



Bringing security to your world

Delivering ID programs that fit your country Government identity solutions from HID Global. The right interoperable products, the right field-proven brands like LaserCard® Optical Security Media (OSM), ActivIdentity® Credential Management System and FARGO® ID card printers and encoders. Tailored processes backed by years of the right design and integration expertise. We power the world’s most secure ID credential programs — including the US Green Card. We’re HID Global. Learn more at hidglobal.com/citizen-ID


Whatever you need for a secure ID card program, you can get it from a Datacard® system. Datacard Group offers ID card printers, software and supplies — plus 40 years of experience and the support of authorized Datacard providers worldwide. To contact a provider near you, call +1.800.621.6972 or visit datacard.com/id. Datacard is a registered trademark and/or service mark of DataCard Corporation in the United States and/or other countries. ©2012 DataCard Corporation. All rights reserved.

Print and encode your cards in volume!

The flexible printing system for centralized personalization of plastic cards Quantum is a true desktop machine to personalize plastic cards in high volume. Innovative. Efficient. Modular.

Quantum is user-oriented. The printer is designed to ease and speed up operating and maintenance tasks.

Quantum optimizes your card personalization process. The system is shipped with distinct encoding and printing modules. The encoding module is reversible: you print and encode one card in a single pass without flipping it over.

Quantum is the affordable alternative to expensive industrial machines!





Cover story Prior to the release of the National Strategy for Trusted Identities in Cyberspace the term identity ecosystem wasn’t widely used. But in the year since the NSTIC release, the term is often spoken but rarely defined. The cover story attempts to remedy that, defining the components and highlighting key issues yet to be tackled to deliver on the promise of an identity ecosystem.


Cloud-based physical access control Taking computer applications to the cloud is all the rage, but physical access control has been late to the game. Deployments of cloud-based physical access systems are just now starting to emerge. One high profile General Services Administration building in Iowa could link other federal buildings to the shared system. Is this the next great revolution in physical access?


EMV approaching MasterCard and Visa insiders help clarify their approaches to EMV in the U.S. but that doesn’t mean hitting the initial April 2013 deadline will be easy. The aggressive expectations and timelines for acquirers and merchants are detailed, and insiders predict how the U.S. rollout will differ from the rest of the world.




Open-loop transit Tokens, cash and proprietary magnetic stripe or contactless cards have been the norm for users of public transportation systems around the globe. But this is starting to change as transit agencies seek to save money and reduce workload by enabling commuters to pay with the new generation of bank-issued contactless cards.

ID Next Gen The first iterations of online identity have failed, and it’s time to think about what’s next and how the pieces should fit together. Identity Next-Gen won’t completely abandon what exists today, but it must address attribute leakage and privacy concerns for consumers while still attracting merchants and service providers.

Summer 2012



6 | Perspective | The identity ecosystem
8 | ID Shorts | Highlights from the web
26 | Cover Story | What is an identity ecosystem?
34 | Issues | Researchers test privacy and mobile ID
36 | PACS | Physical access control goes to the cloud
40 | Gov ID | Contractors fear PIV-I gutted by current OMB regs
42 | Border Control | Biometric border crossing goes multi-modal
44 | Issues | Obama wants mobile strategy
46 | Mobile ID | Enabling smart cards on Apple devices
48 | EMV | First U.S. EMV deadline approaches
50 | Transit | Open-loop transit on the rise
54 | Airport ID | TSA automates ID and boarding pass authentication
57 | Security | Smart card systems targeted by hackers
58 | Innovation | Entrust enabling mobile ID technology
60 | Digital ID | Identity reassembled
64 | Review | Moneto for iPhone 4

INDEX OF ADVERTISERS
2 Evolis www.evolis.com
5 AOptix www.aoptix.com/iris-recognition
7 CSC www.csc.com/identitymanagement
23 Lumidigm www.lumidigm.com
33 Entrust www.entrust.com
41 Digital Identification Solutions www.matica.us
45 Salto www.saltosystems.com
55 The CBORD Group www.cbord.com
67 Datacard Group www.datacard.com/id
68 HID Global www.hidglobal.com/future-REID

Dynamic Duo The New AOptix InSight® Duo Combines the Performance of Iris and the Utility of Face

The AOptix InSight Duo is the first and only system to simultaneously capture both an ISO / ICAO compliant face image and one or two ISO-standard iris images. The fast, automatic, non-contact capture takes mere seconds and is effortless for subjects, and if present, operators. Bringing seamless multi-modality and potential for biometric fusion, InSight Duo heralds a new era in conclusive authentication for identity-dependent applications including aviation security, expedited passenger processing, transportation, and border security.

For a demonstration or more information, please contact us or visit us online at www.aoptix.com/iris-recognition © 2012 AOptix Technologies T. 408.558.3300



EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com EDITOR Zack Martin, zack@AVISIAN.com ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com CONTRIBUTING EDITORS Ryan Clary, Liset Cruz, Jill Jaracz, Gina Jordan, Ross Mathis, Denise Trowbridge ART DIRECTION TEAM Franco Castillo, Ryan Kline ADVERTISING SALES Chris Corum, chris@AVISIAN.com Sales Department, advertise@AVISIAN.com SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2012 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com.




Ask the Average Joe about identity attributes and he is not going to know what you’re talking about. The same goes if you ask him about relying parties or trust frameworks. Think about how you would explain an identity attribute to a friend. “Well, it’s your name, email address, physical address, that sort of thing.” “How is that different from my identity?” he would ask. And then you try to explain the differences, ignoring the fact that his eyes have glazed over and he is no longer listening to you. As I dived into the weeds for this month’s cover story on the components of an identity ecosystem, I learned a lot. While those creating the ecosystem are concerned with the details, I realized that consumers aren’t going to care. They just want two things: something that’s easy to use and secure. If it isn’t both of these things, it will not be used. The idea behind the National Strategy for Trusted Identities in Cyberspace is to come up with a solution that is easier and more secure than user names and passwords. I hope that the vendors and organizations involved with putting together the ecosystem remember this and make sure end users don’t have to jump through a dozen hoops to get the new identity to work on their banking site, pay for utilities and log on to social networks. The new identity must be seamless and perform tasks in the background such that the user doesn’t realize anything is happening. Insert a card, enter information into the mobile, download a certificate or use one of the other form factors that should be available. The rest should be invisible. I know this isn’t easy to set up and some of the technical details that go into creating the ecosystem are complex. I just hope that these complications aren’t forced on the end user. If they are, I fear we will be stuck with user names and passwords for a lot longer.

THE ISSUE WITH ATTRIBUTES Part of this complexity surrounds attributes. These individual pieces of identity information are crucial, yet most people don’t understand their value. Because of this, they are too often given up with little concern – a problem known as attribute leakage. Facebook is one of the most visible offenders when it comes to attribute leakage. The Facebook Connect feature replaces the need to create an entirely new login and instead, a user can extend his Facebook login, using it to access participating sites. But in addition to login details, the user’s name, location, friends and other personal information is often shared. While some are unhappy with that leakage, the alternative – another username and password – may be less attractive. I have major issues with it. But at the same time I am so frustrated by the multitude of logins that I have opted in a handful of times. An identity ecosystem would presumably fix attribute leakage, giving only the necessary data to the relying party while making sure it’s clear to the end user what information is being given up. It’s going to be interesting to see whether Web operators will be willing to deal with less information than a Facebook Connect type of system.

BRINGING RELYING PARTIES TO THE TABLE Another concern with the identity ecosystem is around relying parties, those organizations who will accept and consume these new credentials. Officials with the Open Identity Exchange and the NSTIC project management office say that more relying parties must be brought to the table. Having covered the smart card and identity industries for more than a decade, I am all too familiar with the chicken and egg problems that have plagued this industry. Will relying parties step up to accept the new credential even though utilization will be low to start? Will credential issuance providers step up when there are few relying parties?

Ultimately life will get easier for the relying parties because they won’t have to deal with identity management systems and the hassles that go along with them. For credential issuers there’s an untapped market in high-assurance IDs. Everyone should win. But clearly, everyone needs to be at the table to make sure an identity ecosystem succeeds. Enjoy the latest issue of Re:ID and let me know your thoughts: zack@avisian.com.



OF A DOUBT Government and business rely on trusted identities. Whether you are protecting vital information or securing a border or critical infrastructure, you need to establish, with absolute certainty, that someone is who he or she claims to be. At CSC, we deliver comprehensive identity management solutions that not only provide foolproof identification but also rigorously protect the personal information of citizens and customers. Drawing upon our worldwide identity management experience, we seamlessly integrate the latest technologies, systems, policies and business processes into a solution that is secure, efficient and, most of all, trustworthy. CSC Public Sector CSC.COM/IDENTITYMANAGEMENT CSC





GPO REACHES E-PASSPORT MILESTONE The U.S. Government Printing Office (GPO) has produced 75 million electronic passports at its secure production facilities in Washington, D.C. and the Stennis Space Center in Mississippi. The e-passport program launched in 2005 and includes an integrated microprocessor chip, antenna and numerous security features. GPO and the Department of State developed the U.S. e-passport in response to the requirements for Visa Waiver Program countries in the 2002 Enhanced Border Security and Visa Entry Reform Act. The Department of State loads personal information, including the traveler’s photograph, digitally onto the chip in each passport. This is the same data that is visually displayed on the photo page of the e-passport. No personal data is handled by GPO or its suppliers.


HID, IRIS ID FUSE BIOMETRICS AND NFC Iris ID Systems, formerly LG Electronics’ Iris Technology Division, and HID Global announced that the IrisAccess iCAM7000 can be used with select near field communication-enabled BlackBerry 7 smart phones. The BlackBerry Bold 9900/9930 smart phones with HID Global’s iCLASS digital credentials will be compatible with the installed base of iCLASS readers that are embedded in the iCAM7000 series iris reader.

Using an NFC-enabled BlackBerry smart phone, the iris template of a user is stored on the iCLASS credential on the phone instead of on a smart card. That credential can then be presented for authentication by simply holding the NFC-enabled BlackBerry smart phone in front of an iCAM7000 series iris camera, just like users do today with a physical iCLASS smart card. The iris camera then matches the presented iris against the template stored on the phone to grant or deny access. Pilot programs using BlackBerry smart phones activated with iCLASS digital credentials and iris identification are planned for later this year. HID Global expects that its embedded iCLASS technology will be generally available for the BlackBerry Bold 9900/9930 and BlackBerry Curve 9350/9360 smart phones later this year.





With many national governments and businesses such as airports and hotels moving toward e-passports and biometric identification, CIA agents and other countries’ covert operatives may have problems moving around the world under assumed identities. Before 9/11, undercover agents could easily use multiple false passports when moving around a foreign country. Today, if an agent has to undergo biometric scans upon entry to a foreign country, he is tied to the identity on the passport. Businesses like hotels and car rental agencies request passport information upon check-in and share it with local immigration authorities on a daily basis, meaning that someone who enters the country under one name can’t show up on a registry under a name that hasn’t entered the country. When the CIA is working alongside a foreign intelligence agency, this isn’t as much of a problem, but when it’s conducting an operation unknown to a foreign country, this can become an issue. Other countries’ intelligence agencies are facing similar problems, including Israel’s Mossad. To combat the technology, according to Gizmodo, the CIA has stepped up its recruiting of locals in foreign countries who have access to systems like immigration records, but the agency won’t say what its thoughts or plans are regarding getting around the new e-trail.

ASIS 2012 September 10-13, 2012 Philadelphia Convention Center Philadelphia, Pa.

Biometric Consortium Conference & Biometric Technology Expo September 18-20, 2012 Tampa Convention Center Tampa, Fla.

MRTD 2012 Eighth Symposium and Exhibition on ICAO MRTDs October 10-12, 2012 ICAO Headquarters Montreal, Canada

Cartes 2012 Exhibition and Conference November 6-8, 2012 Paris-Nord Villepinte exhibition centre Paris, France

The 11th Annual Smart Card Alliance Government Conference November 28-30, 2012 Walter E. Washington Convention Center Washington DC

2013 Payments Summit February 5-7, 2013 Grand America Hotel Salt Lake City, Utah

ISC West 2013 April 9-12, 2013 Sands Expo and Convention Center Las Vegas, Nev.

CTIA Wireless 2013 May 21-23, 2013 Las Vegas, Nev.





The Centers for Medicare & Medicaid Services (CMS) selected Experian and Symantec’s joint two-factor credentialing product for remote identity proofing and multi-factor authentication. This decision is part of SAIC’s $78 million contract to help CMS solve problems in conjunction with serving the uninsured population. The joint credentialing product cuts down on fraud risk and gives more than 35 million U.S. citizens secure online access to the State and Federal Health Insurance Exchange. The system complies with NIST SP 800-63-1 at Level of Assurance 3. The product draws on Experian’s Precise ID platform and Symantec’s Validation and ID Protection Service. Precise ID provides risk-based identity proofing through a multi-factor risk assessment. The cloud-based Validation and ID Protection Service allows CMS to provide secure online access and transactions, enabling compliance and reducing fraud risk, through one-time passwords generated by the user’s credential.

The Defense Advanced Research Projects Agency (DARPA) is recommending the elimination of password usage in favor of biometric recognition. DARPA said on its Active Authentication site that complex passwords are too cumbersome to create, remember and manage. Additionally, active sessions do not have the capability to recognize whether the current user is the one who was originally authenticated. Rather than rely on one-time, two-factor authentication, DARPA believes that it should implement a system for continual user verification based on behavioral traits such as individual typing style. To that end, DARPA solicited responses for its Active Authentication program, which were due at the beginning of March. This program will start with a research phase, followed by work that will combine biometrics and new authentication methods to be used on Department of Defense desktop and laptop computers.



ACTIVIDENTITY PRODUCT TARGETS BANKS ActivIdentity has added a fraud detection service and authentication capabilities to its 4TRESS Authentication Appliance. Targeted to the banking industry, 4TRESS offers multi-layered strong authentication for both network and cloud services. 4TRESS provides real-time fraud prevention and helps banks protect against cyber attacks and meet FFIEC regulations. It delivers two-factor authentication through a device ID coupled with a user password or PIN. Banks can define further FFIEC-compliant authentication policies should anomalies be detected on the device. The appliance also has more than 15 FFIEC-compliant multi-factor authentication methods to enable banks to provide extra device profiling while maintaining transparency and a secure environment for online transactions. Banks can add out-of-band transaction-level verification for large transactions. Other supported authentication methods include Web, mobile and PC soft tokens.


THURSBY LAUNCHES MAC SECURITY SOFTWARE Thursby Software Systems released ADmitMac PKI v4, the fourth generation of its two-factor security software for the Mac, supporting Mac OS X Lion and Snow Leopard. ADmitMac PKI v4 is targeted toward government agencies and corporations that use Common Access Cards, PIV or other smart identification cards to enable direct connectivity to a Microsoft Windows-based infrastructure. This version offers full network logon and integration with SSO, PKI, VPN, Microsoft Active Directory, Microsoft Group Policy, Mac OS X Workgroup Manager and Microsoft DFS and SMB/CIFS network resources. Customers with a current support contract who need to upgrade to this version can do so free of charge.



GHANA PREPS FOR FIRST BIOMETRIC VOTE Ghana is getting ready for its first-ever biometric voter registration ahead of December’s general elections. The $45-million project has been piloted in some areas, but social and technological difficulties remain. Ghana joins Nigeria, Kenya and the Democratic Republic of Congo, which adopted fingerprint scanning technology to help prevent electoral fraud. Ghana hopes the biometric system will verify that those who are voting should be voting and that each only votes once.


GLOBALPLATFORM RELEASES NEW CARD SPEC GlobalPlatform released a security upgrade for managing the content of applications on secure chip technology compliant with GlobalPlatform Card Specification v2.2. The technical document references new cryptographic schemes based on Elliptic Curve Cryptography and up-to-date RSA algorithms and keys. GlobalPlatform released Amendment E to its Card Specification v2.2 to meet the long-term requirement for stronger cryptographic technology from players in the smart card community. The need to migrate is being driven by government mandates for Elliptic Curve Cryptography or extended-length RSA keys to support digital signatures, as well as by service providers in the mobile contactless market who want to confidentially load applications and manage keys in secure elements. The document, which will be of particular interest to card manufacturers and application developers, details the use of Elliptic Curve Cryptography and new schemes for RSA with respect to signing, encryption and padding operations. Additionally, a new scenario for confidential key generation based on Elliptic Curve technology is available and meets the requirements of implementation models for secure applications involving service providers, issuers and third parties such as trusted service managers.
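The two signature families the amendment names can be compared outside any card. The following Go program is an added example written for this page; it is not GlobalPlatform’s specification text or any card vendor’s code, and it makes no claim about the amendment’s actual command set or key-management flow. It signs the same constructed payload with ECDSA over P-256 and with RSA-2048 using PSS padding, verifies both, confirms that a one-byte change to the payload is rejected, and reports public-key and signature sizes, which is the practical reason constrained secure elements move toward ECC. The type and function names (SchemeResult, signECDSAP256, signRSA2048PSS, flipFirstByte) are this example’s own, as is the sample payload.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// SchemeResult summarises one signature scheme applied to the same payload.
// Field names are this example's own, not GlobalPlatform terminology.
type SchemeResult struct {
	Scheme         string
	PubKeyBytes    int  // size of the serialised public key
	SigBytes       int  // size of the signature
	Verified       bool // signature verifies on the original payload
	TamperDetected bool // signature rejected after one payload byte is flipped
}

// flipFirstByte returns a copy of msg with its first byte altered, simulating
// a tampered payload that the verifier must reject.
func flipFirstByte(msg []byte) []byte {
	t := append([]byte(nil), msg...)
	t[0] ^= 0x01
	return t
}

// signECDSAP256 generates a fresh P-256 key, signs SHA-256(msg) and verifies
// both the genuine and a tampered payload. The signature is ASN.1 DER encoded.
func signECDSAP256(msg []byte) (SchemeResult, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SchemeResult{}, err
	}
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SchemeResult{}, err
	}
	// Uncompressed point 0x04 || X || Y: 65 bytes for P-256.
	pub := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y)
	tampered := sha256.Sum256(flipFirstByte(msg))
	return SchemeResult{
		Scheme:         "ECDSA P-256 / SHA-256",
		PubKeyBytes:    len(pub),
		SigBytes:       len(sig),
		Verified:       ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig),
		TamperDetected: !ecdsa.VerifyASN1(&priv.PublicKey, tampered[:], sig),
	}, nil
}

// signRSA2048PSS does the same with a 2048-bit RSA key and PSS padding.
// PSS is the randomised padding scheme; deterministic PKCS#1 v1.5 padding is
// what migrations of this kind move away from.
func signRSA2048PSS(msg []byte) (SchemeResult, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return SchemeResult{}, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SchemeResult{}, err
	}
	// PKCS#1 DER encoding of (modulus, exponent): a little over 256 bytes.
	pub := x509.MarshalPKCS1PublicKey(&priv.PublicKey)
	tampered := sha256.Sum256(flipFirstByte(msg))
	return SchemeResult{
		Scheme:         "RSA-2048 PSS / SHA-256",
		PubKeyBytes:    len(pub),
		SigBytes:       len(sig),
		Verified:       rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, digest[:], sig, nil) == nil,
		TamperDetected: rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, tampered[:], sig, nil) != nil,
	}, nil
}

func main() {
	// Constructed sample payload standing in for a signed card-content command.
	payload := []byte("constructed sample: LOAD application block 1")
	for _, f := range []func([]byte) (SchemeResult, error){signECDSAP256, signRSA2048PSS} {
		r, err := f(payload)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s pubkey=%3d B sig=%3d B verified=%v tamperDetected=%v\n",
			r.Scheme, r.PubKeyBytes, r.SigBytes, r.Verified, r.TamperDetected)
	}
}
```

Run it with go run. The ECDSA signature is DER encoded, so its length varies by a byte or two between runs (around 70 bytes against a 65-byte public key), while the RSA signature is always 256 bytes against a public key of a little over 256 bytes; that fourfold difference in what a card must store and transmit is the point. elliptic.Marshal is marked deprecated in newer Go releases and is used here only to report the encoded key size.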


ARTISTS LAUNCH UNOFFICIAL FACEBOOK, GOOGLE+ ID CARDS Two German artists created unofficial ID cards for Facebook and Google+ users to highlight the importance of an online identity as opposed to government-issued identity. Artist Tobias Leingruber created a project called FB Bureau, in which he creates ID cards with Facebook information, including real name, username, gender, location, date the cardholder joined Facebook and a QR code that goes to that person’s Facebook profile. Leingruber imagines a world where a Facebook identity is more valuable than a government-issued ID. Artist Moritz Tolxdorff took that idea and used it to create a similar ID card for users of Google+. Due to high response, he created a Web site where people can create their own Google+ ID cards.


AGREEMENT FOSTERS EXPANSION OF DIGITAL IDS In an effort to promote efficiencies and reduce paperwork, three leading identity trust hubs and a certification authority have signed an agreement to promote the use of digital identities and public key infrastructure for employees in both the private and public sectors. The three trust hubs serve different facets of government and industry. The Federal PKI Architecture, a unit of the U.S. General Services Administration, serves federal agencies. CertiPath serves various industries, including aerospace and defense. SAFE-BioPharma serves the global biopharmaceutical and health care sectors. The Research and Education Bridge Certification Authority, targeted toward the education and research sectors, also signed the agreement. The four are also members of the Four Bridges Forum. With the agreement, the organizations plan to educate the public and private sectors about PKI technology and how it can protect business and government transactions from fraud and theft, as well as enable valid digital signatures for signing documents. Each of the three trust hubs is a group of digital credential issuers that creates inter-organizational interoperability based on PKI technology, and the certification authority is developing a PKI bridge. The group plans to document best practices through literature, media outreach, industry meetings and the Internet.





DISNEY TAKES FASTPASS TO THE NEXT LEVEL WITH RFID Disney World is trialing a new FastPass system that utilizes RFID technology to speed up ticketing lines at the resort’s popular rides and theme park attractions. As part of the new trial, guests will be able to book their rides and attractions for specific times in the future, even before entering the park. Each guest receives an RFID card to wave by scanners placed at participating attractions in order to check in on arrival. Disney’s current FastPass system enables park goers to receive paper passes, return to attractions at a future time, and then bypass the lengthy lines. The RFID-based system is expected to replace the existing paper tickets, according to ITWeb; however, no information regarding a full rollout has been released.


KEY SOURCE INTEGRATES LUMIDIGM SCANNERS Key Source International announced that it has integrated the Lumidigm Mariner fingerprint reader into the KSI-1700 professional series keyboard system, offering integrated security in a HIPAA-compliant desktop solution. Lumidigm’s multispectral imaging technology is designed to overcome the fingerprint capture problems that conventional imaging systems face in less-than-ideal conditions, such as those found in health care. Capable of viewing both the external fingerprint and the internal fingerprint below the skin’s surface, the Lumidigm Mariner does not require clean and perfect contact between the finger and the sensor to quickly and reliably authenticate users. Key Source brings the Lumidigm scanners to a range of business opportunities such as secure data access to multi-user workstations, electronic medical records, enterprise single sign-on, point-of-sale applications, time and attendance data collection, laboratory equipment sign-on and other Windows-based applications in which organizations need to get a fast fingerprint read on the first try.


HID REVAMPS SECURITY AT CHINESE AIRPORT The Nanchang Changbei International Airport in China selected HID Global to provide its networked access control solution, contactless smart cards and readers to safeguard terminals and increase airport security. Changbei International Airport leveraged HID Global’s VertX V1000 controllers, the VertX V100 door/reader interface and iCLASS R10 contactless smart card readers in six core areas, including boarding gates, equipment rooms, management offices and the entrance to the aircraft operations area. As part of increasing airport security, iCLASS smart cards have also replaced the airport’s old employee photo ID badge system. Staff members are now required to present their iCLASS credential to readers at entry points for identity verification.

The new system enables up-to-the-minute record transmittal to the central server for report generation and real-time monitoring. It also offers the ability to manage and restrict entry to specific areas based on the time of day, limit access to critical zones to authorized personnel only and define staff access control levels according to job titles.


KANTARA ACCREDITS ELECTROSOFT The Kantara Initiative announced that Electrosoft is the latest Kantara-Accredited Assessor able to perform Kantara Service Assessments at Assurance Levels 1, 2, 3 and 4. The certification provides a way for relying parties to understand the trustworthiness of electronic identity credentials issued at commonly agreed levels of assurance. The identity assurance framework specifies the verification and proofing checks that credential service providers carry out on entities, the way that providers run their services and how the organizations are assessed by accredited bodies to verify they are operating their services in conformance with their proclaimed levels of assurance. Based on adoption of the identity assurance framework, Kantara has been approved by the U.S. Federal Government’s Federal Identity, Credential and Access Management team as a Trust Framework Provider qualified to operate at Assurance Levels 1, 2 and 3 non-crypto. Kantara-Approved Services are qualified to issue and manage credentials that can interoperate with and access U.S. Government online services such as National Institutes of Health research libraries or Veterans Affairs benefits. Kantara also actively works with international governments in regions including North America, Europe and Pan-Asia to align this program for multi-jurisdictional adoption. The Kantara Initiative Assurance Review Board reviews applicant Assessors to ensure applicants have the skills, knowledge, experience and processes necessary to reliably perform assessments of Credential Service Providers on behalf of the Kantara Initiative.


FACIAL RECOGNITION SOFTWARE TO IDENTIFY SUBJECTS IN ART Three University of California, Riverside scholars received a $25,000 grant from the National Endowment for the Humanities to use facial recognition software to identify unknown subjects in portrait art. The project, called “FACES: Faces, Art, and Computerized Evaluation Systems,” will attempt to identify those subjects in portrait paintings who were typically from prominent families, but whose identities have been lost throughout history. Because facial recognition software generally reads photographs, the researchers face a challenge in attempting to identify portrait subjects based on an artist’s interpretation of the subject’s appearance. To that end, the researchers will first look at 3-D images of known subjects, using death masks and busts, and compare them to a 2-D portrait of the same person. The researchers hope that facial recognition software could be refined for this use, which could be beneficial for application in museums and art conservation labs.

PODCASTS EPISODE 91: MASTERCARD ELABORATES ON ROAD MAP EMV is the future of payments but MasterCard doesn’t want to stop there, says Colin McGrath, vice president of development in U.S. Markets at the payments company. “We very much see this path and this evolution as really about enabling the next generation of payments,” McGrath tells Regarding ID’s Gina Jordan. “It’s about providing a globally interoperable secure platform for people to be able to make the investments necessary to enable that next generation.” The future isn’t just about putting chips onto plastic cards, he explains. “But also, you want to have a framework that encourages growth and the adoption of new technologies, and we feel that we’ve done that. So, it’s not about one technology kind of supplanting or replacing another, it’s a recognition that there are a variety of different technology needs and considerations, a variety of different business approaches.”

EPISODE 92: MOBILE BIOMETRIC FORECAST There are a handful of drivers for adding biometric technology to mobile devices, says Alan Goode, founder of Goode Intelligence and author of “Mobile Phone Biometric Security Analysis and Forecasts 2011-2015.” Many mobile phones are easy to break into, enterprises are enabling users to use their own mobile phones and NFC payments may require additional security. Goode estimates that mobile phone biometric security products and services generated more than $30 million in 2011 and predicts that the market will grow to over $161 million in revenue by 2015. “These are not phones anymore,” Goode says. “These are small computers which have access to a lot of private data and they’re accessing some sensitive networks. So these are devices which are being used all the time. We have them in our hands all the time. We’re glued to them, you know, we have a blue glare on our faces as we’re walking around about town because we’re constantly updating Twitter or constantly looking at Facebook and texting. So there’s much, much greater risk of these devices being lost or stolen. As authentication vendors look to enhance their solutions, I would think there would be greater use of biometrics.”

Summer 2012



EPISODE 93: HOW CARD MANUFACTURERS ARE PREPARING FOR NFC Payment card manufacturers have a set way of doing things. With near field communication on the horizon, it could be seen as a disruption by some in the industry. The Datacard Group partnered with DeviceFidelity Inc. to offer the company’s In2Pay suite of solutions that use microSD technology in smart phones for contactless payments. The end result is a mobile wallet customers can use at contactless point-of-sale terminals featuring debit, credit or prepaid accounts. Regarding ID’s Gina Jordan spoke with Matt Stern, vice president of business development at Datacard, about the partnership and what NFC will mean for card manufacturers. “In the near to medium term we’re in a transitional phase. So clearly there’s a fair bit of interest on the part of players in the ecosystem, somewhat on the consumer side, but also in the financial institutions, the telecom operators and to some extent the device makers as well. Not to mention people like Google, who are all trying to provide an elegant cost effective solution for customers to use NFC for mobile payments. We see that trend coming. I think it will continue to come for the next number of years. The real challenges are going to be twofold. I think one – consumer adoption, and two – merchant adoption.”

EPISODE 94: IDENTITY WITH HIGH-PROFILE EVENTS Large, high-profile events, like the London 2012 Olympics, need to be secure while also enabling individuals to get where they need to go without too much of a security hassle. Mark Joynes, director of Product Management at Entrust, explains how security and identity plans for these events are created. He also discusses Entrust’s involvement with the Interpol employee credentials that are used for crossing borders as well as for physical and logical access to Interpol facilities and networks. “Events like the London Olympics are massive and anytime you’re bringing people together from all over into an environment, which by its nature can be some sort of a target, it goes to the planning stage.” Security for these events, as for electronic passports, also needs good identity vetting. “Need a good assessment up front,” Joynes says. “If strong identity is important you need strong processes upfront to make sure that person is who they say they are.”




PEARSON VUE ENHANCES TEST TAKER IDENTITY AUTHENTICATION Fujitsu Frontech North America and Sensometrix are adding biometric authentication to Pearson VUE’s test administration services. Pearson VUE deployed Fujitsu’s PalmSecure biometric identification technology at more than 500 of its test facilities. Test takers establish their identity by placing their palm over the reader before proceeding with scheduled tests. Under the new multiyear agreement, one-to-many matching has been introduced to provide an extra layer of fraud prevention, utilizing the SensoBrain distributed biometric acceleration technology. The Sensometrix technology compares each test taker’s biometric to those of everyone else in a client’s testing program, ensuring that someone cannot take the test for someone else. PalmSecure works by emitting a near-infrared light aimed at a person’s palm to map the person’s vein pattern and generate a baseline, encrypted, unique biometric template linked to the person’s confirmed identity.


HONG KONG POLICE FORCE AWARDS TEN-YEAR BIOMETRICS CONTRACT The Hong Kong Police Force (HKPF) has awarded a 10-year contract to 3M Cogent to provide high-resolution LiveScan booking systems and biometric identification products, using ten-print and palm print scans in accordance with the HKPF’s ANSI/NIST standard. Per the terms of the contract, 3M Cogent will provide 92 LiveScan booking stations that have adjustable cabinets and FBI-certified 1000-PPI livescans for ten-print and palm capture. The stations will be installed in 32 HKPF branches and three immigration locations across the Hong Kong Special Administrative Region. They will connect to HKPF’s backend systems to enable electronic scan submissions.


UK AGENCY TAPS GEMALTO FOR CITIZEN IDS Gemalto was awarded a multi-year contract from the UK’s Driver and Vehicle Licensing Agency to supply 40 to 80 million secure Sealys documents for a variety of official permits. These include digital tachograph cards, the next generation of polycarbonate driver licenses and biometric residence permits. The Driver and Vehicle Licensing Agency will begin deploying the products in 2013 using Gemalto’s EU-compliant Sealys polycarbonate portfolio of secure documents. It includes security features such as Sealys Edge Sealer, a laser engraving process applied during the production stage to the edge of the polycarbonate document. The move by the United Kingdom’s Driver and Vehicle Licensing Agency is in keeping with the European Commission initiative to create a standard format driver license across the European Union, made of high-quality polycarbonate documents with high level security features. Gemalto’s Sealys Biometric Residence Permit is compliant with European specifications and the latest ICAO standards, providing temporary residence entitlement for non-EU citizens.


GERMAN HEALTH SCHEME ORDERS MORE CARDS Gemalto will issue an additional 15 million second-generation German eHealth cards in 2012. AOK (Allgemeine Ortskrankenkasse), the German Health Insurance Fund, looks after around 25 million people, approximately one-third of the country’s population. Gemalto is responsible for the entire card production process for Germany’s largest health insurance company – from production and personalization through to fulfillment services. Last year, Gemalto issued 2.5 million health cards for the German National Health Insurance Scheme. The new Sealys eHealth card features a photo of the insured person on the front. In addition, the card will enable secure access to an online patient file and store electronic prescriptions. With the holder’s consent, additional personal information can be stored on the card, including emergency data such as allergies or drug intolerance.

In the wake of information leaks to Web sites like WikiLeaks, the Department of Defense is instituting a PKI hardware-based authentication system on its classified network, known as the Secret Internet Protocol Router Network (SIPRNet). To that end, it’s evaluating a new smart card for use as a hardware token. Barksdale Air Force Base in Louisiana is conducting the evaluation, in conjunction with Air Force Global Strike Command and members from select units and combatant commands. The SIPRNet token is similar to the current Common Access Card, each serving as a hardware token that is cryptographically tied to one identity. Like the CAC, the SIPRNet token also contains individual PKI certificates for logging onto the network, authenticating to Web sites and enabling secure e-mail. The SIPRNet token doesn’t outwardly contain any identifying information, such as picture, name, grade or service component. At Barksdale AFB, 1,607 SIPRNet tokens have been issued, covering 63% of the base. While there have been some glitches with the program, the DOD hopes to keep it on track for its December 2013 implementation deadline. The second phase of rollouts will include F.E. Warren Air Force Base in Wyoming and Malmstrom Air Force Base in Montana.

FIPS 201

GSA CERTIFIES 3M COGENT PACS READER 3M Cogent announced that the U.S. General Services Administration, in accordance with FIPS 201, has certified its MiY-ID Gov biometric access control reader as an approved Biometric Authentication System. At a high level, the Biometric Authentication System performs a one-to-one biometric match, validates the biometric signer’s certificate and interfaces with the Online Certificate Status Protocol and the Server-based Certificate Validation Protocol.

MiY-ID is 3M Cogent’s biometric access control reader. As new security standards emerge, organizations are looking for a security product that meets current physical access control system standards for PIV, CAC, TWIC and others. 3M Cogent’s MiY-ID-Gov enables them to meet current standards and adapt to changing standards without having to replace their PACS readers.

FIPS 201

XTEC, U.S. COURTS DEPLOY PIV-I XTec announced it has been awarded a five-year blanket purchase agreement by the Administrative Office of the U.S. Courts to carry out a deployment of PIV-I credentials. Using its GSA IT Schedule 70 products and services, XTec will supply the Federal Judiciary with PIV-I facility access cards usable for both physical and logical access, including access to GSA facilities in which the Federal Judiciary leases office space. XTec will also provide its cloud-based AuthentX identity management system (IDMS), in addition to providing enrollment stations, training and support to enable court facilities nationwide to issue and manage the PIV-I facility access cards. The new cards present a standardized replacement for the existing credentials, which had been issued locally by each court.


U.S., AUSTRALIA EXPLORE CUSTOMS CLEARANCE SWAP The U.S. Department of Homeland Security and Australia’s Attorney General and Ministry of Defense are exploring reciprocal ways to fast-track each other’s citizens through customs checks in both countries. The U.S. government hopes to find a way to allow Australians with e-passports to use the fast-track Global Entry lane at airport customs and immigration entry points. In return, Americans with e-passports would be able to use Australia’s SmartGate lines at its international airports. The two countries have signed a Joint Statement on Frequent Traveler Facilitation to look into this possibility but did not specify how long the process might take. At border checkpoints, travelers would be confirmed with their electronic travel document and a biometric.

The South African Ministry of Home Affairs announced the expansion of its smart ID card pilot program. According to the Home Affairs director-general, the smart ID card program is part of an effort by the national government to shed its racist past and create one identification card for all citizens. It will replace the current civic and immigration identity systems and capture demographic and biometric data of all South Africans and foreign nationals. A pilot program will help the ministry test its systems and prepare the amount of machinery necessary for full-scale production. The Government Printing Works will be responsible for producing the cards in-house. The smart ID card system will link to other governmental systems for movement control, permitting, and asylum seeker and refugee management.

The government plans to issue the first card free of charge, but replacement cards will have a fee attached. The pilot will run through this year, with hopes for full implementation rolling out next year.

Multicard announced that it has developed and implemented a standardized concealed carry handgun permit for Colorado’s county sheriffs’ association. Multicard designed and produced the secure, pre-printed identification card to be used statewide. Concealed weapons permits are issued through the local sheriff’s office in each of Colorado’s 64 counties. While the application process is the same statewide, prior to this project there was no unified standard for the permit’s design or production. The county sheriffs’ organization contracted with Multicard to develop the permit design, securely produce the pre-printed card templates, and consult on implementation. A design template incorporating all required information and additional security features was created and preprinted on standard CR80 size PVC card stock, which is similar to a credit card in size and thickness. The pre-printed card stock was then distributed to the counties for issuance. Additionally, Multicard is supplying the fully compatible ID systems needed to print the final permit, which include a configured production software module and printer. “Without a state standard, it was difficult for law enforcement to verify a valid permit if issued from other counties. This also left room for forgery and fraud,” said Steve Benitez, vice president of sales for Multicard. “The permit design needed to address previously established requirements including the permit holder’s photograph and other identifying information, as well as the signature of the sheriff issuing the permit.”

Hooters Restaurants has implemented biometric fingerprint readers as a means to prevent loss in transaction and payroll fraud at the restaurant level. Hooters contracted with DigitalPersona to install the U.are.U fingerprint readers with ITWercs point-of-sale systems in its locations. Hooters employees use the readers to authenticate transactions and clock in and out for shifts. The fingerprint readers replace a PIN and swipe card system that proved difficult to manage and made unauthorized voids hard to track. The new readers tie a specific individual to each transaction and track additional manager oversight. The system also enables greater accuracy in the company’s time-and-attendance system. Hooters tested the readers at its Texas locations, eventually expanding to other sites. Nearly 4,000 employees currently use the new system.


TSA EXPANDING PRECHECK SCREENING PROGRAM The Transportation Security Administration announced that it’s expanding the PreCheck screening program, which gives prescreened individuals expedited passage through airport security. Thus far PreCheck has been rolled out at nine airports and 460,000 travelers have gone through the screening process. PreCheck enables travelers to keep on shoes and light jackets. It also allows them to keep laptops and plastic toiletry bags in carry-on luggage. Eligible participants include certain frequent flyers from participating airlines as well as members of Customs and Border Protection’s Trusted Traveler programs – Global Entry, SENTRI, and NEXUS – who are U.S. citizens and fly on a participating airline. By the end of 2012 the TSA expects to be offering passengers at 35 of the country’s busiest airports the expedited screening with TSA PreCheck. By the end of March, the TSA will expand the PreCheck population to include active duty U.S. Armed Forces members with a Common Access Card traveling out of Ronald Reagan Washington National Airport. Service members will undergo the standard TSA Secure Flight pre-screening and, if scanning their credential at the airport verifies that the service member is in good standing with the Department of Defense, they will receive TSA PreCheck screening benefits. In addition to active duty members of the United States Army, Navy, Air Force, Marine Corps and Coast Guard, this evaluation will also include active drilling members of the U.S. National Guard and reservists.


TSA CONSOLIDATES ENROLLMENT SERVICES The U.S. Transportation Security Administration has opted to consolidate its multiple enrollment and registration programs into one Universal Enrollment Service. The new system incorporates facial and fingerprint biometric readings and biographic data to check individuals’ backgrounds before enabling access to critical segments of the country’s transportation system, infrastructure or sensitive materials. The TSA will transition programs to the Universal Enrollment Service as contracts expire, new regulations and policies are implemented, new legislation is enacted, or as new programs and initiatives are activated. The first program to move over to the system will be the Transportation Worker Identity Credential (TWIC) followed by the Hazardous Materials Endorsement Threat Assessment Program.


HID RECEIVES ADDITIONAL GREEN CARD ORDER HID Global has received a follow-on order for the manufacture and supply of U.S. government Permanent Resident Cards, also known as Green Cards, issued to all legal foreign residents of the United States under the U.S. Citizenship and Immigration Services (USCIS) border security program. More than three million multi-technology HID Global eID cards have been issued as Green Cards, in addition to more than 30 million of the company’s first-generation Green Cards that have been issued since 1997. Launched in mid-2010, the re-designed U.S. Green Card combined HID’s LaserCard optical security media technology and an embedded RFID tag with other security features. Customized for USCIS, the optical security media provides visual security in an era when 90% of eIDs are still authenticated by the human eye. The RFID tag was incorporated to accelerate legitimate passage at U.S. land borders.


U.S. ARMY EXTENDS SPOUSE AND RETIREE SMART CARD PILOT The U.S. Army will extend the smart card pilot program for Army spouses and retirees through September 2012. The smart card is an alternative means of identification to a username and password for logging into many Army and Department of Defense Web sites that contain personally identifiable information. Spouses and retirees living near Fort Belvoir, Va.; Fort Bragg, N.C.; and Fort Jackson, S.C., may renew or register for the smart card pilot through the Army Knowledge Online Web site. During the original pilot period that ran from October 2011 to March 2012, the Army issued more than 700 smart cards to Army spouses and active-duty, Reserve and National Guard retirees. Surveys showed overwhelming support for the smart card alternative. The Army will continue to collect feedback from users as the pilot continues. It is also considering other login options for these user groups.

Passtouch is introducing a signature-based password alternative and Web browser for touch screen devices like the iPad. Passtouch works like a signature but offers more creative freedom to the end user. Users create their own Passtouch design by drawing a single continuous line over an interface in the Passtouch app, taking advantage of the iPad’s touch screen. Since a Passtouch can be free-form, natural and intuitively interactive, it produces a significant amount of authentication data, unlike a traditional password. Another feature is the graphical user interface. It is built on fundamental visual elements that serve as a vivid roadmap to guide users along their signature path. The colorful design and circular framework of the interface encourage users to create entries that are fluid, well balanced and ultimately more secure. After a handful of entries, a Passtouch begins to develop a certain feel and muscle memory kicks in. This combination of universally recognized visual cues in the interface along with muscle memory is designed to make Passtouch easy to remember. The Passtouch Web browser enables multiple users to create private profiles, each with their own history and bookmarks. A single Passtouch signature protects profiles, no typing required. While browsing, Web site login details can be saved as bookmarks, which provide one-touch access to password-protected sites. Free and paid versions of the app are available in the iTunes App Store.


MULTOS SHIPS 100M CARDS IN 2011 MULTOS technology providers saw a record breaking 2011 with more than 100 million chips delivered to customers during the year. This brings the current MULTOS issuance total to more than 300 million cards, according to MAOSCO Ltd., the Secretariat of The MULTOS Consortium. MULTOS products are deployed for EMV migration, government ID and embedded security markets. The 2011 rise was credited to the uptake of MULTOS cards within the banking industry for EMV migration including local and regional ATM/debit card schemes.


LEXISNEXIS ADDS VOICE BIOMETRICS FOR IDENTITY PROOFING LexisNexis Risk Solutions has added interactive voice response (IVR) technology from Angel, a provider of cloud-based customer engagement management products, to its IVR on Demand for Identity Proofing and Voice Biometrics product. IVR on Demand enables LexisNexis customers who need identity proofing and multi-factor authentication services for access to high-risk or high-value information to create and deploy identity proofing and voice biometrics for user verification and authentication via the cloud.





NIST: IRIS RECOGNITION BECOMING EASIER The National Institute of Standards and Technology released a report detailing its evaluation of iris recognition software from 11 different organizations. It found that this modality is getting easier and faster, albeit with less accurate results. The Iris Exchange (IREX) III report is the first public, independent examination of commercially available iris recognition algorithms that look for matches within a large database of potential identities.

The 92 analyzed algorithms came from nine private enterprises and two university labs that submitted software to NIST’s open competition. NIST then tested the algorithms to identify individuals from a database of eye images representing more than 2.2 million people. NIST found that accuracy rates varied among the algorithms tested. No software was perfect, but success rates ranged from 90 to 99%. Some also produced up to 10 times the errors of others. Speed is a factor in iris recognition, particularly when looking through a large dataset for matches. NIST found that some of the algorithms could be fast enough to go through a dataset of hundreds of millions of records in less than 10 seconds on a standard computer; however, speed had a negative impact on accuracy.

NIST hopes its findings will be helpful to policy makers around the world who are interested in incorporating iris recognition and other biometrics for identification purposes.


TRÜB UNVEILS NEW SMART CARD OS The Trüb Group has released the second generation of its CombOS Dual Interface operating system for contactless and contact-based EMV compliant smart cards. Based on the new M/Chip Advance specification from MasterCard and Visa’s VSDC v1.5.3 and VCPS 2.1.1 specifications, it lowers transaction time and increases security. The main feature of the new OS is faster transaction processing. Contactless transactions with PayPass M/Chip and payWave qVSDC will be 30% faster than with the earlier generation of the OS. PayPass Magstripe and payWave MSD transactions will be 20% faster. CombOS DI v2 includes backward compatibility with M/Chip 4 and M/Chip 2. Issuers can choose different types of data storage, including the new MasterCard Data Storage product, a Mifare emulation or standard ISO commands. These capabilities may be used across transport, loyalty, authentication and physical access functions. Trüb will offer CombOS DI in September 2012.


NIST PUBLISHES NEW PROTOCOL FOR WIRELESS BIOMETRIC ACQUISITION The National Institute of Standards and Technology (NIST) published a new protocol for devices to capture biometric data wirelessly and securely using Web services. The new WS-Biometric Devices (WS-BD) protocol enables desktops, laptops, tablets and smart phones to access biometric capture sensors using Web services. This can be used for biometric data such as fingerprints, iris images and face images. With the protocol, setup and maintenance of secure biometric systems for identity verification will be simpler, because it provides for interoperable components for biometric systems using a device-independent Web-services layer in the communication protocol between biometric devices and systems. Agencies and organizations that use biometric systems may benefit from WS-Biometric Devices protocol-enabled equipment because replacement parts may be simpler and cheaper to swap in, rather than having to repair or replace system components that may be obsolete. Researchers recently demonstrated the new protocol in their lab with a tablet device that communicated wirelessly with two biometric fingerprint sensors. NIST developed this solution with support from the Department of Homeland Security Science and Technology Directorate, the FBI’s Biometric Center of Excellence and NIST’s Comprehensive National Cybersecurity Initiative. NIST is working to bring these plug-and-play biometric devices to market through industry input from the Small Business Innovation Research Program.


LES HÔTELS JARO GOES WITH KABA LOCKS Kaba announced that Les Hôtels JARO in Quebec City, Canada has equipped five of its properties with its contactless locking systems. The hotel management company implemented ILCO 790 locks at three of its hotels – Hotel Quebec Inn, Hotel Quebec, and Hotel Must. The Hotel Palace Royal and its sister property, the Hotel Plaza Quebec, installed Saflok RT hotel door locks with the Messenger LENS online wireless system. The upgrade to Kaba’s contactless system enables management to track all key usage and recode doors remotely if needed. Contactless keycards last longer than the company’s previous magnetic stripe keys, which were frequently demagnetized by guests. Les Hôtels JARO operates seven hotels in Quebec City. The company’s other two hotels, the Auberge Sir Wilfrid and Hotel Lindbergh, are both scheduled for future upgrades to the technology.

SURVEY: MOBILE DEVICE MANAGEMENT CHALLENGES Network World and SolarWinds teamed up to survey 400 IT professionals to understand the challenges of mobile device management for corporate IT departments. While the majority of survey respondents work for companies that issue mobile devices to their employees, a little more than 15% don’t issue company-owned devices with network access. Some of these companies enable employees to BYOD, or bring-your-own-device, for work purposes. The BYOD trend brings with it a new set of problems and issues, particularly when employees look to the IT department to support a wide variety of devices. Anti-BYOD respondents also cited security as a major reason to keep personal devices off of a corporate network. Respondents who were pro-BYOD did often limit access to specific applications or networks. They also state that BYOD has increased productivity and employee satisfaction. However, these respondents admit that managing so many different devices was a significant challenge for IT departments.


MORPHO, AOPTIX PARTNER FOR BORDER MANAGEMENT Biometrics firms Morpho and AOptix have formed a partnership to deploy advanced biometric systems targeted at the border management and aviation security industries. Under the terms of the partnership, AOptix products will be integrated into Morpho’s border management product line. This includes InSight Duo, AOptix’s combined face capture and iris recognition system. The combination of products aims to speed up the biometric identification process, as well as offer greater security measures.





REUSABLE TICKETING WRISTBAND USES NFC MissionTix, a Baltimore-based ticketing service, is offering a reusable NFC-enabled wristband for ticketing at event venues including the Recher Theatre and Ottobar. When a customer buys a ticket for a participating venue through MissionTix.com, instead of choosing print-at-home or mailed hard tickets, he can choose to store the digital ticket on the wristband and wear it to the venue, where it is scanned and authenticated. The tear- and water-resistant wristbands can be purchased for a one-time fee. MissionTix plans to provide other services via the wristbands, including stored value within the venue and at local merchant locations.


CSC, DAON COLLABORATE FOR BANKING ID CSC partnered with Daon to produce a biometric multifactor authentication service for the banking industry. The product, called ConfidentID Mobile, provides in-band and out-of-band identity authentication for transactions in multiple channels, including online and mobile. The service, built on Daon’s IdentityX platform, combines passwords, PINs and PKI security architecture along with optional biometric factors like facial, palm or voice recognition. The system can tap into location intelligence for verification, using GPS, IP location and cellular triangulation. It authenticates both individuals and their transactions and helps address industry requirements such as those from the FFIEC. ConfidentID Mobile doesn’t rely on specific hardware for functionality and it supports the latest generation of smart phones and tablets. The product consists of a server application and an app that resides on a customer’s mobile device. When a customer wants to make a transaction, the app can authenticate it and inform the service provider of the authentication on the back end.


$161 MILLION The projected revenue from the mobile biometrics market in 2015, due in large part to the popularity of “bring your own device.” Source: Goode Intelligence

The amount to be spent on smart cards and identity technology in government, health care and citizen ID in the next five years. Source: ABI Research

The amount of people believing smart phones will overtake credit cards as the dominant form of payment by 2020. Source: Pew Research Center’s Internet & American Life Project

The amount of point-of-sale terminals worldwide that accept EMV cards. Source: EMVCo

The percentage of all payment cards in circulation worldwide that use EMV technology. Source: EMVCo

The number of NFC-enabled handsets sold in 2011. Annual sales are predicted to reach 700 million units in 2016. Source: Berg Insight


COLLIS ACQUIRED BY UL UL, previously known as Underwriters’ Laboratory, announced the acquisition of Collis, a provider of secure transaction technology and advisory services based in Leiden, Netherlands. The addition positions UL as a global provider of transaction security, conformance evaluation and advisory services for the mobile, payment card, eTicketing and ID management sectors. Collis develops and tests secure transaction technology for banks, governments, mobile network operators and public transport companies. Its solutions include advisory services, test tools and expert training associated with smart card technology, mobile payments, NFC/TSM, security and risk, transactions, cards, devices and central host systems. Collis marks the third acquisition for UL’s transaction security service line, following the additions of RFI Global in June 2010 and Witham Laboratories in January 2012. The growth extends UL into the mobile payments industry.





LEGIC Identsystems is continuing to expand its partner network in China, collaborating on new installations including parking solutions, access control and personal identification. Shenzhen Chuangtong Intelligence Equipment, a Chinese manufacturer of contactless parking solutions and integrated identification systems, will leverage LEGIC based products for access control installations in car parks. Chinese transportation and access control integrator Hebei Volse Science and Technology will take advantage of LEGIC technologies to develop new readers and devices. “The range of different applications developed by our partners becomes more and more diversified – showing the possibilities of building up an entire LEGIC ecosystem,” says Otto Eggimann, vice president sales and business development of LEGIC.

Evolis introduced its new Primacy printer for instant issuance of single- or dual-sided cards in medium to large runs. Primacy is equipped with encoding options for magnetic stripes, smart cards or contactless cards. The printer personalizes up to 210 color cards per hour for single-sided and 140 color cards per hour for dual-sided printing. The new printer supports applications such as access control badges, driver licenses, transit passes and bank cards, and serves industries including health care, education, banks, government agencies and service bureaus. Primacy is an eco-friendly printer with energy consumption on average five times lower than card printers from previous generations. It operates at a low 48 dB sound level.



NFC-ENABLED HEART MONITORING APP LAUNCHES iMPak Health launched RhythmTrak, an NFC-enabled mobile application that enables users to track their cardiovascular health at home. RhythmTrak uses a handheld, credit card sized electrocardiogram (ECG) device that documents heart rates and heart rate variability and then calculates intervals and single lead waveforms. Data collected on the device is transmitted wirelessly using an NFC reader or an NFC-enabled smart phone or tablet, allowing the user to simply forward the information to their physician. According to iMPak, RhythmTrak is not intended to be a diagnostic device. Rather, the device should be used to track patient symptoms during the active management of atrial fibrillation, a condition that affects about 2 million Americans. “It can be incredibly empowering for a patient to have a tool that helps them work with their physician to determine if they may need a change in medication or therapy, especially when it comes to overall heart health,” said Sandra Elliott, director of Consumer Technology and Service Development at Meridian Health. RhythmTrak is available on the Android platform for both smart phones and tablets for $39.99. iMPak plans to have the application on the iOS platform by the end of the year.

ID TECHNOLOGY NEWS ONLINE EVERY DAY OR VIA A FREE WEEKLY EMAIL Explore online for up-to-the-minute news and insight on identity and security technologies. Articles, podcasts and videos from Re:ID Magazine’s editorial team are added daily to the sites below. Sign up to receive weekly updates via our free email newsletters. Visit any of the sites below and enter your email in the box at the top left corner of the page to register.
ContactlessNews.com : Contactless smart cards for identity, access, payment and transit solutions
CR80News.com : Campus cards for primary and university ID, security and payment solutions
DigitalIDNews.com : Online and digital ID, securing Web IDs, PKI and digital certificates
EnterpriseIDNews.com : Identity management systems, cloud-based access, logical and physical access convergence
FinancialIDNews.com : Identity solutions for payment, banking and financial applications
FIPS201.com : Approved product listings for the FIPS 201 identity standard, PIV and PIV-I solutions
GovernmentIDNews.com : Government ID solutions for citizen ID, driver license, border control and more
HealthIDNews.com : Secure ID for health care payers, patients and providers
IDNoticias.com : ID and security news and insight translated for Spanish speaking audiences
NFCNews.com : Near Field Communication technology, handsets, tags, applications and projects
RFIDNews.org : RFID and sensor technology for logistics, pharma, animal and product tagging
SecureIDNews.com : Government and large enterprise ID, smart cards, identification and authentication
ThirdFactor.com : Biometric identification and authentication solutions for cross-industry applications



WHAT IS AN IDENTITY ECOSYSTEM? Public and private sectors work to put the technology and policy pieces together ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS



The notion of an identity ecosystem seems like a good idea: provide a single credential that individuals can use for secure or anonymous access to Internet sites without having to remember dozens of user names and passwords. And while it may seem like a simple idea, implementing such an identity ecosystem is anything but simple.

An identity ecosystem such as the one proposed in the National Strategy for Trusted Identities in Cyberspace is complicated because nothing has existed at the scale the strategy proposes. Google, Facebook Connect, InCommon, OpenID and the U.S. federal government’s PIV are all identity ecosystems, but none fulfills the vision of the national strategy, which combines both low- and high-assurance identities. Bringing together identity providers, attribute providers, consumers and relying parties for the purpose of issuing, using and accepting a credential is no simple task. Pieces of the puzzle exist, but taking what’s out there and making it work in the broader ecosystem is a monumental undertaking.

There are many pieces to consider. In the year since the national strategy document was released, progress has been made and the government is working to move the initiative forward. Organizations like the Kantara Initiative have developed identity assurance frameworks and policies to vet organizations so that they can issue high-assurance credentials. From there come the companies that issue identity credentials to individuals. Telecommunications companies, financial institutions and credit reporting agencies are among those expressing interest in this arena.

There are also attribute providers. These are organizations that enable the credential to be used for different purposes. For example, a credential issued by a financial institution could receive an attribute from a telecommunications company or a social network to perform different tasks. Exactly how these will work and play with the credential providers is still under discussion.
Finally, there are relying parties who will accept the credentials issued in the identity ecosystem. Outside of the consumer who will use the credential, the relying party is arguably the most important part of the ecosystem. Thus far, however, they have been virtually silent when it comes to the national strategy, an issue government officials are aware of and are trying to remedy.

MOVING THE BALL FORWARD Jeremy Grant is not new to the identity and credentialing market. As a U.S. Senate aide he helped draft legislation that set the foundation for the U.S. Defense Department’s Common Access Card and the General Services Administration’s smart card efforts.

Grant then went to Maximus, one of the three GSA certified smart card providers at the time, where he led the company’s Security and Identity Management practice working on a number of U.S. smart card projects. He then spent three years with Washington Research Group as the firm’s identity and cybersecurity market analyst. He joined NIST last year to lead the government’s team on the national strategy. “One of the most exciting things we’ve seen over the last year is the large number of stakeholders,” Grant says. “From Fortune 500 companies to niche security firms building predicates to relying parties … they are all participating and think the strategy makes sense. This suggests that the president has been able to move the marketplace forward.” Grant wants to reiterate that it’s not the government making technical decisions. “The implementation needs to be led by the private sector,” he says. “The government should be a facilitator so the evolution of the ecosystem can be realized more quickly.” Funding pilots for the national strategy and establishing the steering committee are two ways the government is helping to move the identity ecosystem along, Grant says.

The 27 finalists for pilot grants were notified in April and their proposals were due in early May with awards expected in July. The formation of the steering committee will also move the identity ecosystem forward. One of the first tasks for that group will be coming up with an accreditation program and a trust framework.

IDENTITY ECOSYSTEM KEY

Trust Framework: A trust framework is an agreement between organizations to accept a credential issued by another. It enables a credential issued by one provider to be used at another provider. Trust frameworks put rules and policies in place to make sure that everyone is following the same map for issuance and use of a credential.

Identity Provider: The organizations that perform the identity proofing and issuance of a credential are called identity providers. There are a handful of companies performing this task now – from financial institutions to telecommunications firms – with more expected to jump into the fray in the near future. Whether this identity proofing and issuance is done in person or online will depend on the credential’s level of assurance.

Attribute Provider: An attribute is a piece of information about an individual, such as name, email and telephone number. An attribute provider may be an identity provider or it could be another organization that simply adds attributes to an existing credential. For example, an employee could have a credential used for personal use and the company they work for could add attributes so it can be used for a work credential as well.

Relying Party: This is the organization that will consume the identity credentials. Relying parties include banks, utility companies and merchants who will accept the credentials for online access and authorization.

NIST SPECIAL PUBLICATION 800-63 DEFINES THE FOUR LEVELS OF ASSURANCE:
Level 1 : Little or no confidence exists in the asserted identity; usually self-asserted; essentially a persistent identifier.
Level 2 : Confidence exists that the asserted identity is accurate; used frequently for self-service applications.
Level 3 : High confidence in the asserted identity’s accuracy; used to access restricted data.
Level 4 : Very high confidence in the asserted identity’s accuracy; used to access highly-restricted data.

WHAT IS FEDERATED IDENTITY? A federation is a collection of organizations that have agreed to interoperate using a common set of rules, particularly in the areas of privacy and security. Because of these agreements, federation members do not have to negotiate individually with every other member. Federations also agree on standard methods for authentication and authorization. Federations include identity providers and service providers. Identity providers maintain identity databases and authenticate users. Service providers have a protected online resource and authorize users. With sound federation trust agreements, an identity provider need only release the information the service provider requires to make an authorization decision. The service provider does not need to maintain user databases. Instead it leverages the identity provider’s identity system. Federations will usually define a trust fabric, provide a set of agreed-on attributes used for exchanging information, offer software to enable authentication and authorization and distribute the metadata necessary for interoperability. Source: InCommon

WHAT IS A TRUST FRAMEWORK? At its most basic level a trust framework is a set of rules that enable a credential to be trusted by someone who did not issue it. For example, if a financial institution issues a credential to an individual, a trust framework would have to be put in place so it could be used on a social networking or telecommunication Web site. The Kantara Initiative works on helping create these trust frameworks, says Joni Brennan, executive director at the organization. For example, last fall Kantara was approved by the U.S. General Services Administration (GSA) as a Trust Framework Provider, certifying credential providers at levels of assurance one, two and three for non-cryptographic, non-PKI credentials. The Kantara Identity Assurance Accreditation and Certification Program aims to use a trust framework model to build a public-private partnership that assures trust in the identity-based experience for end users, relying parties and federation operators. Kantara’s assessors perform testing of credential service providers – also known as identity providers – based on the Kantara Initiative’s Identity Assurance Framework. The program assesses applicants against its criteria, ensuring alignment with the NIST 800-63 Levels of Assurance, and grants successful candidates the right to use the Kantara Initiative Mark, a symbol of trustworthy identity and credential management services at specified assurance levels. For the past two years Kantara has been working on the foundation for these trust frameworks, Brennan says. Three companies – Deloitte, Electrosoft and eValid8 – are accredited assessors, while Verizon has certified to issue credentials up to level three assurance. There are other credential providers working on certification as well, Brennan says.

The identity provider may be the most widely known component in the identity ecosystem. Many already exist depending on the desired level of assurance, from the federal government’s PIV to self-asserted identities in Facebook. Eventually, an individual will go to an identity provider for identity vetting and to receive the credential. From there the individual will be able to take that credential and use it for access to different sites. But then there are also the attributes. While the credential may be loaded with identity information and some basic attributes, it also needs other data to enable access to specific sites and functions.

WHAT IS AN ATTRIBUTE? At a very high level, think of a credential as a pass that gets an individual in the front door of an office building. But in order to access the elevator, different floors and offices within the building, attributes on the credential have to be enabled. There are attributes that are core to an identity and don’t change, others that change infrequently and still others that may change often.

“Core identity attributes – such as name, date of birth and biometric information – don’t change,” says Salvatore D’Agostino, principal at IDmachines. Down a level from that is information that doesn’t change very often, such as physical address, email address, banking information and medical records, D’Agostino says. Another level down are attributes that may change more frequently. For example, a physician could have certification updated on the credential or an employer could add information that enables a personal credential to be used for work purposes. Lastly are the attributes that could change often, such as those used to access social networking and ecommerce sites.

This is an area where attributes become tricky. Sites will offer the attribute service for a low cost – or no cost – but then turn around and sell it to others. This is what Facebook and other social networking sites do now and will continue to do, D’Agostino says. The problem with this last category of attributes is that in many cases they are already out there in the world, D’Agostino says.



“Nobody did this intentionally but since no one has been keeping their eyes on the hen house the fox has been feasting,” he says. “At some point there will be push back that results in the fact that a lot of people’s information has been irrevocably leaked.” For example, Facebook users who authorize an application or use the Connect feature have given that organization their personal information. Most people don’t realize the extent of the personal information they’re giving up when they hit that button, D’Agostino explains. This highlights the need to manage attribute providers, which is what the national strategy wants to enable. As it stands now, individuals don’t always control their attributes. “They’re given away, gathered or leaked,” D’Agostino says. Before the Internet era the only information readily available about an individual was a listing in the white pages: name, address and telephone number. These days it would be rare if that information weren’t available along with much more. “What books have I read? What plane am I on? People put this information out there,” D’Agostino says. “In the meantime some companies have taken advantage that there isn’t control out there and are making money off it.”

RELYING PARTIES Many say the biggest missing piece of the identity ecosystem puzzle is the relying parties. There are people champing at the bit to issue credentials, but who’s going to accept them? NIST is going to focus more on bringing relying parties into the national strategy conversation, says Grant. “Many have come to us but it’s probably the group that’s most under represented in our discussions,” he admits. “We’re doing more proactive outreach to bring those parties to the table.”

A lingering question surrounds why corporations should accept credentials that come out of a national strategy, says Gary Moore, chief architect for Government Solutions at logical access solutions provider Venafi. The quick answer is that organizations will save money by not having to run their own identity management system. But these attributes will have to be handled securely, without leakage, and consumers will have to be educated. “Part of this is because of Facebook,” Moore says. “When you link services they tell you what the other site can see but people don’t know what that means. Some don’t want to do that so they just create a separate user name and password.” The federal government has vowed to be one of the first relying parties to accept these credentials. While this is a good first step, the focus should be on bringing in others, Moore says.

“From an altruistic perspective it’s a great initiative but the issue we’re facing is that not everyone deals with the government enough to need that type of credential,” he explains. “To get this really used we need the companies consumers deal with on a regular basis … the banks and utility companies that people are touching regularly.” Progress has to be made to convince these organizations that relying on another identity management system has merit, Moore says. “If these organizations can see the business value of reducing their identity management footprint they will see a benefit,” he says. Don Thibeau, chairman and director at large at the Open Identity Exchange, says the relying parties are waiting for decisions to be made on governance and trust frameworks before entering the fray. But, he says, it would be in their best interest to put some effort into identity management. “Ecommerce merchants are making it up as they go along and that doesn’t work for anyone,” Thibeau says. There needs to be a value proposition for retailers, beyond simply not having to maintain their own ID management system, Thibeau says. “When someone goes to Best Buy, be it brick and mortar or Web site, wouldn’t it be useful to know the individual walking in the door?” he asks. “If you knew who they were you could make them a special offer and give them a better shopping experience.” There also needs to be a governance structure before relying parties will participate, says Keith Ward, president and CEO at the Transglobal Secure Collaboration Program. Until corporations know what rules they need to abide by they will remain on the sidelines. “Relying parties don’t care about technology, they are focused on the legal and privacy issues,” he stresses.

IDENTITY ECOSYSTEM: INCOMMON When the National Strategy for Trusted Identities in Cyberspace was first unveiled it reminded Ken Klingenstein of a document InCommon had created more than a decade prior. “The ID service provider, attribute authority and inter-federation were all elements of our world in 2001,” he says. InCommon, with 275 higher education participants and 105 sponsored partners, was created to support a common trust framework for education and research institutions in the U.S. This includes trusted shared management of access to online resources. To achieve this, InCommon helped develop a community-based common trust framework to enable participants to make appropriate decisions about the release of identity information and access control to protected resources. InCommon is intended to enable end-user access to a wide variety of protected resources. Through InCommon, identity providers can give users single sign-on and privacy protection, while online service providers control access to their protected resources. Since InCommon already has established operating principles, technology hooks and agreed-upon data exchange elements with each partner, a new organization doesn’t have to spend the time or resources to create these.

Here’s how it works: a user clicks on a service provider’s resource. Using federated single sign-on software, an identity provider authenticates the user, releasing only enough identity data to enable the service provider to make an access decision. InCommon, and many of the institutions it works with, use Shibboleth, a federated identity solution that connects users to applications both within and between organizations. Every software component of the Shibboleth system is free and open source. It provides single sign-on capabilities and enables sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner.

InCommon has many case studies and deployments at colleges and universities. One involved Stanford University and the National Student Clearinghouse. The solution enabled Stanford students to use their university access credentials for access to transcripts at the clearinghouse. Lafayette College, Easton, Pa., used InCommon so students could purchase tickets to different events. Lafayette wanted to provide student-only tickets to campus events through an agreement with UniversityTickets. The Dean of Students office worked with the company, but ran up against the challenge of providing user IDs and passwords for all 2,300-plus students. Lafayette had already been using InCommon for library applications and the Moodle course management system. The school introduced UniversityTickets to InCommon, the company joined and installed the Shibboleth service provider software. Students can now use their university issued credentials to purchase tickets to campus events. In its more than 10 years of existence, InCommon has grown significantly and with the national strategy it sees further growth with the creation of multi-lateral federations, Klingenstein says. “InCommon will grow significantly and evolve into a distinct sub community,” he adds. “Others will evolve into different federations as things become more polished.” The attributes are going to be what causes these different federations to pop up and then connect, Klingenstein says. For example, the attributes that InCommon uses won’t work for a K-12 school, so separate ones are needed. Additionally, medical organizations have been joining InCommon in preparation for inter-federation with research institutions. This too will necessitate another attribute set. While the majority of efforts for InCommon have focused on federation and single sign-on, these new efforts will add two-factor authentication as well, Klingenstein says.

TSCP WANTS TO PILOT TRUST FRAMEWORK In April the National Institute of Standards and Technology notified the organizations that made the cut for National Strategy for Trusted Identities in Cyberspace grants. Rules prohibited NIST from announcing the finalists publicly but the groups were free to publicize. The only one of the 27 to come forward was the Transglobal Secure Collaboration Program (TSCP). TSCP’s proposal addresses the trust framework, governance, liability and privacy of the national strategy and an identity ecosystem, says Keith Ward, president and CEO at the organization. The proposal wants to look at using high-assurance credentials for purposes other than their original use. “Hundreds of millions of dollars have been invested to deploy high-level assurance credentials,” he says. “But when you look at PIV and PIV-I they’re still single use cards.” TSCP wants to look at the liability and governance structures that would be necessary to use these credentials for other purposes. “How do you take those credentials and put them into the mainstream?” Ward asks. For example, a defense contractor uses his PIV-I for access to networks on the job and to authorize procurements for projects. But when that same defense contractor calls it a day at the office he goes home where he’s a volunteer firefighter and first responder. How can his work credential serve him in his other roles? Can this use be extended to enable secure login to government Web sites, to reserve a camping site at a federal park or to save information on a federal Web portal? “This last level is where it breaks down,” Ward says. “There’s no way to use that high-level card, without opening up liability and privacy issues.” In other words, taking a high-assurance certificate and opening it up for lower level transactions could jeopardize its integrity. While PIV and PIV-I are used as an example, the issue extends to any credential. “We’re trying to address the broader range of the ecosystem,” Ward says.

HOW TO ENABLE TRUST? Thibeau, who represents Google and others in discussions of the national strategy, says that identity ecosystems already exist in products like OpenID and Google. “Someone asked Eric Schmidt [Google executive chairman] to describe the difference between Google+ and Facebook,” Thibeau explains. “He said ‘trust.’” This goes to Google+ requiring real names. If an individual signs up with what seems like a pseudonym or fake name, their account is suspended. They are then contacted and asked to prove their name by providing a copy of a government ID. Schmidt has made multiple overtures in the media about Google’s ambition to become an online identity provider. Requiring real names is one step, but organizations need a way to vet that name to an individual. That requires trust, the magic word when it comes to the identity ecosystem. “The more you trust something the more you can do with it,” Thibeau says. “Trust has powerful economic definitions, the more you trust a particular brand, the more you transact with it.”



How to elevate that trust is a topic of major discussion. The American Bar Association Identity Management Task Force has an email list where this is hotly debated. One group favors using a PIV-I type of standard while others favor a solution more akin to Facebook Connect or OpenID. “It’s the very well developed PKI world versus the wild, wild west of social media,” Thibeau says. “I don’t think we can see that middle ground yet but it’s there.” The middle ground may appear in the form of derived credentials, says Jeff Nigriny, CEO at Certipath. This type of system would have one credential that could spawn others as necessary depending on the level of assurance required for a transaction. For example, a wire transfer exceeding a certain dollar figure would require a high-assurance credential and request additional authentication information before the transaction is complete. But if an individual simply wanted to access a Web site without creating another login, that original credential could serve as a low-assurance identification token for the site. But it’s easier said than done. “If the entity already has a high-assurance credential, it is easy to understand that should be inherently trusted by an application that wants mid-level assurance,” Nigriny says. “However credential technologies and the software that consumes them are not that flexible. A service that provides a derivative credential in the form factor suitable for the application is likely a winning technology migration strategy.” Conversely, if an individual has a low-assurance credential, a higher-level site may want to use it as an index to establish an ID and then prompt that user to step up the identity via a stronger credential. For example, a financial services company could accept a social networking ID to begin the ID process, but then request additional information to complete login and enable transactions.

It’s yet to be seen how this will play out in practice and how the business case will develop. Thibeau says the Open Identity Exchange can work with vendors to bring a higher level of assurance to email addresses with PKI. The organization also sees itself having a role in defining, implementing and enforcing this trust framework, Thibeau says. “You need a referee and someone enforcing the trust framework,” he adds. Thibeau says that the Open Identity Exchange is in a perfect position as its membership is really a team of rivals, each having a function in the identity ecosystem. Telecommunications, data aggregators and payment companies all are members of Open Identity Exchange and all have a place in the ecosystem. “The common denominator among all these rivals is that they need to figure out how to work with government,” he says. Whether working with the government or the myriad other players who make up the puzzle that is the identity ecosystem, progress is occurring. As pilots roll out later this year, trust frameworks and governance models are adopted and the steering committee is put in place, a year from now the identity ecosystem puzzle should have far fewer missing pieces.
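The derived-credential and step-up logic described above reduces to three pieces of policy: the identity provider mints a lower-assurance token from a high-assurance credential, the relying party maps each transaction to the assurance it needs, and the relying party either accepts the token, asks the user to step up, or rejects it. The Python below is an added illustration written for this page, not Certipath’s, NIST’s or any vendor’s design. The transaction thresholds, audiences, token layout and the HMAC key standing in for the identity provider’s signing key are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical identity-provider key. A real credential service provider would
# sign with a PKI key; the shared-secret MAC here only keeps the example short.
IDP_KEY = b"example-idp-key-not-for-production"

# Assurance the relying party demands per transaction type (assumed values).
REQUIRED_LOA = {
    "read_public_site": 1,
    "view_statement": 2,
    "wire_transfer": 3,
}
WIRE_STEP_UP_AMOUNT = 10_000  # above this a wire needs LoA 3, otherwise LoA 2


def required_loa(transaction, amount=0):
    """Map a transaction to the level of assurance it requires."""
    if transaction == "wire_transfer" and amount <= WIRE_STEP_UP_AMOUNT:
        return 2
    return REQUIRED_LOA[transaction]


def derive_credential(parent, audience, loa, ttl_seconds, now=None):
    """Spawn a short-lived, audience-bound token at a chosen LoA from a parent
    credential. A derived credential never asserts more than its parent."""
    if loa > parent["loa"]:
        raise ValueError("derived LoA may not exceed parent LoA")
    now = time.time() if now is None else now
    payload = {
        "sub": parent["sub"],
        "iss": parent["iss"],
        "aud": audience,
        "loa": loa,
        "parent_loa": parent["loa"],
        "exp": int(now + ttl_seconds),
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_credential(token, audience, now=None):
    """Return the payload if signature, audience and expiry all check out,
    else None. compare_digest keeps the MAC check constant-time."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["aud"] != audience or payload["exp"] <= now:
        return None
    return payload


def authorize(token, audience, transaction, amount=0, now=None):
    """Relying-party decision: 'allow', 'step_up' (genuine token but too weak
    for this transaction, so ask for a stronger credential) or 'deny'."""
    payload = verify_credential(token, audience, now)
    if payload is None:
        return "deny"
    if payload["loa"] >= required_loa(transaction, amount):
        return "allow"
    return "step_up"


if __name__ == "__main__":
    # Constructed sample: a PIV-I-style LoA 3 credential held by the user.
    parent = {"sub": "user-4711", "iss": "https://idp.example.net", "loa": 3}
    t0 = 1_700_000_000
    low = derive_credential(parent, "https://shop.example.com", 1, 3600, now=t0)
    print(authorize(low, "https://shop.example.com", "read_public_site", now=t0))
    print(authorize(low, "https://bank.example.com", "view_statement", now=t0))
    high = derive_credential(parent, "https://bank.example.com", 3, 300, now=t0)
    print(authorize(high, "https://bank.example.com", "wire_transfer", 50_000, now=t0))
```

Three checks carry the security of the scheme: the derived level is capped at the parent’s, the token is bound to one audience so a low-assurance token minted for a shop cannot be replayed at a bank, and it expires quickly. The relying party distinguishes “step up” from “deny” so that a legitimate user with a weak token is sent to fetch a stronger one instead of being turned away.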


App enables relying parties to see only relevant data GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS

With the emergence of Google Wallet and the slow migration toward mobile payment transactions, researchers at the University of Toronto had an idea. How about creating an app just for identification purposes? It would act as a simple form of ID, like a driver license, but it would reveal only the specific information needed for the transaction. The security problem with payment apps, according to Andrew Clement, is that they offer too much unnecessary information that could put the user at risk. Clement is a professor in the Faculty of Information at the University of Toronto, where he is leading the Prop ID research project. “The idea of the project was to develop a prototype of an ID app for a smart phone that would provide a privacy protected alternative to the ways in which we expect most smart phone wallet apps to develop,” says Clement. “Namely that they reveal more than necessary information about the individual when they engage in the transaction.” The Prop ID research project yielded the ID Wallet app. “Prop ID” means that the personal information provided is proportionate to what’s needed for the specific transaction. In other words, only necessary details are transmitted. This is also one of the core principles of the U.S. government’s National Strategy for Trusted Identities in Cyberspace. The idea for the app grew out of several years of research by Clement’s team looking at how people use their physical ID cards. The group was interested in the development of the Ontario Smart Card Project, which was designed to include a lot of personal information for a variety of services. Subsequently, the Toronto researchers became involved with the enhanced driver license that enables a license to serve as a border-crossing card in lieu of a passport. It was part of the



Western Hemisphere Travel Initiative, the U.S. government’s program to require everyone entering the U.S. to have either a passport, passport card or enhanced driver license. “We became involved in that debate and felt that the proposals and implementations were not secure and potentially very privacy invasive,” Clement says. “We wanted to develop an approach to ID that would enable people to conduct the wide range of daily transactions – shopping, traveling and banking – in ways that wouldn’t reveal any more personal information than is absolutely necessary.”


This is a matter of federal legislation in Canada. No more data is supposed to be collected than necessary for the transaction, but the rule is often violated, Clement says. The researchers set out to show the capability of developing technologies that would enable ID-based transactions while respecting the principle of data minimization. The team’s first effort used conventional ID cards like driver licenses and student ID cards. “When people use them, they basically flash the cards for the bartender or gate agent,” says Clement. “So in the case of buying liquor, while you are exposing your whole card, there’s generally not a record made of what’s on the card. It’s particularly problematic in that setting that when you use an ID card, all the information that’s available on it – like your name and address, birth date and various kinds of other identification numbers – they’re exposed but they’re not actually used.”

Clement believes problems escalate when these transactions move online. “On the Web much more information is being collected about individuals, partly because it’s really easy to do,” says Clement. The team wanted to address the particular case where a mobile phone is used for an ID-based transaction. “Our concern is that those transactions, like transactions on the Web, will be ones in which people give up a lot more information than is actually needed,” says Clement.

PROPORTIONAL ID PROTECTS PERSONAL DATA Clement’s team developed an alternative – the proportional ID app – to show the feasibility of a privacy protecting approach. “The classic example that we based this work on is buying alcohol and having to prove an age,” says Clement. “In order to buy liquor, you have to convince the person that you are of a sufficient age, but they don’t need to know your birth date. As long as they could verify the card was genuine, you only need to know a year of birth, for instance. So that would be a first step in this idea of proportionality.” They managed to accomplish their plan using physical cards. “We created clear plastic overlays to put on a driver license that would show only the information needed for that transaction,” he explains. They did something similar for voting credentials, using a driver license with the license number and age hidden. Clement says, “We cover those up, and this is the basic idea with our minimally-disclosing tokens.”

The team took it a step further in the mobile ID app. “The information on the card is transmitted in an encrypted form and can only be decrypted with the public key of the issuing authority, and that makes it clear that this is authentic information,” says Clement. The individual holds the smart phone to the terminal, approves the transaction and encrypted data is sent. After the keys are verified and authenticated the individual’s photo is shown on the clerk’s screen for comparison with the person standing in front of them. The clerk approves that and then is shown a green light if the person is of age to make the purchase. The Prop ID research team has shown this is technically feasible with Android phones using near field communication or Wi-Fi. The encrypted information is transmitted and authenticated with no unnecessary personal information left behind.

The app is a working prototype. There are no service providers to put it into play at this point. Clement says the team really just wanted to see what could be done. The school is also making the technology available to anyone, licensing it under a Creative Commons license, so people can try it out as a proof of concept. Clement and his fellow researchers think proportionate ID is an emerging area that will become more important as people realize the possibilities and the risks associated with using smart phones for identity-based transactions. “We’re fortunate to be on the leading edge as these wallet apps are developed,” says Clement. “And we hope that this can point the way to alternatives that are more privacy protected.”




Government and enterprises want centralized security management
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS



Mike Leete doesn’t like computer servers. The General Services Administration’s project manager at the Neil Smith Federal Building in Des Moines, Iowa doesn’t care for the resources it takes to operate and maintain a server room. So when the 10-story, 40,000-square-foot building needed to update its physical access control system he sought options that would relieve the need for him to maintain servers. “If you have a server farm somewhere else that I can put one in, it’s an advantage for me,” Leete explains, adding that tech support for servers has always been problematic.

THE SOLUTION? TAKE IT TO THE CLOUD. The Neil Smith Federal Building may be among the first federal buildings to deploy a cloud-based physical access control system, but it certainly won’t be the last. Moving physical access to a centralized server that can communicate with multiple agencies or office locations is a trend many industry insiders are seeing. While this may not be the public cloud that consumers are used to hearing about, government agencies and enterprises are migrating systems to private clouds, linking various locations via servers held in centralized, remote data centers. Organizations are also moving away from proprietary physical access control technology to systems that use open standards. The U.S. government’s FIPS 201 specification is a driver for these standards-based systems, explains John Piccininni, vice president of business development at the Identive Group. “Access control systems have been highly proprietary, but we’re moving away from that to open-source environments,” he adds.

The U.S. government is facilitating this move to standards-based, enterprise systems, says Kevin Kozlowski, vice president at Xtec. The White House Office of Management and Budget Memorandum M-11-11 mandates that federal agencies start using issued PIV badges for logical and physical access. Additionally, the growing availability of FIPS 201-based physical access systems is offering another option for enterprises seeking standardized solutions.

In Des Moines the switch to the new physical access system was facilitated by both M-11-11 and the need to update an existing system that was 10 years old, Leete says. GSA officials at the building discussed it for almost a year before deciding they wanted a physical access system that would be remotely hosted. Leete found such a system from BridgePoint Systems. However, the company’s solution had not been certified by the GSA for use in federal buildings or on the GSA network. BridgePoint worked with the GSA to get approval for the system, says Tom Corder, president and CEO at the company. The system went through vulnerability testing and was approved for use on the GSA network. “In the true world of cloud, it will never truly be Software as a Service, you have to have some hardware where you do enrollment,” he explains. But it met Leete’s desire to minimize server deployment. The system is run on a GSA server in Kansas City, Mo.

The system can issue new PIV credentials and can also enroll existing credentials into the local system, Corder says. Once enrollment is complete, the data goes to the cloud and privileges for access are downloaded to the building’s network of controllers and door readers. BridgePoint enrolls the signature from the PKI certificate on the credential, and during authentication compares that enrolled certificate with the one on the presented card. Before the system could be installed all 800 employees and 100 contractors working in the building had to be enrolled, Leete says. That started with many finally receiving their initial PIV credential. “Every agency was different, some had PIV cards, some had never gotten them and few were actually using them,” he says. If employees already had a PIV card, enrolling in the system consisted of entering their PIN, phone number and agency. For employees that knew their PIN, the process took just 90 seconds. “Almost all had to have PIN resets,” explains Leete, a process that added time and complexity.



Once the user base was enrolled in the local system, the larger solution could be deployed. A new head controller had to be installed along with networking for that piece of hardware to the security office. Other than that, the existing wiring infrastructure was able to work with the new system. For the new smart card readers – contact, contactless, and PIN pads – BridgePoint made a special plug to connect the new readers to the existing wiring, Leete says.

The installation was done over two weeks, Leete says. The physical access control system required installation of 23 readers on parking gates, elevator controls and automated doors. “We did the elevators first to make sure we didn’t have any unforeseen problems,” he adds. All the work was done in the evening after normal work hours so employees weren’t inconvenienced. Employees typically just use the contactless interface on the card for access to the elevators and other areas, Leete says. There are contact readers and PIN pads as well that can be used in situations requiring heightened security. Perimeter doors are equipped to read the chip’s contact interface and require a PIN for access outside normal business hours.

ISSUANCE AND ENROLLMENT CHALLENGES Deploying and using the system was relatively easy, but communicating and coordinating with all 45 agencies was a more difficult task, Leete says. Simply obtaining the lists of individuals who had to be issued PIV credentials and enrolled in the system took a lot of time. The first day the new system was turned on there were 50 people who still hadn’t come in to enroll in the local physical access system. Others had neglected to turn in old badges. “We had to tell the public service officers not to let people in with old badges,” Leete adds. The building also houses offices for two senators whose staffs are not eligible to receive PIV credentials. HSPD-12 only mandates PIV credentials for executive branch employees, and the senate staffers are legislative employees. For these individuals, Leete and his team created a different credential that would work with the new system.

While the Neil Smith building is the first GSA facility to deploy the cloud-based system, it’s open to others. “Any of those GSA buildings in the Kansas City region can basically jump on our system, and they can do it at a lower cost,” says Corder. “And they don’t have to bid out or evaluate other systems.” The local building would need only purchase an enrollment system and the proper controllers, and could have it up and running easily, Corder says. BridgePoint is fielding questions from other government agencies on the cloud-based system but has no other federal deployments. Since the cloud-based system was deployed last summer, there have been only a couple of problems when there was server maintenance at the Kansas City facility, Leete says. Those issues have since been remedied.

CORPORATE ENTERPRISE FINDS VALUE TOO Corporations are also recognizing benefits that come from migrating separate systems for multiple locations to a single managed service solution. “They want one offering that is more robust,” says Dave Adams, senior director of Product Marketing for HID Global. “They don’t want the physical access control server to sit in a closet somewhere with one person in the control.” The move to a cloud-based solution is in concert with the emergence of near field communication for physical access too, Adams says. “In the future our ability to connect a trusted source to that cloud-based system and deliver identities directly to a handset will reconfigure how physical access systems work,” he says. Brivo Systems is also seeing corporate clients wanting to move physical access control to the cloud, says John Szczygal, executive vice president at the company. “On the enterprise side, corporations want to get away from their own personal investments and leverage another infrastructure,” he adds. Physical access from the cloud can be as simple as installing a panel, and a new system can be up and running overnight, says Szczygal.

FROM PROPRIETARY TO STANDARDS BASED Besides cloud-based physical access systems, the other trend is the move from proprietary technology to standards-based systems. One of the drivers behind this is FIPS 201 and federal officials using PIV credentials for physical access control, says Szczygal. The GSA manages many federal buildings – like the Neil Smith Building – that house multiple agencies. The GSA operates the perimeter security for these buildings but then the agencies typically have their own security within. This often led to buildings having multiple physical access control systems, Szczygal says. “The typical federal building would have 15 to 30 different access control systems and many different types of credentials,” he adds. Issuing PIV credentials has helped because the credentials use the same standard and appearance, but agencies are still deploying different physical access control systems, Szczygal says. This is starting to change.

ENTERPRISE PHYSICAL ACCESS AT DENVER SCHOOL Prior to 1999 Laradon, a Denver-based school for children and adults with developmental disabilities, didn’t have any physical access control system on its 15-building campus. “The buildings were just open and people could come and go as they please,” says Annie Green, deputy director at Laradon. Established in the late 1940s, Laradon is a charitable organization in the Rocky Mountain region offering support, education, and training to children with developmental disabilities. Today, Laradon offers 12 different programs to more than 600 children and adults at its eight-acre campus in northwest Denver. After school shootings at Columbine and other locations, Laradon rethought this open policy. Initially it started checking in everyone who entered the campus, but then another shooting at a nearby recreation center caused the school to further tighten security. In 2007 officials decided to deploy a cloud-based physical access control system that uses contactless smart cards, Green says. The school now has access control readers on 15 interior doors and three entrance gates to the campus. Key-Rite Security was the systems integrator for the project, which uses technology from Brivo Systems. The system gave Laradon a Web interface so that the 200 employees could be categorized and provided appropriate levels of access, Green says. For example, all the directors have 24-hour access while managers and teachers are only given access depending on when they’re scheduled to work. Access can also be changed via the Web interface, so if someone forgets something in a classroom they can be given a temporary window of access to retrieve the item. The system also enables officials to monitor contract work done on the premises. “We recently had some electrical and heat system work done and we programmed Brivo to provide the workers a three-hour window in only that building, and we could monitor how long they actually worked,” Green says.
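The access policy the Laradon case study describes (standing schedules per role, a temporary window for a classroom or for a contractor in a single building, and a check of how long the contractor was actually on site) is small enough to write out as a policy engine. This is an added Go example of my own, not Brivo's or Key-Rite's software, and the roles, door names, buildings, people and times in it are constructed for illustration.

```go
package main

import "time"

// Schedule is standing access for a role: the listed weekdays between Start
// and End (hours on a 24h clock). A director's schedule is every day, 0-24.
type Schedule struct {
	Days       []time.Weekday
	Start, End int
}

// Grant is a one-off window, such as a contractor's three-hour window in a
// single building or a teacher fetching something from a classroom after hours.
type Grant struct {
	User, Building string
	From, To       time.Time
}

// Policy is the in-memory equivalent of what the Web interface configures.
type Policy struct {
	Roles     map[string]string   // user -> role
	Schedules map[string]Schedule // role -> standing schedule
	Buildings map[string]string   // door -> building it belongs to
	Grants    []Grant
}

func (s Schedule) covers(t time.Time) bool {
	for _, d := range s.Days {
		if d == t.Weekday() {
			return t.Hour() >= s.Start && t.Hour() < s.End
		}
	}
	return false
}

// Decide reports whether user may open door at time t, and why.
func (p *Policy) Decide(user, door string, t time.Time) (bool, string) {
	role := p.Roles[user]
	if s, ok := p.Schedules[role]; ok && s.covers(t) {
		return true, "standing schedule for role " + role
	}
	for _, g := range p.Grants {
		if g.User == user && g.Building == p.Buildings[door] && !t.Before(g.From) && t.Before(g.To) {
			return true, "temporary grant until " + g.To.Format("15:04")
		}
	}
	return false, "no schedule or grant covers this door at this time"
}

// AddGrant is the "give the electricians three hours in the north building"
// operation: the window closes on its own, so nobody has to remember to revoke it.
func (p *Policy) AddGrant(user, building string, from time.Time, d time.Duration) {
	p.Grants = append(p.Grants, Grant{user, building, from, from.Add(d)})
}

// AccessEvent is one granted read recorded by a door reader.
type AccessEvent struct {
	Time       time.Time
	User, Door string
}

// TimeOnSite is the audit from the article: how long a contractor was actually
// present, measured from the first to the last granted read in a building.
func TimeOnSite(events []AccessEvent, user, building string, buildings map[string]string) time.Duration {
	var first, last time.Time
	for _, e := range events {
		if e.User != user || buildings[e.Door] != building {
			continue
		}
		if first.IsZero() || e.Time.Before(first) {
			first = e.Time
		}
		if e.Time.After(last) {
			last = e.Time
		}
	}
	if first.IsZero() {
		return 0
	}
	return last.Sub(first)
}

// SamplePolicy is constructed for this example; the names and buildings are made up.
func SamplePolicy() *Policy {
	weekdays := []time.Weekday{time.Monday, time.Tuesday, time.Wednesday, time.Thursday, time.Friday}
	allWeek := append([]time.Weekday{time.Saturday, time.Sunday}, weekdays...)
	p := &Policy{
		Roles:     map[string]string{"ann": "director", "ben": "teacher", "acme-electric": "contractor"},
		Schedules: map[string]Schedule{"director": {allWeek, 0, 24}, "teacher": {weekdays, 8, 17}},
		Buildings: map[string]string{"north-electrical": "north", "north-hall": "north", "main-office": "main"},
	}
	// Monday 4 June 2012, 13:00 UTC: three hours in the north building only.
	p.AddGrant("acme-electric", "north", time.Date(2012, 6, 4, 13, 0, 0, 0, time.UTC), 3*time.Hour)
	return p
}
```

With `SamplePolicy()`, `Decide("acme-electric", "north-electrical", <Monday 14:00>)` is granted by the temporary window, the same request at 16:30 or at a main-building door is refused, and `TimeOnSite` over the contractor's granted reads gives the elapsed time officials would compare against the three hours they paid for. The design point is that the contractor has no standing role at all: every access they get is bounded in both place and time.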

When corporate enterprises are looking to upgrade their physical access systems, Brivo encourages them to look at the Federal Identity, Credential and Access Roadmap for guidance, and FIPS 201 as well, Szczygal says. “It provides an excellent framework, a great process for credential issuance and it also considers the lifecycle of the credentials … something that is lacking elsewhere,” he says. Standardized technology increases end user options. “Multiple vendors can provide technology and the flexibility to add other applications,” Piccininni says. This is a change for the physical access control vendors, says Xtec’s Kozlowski. “Legacy physical access control systems are based on secrets,” he says. “New systems are moving into a standard environment not based on secrets but sound, robust security.” These new systems are also breaking down the barrier between security personnel and IT staff, Kozlowski explains. The two departments haven’t communicated, but since physical access systems are starting to run on the same network this is changing. “Now that they’re utilizing a common infrastructure they need to work together,” he says.

The white whale for physical access control vendors is a converged credential, one that is used for both physical and logical access. Convergence has been discussed for many years, and while FIPS 201 is a converged credential few use it for both purposes. In the corporate world the use is even less, but some are taking smaller steps to convergence that take advantage of network-based physical access systems, Piccininni says. He points to the IF-MAP protocol, which publishes access control logs to a server. Other servers can subscribe to that log and restrict access based on events. For example, if an individual tries to log in to the network from inside the building and they haven’t swiped in via the physical access system, they won’t be allowed to access network resources. The next step is to use that same credential for login to the network, but even taking this one step can reduce potential intrusions. “This has cut down some hack attempts by half,” Piccininni says. With networks increasingly becoming the target of hackers it goes beyond good public relations to increase the security of the logical assets as well as the physical, says Szczygal. “Corporations are taking the credential a lot more seriously,” he adds.
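The physical/logical correlation Piccininni describes, in code: the access control system publishes badge events, a subscriber keeps track of who is currently in the building, and a login from an internal address by someone who has not badged in is refused. This is an added Go example and not an implementation of IF-MAP itself or of any vendor's product; a minimal in-process publish/subscribe broker stands in for the IF-MAP server, and the log line format, user names, addresses and the internal range 10.0.0.0/8 are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Event is one record on the metadata bus (constructed format, not a vendor's):
// the PACS publishes badge events, the network policy server subscribes to them.
type Event struct {
	Time      time.Time
	Kind      string // badge-in, badge-out or login
	User, Arg string // Arg: door for badge events, source IP for logins
}

// Broker is a minimal publish/subscribe hub standing in for an IF-MAP server.
type Broker struct{ subs []func(Event) }

func (b *Broker) Subscribe(fn func(Event)) { b.subs = append(b.subs, fn) }
func (b *Broker) Publish(e Event) {
	for _, fn := range b.subs {
		fn(e)
	}
}

// Presence is the subscriber's view of who the PACS currently has inside.
type Presence struct{ inside map[string]time.Time }

func (p *Presence) Handle(e Event) {
	switch e.Kind {
	case "badge-in":
		p.inside[e.User] = e.Time
	case "badge-out":
		delete(p.inside, e.User)
	}
}

// Decision is the network side's verdict on one login attempt.
type Decision struct {
	User, Reason string
	Allow        bool
}

// Authorize applies the article's rule: a login from an internal address by
// someone with no badge-in on record is refused. External sources are left to
// the remote-access policy and are not checked here.
func Authorize(p *Presence, e Event, internal *net.IPNet) Decision {
	ip := net.ParseIP(e.Arg)
	if ip == nil {
		return Decision{e.User, "unparseable source address", false}
	}
	if !internal.Contains(ip) {
		return Decision{e.User, "external source, building check not applicable", true}
	}
	if _, ok := p.inside[e.User]; !ok {
		return Decision{e.User, "internal source but no badge-in on record", false}
	}
	return Decision{e.User, "badged in, internal source", true}
}

// Replay feeds a time-ordered stream of "<RFC3339 time> <kind> <user> <arg>"
// lines through the broker and returns the decision for every login attempt.
func Replay(lines []string, internalCIDR string) ([]Decision, error) {
	_, internal, err := net.ParseCIDR(internalCIDR)
	if err != nil {
		return nil, err
	}
	b, p := &Broker{}, &Presence{inside: map[string]time.Time{}}
	b.Subscribe(p.Handle)
	var out []Decision
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", l)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		e := Event{ts, f[1], f[2], f[3]}
		if e.Kind == "login" {
			out = append(out, Authorize(p, e, internal))
		} else {
			b.Publish(e)
		}
	}
	return out, nil
}

// SampleLog is constructed: alice badges in before logging in, bob logs in
// from a desk without badging in, carol is remote, alice tries after leaving.
var SampleLog = []string{
	"2012-06-04T08:02:11Z badge-in alice lobby-turnstile",
	"2012-06-04T08:05:40Z login alice 10.1.4.20",
	"2012-06-04T08:06:02Z login bob 10.1.4.21",
	"2012-06-04T08:07:30Z login carol 203.0.113.5",
	"2012-06-04T08:10:15Z badge-in bob lobby-turnstile",
	"2012-06-04T08:11:00Z login bob 10.1.4.21",
	"2012-06-04T17:00:00Z badge-out alice lobby-turnstile",
	"2012-06-04T17:05:00Z login alice 10.1.4.20",
}
```

`Replay(SampleLog, "10.0.0.0/8")` yields five decisions: alice allowed, bob refused (a desk login with no badge record is exactly the case the article wants blocked), carol allowed as remote, bob allowed once he has badged in, and alice refused again after badging out. The reason strings are what an analyst would want in the log when a refusal turns out to be a misused credential rather than a forgotten badge.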





The idea behind HSPD-12 was to create a secure, interoperable credential to control physical access to facilities and logical access to networks for executive branch employees and contractors. The directive was signed in 2004 and the FIPS 201 standard followed, along with accompanying guidance from the White House Office of Management and Budget. OMB Memorandum 05-24 was released in 2005 to provide implementation instructions for agencies deploying FIPS 201. The memo requires an agency to issue a PIV credential to any contractor employed for more than six months. At the time this made sense. But since the emergence of the PIV-I standard, many government contractors began issuing credentials to their own employees. Many in the contractor community want the OMB guidance amended so that contractors with PIV-I credentials could use them instead of having to receive a new ID. But some government officials disagree, citing differences between PIV and PIV-I credentials. The former requires an in-depth background check, and there are technical differences as well. It is not a large technical hurdle to provision a PIV-I credential on a federal network after the background check is complete, says Nicholas Piazzola, senior director of Government Authentication Solutions in the VeriSign Authentication Group. Changes could be made once the background check is complete to provision the PIV-I on a government network, creating a compromise between the contractor and government positions.

OMB declined an interview for the story but responded to questions via email. “Agencies have not raised any concerns to OMB regarding the requirement to issue identity credentials to their employees and contractors who require routine, long-term access (6 months or more) to federally controlled facilities and/or information systems,” a spokesperson states. But agencies aren’t happy and security has become an issue, says Steve Howard, vice president of credentials at CertiPath. The federal government doesn’t have a good track record when it comes to enforcing who is employed by its contracting companies. A host of questions arise. Is Joe Smith still employed by an agency’s cleaning contractor? How would the relying agency enforce this relationship? How quickly can an agency issue a PIV to all employees of the cleaning contractor to ensure they comply with OMB M-05-24? Many agencies report a three to six month window in issuing a PIV to contractors. And during this delayed issuance window, what happens if the PIV credential applicant leaves his employer? What is done to allow a cleaning contractor access pending receipt of a PIV? Are they always under temporary badge escort rules? And what happens when a contract ends and the contractor moves to a new contract, potentially at a new agency?

“PIV-I handles the contractor relationship more elegantly and at lower or no cost to the federal government … all the while reducing security risks to a relying agency,” says Howard. The Federal PKI policies directly tie the employee receiving a PIV-I credential to the human resources database of that employer. If an employee is fired or leaves, the credential is revoked. It’s this revocation process that improves the security of the agency’s relying system. It’s also a matter of who knows the employee better than the contractor, Howard explains, stressing that it’s more likely to be the employer than the contracting federal agency. “The ability for employer issued PIV-I credentials to form the basis of agency security decisions is critical to going forward with PIV technology,” says Howard. “This is a significant weakness in the view of OMB M-05-24 and the interpretation of HSPD-12.”

The problem that arises, especially when dealing with contractors such as cleaning crews, is that they may switch agencies frequently. This can lead to a contractor with multiple agency-issued PIV credentials. If a contract employee changes their relationship annually, they could easily have up to three PIV credentials, one issued by each of the contracting agencies. On the other hand, the individual could be issued one PIV-I by their employer, obtain one background investigation associated with that single credential, and greatly increase security and efficiency for the federal government, Howard explains. Yet OMB M-05-24 does not allow this. The federal government continues to spend money to credential and recredential contractors, increasing security risks to relying agencies.

“Private sector PIV-I credential holders will realize benefits from using credentials on a single identity badge,” says Gary Schneider, managing director and North America Public Sector Product head for Citi Transaction Services. “For all participants in the system it will save time, money and resources for their institutions. They will not have to issue or manage multiple badges for access to multiple locations as one federated credential can be used by all for access.” There’s also the matter of the federal government enabling the PIV-I market to grow. Many companies have spent time and money to become certified to issue PIV-I credentials at the behest of the federal government. “The PIV-I market was created because the federal government asked for it,” says Bob Dulude, director of federal identity initiatives at HID Global. “A lot of time and resources went into creating a process as secure as PIV, and now the federal government is taking half of it away from us.”



BIOMETRIC BORDER CROSSING GOES MULTI-MODAL US-VISIT adapts to expanding technologies and environments

In January 2004 the US-VISIT biometric border crossing system went live. The program collected two fingerprints for comparison against a watch list of known criminals and terrorists to make sure they weren’t allowed into the U.S. It is one of the first biometric border crossing systems in the world and serves as a model to other countries as they roll out similar systems. The U.S. Department of Homeland Security’s US-VISIT, which came out of the Sept. 11, 2001 terrorist attacks, has changed, upgraded and adapted in the past eight years. Still more changes are on the horizon, including greater interoperability with other U.S. agencies, the addition of multi-modal biometrics for expedited screening, and refinements to the existing exit system.

Since upgrading from two prints to 10 prints in 2008 a focus has been on interoperability with other agency databases, says Robert Mocny, director of the US-VISIT program. The program is fully interoperable with the U.S. Justice Department’s biometric database, checking fingerprints of individuals at border checkpoints in real time and receiving responses in 13 seconds. “This enables Customs and Border Protection access to millions of records in the criminal master files,” he adds. The next step is to build the same level of integration with the U.S. Defense Department’s Biometric Identity Management Agency, Mocny says. The DOD has been collecting biometrics overseas, and while US-VISIT is able to check against these records, it’s not in real time. This should change in the fall. The plan is to add back and forth communication so customs officials can check the Defense database and Defense can access US-VISIT data. “Officials will be able to get in from any point, Justice, Defense or Homeland Security to access information,” he says. “This didn’t exist a few years ago.”

ADDING BIOMETRIC MODALITIES Fingerprint biometrics will be the standard for US-VISIT, though the agency will add iris to the mix, Mocny says. In 2010, Homeland Security piloted iris scanning at a border patrol station in McAllen, Texas, checking immigrants against a watch list as they crossed the border. The success of this pilot is expected to lead to iris biometric integration into Global Entry kiosks. Global Entry is an international expedited border-crossing program that enables U.S. citizens to use kiosks when entering the country. Travelers have to enroll in the program, pay a fee and undergo a background check to participate.

Once enrolled, travelers scan their passports and fingerprint, enter their declaration and can go on their way. The kiosks will soon add iris biometrics as an option for authentication in addition to fingerprint, Mocny says. “People will have a choice of fingerprint or iris,” he says. “For people with fingerprints that don’t match well, iris will be an option.” “We’ll always keep fingerprint but from a transactional point of view iris is much better,” Mocny says. There’s the possibility facial recognition could be added down the line as well. US-VISIT isn’t ruling out adding iris to the traditional border screening process either, Mocny says. “It may be both fingerprint and iris or one or the other,” he explains. “To increase security, we could also alternate between modalities – one day it’s fingerprint, and the next day it’s iris.”

EXIT While the biometric screening process has been in place for some time, the exit component of US-VISIT has been tougher to tackle. Homeland Security wanted airlines to collect the biometric departure information, but the companies refused and eventually were able to dissuade the agency. The biometric portion of exit has not been fulfilled, but the agency has taken other measures to determine if individuals have overstayed and track them down, Mocny says. Airlines still collect biographical data from travelers and provide that to Homeland Security. That information combined with the entry data and other data sets enables the US-VISIT office to determine whether someone is a threat. “We take the biographical data and run it through additional databases and we can get a good idea of who is left in the country, whether they may be a threat and if they should be looked for,” Mocny explains. “Having the biographical side gets us to a point but when we add biometrics we’ll be in a better place.”

The US-VISIT program not only checks travelers coming in from other countries but can also be used by state and local officials to check immigration status.

US-VISIT CASE STUDIES On February 6, 2012, subject “X” arrived at the George Bush Intercontinental Airport in Houston after a trip to Panama and applied for admission as a returning lawful permanent resident. He presented a valid Mexican passport and a valid U.S. Permanent Resident Card. After his fingerprints were captured in the system, he was referred to secondary inspection for being a match against the US-VISIT Watch List. During secondary inspection, it was discovered the subject had been arrested in Texas for drug possession, and he was determined to be inadmissible into the United States due to a controlled substance conviction. This case highlights the value of being able to search the FBI’s Criminal Master File, which returns a response within 15 seconds. Without a positive biometric identification match, “X” would have possibly entered the U.S. without question.

On November 30, 2011, Australia submitted to US-VISIT the fingerprints of subject “V,” who was seeking refugee protection. The fingerprints were a positive match to an encounter in the US-VISIT database. After further analysis, it was revealed that subject “V” was born in Egypt yet was claiming Australian citizenship. “V” was in possession of a valid passport issued by Australia, but it was suspected that it was issued in error and obtained by using fraudulent claims and documentation. It was also discovered subject “V” was connected to multiple aliases, social security numbers, and dates of birth. US-VISIT assisted Australia in confirming his true identity.

INTERNATIONAL COOPERATION Since the US-VISIT program was one of the first biometric border crossing systems deployed, officials have worked with other countries considering similar systems. China visited the US-VISIT office earlier this year to discuss biometric borders and the European Union is also rolling out a US-VISIT type of system, Mocny explains. There’s also the Five Country Conference – the UK, U.S., New Zealand, Australia and Canada – who have agreed to share immigration data and develop interoperable systems. The US-VISIT office is also working with other countries on standards for biometric usability, Mocny says. Basically, travelers to different countries using these systems should have the same experience, know where and how to place their fingers on the scanner and be used to the process. “Have it be like an ATM but for biometrics … everyone knows how to use an ATM no matter what country you’re in,” he explains. “They need to have a common interface so someone who’s not a frequent traveler can figure out how to use it.” There should also be an accepted set of privacy and security requirements. “As more countries do this we need to make sure we’re adhering to standards, ensuring privacy and security,” Mocny says. “We need to create a body or have an existing one create standards to make sure that everyone knows how biometrics are used and has confidence using them.”



OBAMA WANTS MOBILE STRATEGY Report includes BYOD requirement, new solutions for mobile ID The White House Office of Management and Budget released a digital government strategy report, “Digital Government: Building a 21st Century Platform to Better Serve the American People.” President Obama issued the directive to make services accessible from mobile devices and charged OMB with developing a strategy to build a 21st Century Digital Government that delivers better digital services. The report also paves the way for “bring your own device,” which enables federal employees to use personal mobile technology in the workplace. It also calls for new solutions for mobile identity, authentication and credential management.

The strategy calls for the creation of a Digital Services Advisory Group out of OMB including members from the Federal CIO Council, Federal Web Managers Council and other agencies. One area of focus for the group will be to identify and recommend changes to help close gaps in policy and standards. Specifically, the report mentions identity credentials and mobile devices. “As new technologies are introduced into the federal environment, policies governing identity and credential management may need to be revised to allow the introduction of new solutions that work better in a mobile world,” the strategy states. Revisions to FIPS 201, the standard for federal employee identity credentials, are currently underway. The first draft was released more than a year ago but didn’t focus on mobile. Further revisions are expected to include a strategy for using high-assurance credentials with mobile devices. Another draft is expected before the end of the year and a final specification in spring 2013.

What, if any, impact this new report will have on the revisions to FIPS 201 is unknown. But the new Digital Services Advisory Group is instructed to issue a report in the next three months on agencies and bring your own device. The report will be based on less from other agencies. The report suggests the federal government “must pilot, document and rapidly scale new approaches to secure data and mobile technologies and address privacy concerns.” New technologies should be consistent with the National Strategy for Trusted Identities in Cyberspace and the Federal Identity, Credential and Access Management requirements. Identity is again mentioned when it comes to privacy and security: “Other opportunity areas include adopting advanced mobile device management solutions to support continuous monitoring, strengthening identity and access management and accepting externally-issued credentials on public-facing Web sites.”

SALTO Electronic Locking System


Features & Benefits

The Wirefree battery operated locks, cylinders and lockers are networked to your server without wires.

· No wiring costs, simple installation and reduced material costs · Adaptable to any kind of door, including lockers and glass door locks · Track events in the facility, such as battery status, access granted/denied and staff activities · Smart battery management and innovative design · Wall readers and door controllers are used for elevators, gates, barriers or speed gates

The link that enables communication is carried by the “intelligent” smart RFID card, which acts as a 2-way data transporter that grants access, provides audit trail and informs about battery status. The wall reader is the updating point and links the credential and the PC. It also permits special functions. FOR MORE INFORMATION PLEASE CONTACT US SALTO Systems Inc. 3073 McCall Drive - Suite 1 · Atlanta, GA 30340 Phone: 770-452-6091 • Toll Free: 1-800-GO SALTO • Fax: 770-452-6098 info@salto.us • www.salto.us • www.saltosystems.com

inspiredaccess


Federal employees wanting to access secure government Web sites on mobile devices don’t have it easy to begin with, but make it an Apple iOS device and it gets more complicated. Thursby Software Systems, already known for making it easier to use smart cards on Apple computers, has launched a new smart card app and reader combination that enables government employees to access secure federal sites from their iPhones and iPads. “We saw there was a need for Apple users to get their smart cards working without being rocket scientists,” says Paul Nelson, Thursby’s chief technology officer. “This is the first product that addresses individual users of iPads and iPhones with built-in security as if it were a military product.” Last September, Thursby released PKard for Mac v1.1 to enable federal and private sector employees to use their U.S. Defense Department Common Access Cards and PIV cards to access secure Web sites, Web VPN and secure mail using Apple desktops and laptops. The software automatically links popular Web sites with the security certificates needed to access them, and eliminates the work-arounds typically required to use Macs in primarily Windows-based environments, such as virtualized Windows or thumb drives, Nelson says.

Thursby’s PKard reader enables iPhones to use smart cards for email and other tasks.

The newly released PKard Reader app V1 takes those features mobile. The app creates a secure browser connection for iPads and iPhones and, with a smart card reader, enables federal employees to use their credentials to access secure federal Web portals and Web sites. It’s designed for use with mobile devices running iOS 5 or higher. It can be used with smart card readers including the baiMobile 3000 MP encrypted Bluetooth reader, the Precise Biometrics Tactivo card and fingerprint reader or Thursby’s PKard reader. The PKard Suite combines the app with Thursby’s proprietary PKard smart card reader, which plugs directly into the 30-pin connector on an iPhone, iPad, or iPod touch. The PKard reader is a little square device that fits into a pocket easily, and all a user has to do is plug it into the phone, Nelson says. Apple approved the app in April so it’s in the process of rolling out to users. Prior to this, however, Thursby had 88 beta-testers in government agencies such as the Department of Defense, Department of Homeland Security, the Transportation Security Administration and the Federal Aviation Administration. “They have helped us work out the bugs,” Nelson says. Michael Danberry, chief of Network Operations at MI Readiness Command in Belvoir, Va., and author of the troubleshooting site www.MilitaryCac.com, was one of the beta-testers. “The government has made a lot of movement toward everything being through public key infrastructure. They’ve pushed us in that direction but haven’t given us a lot of tools to make it all work,” he says. According to Danberry, Thursby’s PKard Suite is the only product he has found that enables use of CAC cards with iPhones and iPads and is both easy to use and affordable. The closest equivalent on the market, the baiMobile Bluetooth smart card reader, costs $289, plus $57.80 each year for service. “The cost really limits how many people you can give the technology to,” Danberry says. Danberry and his colleagues are “looking for ways to access services easily, using the personal technology they like the most,” namely their iPhones and iPads, he says. “People want these card readers and want them now, and they are willing to pay $150 to get it.”

PRODUCT FEATURES Features of the mobile app include a secure reset feature, which clears the browser history “so there is no trace of anything left in the app,” Nelson says. It provides the ability to sign and encrypt email, a requirement for government employees. The PKard Suite can be integrated with Google Apps so an individual can use the smart card to log in and work there. The PKard Mac app is free through iTunes, but Thursby is selling the PKard Suite with its card reader for $149.95. The company hopes to drive the price down to about $75 by next year, Nelson says. “It’s just a question of increasing the manufacturing capacity.” A $75 price point would position the product in the sweet spot for the target audience of individual users. “We want to get the product in the hands of individuals first, before trying to work with government agencies,” Nelson says. He envisions military reservists using the suite to access Web portals they already use for online training and to update time cards. “There is a lot of opportunity there, because there are quite a few people who have these credentials,” he says. And although individuals in the federal government will be the primary users, the company hopes it will be adopted for first-responder use by state and local governments as well. The app could allow emergency personnel at a disaster site to verify the identities and qualifications of other workers, Nelson says. With mobile smart card readers, federal employees can access work-related services such as Outlook email, the Department of Defense travel system and reimbursement filing systems. The pay system as well as personal official military records are all “smart card enabled and there is more and more stuff coming online all the time,” Danberry says. For federal employees, “it’s not just about security, but also about being able to use and access your information in multiple places.” Thursby’s PKard app draws on many of the features of the company’s other products. The company has been making software to help Mac computers integrate seamlessly into primarily Windows-based systems in government and enterprise since 1986.





Now that Visa and MasterCard have released road maps to EMV in the United States, the initial implementation milestone is fast approaching. With a first deadline in the fall, some in the industry wonder if the deadlines are too aggressive and whether the project could drag on for 10 years. “The size and complexity of the U.S. market could potentially make the rollout of EMV a decade-long exercise,” says Mads Petersen, CEO of CIM USA. “Clearly the larger issuers can get cards on the streets quickly, but merchant owned stand-alone terminals will be the last in the chain to be updated and will require the most radical changes.” In August 2011, Visa announced its path toward EMV contact and contactless chip technology in the United States. The road map encourages investments in technology that will hasten the adoption of mobile payments and improve international interoperability. The first initiative, effective October 1, 2012, has Visa expanding its Technology Innovation Program (TIP) to merchants in the U.S. “We still require Payment Card Industry Data Security Standard compliance, but those merchants who deploy contact chip and contactless chip technology at their points of sale would have some reduced requirements for validating their compliance to PCI DSS,” says Stephanie Ericksen, head of Authentication Product Integration at Visa USA. “We’d like to see the U.S. infrastructure adopt dynamic data and begin to do that as soon as possible.”



For merchants to avoid the annual validation requirement, at least 75% of their Visa transactions must originate from chip-enabled terminals. The terminals must support both contact and contactless chip acceptance – including mobile contactless payments based on NFC technology – and the merchant’s systems must not store track data, security codes or PINs. Step two involves building the processing infrastructure for chip acceptance. Visa will require merchants’ acquiring systems to be upgraded to pass contact chip data or dynamic data by April 2013. Then comes what Ericksen calls the final milestone, in October 2015: the liability shift.

THE SIZE AND COMPLEXITY OF THE U.S. MARKET COULD POTENTIALLY MAKE THE ROLLOUT OF EMV A DECADE-LONG EXERCISE

“The merchants that have not yet deployed contact chip technology at the point of sale may take on some additional liability for counterfeit transactions if chip could have prevented that counterfeit,” says Ericksen. As the infrastructure is upgraded and these cards are more widely issued, Ericksen says anyone with a chip-enabled card will be able to go to a chip-enabled merchant. “Depending on the type of terminal the merchant has deployed, the cardholder will be able to either do an EMV contact chip transaction or a contactless transaction with their card,” says Ericksen. “Or if the merchant does not have contact or contactless chip, they can still swipe their card and do a mag stripe transaction.” It’s an approach that’s not unique to the U.S., according to Ericksen, who is combating the misconception that “chip” means “chip and PIN.” She explains that many countries around the world have adopted EMV chip technology that is not based on chip and PIN. It is true that in many cases EMV chip has been paired with offline PIN. “That’s because the offline authentication that’s being used by the chip is coupled with the PIN to secure the transaction for the offline environment,” says Ericksen. “We have an online environment here in the U.S. and there are many countries around the world that also have that as well,” she adds. Because of this, there is no need to manage offline PIN and the complexities that come with it. That’s the model Visa plans to deploy in the United States.


MasterCard’s road map to EMV in the U.S. was released in January and, like Visa’s, it sets the same April 2013 deadline for MasterCard’s acquirers to have their infrastructure ready, though its sliding scale of liability is less stringent.

While Visa’s road map veers away from chip and PIN, MasterCard is advocating for its adoption because it believes it to be the most secure method, says Colin McGrath, MasterCard’s vice president of Development in U.S. Markets. “We believe that will provide the best and most secure experience for consumers. It’ll provide the greatest security for issuers and for merchants, so everyone really benefits,” says McGrath. But, he stresses, technology changes and market demands may lead to other approaches. “It’s difficult to predict what the future holds from a technology standpoint, so what we’re really trying to articulate is a framework that’s flexible and can be adapted to grow with whatever the changing technology presents,” McGrath explains. “A lot of partners in the payments ecosystem are looking for that next advance. Where is it going to come from? We believe now is the time to get people on the same page about upgrading the infrastructure for the U.S. payments industry,” says McGrath.

Insiders say the aggressive EMV deadlines may be difficult to meet as switching to EMV isn’t as simple as flipping a switch.

AGGRESSIVE TIMELINE Gregg Smith, co-founder and partner in EMV Academy, says EMV will not be easy to implement in the U.S. He thinks the timelines for Visa and MasterCard are too aggressive. “There doesn’t seem to be a lot of people jumping on the bandwagon yet because many don’t believe it is going to happen this fast,” says Smith. “I would say it’s going to take two to three years to get implemented, and probably in five years it will be to where all of the other countries in the world are today. I think it’s going to be a lot longer process than people would like to believe.” Smith says part of the problem is the sheer quantity of banks. While Canada has six major banks, he notes there are upwards of 14,000 community banks and credit unions in the U.S. “Execution is quite complicated,” says Smith. “There’s got to be several hundred acquirers and processors, and they have to get the back end ready to accept chip cards. The complexity is huge.” Jeremy Gumbley, CTO at CreditCall, thinks the timing is right for companies to jump in now. “The great thing about the USA going to EMV now as opposed to earlier is that it can take advantage of the experience gleaned from the rest of the world migrating to EMV, avoiding the common mistakes that have occurred elsewhere,” he adds.

Smith believes EMV in the U.S. will migrate from chip and signature to chip and PIN. Without chip and PIN, he says, users are missing one of the key levels of security that EMV provides. “Data shows a big shift in fraud in this country now that other countries are certified,” says Smith. “U.K. tourists still get fraud, but they get it when they come here because their chip cards convert to mag stripe.” Smith also cautions that there’s a shortage of people who know how to implement this technology. “There is no expertise in the U.S. to be able to tell people how to do this. The lack of resources, to me, says if you don’t get involved in this thing now, come the second half of this year, there may be nobody to talk to,” he says. “If we took everybody in Europe that understood EMV and brought them here for a year to help out,” he concludes, “there still wouldn’t be enough.”




For public transit users, the grind of a daily commute is two-fold. Not only do you have to cram onto a crowded bus or train, but you also have to worry about having your fare ready, whether you’ve got exact change, if your transit pass has expired, or what to do if your transit card won’t register. Public transit officials know that commuting can be a stressful experience. With the development of open fare transit systems, they hope to make mass transportation a simpler and more enjoyable experience. Most domestic transit systems today rely on a combination of fare payment methods. “Today, fares are paid with cash, tokens, or closed-loop magnetic or contactless media,” says Dave Blue, regional director for sales and marketing at Cubic Transportation Systems. The technology incorporated into transit systems across the world varies greatly. SEPTA, the transit agency serving southeast Pennsylvania including Philadelphia, uses cash, paper tickets and tokens. Other cities like Hong Kong, London and Chicago utilize a closed-loop contactless card in their fare acceptance systems. In 2009, the Utah Transit Authority became the first in the nation to trial open-loop fare payments. Since this initial application, open-loop payments have made headway as the solution of the future, with other cities piloting or implementing the technology. Open-loop systems enable riders to pay fares using bank-issued payment products. Initially, this revolves around contactless cards such as Visa payWave, MasterCard PayPass, Discover Zip or American Express ExpressPay. But it can also include mobile wallets and NFC payments.

OPEN-LOOP SYSTEMS ENABLE RIDERS TO PAY FARES USING BANK-ISSUED PAYMENT PRODUCTS

“The convenience for the consumer is that you don’t need another form of payment or to carry another card. You can use the contactless bank card that you already carry in your wallet to get you through a fare gate or onto a bus,” says Blue. As contactless technology was added to the payment system, open fare transit started making waves. “It changed the way people looked at options for transit collection,” says Jerry Kane, New Payment Technology Project manager at SEPTA. Transit systems no longer had to opt for a proprietary, closed-loop system that only worked in their transit operations.

With the addition of contactless, the amount of time needed to complete an open-loop transaction was reduced. This transaction speed is vital when moving people through turnstiles quickly. Once the transaction could be completed within 500 milliseconds, it was a viable option for use in the mass transit arena, says Kane. Transit agencies that have paper tickets, mag stripes or tokens have discovered that the accounting and technology behind the scenes can become a burden. Paper tickets and tokens require inventory and distribution, says Kane. Closed-loop systems don’t ease the burden much as transit agencies are forced to issue their own media and manage complex systems. They require agencies to invest heavily in technology and manpower to build and maintain the systems. “Today transit agencies spend significant dollars on proprietary fare media, media distribution and cash collection,” says Blue. Proprietary systems leave transit agencies beholden to one vendor for everything related to the technology, including upgrades and added functionality. “You’re stuck with that vendor as long as that system is operating,” says Craig Roberts, manager for technology development at the Utah Transit Authority.


Public transit fares will be paid with branded credit and debit cards as well as other fare media.

On the contrary, open fare systems enable transit operators to invest in communication and payment technologies that are based on open standards and widely deployed across industries, explains Roberts. This gives agencies the freedom to make changes and upgrade their systems as their needs change. “Ideally you are able to buy in a competitive marketplace and plug and play different components. Agencies are in better position to make changes,” says Roberts. Agencies can also transition from managing the entire payment operation to simply being another merchant in an open system. “If the agencies can move toward open payments as their primary payment mechanism they can recognize substantial cost savings,” says Blue. Roberts adds that once an open fare system is in place it’s relatively easy to make changes. In a closed system where intelligence is held on the card itself, changing fares can require the agency to change readers and even cards. If the agency adds a pass product that’s card-based, it’s “essentially going to have to re-card and reprogram readers to take the product,” says Roberts. “Back office simplicity equals reduced cost for agencies. There’s greater efficiencies,” says Roberts. Because open fare utilizes current payment network brands, a transit agency doesn’t have to issue its own media or concern itself with issues surrounding adding value to the card. It also doesn’t have to provide customer service for the card since it is not the issuer. Passengers don’t have to figure out how the fare system works. Through focus groups the UTA found that was an added benefit. “The issue of embarrassment is a major barrier to use of a transit system,” says Roberts.

IF YOU HAVE A CONTACTLESS CREDIT CARD IN YOUR WALLET OR PURSE, YOU CAN USE TRANSIT IN UTAH TODAY

“If you have a contactless credit card in your wallet or purse, you can use transit in Utah today,” says Roberts.



OPEN-LOOP UTILIZATION IN UTAH REMAINS LOW Though agencies see benefits from open loop, convincing riders to use their contactless bank-issued cards for transit is a different story. Currently, only about one percent of UTA fares come from open payment transactions, says Roberts. Half of ridership comes from third-party payers such as ski resorts, employers and schools that issue cards that work on the system. Another 25% to 30% of riders pay cash. The remainder purchase passes sold at retail locations like grocery stores. “We have it but haven’t been promoting it. People don’t know,” says Roberts, noting that the card issuing banks are responsible for promoting the use of contactless payment with cards. “It’s the chicken and the egg about contactless and open payment. You have to have a lot of merchants, then a lot of banks. Then you get promotion,” says Roberts.

CHICAGO EMBARKS ON AN OPEN-LOOP TRANSITION Although the UTA system has scant usage, it hasn’t deterred other agencies from delving into open fare implementation projects. In January the Chicago Transit Authority (CTA) awarded a 12-year contract to Cubic Transportation Systems to upgrade its Chicago Card system from a closed to an open fare collection system based on contactless and NFC standards. According to Ed Reese, general manager for business development at the CTA, the terms of the deal give Cubic a two-year implementation program and a ten-year operation and maintenance contract. Cubic won’t receive payment until the system goes live. Once operational, Cubic will earn a fixed per-tap fee for the term of the contract, as well as a fixed monthly fee, says Reese. It’s a way for CTA to reduce operating expenses. “We shift the risks, credit, labor and security to a private contractor,” says Reese, adding that the CTA anticipates cost savings of $5 million a year. After the transition, rail fares will be 100% contactless. Buses will accept both contactless payment and cash. “This will lower the cash processing costs, which means higher revenue for us,” says Reese. When the new system is rolled out, the CTA will issue new media in the form of a Visa co-branded general-purpose reloadable card. Those who do not have a contactless-enabled card or are unbanked will use this card. “You can top up the card or link it to a credit card account,” says Reese.

ONCE THE SYSTEM IS LIVE, THE CTA WILL STOP ISSUING ITS OLD CARD.

The reloadable card will also be able to handle all of the various fare passes CTA offers. “All of the existing fare products are able to be purchased on the card at any point,” says Reese. In designing the software, the CTA intends to support different fare schemes, including fixed-route pricing, peak pricing, premium pricing and route-specific pricing. “Things we can’t do now,” explains Reese. Open fare transit makes it easier for agencies to work with each other, because Visa, MasterCard and American Express are automatically interoperable with other systems, says Roberts. For an agency like the CTA, this feature is important because it helps the system comply with a new Illinois state law that mandates the three Chicago-area transit agencies have a universal fare card. The transition to an open fare payment system will allow the three Chicago-area transit agencies – CTA, Metra commuter rail and Pace buses – to work together in an account-based universal system, explains Reese.

As the mobile wallet becomes more prevalent, transit authorities may also be able to tap into the mobile user for payment. “Since the systems are built to accept contactless media they are a perfect fit for upcoming NFC technology. The mobile phone will be able to emulate a proprietary card if the agency wishes or it can be the conduit, through a ‘wallet’, for an open payment bank issued card,” says Dave Blue, regional director for sales and marketing at Cubic Transportation Systems. According to a report by the Smart Card Alliance, NJ TRANSIT in New Jersey became the first transit agency to test these waters when in October 2011 it partnered with Google Wallet for an NFC mobile payment test. The agency hopes NFC can speed up the ticketing and boarding process through shorter transaction times. However, open fare systems can also easily enable NFC and mobile payment. “If the industry makes mobile payments work for Visa, MasterCard and American Express, we’re already set up,” says Roberts. “Any agency looking toward the future will have that enabled.”
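The split the article keeps returning to – a tap that must clear in about 500 milliseconds, fare intelligence that lives in the back office rather than on the card, and pass products, peak and route-specific pricing that can change without re-carding riders or reprogramming readers – is easiest to see in code. The following is an added example written for this page; it is not code from Cubic, UTA, CTA or SEPTA. The gate-side deny list, the rule set, the token names and the taps are all constructed for illustration.

```python
"""Account-based open-loop fare engine (constructed example).

The reader only decides accept/deny against a local deny list so a tap fits
the ~500 ms budget the article cites; all pricing (peak, premium, route-specific,
pass products, transfers) happens later in the back office against the account
the card token points at. Rules, tokens and taps below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

TAP_BUDGET_MS = 500  # viability threshold the article gives for a gate transaction


@dataclass(frozen=True)
class Tap:
    token: str      # network token / card reference; the reader never stores the PAN
    route: str
    at: datetime


@dataclass
class FareRules:
    base_cents: int
    peak_surcharge_cents: int
    route_fares: Dict[str, int]              # premium or route-specific overrides
    peak_windows: List[Tuple[time, time]]    # half-open [start, end) windows
    transfer_minutes: int = 120


@dataclass
class Account:
    token: str
    pass_product: Optional[str] = None       # e.g. "30-day"; lives here, not on the card
    taps: List[Tap] = field(default_factory=list)


class FareEngine:
    def __init__(self, rules: FareRules, deny_list: List[str]):
        self.rules = rules
        self.deny_list = set(deny_list)
        self.accounts: Dict[str, Account] = {}

    # --- gate side: a set lookup and an append, nothing that waits on the back office
    def gate_decision(self, tap: Tap) -> bool:
        """Accept or refuse a tap; pricing is deferred so the gate stays inside TAP_BUDGET_MS."""
        if tap.token in self.deny_list:
            return False
        self.accounts.setdefault(tap.token, Account(tap.token)).taps.append(tap)
        return True

    # --- back office: pricing and aggregation
    def is_peak(self, at: datetime) -> bool:
        return any(start <= at.time() < end for start, end in self.rules.peak_windows)

    def price_tap(self, account: Account, tap: Tap, previous: Optional[Tap]) -> int:
        if account.pass_product is not None:
            return 0                                   # pass product: ride is covered
        if previous is not None and (tap.at - previous.at).total_seconds() <= self.rules.transfer_minutes * 60:
            return 0                                   # free transfer window
        fare = self.rules.route_fares.get(tap.route, self.rules.base_cents)
        if self.is_peak(tap.at):
            fare += self.rules.peak_surcharge_cents
        return fare

    def settle(self, token: str) -> int:
        """Price all queued taps for one token; the total is the single amount sent to the card network."""
        account = self.accounts.get(token)
        if account is None:
            return 0
        total, previous = 0, None
        for tap in sorted(account.taps, key=lambda t: t.at):
            total += self.price_tap(account, tap, previous)
            previous = tap
        return total


# Constructed rule set and hotlist: change these and re-run settle(); no card or reader changes.
RULES = FareRules(
    base_cents=250,
    peak_surcharge_cents=50,
    route_fares={"EXPRESS": 500},
    peak_windows=[(time(6, 0), time(9, 0)), (time(16, 0), time(19, 0))],
)
DENY_LIST = ["tok_reported_stolen"]


def sample_taps() -> List[Tap]:
    d = datetime(2012, 6, 4)
    return [
        Tap("tok_rider_a", "RED", d.replace(hour=7, minute=30)),          # peak: 250 + 50
        Tap("tok_rider_a", "BLUE", d.replace(hour=8, minute=15)),         # within transfer window: 0
        Tap("tok_rider_a", "EXPRESS", d.replace(hour=17, minute=45)),     # premium route, peak: 500 + 50
        Tap("tok_rider_b", "RED", d.replace(hour=12, minute=0)),          # 30-day pass holder: 0
        Tap("tok_reported_stolen", "RED", d.replace(hour=12, minute=5)),  # refused at the gate
    ]


def run_day(rules: FareRules = RULES) -> Dict[str, object]:
    engine = FareEngine(rules, DENY_LIST)
    engine.accounts["tok_rider_b"] = Account("tok_rider_b", pass_product="30-day")
    decisions = [engine.gate_decision(t) for t in sample_taps()]
    return {
        "gate": decisions,
        "rider_a_cents": engine.settle("tok_rider_a"),
        "rider_b_cents": engine.settle("tok_rider_b"),
        "stolen_cents": engine.settle("tok_reported_stolen"),
    }


if __name__ == "__main__":
    print(run_day())
```

Passing a different `FareRules` to `run_day()` re-prices the same taps, which is the point Roberts makes about back-office simplicity: a fare change is a configuration change, not a field visit to every reader. The deny list stands in for whatever hotlist an agency keeps locally; a real deployment would still authorize the aggregated charge with the card network afterwards.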

PHILADELPHIA’S SEPTA OPENS UP While Chicago is transitioning from one contactless system to another, SEPTA plans to replace its paper and token-based fare system with a contactless system dubbed the New Payment Technology Project. “We were facing a technological obsolescence,” says Kane. SEPTA’s current system uses read-only mag stripe technology for throwaway passes, a technology available since the 1980s. “It’s at the end of its useful life for fare collection,” says Kane. For SEPTA, switching to an open fare system also means cost savings. “It’s quite expensive to run fare collection, managing calendar passes, tokens, collection and distribution. It’s the full burden of running a bank, but we don’t get any money out of it,” says Kane. Transit vendor ACS will provide the complete solution including design, testing, installation and operation, explains Kane. The design phase is just beginning, with testing expected by the end of the first year and pilots to follow. Both systems will run side by side until the new system is installed overall. A challenge for SEPTA is figuring out how to implement the open fare system for its commuter rail operations, which make up 10% of overall ridership and 15% of revenues. “At trains, buses and trolleys you pay first but with commuter rail you pay on board. Conductors will have handheld readers for validation,” says Kane. SEPTA has not yet decided on the type of media it will use for this new system. “We are going to accept all forms of payment that comply with open standards,” says Kane. Still any transit agency must serve the unbanked population. To this end, SEPTA is exploring use of its own white label prepaid card as well as a general-purpose reloadable branded card. Because the new system is still years from implementation and has to run in parallel with the existing system, SEPTA does not know what cost savings it can realize. 
“There are a lot of hidden costs associated with running your own fare payment system that you would not encounter in an open fare system,” concludes Kane.




The Transportation Security Administration wants its inspectors to be able to spot fraudulent IDs or boarding passes without using a magnifying glass. To that end, the TSA has initiated a pilot program to test technologies supplied by three companies. The end goal is for inspectors to spot fake documents via electronic scanning. The first pilot kicked off in early April at Dulles International Airport in Washington, D.C. Other pilots will follow at Houston’s George Bush Intercontinental Airport and San Juan Luis Muñoz International Airport in Puerto Rico. These airports were selected because each has the capability to screen mobile boarding passes and both domestic and international travelers, says Ann Davis, TSA public affairs. In October 2011, TSA awarded $3.2 million in contracts for technologies to detect fraudulent documents.

Awardees include:
• BAE Systems Information Solutions
• Trans-Digital Technologies
• NCR Government Systems

Each airport will receive six detection units, two units from each vendor. “The credential authentication technology (known as Credential Authentication Technology-Boarding Pass Scanning Systems) will automatically verify passenger boarding passes and identification presented to TSA by passengers during the security checkpoint screening process,” says Davis. “The technology scans a passenger’s boarding pass and photo ID to automatically verify that the names on both documents match, as well as ensure the authenticity of the documents,” she adds. Authenticity of both the boarding pass and photo ID is ensured by analyzing each document’s embedded security features. “This technology offers another layer of security at the checkpoint that can deter and detect individuals who might attempt to board an aircraft with fraudulent documents,” she adds. All passengers are also vetted against watch lists through TSA’s Secure Flight Program before they’re issued a boarding pass.

THE NEW PROGRAM WILL REPLACE THE TIME-CONSUMING CHECK-IN PROCESS INSPECTORS HAVE BEEN USING

When implemented, the new program will replace the time-consuming check-in process inspectors have been using since 2007 that involves “visually inspecting the documents and using magnifying loupes and black lights to identify fraudulent boarding passes and IDs,” says Davis. The pilot, says Davis, is expected to last a couple of months. “Throughout this time, TSA will be collecting data and will monitor its function during pilot testing to determine whether it is a viable option for deployment.”
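Of the two checks Davis describes, document authenticity depends on the vendors’ feature-detection hardware, but the name match is a pure software problem, and a naive string comparison would flag honest travelers all day. The following added example, written for this page and not TSA’s or any awardee’s code, shows the normalisation such a check needs. It assumes the boarding-pass name arrives in the IATA BCBP layout “SURNAME/GIVEN NAMES” (a 20-character field, so long names are cut off) and the ID name arrives either as “Given Middle Surname” or “SURNAME, GIVEN”; compound surnames like “van der Berg” must use the comma form, since the code cannot otherwise tell where the surname starts. All sample names are constructed.

```python
"""Boarding-pass / photo-ID name reconciliation (constructed example).

Assumptions: boarding-pass name in IATA BCBP form "SURNAME/GIVEN NAMES", a
20-character field that truncates long names; ID name as "Given Middle Surname"
or "SURNAME, GIVEN". Accents, punctuation, case and generational suffixes
routinely differ between the two documents and must not cause a mismatch,
while a different given name or surname must.
"""
import re
import unicodedata
from typing import List, Tuple

BCBP_NAME_LEN = 20
SUFFIXES = {"JR", "SR", "II", "III", "IV"}


def normalize(name: str) -> str:
    """Fold accents to ASCII, upper-case, drop punctuation that varies between documents."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    kept = re.sub(r"[^A-Za-z/, ]", "", ascii_only).upper()   # keeps the BCBP slash and the ID comma
    return re.sub(r"\s+", " ", kept).strip()


def split_bcbp(name: str) -> Tuple[str, List[str], bool]:
    """-> (surname, given-name tokens, field looks truncated)."""
    norm = normalize(name)
    surname, _, given = norm.partition("/")
    return surname.replace(" ", ""), given.split(), len(norm) >= BCBP_NAME_LEN


def split_id(name: str) -> Tuple[str, List[str]]:
    """Accepts 'SURNAME, GIVEN MIDDLE' or 'Given Middle Surname'; strips suffixes."""
    norm = normalize(name)
    if "," in norm:
        surname, _, given = norm.partition(",")
        given_tokens = [g for g in given.split() if g not in SUFFIXES]
    else:
        tokens = [t for t in norm.split() if t not in SUFFIXES]
        if not tokens:
            return "", []
        surname, given_tokens = tokens[-1], tokens[:-1]
    return surname.replace(" ", ""), given_tokens


def names_match(bcbp_name: str, id_name: str) -> bool:
    bp_sur, bp_given, truncated = split_bcbp(bcbp_name)
    id_sur, id_given = split_id(id_name)
    if not bp_sur or not id_sur:
        return False
    if not bp_given and not truncated:
        return False                      # a pass with no given name is not a match
    # Surname must be exact unless a very long surname consumed the whole field.
    if bp_sur != id_sur and not (truncated and not bp_given and id_sur.startswith(bp_sur)):
        return False
    # The pass may omit middle names but must not contradict the ID; only the final
    # token may be a prefix of the ID token, and only when the field was truncated.
    if len(bp_given) > len(id_given):
        return False
    for i, tok in enumerate(bp_given):
        if tok == id_given[i]:
            continue
        if i == len(bp_given) - 1 and truncated and id_given[i].startswith(tok):
            continue
        return False
    return True


if __name__ == "__main__":
    for bp, doc in [("DOE/JOHN Q", "John Q. Doe"), ("OCONNOR/SEAN", "Seán O'Connor"),
                    ("VANDERBERG/MAXIMILIA", "Maximilian Vanderberg"), ("DOE/JANE", "John Doe")]:
        print(f"{bp!r:24} vs {doc!r:26} -> {names_match(bp, doc)}")
```

The truncation rule is the one that matters operationally: a traveler whose full name exceeds the field will always carry a pass that disagrees with the ID on the last few characters, and a checker without this allowance sends every such passenger to secondary. Conversely, the prefix tolerance is only granted when the field is actually full, so “DOE/JO” does not pass for John Doe.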

Spending. Security. Event privileges. Your campus card system should open the door to a world of possibilities on campus, online, and beyond. CBORD® is the industry leader in campus card systems that keep a new generation of students connected to their university communities. Visit www.cbord.com and take your one-card program to the next level with CBORD.

Comprehensive Solutions. Innovative Products. Dedicated Service. The CBORD Group, Inc. • 61 Brown Road, Ithaca, NY 14850 • 607.257.2410 • FAX: 607.257.1902 • www.cbord.com

Subscribe today Regarding ID Magazine features the best editorial insight from across the ID technology landscape.


SMART CARD SYSTEMS TARGETED BY HACKERS Weakness exploited in Defense’s Common Access Card program

Most consumers don't think twice about downloading a PDF from an email, even if it's not from someone they know. But many times these documents are spear phishing attacks, targeting individuals with high-level network access. The PDF contains a virus that opens a key-logger to track user IDs, passwords and PINs. This virus, a Sykipot variant, was discovered within the U.S. Department of Defense and was logging Common Access Card PINs. This enabled a hacker to access secure networks when a compromised individual had their credential in the computer.

The attack was discovered and reported by AlienVault Labs. This variant, which appears to have been released in March 2011, has been seen in dozens of attack samples from the past year. Cleaning the computer's operating system, protecting the operating system against the malware, and updating or patching the software application that introduced the malware to the system can prevent the attack.

While the integrity of the smart card was not compromised, credentials stored on the smart card may have been used for unauthorized transactions. The smart card PIN should be reset and, as a best practice, new public key certificates should be issued to the user, with the compromised certificates added to the revocation list and validation services.

While trojans that have targeted smart cards are not new, there is obvious significance to the targeting of a particular smart card system in wide deployment by the Defense Department and other government agencies. Attacks are also becoming more and more advanced and it's becoming increasingly difficult to keep up with them. "Every time we turn around there's a new attack," says Jim Zok, an ID industry veteran and former government official.

The Sykipot attack wasn't new but a variant on an old one, says Randy Vanderhoof, executive director at the Smart Card Alliance. "These threats are not new, they've been known about for a while," he says. "But there's a slight difference in the way the hack is delivered and they're finding vulnerabilities that have always existed but have never been exploited before."

Hackers are continuously finding vulnerabilities and exploiting them. The time it takes for the hackers to find these problems has dramatically decreased. "We used to think we had a year but now we have hours," Zok explains.

Organizations have to take a risk-based approach to security. Corporations aren't going to deploy a new system every time a new vulnerability is discovered. It's not cost effective. Vanderhoof says the question to ask is, "do we want to throw money at this or do we wait and see what alternative strategies might surface once people understand how the attack works." Patches and software upgrades can keep systems secure without having to implement entirely new systems. But ultimately there will be a time when the system is no longer secure. "We can harden the credential, we can harden the device but somewhere that credential interfaces with an untrusted computer environment," Vanderhoof says.

Keeping abreast of the latest attacks and updating anti-virus programs are important but consumer education is needed, Zok says. "Fifteen to 20% of users are afraid of certain behavior but they do it anyway," he says. "We need to make the public responsible for their own actions."
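The attack pattern described above, a key-logged PIN used by malware while the card is still in the reader, leaves traces a defender can look for: card-based authentications that happen while nobody is at the console, or a burst of authentications to many different services within a few seconds. The following detection routine is an added example written for this page, not code from the article, AlienVault or the Defense Department; the log format and every host, user, target and process name in it are constructed.

```python
"""Added example (not from the article or AlienVault): detection logic for the misuse the
article describes, where malware that has key-logged a smart card PIN authenticates with the
card while it is still in the reader. The log format, host, user, target and process names
are constructed for this example; map them onto your middleware or OS authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp host user event [key=value ...]
SAMPLE_LOG = """\
2011-03-14T09:01:12Z ws17 jdoe CARD_INSERTED
2011-03-14T09:01:20Z ws17 jdoe SESSION_UNLOCK
2011-03-14T09:02:05Z ws17 jdoe CARD_AUTH target=portal.example.test process=browser.exe
2011-03-14T12:30:00Z ws17 jdoe SESSION_LOCK
2011-03-14T12:31:10Z ws17 jdoe CARD_AUTH target=files.example.test process=update.exe
2011-03-14T12:31:12Z ws17 jdoe CARD_AUTH target=mail.example.test process=update.exe
2011-03-14T12:31:15Z ws17 jdoe CARD_AUTH target=hr.example.test process=update.exe
2011-03-14T12:31:18Z ws17 jdoe CARD_AUTH target=vpn.example.test process=update.exe
2011-03-14T13:05:00Z ws17 jdoe SESSION_UNLOCK
2011-03-14T13:06:00Z ws17 jdoe CARD_AUTH target=portal.example.test process=browser.exe
"""

def parse_line(line):
    """Split one record into a dict; trailing key=value pairs become extra fields."""
    ts, host, user, event, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
           "host": host, "user": user, "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec

def detect(log_text, burst_n=4, burst_window=timedelta(seconds=60)):
    """Return alerts for (a) card authentications while the console session is locked,
    i.e. nobody is present to have entered the PIN, and (b) bursts of authentications
    to many distinct targets in a short window, which is how stolen-PIN malware behaves."""
    alerts, locked, recent = [], defaultdict(bool), defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        rec = parse_line(line)
        key = (rec["host"], rec["user"])
        if rec["event"] == "SESSION_LOCK":
            locked[key] = True
        elif rec["event"] == "SESSION_UNLOCK":
            locked[key] = False
        elif rec["event"] == "CARD_AUTH":
            if locked[key]:
                alerts.append({"rule": "auth_while_locked", "ts": rec["ts"], "host": rec["host"],
                               "user": rec["user"], "target": rec.get("target"),
                               "process": rec.get("process")})
            # Keep only this principal's authentications inside the sliding window.
            recent[key] = [r for r in recent[key] if r["ts"] >= rec["ts"] - burst_window] + [rec]
            targets = sorted({r.get("target") for r in recent[key]})
            if len(targets) >= burst_n:
                alerts.append({"rule": "auth_burst", "ts": rec["ts"], "host": rec["host"],
                               "user": rec["user"], "targets": targets,
                               "process": rec.get("process")})
    return alerts

def summarize(alerts):
    """Alert counts per rule, for a quick test or a dashboard tile."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

An alert from either rule is the trigger for the remediation the article lists: clean the host, reset the card PIN, reissue the user's certificates and publish the old ones to the revocation list and validation services. Windows security, card middleware and TLS server logs each record pieces of these events; the constructed format here simply assumes they have been normalized into one stream.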


Summer 2012




MULTIPLE ANNOUNCEMENTS ON MOBILE ID AND THE ENTERPRISE
Entrust is actively working to make mobile identity simpler. To this end, the company has announced multiple new offerings including the extension of its IdentityGuard strong authentication platform to enable credentials on mobile devices for enterprise-grade security. Taking advantage of near field communication and Bluetooth standards, the solution embeds biometrics and digital certificates on smart phones to create trusted identity credentials for strong, convenient enterprise authentication. This lets an organization leverage mobile devices for logical access to corporate and wireless networks, web authentication and physical access to buildings and other facilities. By delivering updated credentials to mobile devices anytime and anywhere, organizations can eliminate the risk of physical smart cards being intercepted or lost in the mail and also eliminate shipping costs and delays. IdentityGuard mobile credentials can be deployed on Apple iOS, RIM BlackBerry and Google Android devices. The solution leverages industry-standard technologies, including PIV, for high security and interoperability.

The solution also provides certificate on boarding to mobile devices for certificate-based authentication and Secure Multipurpose Internet Mail Extension (S/MIME)-based decryption and signing of email. Advanced secure email capabilities include synchronization, key history and encryption across enterprise desktops and mobile platforms.

EMAIL SUPPORT WITH GOOD TECHNOLOGY
With the help of mobile solutions from Good Technology, Entrust is offering end-to-end support of S/MIME and PKI from inside the firewall to the mobile device. Good's container-based methodology was adopted to secure and manage sensitive data and prevent it from being leaked to other non-secure applications present on a device. Each Good Technology solution protects proprietary enterprise or government data in transit, over the air and at rest on a device using a FIPS 140-2-validated cryptographic module that utilizes AES 192 encryption. Working together, Entrust and Good are easing the integration between their respective solutions, removing the need for desktop synchronization software or out-of-band private-key distribution.

IMPROVING DEVICE MANAGEMENT
Software as a Service, appliance-based or on-premise solutions from mobile ID and security company AirWatch will help improve usability for Entrust customers. The AirWatch solution provides a set of mobile security features including a management console, secure content locker and secure email gateway. It helps organizations to securely manage both corporate and employee-liable devices and location-based services. A separate solution from MobileIron will enable Entrust on-premise and cloud customers to manage certificates for mobile devices and applications. This solution enables Entrust customers to identify devices accessing their enterprise and manage the identity of these users.

IdentityGuard enables users to send secure email on iPads and other mobile devices.



IDENTITY REASSEMBLED
ID 1.0 and 2.0 have failed, time for ID 3.0 or ID Next Gen
JEFF NIGRINY, CERTIPATH

Identity in our online world is well understood to be broken. Broad recognition of this began 18 years ago with a cartoon depicting dogs using the Internet pretending to be people. When was the last time a news cycle didn't include a story about stolen identities or the failure of passwords as a security mechanism? The U.S. Federal Government launched the National Strategy for Trusted Identities in Cyberspace in an attempt to "correct a market failure." All of the components exist for online identity to be successful, and now it's time to reassemble it.

As a gross simplification, ID 1.0 was the advent of user ID and password-based mechanisms that bound an individual to a service provider's specific application or network domain. ID 1.0 went wrong in some very specific, avoidable ways. Low-assurance identities serving low-value transactions have proved to be ineffective. Each service provider has its own identity mechanism. This one-to-one identity to service provider ratio has driven users to select the same identity credentials – user IDs and passwords – for all providers on all applications and sites. Low-assurance identities coupled with the same credential in use at all places empower attackers and undermine confidence in the entire concept of online identity (See Figure 1).

ID 2.0 attempted to make identity credentials portable and/or higher assurance, but solutions such as one-time passwords suffered from a lack of orchestrated roll out between service providers and identity providers.

FIGURE 1. Each service provider sets up their own identity for their users

By design, Internet services did not consider security or identity federation as operational requirements. The concept of portable identities between service providers was not considered at the outset. Each service provider was responsible for the full process of onboarding new users, establishing identity, giving them a credential and managing the identities over time. If we fail to recognize the reasons this occurred, Identity Next Generation will be no more successful.

For ID 1.0/2.0, online identity was predominantly a technology challenge. Today, however, the technical challenges enabling identity portability have largely been solved. We are now faced with crippling policy and governance issues caused by an immature ecosystem that was shaped through commercial pressures alone. Online identity needs to be about a secure, fraud-resistant form of identity first and a convenient transaction enabler second. Emerging federation solutions within ID 2.0 have been largely positioned as a single sign-on mechanism across popular social networking sites, extending these site providers' missions beyond social networking into the role of an identity provider. Identity providers and service providers have taken the path of least technical resistance at every turn. The security and fraud issues inherent in these low-tech, low-assurance authentication schemes continue to make it easy for the attackers perpetrating identity theft (See Figure 2).

In ID 2.0, online identity and the attributes used to extend it are difficult to manage and protect. Once an individual elects to use a social media site as an identity provider – for example Facebook – the default behavior is to share everything about the individual with the service provider's application. This far exceeds the mandate of an identity provider, yet it is the very phenomenon that has led to Facebook's significant market share as an identity provider. Specifically, an individual's profile data is a marketing bonanza for service providers, so these web and e-commerce sites love Facebook Connect. Identity providers and service providers alike have commoditized identity data, taking advantage of the fact that its use is currently under-regulated.


The next generation of online identity doesn’t need to be a complete redo. In fact some of the identity mechanisms and models available today are fundamentally correct. Consider how service providers link a user ID and password with a text message code to improve authentication for access to services. For example, Google+ requires 2-factor authentication for access and many financial institutions require more than one factor of security to use online banking (See Figure 3). The market failure that necessitated the national strategy is broadly a chicken and egg problem. Leveraging a new identity mechanism requires both the identity provider as well as the service provider to simultaneously adopt the new technology, but each needs the other to justify a mass rollout.

PROBLEMS WITH STRONG CREDENTIALS
High-assurance identity usage has suffered from other roadblocks as well. Service providers have not centralized on a single credential type, leaving the credential service providers fractured and regionalized. When someone wanted to buy a credential, they found the physical locations to obtain one to be few and far between. However, this is rapidly changing with the advent of PIV-I smart card-based public key identity credentials.

As we migrate to ID Next Gen, there are new concepts and definitions that support the ecosystem. To facilitate discussion about what's next, we use the following definitions:
• End-entity – an individual with associated attributes
• Attribute – a quality or characteristic inherent in or ascribed to an end-entity
• Claim – an assertion by an Identity Provider about an end-entity and its associated attributes
• Vetting – the process of inspection and adjudication of claims
• Identity – an association between vetted claims and a subject, certified by a trusted authority
• Credential – a physical or logical representation of an identity issued by an authority
• Credential Service Provider – an organization that issues credentials to the end-entity, enabling the end-entity to authenticate themselves within the federation
• Identity Provider – the organization in the federation that authenticates the end-entity for a given transaction and provides a claim to the service provider about that end-entity. Different identity federation models may vary by push and pull style mechanisms.
• Community of Interest – a set of like-minded service providers
• Federation Operator – an organization that provides the governance of the federation for a Community of Interest. The operator defines the rules for an authentication event and states what attributes can be passed from an ID provider through the federation operators to a service provider.
• Service Provider – an organization that provides a service to an end-entity

These present a fairly complex ecosystem for ID Next Gen. But with these definitions in mind, it's not difficult to show comparative issues between ID 1.0/2.0 and the next generation. The most critical difference is the separation of the community of interest, the ID provider and the service provider. The credential service provider issues the long-lived credential to the end-entity. Fundamentally, the end-entity uses their credential for authentication to the ID provider, who then presents the necessary claim for access to the service provider's applications.

There are key properties ID Next Gen must exhibit to overcome the barriers that thwarted ID 1.0/2.0:

An identity is only useful in the context of a Community of Interest. The profile of an appropriate claim, including the policies that define the vetting of attributes for a given population, needs to be defined by a community of interest. The federation operator provides governance over these profiles for the community, ensuring enhanced security and smooth migration over time. Additional granularity of policy can be achieved through the overlay of assurance levels.

An ID provider will not be authoritative for all attributes in the scope of an identity claim. Identity providers and attribute providers will have to support RSS-style feeds so that changes in identification can be received. For example, if an employee receives an additional certification or access right, this could be updated through this feed. This will support both front-end and back-end attribute exchanges, the former pushed automatically and the latter requested when needed.

ID Next Gen extends the scope of form factors an identity may take. It must enable the end-entity to authenticate to the ID provider with their strongest identity credential and receive a derived credential at a lower level of assurance matching the form factor of the service provider they wish to access.

ID Next Gen must continue to support user convenience without sacrificing security. Consider three core properties that we feel are required within the ID Next Gen ecosystem:
• One-click login
• Easy two- and three-factor support
• Single sign-up to any service provider's application

ID 1.0/2.0 illustrated the importance of building user convenience into a security mechanism, despite the paradox it creates. One-click login – implemented as a common graphic used across service providers in any community of interest – must be standardized as a default part of the identity ecosystem. Identity assurance will continue to be an important concept but can be vastly simplified for the end user. ID Next Gen must enable users to register their mobile device with their ID provider and standardize easy two- and three-factor authentication services, and then to have an easy two-factor OTP service that a provider can invoke when two-factor authentication is required. Similarly biometrics, while not as common for online identity applications, could be addressed as an add-on service and authenticated between the user's PC and the ID provider. Finally, single sign-up is a usability enhancement benefiting not only the end user but also the service providers and ultimately the identity providers. Currently provisioning new accounts is manually intensive and error prone for service providers. This is especially true for service providers in the financial sector supporting "Know Your Customer" rules that need high quality claims for identities and attributes.

Privacy must be designed into ID Next Gen to inspire trust. Enabling users to understand how their identity information is proliferating in the system is a key capability for use of ID Next Gen. While many mechanisms exist to accomplish this, ID Next Gen must incorporate an auditing/reporting element. Much like credit monitoring tools that alert one to activity involving their credit record, this system must implement identity and attribute usage reporting. When a service provider uses an identity or further queries secondary Identity providers for additional attributes, it must report this usage back to the primary ID provider. The ID provider must share this information with users in an easy to query service.

Federation Operators will provide identity directories for Communities of Interest. These will not be master records of all known people but rather a convenient means to link Identity providers, community service providers and others within the federation. All participants in a given federation must know where to acquire identity data that has been verified, corroborated and hosted by an ID provider. The ID provider will facilitate secure access to this data and will advertise metadata to make it more useful. For an ID Next Gen directory to be useful within a specific community of interest, it must store the following: those identity providers certified to assert identities, secondary Identity providers/attribute providers known to have information about end-entities for which a primary ID provider is authoritative, the home realm of the credential service provider for a given end-entity to facilitate subsequent attribute queries from a service provider, and a trust store list of signing certificate authorities that issued the assertion signing certificates in use at each of the identity providers. ID Next Gen must support legal discovery between parties in the federation.

FIGURE 3. Authentication mechanisms
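To make the definitions and properties above concrete, here is an added worked example written for this page, not CertiPath's or the article's code: a toy federation with a credential service provider, an identity provider, a federation directory and a service provider. It shows the community-of-interest profile deciding which vetted attributes a claim may carry, the service provider checking the claim's signature against the directory's trust store, a derived credential issued at a lower assurance level for a phone, and claim usage reported back to the identity provider so the end-entity can query it. All names are constructed, and an HMAC key stands in for the assertion signing certificates a real federation would hold.

```python
"""Added example (not the article's or CertiPath's code): a toy model of the ID Next Gen roles.
All names are constructed; an HMAC key stands in for real assertion signing certificates."""
import base64, hashlib, hmac, json, secrets, time

def _b64e(b): return base64.urlsafe_b64encode(b).decode().rstrip("=")
def _b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def csp_issue(subject, loa, serial, days=3 * 365):
    """Credential Service Provider: the long-lived credential (a PIV-I card, say)."""
    return {"subject": subject, "loa": loa, "serial": serial, "expires": time.time() + days * 86400}

class FederationDirectory:
    """Run by the Federation Operator: community profiles and the trust store of IdP keys."""
    def __init__(self):
        self.trust_store, self.profiles = {}, {}
    def set_profile(self, community, attributes, min_loa):
        self.profiles[community] = {"attributes": set(attributes), "min_loa": min_loa}

class IdentityProvider:
    def __init__(self, idp_id, directory):
        self.idp_id, self.directory, self.key = idp_id, directory, secrets.token_bytes(32)
        directory.trust_store[idp_id] = self.key      # certified to assert identities
        self.vetted, self.usage_log = {}, []
    def enroll(self, subject, attributes):
        self.vetted[subject] = dict(attributes)       # vetted claims about the end-entity
    def authenticate(self, subject, credential):
        """The credential's LoA caps the assurance of any claim built on it."""
        if credential["subject"] != subject or credential["expires"] < time.time():
            raise PermissionError("credential rejected")
        return credential["loa"]
    def issue_claim(self, subject, credential, community, audience, ttl=300):
        loa = self.authenticate(subject, credential)
        profile = self.directory.profiles[community]
        if loa < profile["min_loa"]:
            raise PermissionError("assurance too low for this community")
        # Only the attributes the community profile allows leave the IdP.
        attrs = {k: v for k, v in self.vetted[subject].items() if k in profile["attributes"]}
        body = {"iss": self.idp_id, "sub": subject, "aud": audience, "coi": community, "loa": loa,
                "exp": time.time() + ttl, "attrs": attrs, "jti": secrets.token_hex(8)}
        payload = json.dumps(body, sort_keys=True).encode()
        return _b64e(payload) + "." + _b64e(hmac.new(self.key, payload, hashlib.sha256).digest())
    def derive_credential(self, subject, strong, loa, days=1):
        """Derived credential for a weaker form factor, never above the source LoA."""
        if loa > self.authenticate(subject, strong):
            raise ValueError("derived credential cannot exceed source LoA")
        return {"subject": subject, "loa": loa, "serial": "derived-" + strong["serial"],
                "expires": min(strong["expires"], time.time() + days * 86400)}
    def usage_for(self, subject):
        """Usage reporting the end-entity can query: which SP used which claim and attributes."""
        return [r for r in self.usage_log if r["sub"] == subject]

class ServiceProvider:
    def __init__(self, sp_id, community, directory, idps):
        self.sp_id, self.community, self.directory, self.idps = sp_id, community, directory, idps
    def accept(self, claim):
        """Verify a claim against the directory; return its body, or None if rejected."""
        enc_payload, enc_sig = claim.split(".")
        payload = _b64d(enc_payload)
        body = json.loads(payload)
        key = self.directory.trust_store.get(body["iss"])
        if key is None:
            return None                               # issuer not certified for this federation
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(enc_sig), expected):
            return None                               # forged or tampered claim
        if body["aud"] != self.sp_id or body["coi"] != self.community or body["exp"] < time.time():
            return None                               # wrong audience/community or expired
        if body["loa"] < self.directory.profiles[self.community]["min_loa"]:
            return None
        self.idps[body["iss"]].usage_log.append(      # report usage back to the primary IdP
            {"sub": body["sub"], "sp": self.sp_id, "jti": body["jti"], "attrs": sorted(body["attrs"])})
        return body

def demo():
    directory = FederationDirectory()
    directory.set_profile("healthcare", {"name", "license_no"}, min_loa=3)
    idp = IdentityProvider("idp.example.test", directory)
    idp.enroll("alice", {"name": "Alice", "license_no": "MD-0001", "home_address": "1 Main St"})
    sp = ServiceProvider("ehr.example.test", "healthcare", directory, {idp.idp_id: idp})
    card = csp_issue("alice", loa=4, serial="CSP-0001")
    claim = idp.issue_claim("alice", card, "healthcare", sp.sp_id)
    accepted = sp.accept(claim)
    enc_payload, enc_sig = claim.split(".")            # tamper: change an attribute, keep signature
    body = json.loads(_b64d(enc_payload))
    body["attrs"]["license_no"] = "MD-9999"
    tampered = sp.accept(_b64e(json.dumps(body, sort_keys=True).encode()) + "." + enc_sig)
    phone = idp.derive_credential("alice", card, loa=3)          # phone-resident form factor
    derived_accepted = sp.accept(idp.issue_claim("alice", phone, "healthcare", sp.sp_id))
    try:
        idp.issue_claim("alice", idp.derive_credential("alice", card, loa=2), "healthcare", sp.sp_id)
        low_loa_rejected = False
    except PermissionError:
        low_loa_rejected = True
    return {"accepted": accepted, "tampered": tampered, "derived_accepted": derived_accepted,
            "low_loa_rejected": low_loa_rejected, "usage": idp.usage_for("alice")}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

Note how the tampered claim fails on the signature check before any attribute is read, how the home address never leaves the identity provider because the healthcare profile does not list it, and how the derived credential at LoA 2 is refused for a community whose profile demands LoA 3: the assurance floor is a property of the community of interest, not of the individual service provider.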

The legal responsibilities of the involved parties must be spelled out, and each participant must be able to support the other in dispute resolution. There must be mechanisms to demonstrate the end-entity's transactional intent to the satisfaction of the service provider. The common dispute "I didn't buy that nor did I receive it" must have a simple resolution. It must be straightforward for an ID provider to show which credentials and attributes were put together to deliver a claim to the service provider for authorization of a purchase. It also must meet the requirements of legal scrutiny.

ID 2.0 has shown us the basis of an Internet economy opportunity. There is room for improvement to enhance the user experience and trustworthiness of a networked society using the properties identified for ID Next Gen. These enhancements are not anticipated to be free, as they are not least-common-denominator based solutions. An economic model between parties must be developed to support the enhanced capabilities in a federated solution that can provide the ease of one-click login, EZ-2 and EZ-3 factor authentication, along with the backing of legal force. Credit card and cellular markets have demonstrated that such issues can be solved. Moving forward, the Internet can no longer afford to be the source of identity theft made easy. ID Next Gen is overdue.

Top 10 properties for ID Next Gen
1. Prevent identity theft and subsequent loss of control over one's personal information. The user must have a way of seeing who is using their identity data to provide confidence in the solutions offered by ID Next Gen.
2. Enable third-party corroboration of identity attributes.
3. Be easy to use, consistent in operation and supported ubiquitously.
4. Be viewed as cool to use.
5. Facilitate user choice so they can select the identity data they are comfortable sharing and require service providers to notify the user as to what is mandatory to access their service.
6. Enable portability of identity between identity providers, similar to the ability to move your mobile number across carriers.
7. Build protections to safeguard users from nefarious individuals trying to behave as them online. ID Next Gen must operate within a legal framework that provides non-repudiation and a predictable distribution of liability across all participants in an identity system. This could be similar to the fraud system credit card issuers have in place.
8. Avoid "mega records," to eliminate fear of creating a national identity system.
9. Attach to a vibrant ecosystem, for example, LinkedIn, Facebook, PayPal, Salesforce.com, and medical applications.
10. Straddle the old and the new. If you consider the identity to be a form of key and the application trying to authenticate a user to be the lock, ID Next Gen must assist in the migration towards more secure forms of locks.



Outside of a couple of Samsung and BlackBerry handsets there aren't many options for near field communication for the common consumer. Moneto wants to change that.

The Moneto menu shows users available options and balance.

Moneto launched in January and interest has been high so far, though sale numbers weren't available, says Amitaabh Malhotra, COO at DeviceFidelity. The company is planning to target the 18- to 34-year-old demographic with a marketing push in the second half of 2012. A partnership between DeviceFidelity and SpringCard, the new company aims to bring NFC to any Android or iPhone using a prepaid MasterCard account. iPhone users can purchase a protective case that includes a microSD card that costs $79.95, while Android users get a microSD along with a sticker that amplifies the NFC signal for $29.95. The account comes preloaded with $10. Moneto can be used to make mobile NFC-based payments at any merchant location accepting contactless MasterCard PayPass transactions. Additionally, the accompanying traditional plastic card can be used for magnetic stripe-based transactions at any location that accepts MasterCard.

I tested the solution with my iPhone 4. The package included a traditional prepaid MasterCard, a plain white card that contains the microSD, the iPhone case and a USB cord. There were also instructions and terms of service for the account. To begin, I pulled the protective case into two pieces, popped the microSD card into the spring-loaded slot in the back of the handset case and snapped it together around the iPhone. The case connects using the 30-pin iPhone connector, replacing it with a mini USB port. The supplied cord enables syncing and charging using the USB port since the 30-pin connector is no longer available. At the iTunes App Store I downloaded the 3.6 MB Moneto app, synced the device and completed the registration process entering name, address and Social Security number. This process was easy enough but I would have preferred to do it on a computer with a regular keyboard.




I selected a PIN for that app and was ready for mobile payments. The available balance appears at the top right of the screen along with a big blue pay button and other app options, including history of transactions, locations where the app can be used, account info, reload options, transfer and rewards. Transfer and reward options are not yet available. In the coming months, however, users will be able to transfer money to other Moneto users and participate in a rewards program, says Malhotra.

Adding funds to the account may seem cumbersome to some users. Options include direct deposit from payroll, ACH transfer from an online bank account, MoneyPak Green Dot, MoneyGram or PayPal. Malhotra says they are looking to expand these options further in the future. Since I already have a PayPal account, I chose that option. Because I didn't have a bank account linked to PayPal, I had to do that through my online banking site. At that point I was able to transfer funds from my banking site to PayPal and then finally to the Moneto account. The major drawback is the one to four days it takes for the new funds to show up in my Moneto account.

For me, the real drawback is the $4.95 monthly fee. I'm not accustomed to paying for banking service – I don't even have a card with an annual fee – so paying a monthly fee for the privilege of using my phone to pay at a handful of merchants is a bit of a showstopper for me. Malhotra says that once the rewards program is up and running, users will see that $4.95 returned to them in various rewards every month. Also, because the MasterCard prepaid card can be used to make purchases anywhere and to get cash at ATMs, the account has functionality beyond the contactless-accepting merchants.

For now I don't see the value. Within two miles of my residence the app lists eight places that would accept the payment technology, three of which are CVS Drug stores. I would like to keep using it but the $4.95 fee is too much for the limited use. Couple that with the $79.95 price tag to purchase the case, and I am skeptical that many people will be willing to spend that kind of money to make purchases with their phone. Once Moneto rolls out the rewards program there may be a benefit but until I see that it's difficult to say.

As for the hardware and app, however, they seem to work well. It took me a few seconds to find the sweet spot for the signal on some contactless readers. At first I found myself fumbling a little bit at the point of sale but the usability improved as I became familiar with the process. And to my surprise, the iPhone case itself is very nice. It adds a little length and bulk to the handset but nothing that's too noticeable. For those who use their iPhone on a dock frequently, they may be frustrated because the 30-pin connector is blocked and you have to remove the bottom half of the case to plug into a dock.

Future enhancements might make the $4.95 worthwhile. Besides adding the rewards program to Moneto, the company also envisions a future where other apps could be added to the microSD card, for example, a local transit application or physical access credentials. Overall, if you want NFC for your iPhone and are willing to deal with the $4.95 monthly fee, Moneto is a good option. For me, when my bank offers an option I'll be jumping on that as long as associated fees aren't there.




Regarding ID Summer 2012  

Regarding ID Magazine features the best editorial insight from across the ID technology landscape.
