers and a new type of provider that our framework addresses, consent management authorities.”

OBJECTIVES

Build the Minors Trust Framework Refactor PRIVO’s existing technology and map it to the Minors Trust Framework, enabling the company to deliver parental consent at Internet scale Create curriculum explaining consumer data privacy rights and responsibilities surrounding custodial account management, a social responsibility program for employers and a lesson plan to teach kids to create safe passwords.

LESSONS LEARNED “You really have to take into consideration impacts on the organizations that are attempting to consume these credentials. It is not easy for relying parties to drop what they’re doing, change a behavior and adopt new privacy preserving capability,” says Tayloe. We learned that kids don’t know their parent’s email address, explains Tayloe. “In the world of COPPA, you’re reliant on a child to initiate the process, and you can only collect an online identifier from a child in order to do that.” “Anytime you’re dealing with somebody other than the originator of the account – i.e., a parent has to consent for a child for disclosure of their information – you have drop offs along the way,” Tayloe explains. “So usability is really critical, and I don’t believe that we budgeted enough within our own pilot to handle the actual streamlined nature of what we need to deliver to the marketplace to get widespread adoption. So we’ve been back refactoring the new stuff as we’ve been trying to take it to market.”

Fall 2015

FAKE COMPANY LURES HACKERS TO DECIMATE SMALL BUSINESS It took less than one day for the Jomoco Coconut Water Company to be overtaken by hackers. Hour by hour, Jomoco employees watched as they lost control of their emails, social media accounts and credit cards. The little company was swiftly decimated by strangers lurking on the internet, and that was the plan. The idea to create a fictional business was hatched a year and a half earlier at CSID, an identity protection and fraud detection firm. CIO Adam Tyler started talking about how easy it would be to exploit a small business online. He leads analyst teams that seek out communities on the dark web where identity information is bought, sold and traded. “If you were running an email hosting server, a basic web server, or even just running a business through your Gmail account, he had a number of hypotheses on how you could go about exploiting that company,” says Joel Lang, development director at CSID. So, the team decided to build a case study. Their experiment was accepted as part of the speaker agenda at South by Southwest 2015, a major technology conference held annually in Austin, Texas. Three CSID team members got to work creating what looked like a legitimate business. They built a backstory around a company that sells exotic coconut water. They combined the first two letters of each of their names – Joel, Morgan and Cody – to come up with the business name Jomoco. Then, they set up a website and an email server. “We created a handful of fake personas for employees at Jomoco. We created their email addresses, social media accounts, gaming accounts – things like Xbox Live,” Lang says. “We created some email streams between them so that if someone were to access the email accounts, he’d be able to see actual strings of conversation.” They also took out pre-paid credit cards, and that’s what they were aiming to have exploited. “We were hoping that the information that we would exchange on these private email threads would be exploited by the bad guys,” he adds. The prep work took about a month and a half. The main cost was the few hundred dollars spent on pre-paid cards. Jomoco launched in early March, two weeks before the South by Southwest conference. “The trick here was putting the exposed information in the right place at the right time so it could be picked up by the bad guys,” Lang says. The scenario involved a Jomoco employee who was a prolific gamer. The employee’s Jomoco email and password were exposed during the breach of an Xbox gaming forum. “The

Fall 2015

THANKS TO ONE EMPLOYEE’S REUSE OF A SINGLE PASSWORD ACROSS MULTIPLE ACCOUNTS, IT TOOK LESS THAN ONE DAY FOR EVERY COMPANY SERVICE TO BE HIJACKED password on that Xbox Live forum was the same password she used to access her Jomoco corporate email account. We took that exposed information from the fake data breach and put it on a site that is known to traffic in this kind of information.” Thanks to one employee’s reuse of a single password across multiple corporate and personal accounts, it took less than one day for every account related to Jomoco to be hijacked. Within a couple of hours, the website went down. The pre-paid AMEX and VISA cards were soon maxed out, then social media profiles were taken over. “When the data breach of the online gaming forum happened and that password was exposed, one of the emails that she mailed off to her boss contained the email server password,” Lang says. “That resulted in the taking over of the website and the email accounts. So as far as password management goes, don’t reuse passwords. Figure out some secure way – some kind of two-factor way – of sending passwords to people, like emailing a username to somebody and texting them the password.” Jomoco has been retired. CSID analysts were able to reassert control over the various fictional accounts and shut them down. The CSID case study, “Hacking the Hackers,” sheds light on how damaging one security breach can be. Lang says conference attendees were taken aback by how quickly an exploit can happen once sensitive information has been exposed. “I think what we really learned is no matter the size of the third party data breach, someone is going to get hurt – whether it’s a really small mom and pop business or some big company,” Lang says.