Regarding ID Magazine – a survey of identification technology • SecureIDNews • ContactlessNews • CR80News • RFIDNews
ID AS A SERVICE
Outsourcing identity and credentialing matures
• 2010: The year that wasn’t • Health care’s security breach • Germany’s contactless national ID
Deliver multi-applications without compromise Identification solutions for security, convenience, and design productivity
Systems that support multiple applications are the new reality for electronic identification. NXP is already there, building on 15 years of innovation and an unmatched understanding of applications across segments and ecosystems. Our identification solutions are designed for the future, with features that let you create multi-application systems without forcing you to compromise on security, convenience, or design productivity. NXP is an innovative leader in High Performance Mixed Signal, seamlessly uniting RF, Analog, Power and Digital Processing technologies. Our in-house processing capabilities, application insights and expertise in sub-system design will help you excel in complex, ever-changing markets. Leading solutions in High Performance Mixed Signal and Standard Products
ID as a service: Outsourcing identity and credentialing matures
Transportation worker ID moving ahead: Pilots concluding but final access control policies still more than a year out
Health care’s security breach
Common Access Card continues to pave the way: Department of Defense explores future form factors, PKI applications
Banks, carriers roll out new pilots in U.S.
Opening the loop with transit programs
Winter 2010

6 | OPINION | 2010: The year that wasn’t
8 | PODCAST | Conversations on identity standards, alternative form factors and the Common Access Card
10 | ID SHORTS | Key news items from AVISIAN’s online ID technology sites
19 | CALENDAR | Industry events from the identity and security worlds
21 | VIDEOS | Interviews with leading vendors from events in the identity and security worlds
22 | COVER STORY | ID as a service: Outsourcing identity and credentialing matures
28 | TECH | ID management moves beyond logical access
30 | NATIONAL ID | Germany deploys contactless national ID
32 | BORDER CONTROL | E-passport inspections lagging worldwide
34 | TWIC | Transportation worker ID moving ahead: Pilots concluding but final access control policies still more than a year out
38 | BIOMETRICS | Keystroke dynamics secure computer access
42 | MARKET | Identity industry sees consolidation
44 | HEALTH ID | Health care’s security breach
46 | DIGITAL ID | Widespread authentication catches on
50 | LEGISLATION | Veto of IRON Act impacts ‘national strategy’
52 | MILITARY ID | Common Access Card continues to pave the way: Department of Defense explores future form factors, PKI applications
53 | CITIZEN ID | Translating experience from government ID to citizens
56 | LEGAL | Lawsuit threatens federal ID programs
58 | ONLINE ID | ‘National strategy’ delayed: Online ID initiative stalled by political and technical challenges
60 | NFC | Banks, carriers roll out two new NFC pilots in U.S.
61 | INNOVATION | Enabling payments on legacy hardware
62 | TRANSIT | Opening the loop with transit programs
64 | PAYMENT | Cubic drives open payments
66 | NFC | Apple: A love letter

INDEX OF ADVERTISERS
Apriva (iss.apriva.com)
CARTES & IDentification (www.cartes.com)
The CBORD Group (www.cbord.com)
CPI Card Group (www.cpicardgroup.com)
CSC (www.csc.com/nps)
CSCIP (www.smartcardalliance.org)
Digital Identification Solutions (www.dis-usa.com/Re-ID)
Entrust (www.entrust.com)
Evolis (www.evolis.com)
FIPS201.com (www.fips201.com)
HID Global (www.hidglobal.com/fargo-dtc-REID)
IEEE (www.IEEEBiometricsCertification.org)
Kaba Access Control (www.kabaaccess.com)
LaserCard (www.lasercard.com)
Mobile & Transit Payments Summit (www.smartcardalliance.org)
MorphoTrak (www.morphotrak.com)
NXP (www.nxp.com)
Sarnoff (www.sarnoff.com/iom)
Sargent (www.intelligentopenings.com)
Teslin (www.teslin.com)
Perspective

EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com
EDITOR Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR Andy Williams, andy@AVISIAN.com
CONTRIBUTING EDITORS Daniel Butler, Ryan Clary, Liset Cruz, Seamus Egan, Gina Jordan, Autumn Giusti, Ross Mathis, Ed McKinley
ART DIRECTION TEAM Darius Barnes, Ryan Kline
ADVERTISING SALES Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com

SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2010 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com.
2010: The year that wasn’t
Zack Martin, Editor, AVISIAN Publications

As the year began, there was great excitement around identification. Many were touting 2010 as the big year for identity. There were going to be great new use cases for PIV, true progress toward securing our health care data, NFC handsets and rollouts and even a government-initiated online ID. All very exciting stuff. Except none of it came to be in 2010. There were some exciting developments and progress but in different areas à la smart phones and EMV.

The biggest disappointment has to be PIV. The deadline for card issuance was more than two years ago, yet outside of the Defense Department, which already had applications in place, there’s only a handful of use cases. Officials know this is a problem and finding use cases for PIV is the focus of the Federal Identity, Credential, and Access Management (ICAM) group, but the pace seems glacial. I know these systems can’t be rolled out overnight but it’s been more than two years and it’s time to start using the technology on the card.

There’s also the physical access control component of PIV. Many suggest that the current physical access approach has inherent weaknesses that must be addressed. Early this year there seemed to be progress around PKI at the door and its potential for the federal enterprise. In the last few months, however, the buzz has gone silent.

Health care is another disappointment. President Obama wants every American to have electronic medical records and few argue the need to secure that data and identify patients and caregivers. But the U.S. Department of Human services has at best been timid, recommending encryption to protect the data but leaving the identity piece for providers to figure out. Having covered the health care IT market before I know it’s a difficult industry to advance, but there are serious issues around health care identification and not enough people seem to be taking it seriously.
The health care issue goes hand-in-hand with what President Obama wants with NSTIC, a secure way for individuals to protect their identity and conduct transactions online. The timeline for the president to sign a strategy along with the release of an implementation plan was aggressive … it was supposed to be October. Predictably, some say, the plan has been delayed. Two likely causes are the desire to wait until after the midterm elections to avoid politicizing the strategy and jockeying among federal agencies as to who will oversee the plan.

My issue isn’t with the delay as much as it’s with how the strategy is being drafted. I understand a lot of work on this has to happen in a back room, but there needs to be a bit more openness with the public especially with regard to the implementation plan. When the first draft strategy was released it was opened up for public comment, an interesting idea that went along with President Obama’s call for a more transparent government. But the comments have been closed for some time and there has been little to no official news regarding the strategy since its release. I know the old saying about two things you don’t want people to see made … sausages and laws … but some transparency on the national strategy is necessary. This is supposed to be a credential that citizens will eventually opt in to use so let’s share some of the process. As I’ve said before, the idea of a secure credential for online identity is something I’m excited about and am ready to get in line.

Another technology that I would wait in line for is NFC. The idea of having everything on my smart phone and not having a giant wallet in my back pocket makes me happy, especially because the three contactless cards I have in my wallet won’t work unless I take the individual one out of my wallet. But alas, I am still waiting. Throughout 2009 industry officials told us 2010 would be the year of handsets and rollouts. But again it did not happen, and instead we’re seeing more NFC bridge technologies like stickers and microSD cards.
The good news from 2010

On the positive side, 2010 brought to the forefront the concept that a smart phone is a viable form factor for identification. The reality is many corporations already use BlackBerrys, iPhones and Android devices for two-factor authentication. Most of the one-time password providers have released software that runs on these devices, negating the need for a separate token. There are other solutions using the mobile device itself as the additional authentication factor. A smart phone can be a credential and a reader. It has built-in processing capabilities and it can be ‘connected’ from virtually anywhere on the globe. Even without the communication capability inherent in the handset, it would be easier to provide a USB cord to connect it to a computer and run the identity scheme. It would be more cost effective, convenient and have a higher chance of success than issuing a dedicated card or token and additional hardware.

The other positive note of 2010 is the discussion of EMV in the U.S. In a very short time it moved from non-starter to virtual inevitability. I don’t think a week went by without a mainstream media story telling the tale of U.S. travelers struggling to use their magnetic stripe cards abroad. Much of this is due to good lobbying from the smart card industry. Of course it wants to see its products used in one of the world’s largest payment markets. And there has been some progress. The United Nations credit union is issuing EMV cards to its members and there are reports that some U.S. banks are beginning to issue the cards to customers that frequently travel overseas. The U.S. will eventually have to bow to the pressure and deploy EMV or the next generation solution. Every other industrialized country is using EMV and it’s only a matter of time before the U.S. becomes a center for fraud because of weaker security.

So read on. Virtually everything I kicked over here is covered in-depth somewhere in this issue. Here’s to 2011 … the big year for identity?

Comments? Concerns? Suggestions? E-mail me: email@example.com
Follow us on Twitter: @Avisian
Do you have an idea for a topic you would like to hear discussed on an re:ID Podcast? Contact podcasts@AVISIAN.com
Episode 63: ID standard series: GlobalPlatform

In another of a series of podcasts investigating identity standards, Kevin Gillick, executive director at GlobalPlatform, describes the organization’s place in the standards landscape.

The ID credentialing space is an important component for GlobalPlatform and the group has a government task force with 24 members. “What we’re doing today with this government task force is taking an active position and collecting other government activity around the world through liaison activity,” Gillick says. An example of some of the work GlobalPlatform has done in credentialing is the release of a secure channel protocol for government IDs. “That is a technology that supports government migration to higher cryptographic standards,” he says. “As an example the U.S. Department of Defense has a need to migrate from the DES to the more advanced cryptography AES.”

To listen, visit ContactlessNews.com/tag/Podcasts and select “Episode 63”

Episode 64: Securing the cloud with the phone

PhoneFactor CTO Steve Dispensa and Sarah Fender, vice president of marketing and product management, discussed their survey on the role of security in the adoption of cloud computing. More than 300 IT professionals from a variety of industries weighed in on current and planned use of cloud computing, the perceived benefits of making the change and what’s holding them back. Fender says the results show a big interest in cloud computing because of the cost and scalability, with an equally strong fear about whether security in the cloud is adequate.

“A lot of people are in regulated environments that literally require the use of multi-factor authentication, so a cloud-based application that doesn’t offer multi-factor is just off the table,” says Dispensa. “You really have to trust your cloud service provider to take extra steps, keeping cloud services clean not only of traditional viruses but also things like cross-site scripting and SQL injection attacks, all of which seem to haunt so many Web-based cloud service providers.”

To listen, visit SecureIDNews.com/tag/Podcasts and select “Episode 64”
Episode 65: A look at the Common Access Card

The U.S. Department of Defense Common Access Card celebrated 10 years in October. As the forerunner to U.S. government smart card programs, many would say it set the stage for HSPD-12 and what is now the PIV credential that many government employees are carrying. Mike Butler, deputy director of the Defense Manpower Data Center for identity and personal assurance at the Defense Department, spoke about the program’s history and future.

“In 2000, 2001, 2002, we (DMDC) saw ourselves as card issuers, but somewhere in that time frame there was this shift. It’s not really ID cards – although that’s technically what we do – it’s really identity,” Butler says. “At that point came the full embracing of the PKI process within DMDC.”

The DOD also wants to continue to strengthen its PKI and the business case for the credential, Butler says. “Using the CAC and PKI we may be able to better service data that’s up in the cloud, like back end authentication,” he says.

To listen, visit FinancialIDNews.com/tag/Podcasts and select “Episode 65”

Episode 66: PKI and the Common Access Card

The U.S. Department of Defense has one of the largest Public Key Infrastructures in the world. Getting to that point wasn’t necessarily easy, says Scott Jack, director of identity assurance for DOD PKI. Jack spoke about the role PKI plays with the credential and how it may be used in the future, including form factors other than smart cards.

Without PKI the Common Access Card would be just another ID, says Scott Jack, director of identity assurance for DOD PKI. “The PKI literally binds the human identity to a virtual identity in cyberspace,” he says. “It cryptographically asserts an identity that’s been proofed and vetted for the lifetime of the credential.”

The Defense Department is planning to expand the use of PKI, including adding the technology to non-person entities such as routers, switches, hubs and even PDAs and laptops, Jack says. They are also considering the use of other form factors, such as mobile devices, for credentials to log in to networks, Jack says.

To listen, visit SecureIDNews.com/tag/Podcasts and select “Episode 66”
ID SHORTS SecureIDNews.com • ContactlessNews.com • CR80News.com • RFIDNews.org • NFCNews.com • ThirdFactor.com • DigitalIDNews.com • FIPS201.com
HID, Sony partner to develop contactless smart card readers
HID Global and Sony Corp. have entered into a strategic partnership to develop an embedded contactless smart card reader platform for the global PC marketplace. The platform will be designed specifically for laptop manufacturers and will support Sony’s FeliCa contactless card technology, HID Global’s iCLASS credentials, as well as other adopted technologies. The reader solution will support applications based on Near Field Communication. Goals for the development, including a reference design and comprehensive developer support, are focused on minimizing product development requirements and speeding time-to-market schedules for PC manufacturers. Plans are in place to provide details and availability later this year.
Deployed in Asia for more than ten years, Sony’s FeliCa technology is used in 67 million mobile phones in Japan, and more than 315 million FeliCa cards have been shipped worldwide for transportation, electronic money and other applications. HID Global’s iCLASS technology for the jointly developed HID Global and Sony smart card readers will be securely delivered via HID Global’s Trusted Identity Platform (TIP), which enables all end points in a system or network to be validated so that identity transactions between them can be trusted at any time, on demand. HID and Sony are now discussing details of the partnership and finalizing a definitive agreement. With this partnership, HID Global and Sony will further expand their product solutions to increase the benefits and convenience of contactless applications globally.
Neurotechnology releases multimodal solution

Neurotechnology released a new multi-modal solution that employs fingerprint and iris-based authentication. The system, called MegaMatcher Accelerator 3.0, is being touted by the company for its matching speeds of 200 million irises per second and 100 million fingerprints per second. Neurotechnology believes its new solution to be a perfect match for large-scale identity detection projects such as voter duplication detection, passport issuance, border control and other applications where a need for one-to-many matching exists. In addition to speed, the new version of the MegaMatcher system has increased its storage size with storage capabilities of up to 30 million fingerprints and 50 million irises.

School buses trying biometric solution

The Desert Sands School District outside of San Diego has approved a fingerprint-based biometric authentication system to improve security and child tracking on the district’s school buses. Global Biometrics Security developed the system, called Biometric Observation Security System (BOSS). It is designed to keep students from getting off at the wrong stops and to ensure the right students are on the right buses. In the BOSS system students are required to scan their fingerprint when leaving the bus so that if they are getting off at the wrong stop an alarm will ring to alert the driver.

Millionth UK contactless transaction made

New data from Barclaycard reveals that the total number of contactless transactions in the UK this year has surpassed the one million mark. Since January there has been a 217% rise in monthly contactless transactions, with more than 150,000 processed in September alone. While contactless transactions remain a small part of overall card payments, increasing numbers of consumers, retailers and banks are committing to the technology, with contactless cardholders predicted to reach 12 million in the UK by the end of the year, according to Barclaycard. Additionally, there are now 42,500 terminals installed in shops across the UK, a huge leap from 25,000 at the beginning of the year, says Stuart Neal, Head of Payment Acceptance at Barclaycard.
Gemalto provides multi-platform eBanking security for CI Banco customers

Gemalto announced the rollout of its Ezio strong authentication server and one-time password tokens to enhance eBanking security for CI Banco’s customers in Mexico. The solution combines one-time password tokens with the software platform to create a time-based challenge-response mechanism, adding a layer of security that ensures the authenticity of the Internet banking session and provides an enhanced level of protection for users accessing their accounts or performing online transactions. The Gemalto solution also gives CI Banco the possibility to expand its customer offerings to support other types of authentication devices including EMV payment cards, connected readers or mobile phones.
Confident Technologies delivers image-based, multi-factor authentication

The human brain is naturally better at remembering categories and recognizing images than remembering long strings of random alphanumeric characters. That is why Confident Technologies has made available ImageShield, an image-based authentication solution for strengthening passwords on public-facing Web sites and Web-based applications. Designed to thwart keylogging malware, phishing and brute force attacks, this cloud-based, multi-factor authentication service creates one-time pass codes by prompting users to correctly identify pictures from a dynamic grid of images presented during login. When a user registers on a site for the first time, they choose from various categories of images such as dogs, cars and flowers. Each time the user logs in they are presented with a randomly generated grid of images; the user looks for the images that fit their chosen categories and enters the corresponding letters or numbers that appear on those images to form a one-time pass code.
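To make the mechanism concrete, here is an added example of the server side of an image-grid one-time code scheme of the kind the item describes. It is not Confident Technologies’ code and says nothing about how ImageShield is actually built; it assumes a constructed six-category catalogue of hypothetical image ids, a 12-image grid, and that the code is read in the order the user enrolled the categories. The security-relevant points it shows are that the categories are the long-lived secret and are never sent to the browser, that each grid gets fresh random labels and positions, and that a grid is consumed by exactly one verification attempt, which is what makes the code one-time.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

# Constructed image catalogue (hypothetical image ids): category -> image ids.
CATALOGUE = {
    "dogs": ["dog01", "dog02", "dog03"],
    "cars": ["car01", "car02", "car03"],
    "flowers": ["flower01", "flower02", "flower03"],
    "boats": ["boat01", "boat02", "boat03"],
    "cats": ["cat01", "cat02", "cat03"],
    "bridges": ["bridge01", "bridge02", "bridge03"],
}

GRID_SIZE = 12                                   # images shown per login (assumed)
LABELS = string.ascii_uppercase + string.digits  # characters overlaid on images
_rng = secrets.SystemRandom()                    # CSPRNG for grid construction


@dataclass
class Challenge:
    """One login grid. cells = [(image_id, category, label), ...] in display order."""
    cells: list
    expected: str        # kept server-side only; never sent to the client
    used: bool = False   # a grid is valid for exactly one verification attempt


def build_challenge(user_categories):
    """Build a random grid holding exactly one image from each enrolled category
    plus decoy images from other categories, every cell tagged with a distinct label.

    The expected one-time code is the labels of the target images, read in the
    order the user enrolled the categories (an assumed rule, not stated on the page).
    """
    if not user_categories or len(user_categories) > GRID_SIZE:
        raise ValueError("need between 1 and %d enrolled categories" % GRID_SIZE)
    if len(set(user_categories)) != len(user_categories):
        raise ValueError("enrolled categories must be distinct")
    targets = [(_rng.choice(CATALOGUE[cat]), cat) for cat in user_categories]
    decoys = [(img, cat) for cat, imgs in CATALOGUE.items()
              if cat not in user_categories for img in imgs]
    if len(decoys) < GRID_SIZE - len(targets):
        raise ValueError("catalogue too small to fill the grid with decoys")
    chosen = targets + _rng.sample(decoys, GRID_SIZE - len(targets))
    labels = _rng.sample(LABELS, GRID_SIZE)      # distinct labels, fresh per grid
    cells = [(img, cat, lab) for (img, cat), lab in zip(chosen, labels)]
    _rng.shuffle(cells)                          # randomize positions in the grid
    label_for = {cat: lab for _, cat, lab in cells if cat in user_categories}
    expected = "".join(label_for[cat] for cat in user_categories)
    return Challenge(cells=cells, expected=expected)


def client_view(challenge):
    """What is sent to the browser: image ids and labels only, never categories."""
    return [(img, lab) for img, _, lab in challenge.cells]


def verify(challenge, entered):
    """Check a submitted code. Any attempt, right or wrong, consumes the grid,
    so an observed code cannot be replayed and a wrong guess cannot be retried
    against the same grid."""
    if challenge.used:
        return False
    challenge.used = True
    return hmac.compare_digest(challenge.expected.encode(),
                               entered.strip().upper().encode())


if __name__ == "__main__":
    enrolled = ["dogs", "cars", "flowers"]       # chosen once at registration
    ch = build_challenge(enrolled)
    for img, lab in client_view(ch):
        print(lab, img)
    print("accepted:", verify(ch, ch.expected))  # True the first time
    print("replay:", verify(ch, ch.expected))    # False: the grid is spent
```

Because the categories persist across logins while only the labels change, the per-grid randomness and the single-use rule in `verify` carry the whole one-time property; a deployment would also bind each `Challenge` to a session and expire it after a short time.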
Thai Digital ID taps Entrust

Entrust Inc.’s public key infrastructure (PKI) technology has been selected by the Thai Digital ID Company Limited. Thai Digital ID will resell Entrust’s in-house and hosted PKI solutions – Entrust Authority PKI and Entrust Managed Services PKI, respectively – to current and future customers in Thailand.

Entrust’s first public key infrastructure was released in 1994 and it’s now in its eighth edition. By managing the lifecycles of digital certificate-based identities, Entrust Authority PKI enables encryption, digital signature and certificate authentication capabilities to be consistently and transparently applied across a broad range of applications and platforms. Entrust Managed Services PKI enables organizations to establish and maintain a trustworthy environment by providing certificates that secure many off-the-shelf applications using encryption, digital signatures and strong certificate authentication. This enables organizations to control access to resources, prevent theft of information, and comply with privacy and digital signature regulations. Founded in 2000, Thai Digital ID’s core mission is to establish a trustworthy CA service center to facilitate e-commerce in private and government sectors.
VASCO announces DIGIPASS as a service platform for B-to-B

VASCO announced the availability of its DIGIPASS as a service platform for Business-to-Business providers, now giving companies the ability to either host authentication in-house or opt for the DIGIPASS as a service platform. DIGIPASS as a service is VASCO’s cloud-based authentication platform for web-based applications. The DIGIPASS as a service offering includes a redundant hosted authentication backend, the provisioning of DIGIPASS software or hardware authenticators to end-users and a host of DIGIPASS services including fulfillment, branding, customization, packaging, provisioning, distribution and storage. In the first rollout phase announced, VASCO is targeting Business-to-Business applications. In later stages, VASCO will expand service offerings for enterprises and consumers.
Matrix Systems, Codebench partner for FIPS 201

Matrix Systems and Codebench have formed a partnership to streamline HSPD-12 compliance for users of Matrix’s Frontier access control software. The integration of Codebench’s PIVCheck Plus with Frontier offers Matrix Systems customers an easy solution to comply with government-mandated FIPS 201 personal verification credentials. PIVCheck Plus is an authentication software and hardware solution that bridges federal governing networks with physical access control systems (PACS). Matrix Systems customers can now use their Frontier PACS to maintain a single ID credential when managing employee access and verification in authorized facility areas requiring Personal Identity Verification (PIV), Transportation Worker Identification Credential (TWIC), First Responder Authentication Credential (FRAC), Common Access Cards (CAC) and other FIPS 201 verification standards. Frontier is an open architecture PACS designed specifically for government, transportation, healthcare, education, commercial and industrial facilities.
New software holds potential for mobile phone biometrics

New technology developed by scientists at the University of Manchester in the UK and funded through the European Union’s Mobile Biometrics Project holds promise for accurate and fast facial recognition on mobile phones. The new software would allow mobile phones with front-facing cameras to use facial recognition in lieu of traditional PINs, passwords or patterns for unlocking access to the phone or other protected applications and data contained on it. Lead researcher on the project, Phil Tresadern, claims that utilizing the real-time video capture of 22 points on an individual’s face via the phone’s camera allows for a highly accurate and fast authentication mode. Additionally, Tresadern claims that the technology his team is developing is the first of its level to be designed for mobile use. According to an article in Wired, the University of Manchester research team has developed the first working version of the software for the Nokia N900 phone, but has also developed a prototype for the iPhone 4.
ACS launches new biometric solution

Advanced Card Systems launched a new card reader with an embedded fingerprint sensor. The reader, called the AET62 Near Field Communication Reader, is a multi-factor authentication device that requires the input of a user’s PIN or password, contactless smart card and fingerprint for proper authentication. The device employs match-on-device technology wherein the user’s biometric profile is stored on the individual device instead of a remote server or database in an effort to keep fraudsters from accessing biometric data.
Caribbean leads multi-country biometric border control

The Caribbean leads the world in multi-country biometric border control programs with 15 countries and 18 airports operating on the same fingerprint and facial biometrics-based system. So says Colin McGeachey, biometric specialist from 3M Canada. Other places where biometric acceptance is high include Frankfurt airport in Germany where the passport gates accept biometrically-enabled passports from 62 countries. German Federal Office for Information Security official Mark Nuppeney also spoke at the conference detailing some of the advances the Frankfurt system has in place, but also noted its high rejection rates resulting in one in eight people requiring human intervention to pass through the gate.

Danish city introduces contactless card for school kids

Children in Aarhus, Denmark are now able to use a contactless payment card in stores throughout the city as a replacement for cash. Called the School Card, it can be topped up by parents or blocked if the card is lost or stolen. Parents can set daily spending limits and even prevent the acquisition of certain foods based on religious or allergy grounds. The city is considering more functions for the card such as payments at municipal sports centers, library ID and attendance tracking at clubs and events.
Politician pushes for biometric ID cards for pilots

There has been little to no movement from the Federal Aviation Administration (FAA) to provide biometric and tamper-resistant ID cards for their pilots since the U.S. Congress passed a law requiring them to do so by December 2005. Florida Congressman John Mica is demanding an answer from the agency on why no solution is in place. Mica is not alone. According to a Next Gov article, other members of the House Transportation and Infrastructure Committee on which he serves are looking into the matter as well. FAA officials responded that they are expecting to publish a new rule requiring pilots to obtain a certificate that includes a photo, which current pilot IDs do not have, but did not specify dates or other requirements for the new IDs such as biometrics or other secure identity features. In addition to pressures from Congressmen, the Coalition of Airline Pilots Associations, a trade group representing airline pilots, also issued a statement in support of ID security upgrades including biometrics.
Researchers looking into fraud in biometric systems

Scientists from the University Identification Technology Group at Carlos III University in Madrid are investigating ways that biometric systems can be compromised and ways to improve the security of the technology. The process known as anti-spoofing intends to assist biometrics developers by helping them consider the multitude of ways that spoofing can occur so that they can design anti-fraud measures for each one. In addition to their anti-spoofing work, according to a Physorg article, the researchers have also been testing existing systems’ security strength and creating new algorithms and techniques to curb fraud. The team has already tackled iris, written signatures and fingerprints with the intention of moving towards facial recognition system vulnerabilities soon.
Accenture develops large-scale identity solution

Accenture has developed a new biometric system designed for use in large-scale identity matching applications such as those used by government entities for identifying national security threats or managing social service programs. Called the Large Scale Matching Solution, it is scalable when deployed on a platform in the cloud and capable of finding and eliminating duplicate entries for individuals via both biographic and biometric data.
Homeland Security tests iris

The U.S. Department of Homeland Security began testing of iris recognition systems in October as a potential option for weeding out illegal immigrants at border crossings. The testing is expected to discover the viability of such devices for border patrol agents.
The iris systems caught the interest of Homeland Security due to advances enabling authentication from up to six feet away, according to a USA Today article. The new government interest in such systems, however, has also sparked interest by the American Civil Liberties Union that worries about covert use of the cameras to track individuals without their knowledge or consent. Despite the new trials creating worry among some groups, other government operations have used similar systems in the past. The military utilizes iris biometrics to track suspected militants and airports use iris scans for registered traveler programs.

review and edit the tabulated hours from the system as necessary. Organizations also appreciate biometric time and attendance solutions due to their ability to produce more accurate time records by eliminating fraudulent punches.
Poll suggests consumers prefer biometric credit card verification Unisys announced that two-thirds of consumers support the use of fingerprints in place of, or in addition to, signatures, PINs or photo IDs for identity verification with credit card purchases. In a survey of more than 300 consumers, 63% chose fingerprints as the best way to prove ownership of a credit card, compared with 20% choosing photo verification, 13% choosing PINs and 6% choosing signatures. Unisys is hopeful these survey results point to a general increase in comfort and support for incorporating biometric technology into everyday life.
Transport for London pushes ahead with international contactless transit card
Transport for London hopes to have a cross-border contactless transit and payment card in play by 2012 to support access to transportation services domestically and overseas. The agency is already working with several transport operators in the U.S., Europe and Australia to “develop common standards for the technology,” a TfL spokesperson told the American Banker. Some experts, however, do not believe the 2012 goal is possible. “The challenge is the interoperability of the different transit systems involved,” Tony Craddock, the chief executive of Global Prepaid Exchange, said recently in a newsletter. “Different from near field communication-based mobile payments, which has strict standards, contactless transit fare collection lacks a similar international standards body.”
Fujitsu, Crystal partner for new biometric security solution Fujitsu Frontech North America has integrated its vascular-based biometric authentication solution PalmSecure with fellow IT solutions developer Crystal IT’s Avert Access Control logical access control system. The new solution combines contactless and biometric technology for authenticating an individual’s identity to ensure only authorized users access protected workstations and specific data or networks. In addition to simply managing access, the new system will automatically log out and lock should a user walk away from the workstation. While the previous Crystal IT solution utilized two-factor authentication, there were issues surrounding lost or forgotten passwords. With the inclusion of biometric authentication in place of passwords, the companies expect to improve work flow and operations.
Digital Identification Solutions releases new card printer Digital Identification Solutions unveiled the EDIsecure DCP 360+, a newly designed direct-to-card printer. The fast, full-color printer was developed for industrial needs with portrait mode printing and can handle plug-and-play inline lamination. It is part of the Business Line family and capable of managing complex applications such as those needed by corporations, government agencies, universities, hospitals and other organizations. The EDIsecure DCP 360+ boasts field-upgradeable optional encoder modules for magnetic stripe, contact and contactless smart card encoding. To extend the security of the cards, the DCP 360+ can be joined with optional modules for single-sided and dual-sided inline lamination in one pass. Even different laminates can be applied to the same card at the same time owing to two cartridges and two heat roller systems. A variety of lamination media is available: clear and holographic patches in various thicknesses, patches with a chip cut-out for contact chips, as well as holographic overlays. Both lamination modules are provided with optional lockable access to lamination supplies to guarantee extra security.
Ingersoll Rand rolls out aptiQ smart card from Schlage Ingersoll Rand Security Technologies’ new aptiQ smart card from Schlage features MIFARE DESFire EV1 technology. The cards are built to support a variety of applications, including access control, event ticketing and payments. aptiQ smart cards offer multiple layers of security, including mutual authentication and 128-bit AES encryption. Additionally, the cards use diversified keys, which ensure no one can read or access the cardholder’s credential information without authorization. A message authentication code further protects each transaction between the credential and the reader during the transfer of information.
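The three layers named above (a key diversified per card, mutual authentication between card and reader, and a MAC on each transaction) as an added example that is not Schlage’s, NXP’s or the aptiQ card’s actual protocol: HMAC-SHA256 stands in for the AES primitives a real card uses, the challenge-response shape is a simplified construction, and the master key, UIDs and transaction data are made up.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # bytes: AES-128 sized, to match the card family in the article


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key from issuer master key + card UID: a key lifted from one card
    exposes only that card. HMAC-SHA256 stands in for the card's AES derivation."""
    return hmac.new(master_key, b"div-v1" + uid, hashlib.sha256).digest()[:KEY_LEN]


def tagged_mac(key: bytes, *fields: bytes) -> bytes:
    """8-byte MAC over length-prefixed fields, so field boundaries are unambiguous."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def session_key(card_key: bytes, rnd_reader: bytes, rnd_card: bytes) -> bytes:
    """Both sides derive the same per-session key once mutual authentication succeeds."""
    return hmac.new(card_key, b"sess" + rnd_reader + rnd_card, hashlib.sha256).digest()[:KEY_LEN]


class Card:
    """Simulated credential: it stores only its own diversified key, never the master."""
    def __init__(self, uid: bytes, card_key: bytes):
        self.uid = uid
        self._key = card_key
        self._rnd_card = None
        self._session = None
        self.counter = 0  # monotonically increasing transaction counter

    def auth_response(self, rnd_reader: bytes):
        """Step 1: answer the reader's challenge and issue our own."""
        self._rnd_card = secrets.token_bytes(16)
        return self._rnd_card, tagged_mac(self._key, b"card", rnd_reader, self._rnd_card)

    def auth_finish(self, rnd_reader: bytes, reader_proof: bytes) -> bool:
        """Step 2: verify the reader also knows our key before releasing anything."""
        expected = tagged_mac(self._key, b"reader", self._rnd_card, rnd_reader)
        if not hmac.compare_digest(expected, reader_proof):
            return False
        self._session = session_key(self._key, rnd_reader, self._rnd_card)
        return True

    def sign_transaction(self, data: bytes):
        """MAC a transaction under the session key with a fresh counter value."""
        if self._session is None:
            raise RuntimeError("card not authenticated")
        self.counter += 1
        return self.counter, tagged_mac(self._session, b"txn", self.counter.to_bytes(4, "big"), data)


class Reader:
    """Simulated reader: holds the master key and re-derives each card's key on presentation."""
    def __init__(self, master_key: bytes):
        self._master = master_key
        self._sessions = {}  # uid -> session key
        self._last_ctr = {}  # uid -> last accepted counter (replay defence)

    def authenticate(self, card: Card) -> bool:
        card_key = diversify_key(self._master, card.uid)  # the UID is read in clear
        rnd_reader = secrets.token_bytes(16)
        rnd_card, card_proof = card.auth_response(rnd_reader)
        if not hmac.compare_digest(tagged_mac(card_key, b"card", rnd_reader, rnd_card), card_proof):
            return False  # card does not hold the key diversified for its UID
        reader_proof = tagged_mac(card_key, b"reader", rnd_card, rnd_reader)
        if not card.auth_finish(rnd_reader, reader_proof):
            return False
        self._sessions[card.uid] = session_key(card_key, rnd_reader, rnd_card)
        return True

    def verify_transaction(self, uid: bytes, counter: int, data: bytes, mac: bytes) -> bool:
        sess = self._sessions.get(uid)
        if sess is None or counter <= self._last_ctr.get(uid, 0):
            return False  # unauthenticated, or a replayed / out-of-order transaction
        expected = tagged_mac(sess, b"txn", counter.to_bytes(4, "big"), data)
        if not hmac.compare_digest(expected, mac):
            return False  # transaction data or counter was altered in transit
        self._last_ctr[uid] = counter
        return True


def demo() -> dict:
    """Genuine card passes; a card loaded with another card's key fails; replays fail."""
    master = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed master key
    uid_a, uid_b = bytes.fromhex("04a1b2c3d4e5f6"), bytes.fromhex("04f6e5d4c3b2a1")  # constructed
    reader = Reader(master)
    genuine = Card(uid_a, diversify_key(master, uid_a))
    clone = Card(uid_b, diversify_key(master, uid_a))  # card B's UID carrying card A's key
    results = {"genuine_auth": reader.authenticate(genuine), "clone_auth": reader.authenticate(clone)}
    payload = b"door=42;action=open"
    ctr, mac = genuine.sign_transaction(payload)
    results["txn_ok"] = reader.verify_transaction(uid_a, ctr, payload, mac)
    results["replay_rejected"] = not reader.verify_transaction(uid_a, ctr, payload, mac)
    results["tamper_rejected"] = not reader.verify_transaction(uid_a, ctr + 1, b"door=43", mac)
    return results
```

The reader never stores per-card keys; it re-derives them from the UID on every presentation, which is what makes diversification work operationally.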
Mass. town adopts contactless debit cards to boost local spending The town of Brookline, Mass. is launching a smart card debit program to boost consumer spending in local shops and restaurants. Brookline residents can now go online to order their PXT Payments smart debit cards, which enable them to pay quickly and securely at local coffee houses, hardware stores, retailers and parking lots. According to getdebit.com, Portland, Maine is considering a similar program.
University of Southampton developing ear biometrics Scientists from the Electronics and Computer Science department at the University of Southampton in the UK outlined a technique to highlight tubular structures such as human ears to make them a viable biometric mode. The technique enables the structure of the ear to be highlighted properly for enrollment and verification, according to a University of Southampton News article. The scientists expect similar techniques to create new gait biometrics and 3D biometrics scenarios.
AuthenTec releases new mobile phone software AuthenTec announced the development of new mobile identity management software to enhance the biometric capabilities of mobile phones with embedded AuthenTec fingerprint sensors. The new software, called TrueSuite Mobile, is designed to simplify management of personal data, allow for more customization and simplify setup of the smart sensor. Additionally, it includes a new API designed to assist app developers wishing to include biometric security in their applications. The TrueSuite Mobile software is compatible with the Android, Windows 7 and Symbian mobile operating systems and supports AuthenTec’s smart sensors, including its two newest offerings: the AES1750 for touchscreen phones and the AES850, designed for navigation and authentication.
Oracle buys Passlogix Single sign-on provider Passlogix is being acquired by Oracle. Passlogix products help organizations increase security by enabling single sign-on for a range of client-server, mainframe and Web-based applications. The combination of Oracle and Passlogix provides enterprises with an identity management solution to further advance their identity management, compliance and authentication initiatives with even tighter integration capabilities. The transaction is expected to close this year. Financial details of the transaction were not disclosed.
EMVCo: More than 1 billion EMV cards in circulation EMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCard and Visa, reports that more than one billion EMV cards and 15.4 million EMV terminals are active globally as of September 1. Furthermore, EMVCo says that 36% of total cards and 65% of total terminals in circulation are now based on the EMV standard. According to EMVCo, Europe Zone 1 (Western) has the highest adoption of EMV technology with 555.7 million cards issued and 9.4 million terminals in place, representing an adoption rate of 65.4% of cards and 84.7% of terminals currently active in the region. Within the Asia-Pacific region, 305.1 million cards and 3.2 million terminals are in operation, followed by the Canada, Latin America and the Caribbean region, which has 182.2 million cards and two million terminals in circulation. These two regions share a similar rate of EMV adoption, with 26.6% and 26.4% for cards, and 41.6% and 55.6% for terminals, respectively. In Europe Zone 2 (Eastern), 22.8 million cards and 458,000 terminals are now active, representing an adoption rate of 11.5% for cards and 61.2% for terminals. In Africa and the Middle East, 16.8 million cards and 348,000 terminals have been deployed, representing an adoption rate of 13.7% for cards and 62.5% for terminals. The U.S. is excluded from the figures as there are currently no EMV programs deployed.
LEGIC launches next-gen contactless chip LEGIC Identsystems launched its new generation of contactless reader chips for personal identification. The new SM-4200 reader chips are equipped with the company’s advant smart card technology, making them suitable for single and multi-applications in access control, time and attendance and e-payment. The SM-4200 is the smallest chip ever developed by LEGIC, measuring only 8x8 mm. Its low power consumption makes it ideal for integration into battery-operated applications such as offline door locks. The new chip supports the ISO 14443 A+B and ISO 15693 industry standards, the LEGIC RF standard and now NXP Semiconductors’ MIFARE technology, which LEGIC recently announced would be supported by all its reader platforms.
Precise implements biometric ID solution in Nigerian state Precise Biometrics provided Cross River State in Nigeria with technology for a statewide biometric ID card designed for use in government services and personal identification. The program is called the SmartGov Initiative and works with government services such as tax declaration, health care, social benefits and pensions. It also enables the government to offer services such as e-payments to its citizens. Cross River will be the first state in Nigeria to fully take part in the SmartGov Initiative.
Ayonix releases city surveillance system
Japan-based Ayonix released a new version of its face recognition system designed for use in city surveillance. The system, called Ayonix Public Security, operates in real time, searching for people of interest such as known criminals in crowded public areas such as airports and stadiums. When a match is found, a human operator is notified to decide whether the matter requires intervention or further investigation. Upgrades to the system include a new image-processing algorithm that speeds processing tenfold compared to previous releases of the system, allowing for more efficient matching of moving people. Additionally, the system includes new administrator tools that allow a user to access other sources of facial data such as passport databases or law enforcement databases.
Immigration NZ begins biometric system trial The New Zealand government’s immigration department, Immigration New Zealand, is trialing a new biometric system that uses facial recognition to match people to their passports upon entry into the country. The department is planning to use biometric systems to authenticate all travelers’ identities upon their entry into the country within a few years. The new system, according to a ZDNet article, is being trialed for the next 12 months and will not be used in regular border control operations.
HID unveils new readers, credentials
HID Global unveiled new access control reader and credential offerings that provide options for migrating from legacy solutions to 13.56 MHz contactless smart card technologies. The readers can be used with single- and combination-technology cards, including a dual-high-frequency credential. HID’s expanded offering includes:
• An iCLASS reader for migration from MIFARE Classic to secure 13.56 MHz MIFARE DESFire EV1 and HID iCLASS contactless technology
• New multiCLASS readers for migration from legacy magnetic stripe and 125 kHz proximity card technology to higher-security 13.56 MHz HID iCLASS contactless technology
• A dual-high-frequency credential, which bridges the gap between legacy solutions and secure iCLASS and MIFARE DESFire EV1 contactless technologies, expanding customer options for deploying security while maximizing the value of their credential investment
The products are available from the company’s network of distributors, OEMs and system integrators.
Equifax acquires Anakam The Equifax acquisition of Anakam closed on Oct. 1 though details were not disclosed. The two companies have worked together since the beginning of 2010 when Equifax selected Anakam to provide the electronic authenticator for the Equifax I-Card. They also have had a strategic partnership providing no touch, risk-based identity verification and multi-factor authentication solutions for government, health care and commercial organizations. Equifax provides identity proofing, verifying more than 60 million identities annually. The acquisition of Anakam gives Equifax the ability to offer global customers and partners a policy-based platform to establish trust and mitigate risk as enterprises move manual or face-to-face business processes into public and private cloud environments. Anakam and all of its employees are part of the Equifax Technology and Analytical Services business unit.
Entrust Discovery unveiled Entrust introduced Entrust Discovery, a solution designed to find, inventory and manage digital certificates across diverse systems to help prevent outages, data breach and noncompliance. Digital certificates play an important role in business technology. Located on servers, devices, networks and communication platforms, they represent a necessary security technique for encrypting transmissions and securing digital identities in today’s enterprise. Available as a managed service or a customer-deployed solution, Entrust Discovery simplifies the certificate discovery and inventory process. This saves the management effort of manually inventorying machines and networks, as well as tracking certificate expiration dates in spreadsheets or tables.
Canada announces new biometric immigration program In an effort to cut back on illegal immigration, Citizenship and Immigration Canada announced a program to collect biometric information from applicants seeking digital visas. The program will utilize fingerprints and photographs of individuals to add to the database of approved or not approved immigrants. The new upgrades are expected to bring Canada’s border security up to the level of countries like the U.S. and the UK. Officials from the Royal Canadian Mounted Police expect the biometric program will help law enforcement to weed out criminals applying for visas. India, Costa Rica and Gambia have also announced similar border security programs.
HCL launches airport security solution HCL Technologies launched its biometric airport security solution to help speed up the movement of pilots and flight crew through security checkpoints. Unlike similar systems developed for checking pilot and flight crew credentials using biometrics, the AeroPass system stores biometric information on the airline employee’s credential rather than on the system. HCL says the system meets the standards of the Biometric Airport Security Identification Consortium as well as the Transportation Security Administration’s rapid-access biometric systems regulations.
HID offers MIFARE option HID Global expanded its secure identity credential offering to support the latest MIFARE DESFire EV1 technology. The MIFARE DESFire EV1 card joins HID Global’s iCLASS card portfolio to expand customer options. HID’s expanded Genuine HID card offering includes both MIFARE DESFire EV1-only and combination MIFARE DESFire EV1/Prox credentials. Available in PVC and durable composite PET/PVC construction, the cards are designed for many applications and can accept an embedded contact chip for logical access applications. MIFARE DESFire EV1 technology delivers transaction times of less than 100 milliseconds for a typical secure transaction. Based on open global standards, the technology is fully compliant with the ISO 14443A 1-4 specifications and has been awarded CC EAL 4+ certification for card security.
Oklahoma bank taps PhoneFactor PhoneFactor announced that Stillwater National Bank and Trust Company, Stillwater, Okla., has deployed its authentication solution to protect its commercial online banking transactions. By utilizing PhoneFactor’s Universal Banking Gateway, Stillwater was able to integrate the product with its online banking platform. When a transaction is initiated, PhoneFactor calls the customer with details about the transaction. To approve the transaction, the user simply enters a PIN during the phone call. Because the transaction is verified across the telephone network, it is not vulnerable to malicious code running on the user’s computer.
Evolis integrates UHF Gen 2 Evolis introduced new ultra-high frequency Gen 2 RFID encoding options for its single and dual-sided Pebble and Dualys card printers. The solution supports a range of applications in various vertical markets including identification, access control or tracking. Evolis partnered with TransTech Systems to introduce the ultra-high frequency card printing solution. “We have tested the Evolis Gen 2 card printers for applications such as amusement park, event and cruise ship passes,” says Jeff Kruse, general manager at TransTech Systems. “We look forward to introducing these solutions to a wider audience.”
OMNICheck certified for six mobile biometric terminals Codebench’s OMNICheck software passed Transportation Security Administration testing, making it valid authentication software for use in the Transportation Worker Identification Credential program. The Codebench product underwent testing with six different terminals: Cross Match Be.U Mobile, DAP CE3240BWE, Datastrip DSV2+Turbo, Datastrip DSV3, MaxID iDL500 and MorphoTrak MorphoCheck. The OMNICheck mobile validation product works to confirm PIV, TWIC, FRAC and CAC credentials over the reader’s contact or contactless interface. When operating in TWIC authentication mode it functions as a TSA ICE-listed mobile TWIC reader; in non-TWIC modes the software simply applies the most secure validation rules for the card type.
Fulcrum provides homeless management solution for NJ county Fulcrum Biometrics partnered with New Jersey Business Systems to create a fingerprint recognition system to identify the homeless population for the Bergen County Department of Human Services in New Jersey. The new system leverages the existing New Jersey Homeless Management Information System to better provide the county’s homeless with access to food, clothing and housing, as well as to expand on details in the state database for homeless populations.
VeriFone, Bling Nation partner for mobile tap-and-pay initiative VeriFone and Bling Nation are partnering for a mobile payments program in Palo Alto, Calif. The new program enables consumers to simply tap and pay for purchases using a BlingTag, a quarter-sized contactless sticker, at physical point-of-sale systems. The solution enables customers to purchase goods via alternative payment methods, including PayPal and direct debit of bank accounts, while automatically receiving real-time account balance updates and instant rewards through an intelligent loyalty program. Bling Nation is distributing the contactless/NFC-enabled VeriFone VX 810 Duet for countertops and the wireless VX 680 to participating merchants as fully functional “Blingers” that accept payments from consumers using BlingTags. After the conclusion of the introductory program, VeriFone plans to enhance its PAYware Connect transaction gateway service to allow PAYware merchants to seamlessly consolidate traditional and alternative payment methods on a single card acceptance device.
London college launches sQuid payment system sQuid, a provider of contactless eMoney solutions for campuses, and The London School of Economics and Political Science announced the launch of sQuid on the LSE card. The multi-function smart card incorporates ID, access control, eMoney, loyalty and library membership. Students and staff can go online to pre-load the card with funds to spend at various on-campus restaurants, cafes and libraries. The card also includes a loyalty purse, and LSE plans to introduce incentives so students and staff can gain rewards by using their cards throughout the campus. New students are already being issued the new LSE card with sQuid technology. Existing students and most staff will get the chance to upgrade their card by the end of the year.
UK looks to increase biometrics in immigration The UK government has reached an agreement for a seven-year biometrics program intended to increase the speed and efficiency for immigrants traveling into the country.
The system that is to be developed, called the Immigration and Asylum Biometric System, will be designed to check biometric visas, residence permits and registration cards for asylum seekers against their own biometrics upon entering the country. Additionally, the new system will be attached to the UK Border Agency’s National Identity Assurance System, which maintains a database of fingerprint and facial images to better track those with criminal histories and that have already been denied visas. British Immigration Minister Damian Green believes implementing this system is a necessary step to keep out foreign nationals intending to do harm to the UK or its citizens.
MBNA announces massive roll out of contactless payment cards in UK MBNA began a two-year program to roll out contactless credit cards for its millions of UK customers. According to the issuer, 5 million of the company’s cards will have contactless technology by the end of 2011, adding to the existing 10 million contactless credit and debit cards already in the UK market. According to MBNA, customers do not need to do anything to receive the new cards, as they will be automatically updated and distributed upon reissue. Additionally, MBNA says the cards will feature several new layers of security. For example, contactless cards cannot be used until a PIN is entered on first use, payments are limited to £15 per transaction, and customers will occasionally be asked to enter their PIN to ensure the transactions are valid. According to MBNA, adoption of contactless payment among UK businesses is gathering pace, with Subway, Pret a Manger, Caffe Nero and others already installing terminals. In addition, a host of big-name retailers are either trialing the technology or rolling it out, including the Co-op, Boots, Spar, National Trust gift shops and Little Chef restaurants.
NASA installs RFID system to track inventory of data center and lab assets NASA is using an RFID system at its Langley Research Center in Virginia to inventory and track critical data center assets like servers, switches, racks and other associated equipment. The RFID solution from DataSpan will be used to manage the movement of laboratory and testing equipment as it periodically moves between the Langley facility and various field project locations. It utilizes handheld readers and three different types of EPC Global Class 1 Gen 2 tags. Most items are tagged with Omni ID metal mount tags, smaller lab assets are tagged with Sontec metal mount tags and individual offices are identified with UPM Raflatec Gen2 labels.
Ready to use RFID for home, everyday use?
With the RFID ME Gen2 Internet, RFID is ready for home office, consumer and everyday personal use. MTI, RF-iT Solutions, NXP Semiconductors, austriamicrosystems and Avery Dennison are partnering to promote the EPC Gen2 RFID solutions. RFID ME, a software application with plug-and-play USB capabilities, ties the world of EPC Gen2 RFID-tagged objects automatically and instantly to the Internet, essentially converting any computer into an EPC Gen2 reader. The RFID ME Kit includes a CD-ROM with RF-iT Solutions software, MTI’s USB Reader Dongle and sample quantities of Avery Dennison EPC Gen2 pressure-sensitive opaque inlays. The system supports NXP G2iL+ UCODE features for developing and deploying Internet of Things applications and enables home users to read and write their own RFID tags.
NXP delivers contactless transit system for 2014 Olympics NXP Semiconductors’ MIFARE Plus contactless microcontroller was selected to power the Russian city of Sochi’s Automatic Fare Collection system in preparation for the 2014 Winter Olympics. NXP is working with several partners to complete the system, including solution provider and equipment manufacturer Strikh-M, inlay manufacturer SMARTRAC and card manufacturer Novacard. Serving Sochi’s population of 500,000 residents and one million annual tourists, the MIFARE Plus-based system is designed to improve operational efficiency by eliminating the need for cash. According to NXP, this marks the first rollout of MIFARE Plus in Russia.
Nephsystem launches new ‘world’s smallest’ contactless reader
Canada’s Nephsystem released its new 13.56 MHz contactless reader/writer, which it claims is one of the smallest stand-alone contactless smart card devices in the world. Weighing in at only 15 grams, the N330 also features wireless communication via Bluetooth, a USB interface and compatibility with all the 13.56 MHz protocols. Other features include a high-capacity Li-ion rechargeable battery, Windows compatibility, and keyboard emulation or wedge capability allowing tag data to be transferred directly into any text editor, including Excel, Word and Notepad, for legacy application support.
Morpho issues first UIDAI number in India
Morpho has helped to issue the first Unique Identification Authority of India (UIDAI) number during the inauguration ceremony for the project. A UIDAI number, a 12-digit personal identification number, will eventually be assigned to each citizen in India. It will be connected to fingerprint and iris biometrics in an effort to make identification easier across the country, especially when dealing with social programs. Morpho is supplying deduplication technology to scan the collected biometric samples in search of duplicate entries to ensure that when UIDAI numbers are assigned no individual receives more than one ID.
AuthenTec, UPEK announce merger Biometric sensor developers AuthenTec and UPEK merged under the AuthenTec name. The new company is expecting significant opportunities due to its expanded customer footprint, expertise and portfolio of offerings. Additionally, the two were primary competitors, so market pressures will change for the merged entity. Former AuthenTec COO and President Larry Ciaccia will serve as the new CEO, and two new directors were added to the board from UPEK. Shareholders of UPEK will receive AuthenTec shares, resulting in a 31% stake in the new company for UPEK’s previous shareholders.
Contactless check-in system goes live at Sydney Airport
Australian airline Qantas has successfully introduced its new contactless check-in system at Sydney Airport. Already up and running in Perth, the system allows Qantas Club members and frequent flyers to check in using only their contactless ‘Q cards.’ After tapping the Q card at a reader at the terminal entrance, the traveler receives an automated text message on their mobile phone confirming a successful check-in. The card is then tapped once again at the departure gate. According to itwire.com, Qantas is issuing the cards to travelers in order of their frequent flier status.
SIA develops framework to address privacy concerns in biometrics, RFID
The Security Industry Association has developed a new privacy framework to address privacy concerns related to the use of surveillance video and the gathering of personal information for use in biometric, RFID and other security technologies. “While security without privacy is possible, privacy without security is impossible,” said Kathleen Carroll of HID Global, who serves as chair of the SIA government relations’ state and local policy working group. The 12-item privacy framework includes guidelines, according to Security Info Watch, such as conducting privacy impact assessments, limiting access to personally identifiable information within an organization, and adopting a security breach notification plan.
2011
RSA Conference USA 2011, February 14 – 18, 2011, Moscone Center, San Francisco, CA
SCA 2011 Payments Summit, February 15 – 17, 2011, Salt Lake City, UT
HIMSS11 Annual Conference & Expo, February 20 – 24, 2011, Orange County Convention Center, Orlando, FL
8th Annual World Health Care Congress, April 4 – 6, 2011, Gaylord Hotel & Convention Center, Washington, DC
ISC West, April 5 – 8, 2011, Sands Expo and Convention Center, Las Vegas, NV
RFID Journal LIVE!, April 12 – 14, 2011, Orange County Convention Center, Orlando, FL
18th Annual NACCU Conference, April 17 – 20, 2011, Baltimore, MD
Smart Card Alliance Annual Conference, May 2 – 5, 2011, Hyatt Regency – McCormick Place, Chicago, IL
ASIS Intl Seminar and Exhibits, September 12 – 15, 2011, Orlando, FL
2011 Biometric Consortium Conference and Technology Expo, September 27 – 29, 2011, Tampa Convention Center, Tampa, FL
CTIA Enterprise and Applications, October 11 – 13, 2011, San Diego Convention Center, San Diego, CA
Industry discusses PKI at the door
What will next-generation physical access control look like? Many industry insiders say it may be PKI at the door. At different events throughout the year, industry leaders shared their views on the next generation of physical security and credentials.
What is digital identity?
Digital identity can be different things to different people. At the 2010 RSA Conference, industry leaders shared their impressions of what digital identity is and the challenges that exist when it comes to putting a digital ID system in place.
AOptix adds face to InSight iris system
AOptix and Aware demonstrated a prototype at the Biometric Consortium Conference showcasing the ability to capture an ISO-standard face biometric at the same time as an iris image, while the subject is standing two meters from the device.
MorphoTrak: Challenges issuing, using PIV credentials
While there is plenty of guidance available for issuing PIV credentials to government employees, challenges still exist. “The value of Special Publication 800-116 is that it lays out how to implement PIV cards, now that you have them,” explains Consuelo Bangs, senior program manager at MorphoTrak.
Kaba enables flexibility for physical access control
Kaba’s Mark Allen explains the company’s E-Plex 5800 series FIPS 201 approved locks. They work in any one of three modes: standalone, integrated with a larger identity management system, and PKI-enabled to check against watch or revocation lists and the Federal Bridge.
Biometric use building on campus
Biometrics are being used more frequently on campus for access to high-security areas, says David Stallsmith, director of product marketing at ColorID. Data centers, animal labs and medical facilities are leading the way.
Evolution of off-line locks
ASSA ABLOY’s Bret Tobey talks about a new generation of locks he calls "near online." They are similar to off-line locks of the past except they include network components to remove manual tasks and improve security.
Smart cards competitive with prox
Lowering costs of contactless smart cards makes them competitive with legacy prox, says Jennifer Toscano, IR Security Technologies. Smart cards offer more security and enable added applications beyond access.
ID AS A SERVICE
Outsourcing identity and credentialing matures
Zack Martin, Editor, AVISIAN Publications
So, you want to deploy a converged smart card system for logical and physical access control for your company? You start taking inventory, looking at the operating systems in use, the applications that would have to be enabled, the public key infrastructure technology that would need to be deployed and the physical access control infrastructure, and try to figure out how to take all this and make it work with one smart card for each employee. And then you quit. All kidding aside, deploying a converged solution can be time consuming, costly and frustrating. This is leading some to look at an identity as a service model, similar to the software as a service model, says Mark Diodati, research director at the Burton Group. There are many items to take into account when combining physical and logical access controls. “It’s really hard to do,” Diodati says. “Many organizations spend lots of money and projects are delayed.”
Much of the cost of a smart card system is incurred with the initial deployment. “If you want to stand up a smart card deployment you have a lot of costs right up front,” Diodati says. But with ID as a service offerings, like other managed services, companies pay a subscription fee based on the number of users. ID as a service solutions differ, but most involve card or token issuance, integration into existing IT infrastructures, PKI and identity management. IDonDemand, Gemalto and Verizon Business are offering identity as a service, Diodati says. Offering logical access control as a managed service is not new, he adds, but including physical access control in the mix is new.
IDonDemand
This complete converged solution is where IDonDemand is trying to create its niche.
The company offers a credential that enables physical and logical access for $50 per employee, says Jason Hart, CEO at IDonDemand. “We looked at the average cost of deploying a product (in the traditional manner) and it started at a couple of million bucks,” Hart says. “It’s a big price tag.” “It is a concept that developed when I was at ActivIdentity,” explains Hart when asked about the origins of the IDonDemand concept. “Trying to resolve how we get more sustainable revenue, deliver better service and take something from the government and make it usable for the commercial customer.” IDonDemand’s solution can be delivered through the Web, Hart says. “It’s a smart card that can open up the front door, log them in, encrypt data and conduct e-commerce,” he says. “What a customer gets from us is a fully managed, end-to-end solution and the certificate authority with some level of public trust, be it cross certified to the Federal bridge or something else.” But the physical access control piece is the differentiator. Hart says IDonDemand can produce cards that emulate 30 different types of physical access control systems, including FIPS 201’s card authentication key, Mifare, PLAID and other ISO 14443 contactless smart card standards. When a company is interested in deploying a smart card system with IDonDemand, it starts with a pilot involving a few employees, Hart says. It typically takes about 24 hours to provision the smart card infrastructure, set up the PKI and get the pilot users going. This can be done remotely or at the customer site. IDonDemand sets up a public/private key pair in Active Directory for network login. It then sets up digital signature functionality for email, a process Hart says is fairly straightforward with
newer software systems, Hart says. “There’s a lot of native support built into products,” he adds. For older software packages IDonDemand has middleware to assist in the deployments.
The company also uses the Web to design the badge, decide what types of certificates go on the card and choose which physical access control systems the card should emulate, Hart says. The cards can be produced onsite if the company has a card printer with the necessary capabilities, or produced remotely at a central facility and shipped to the client. “The only infrastructure you need onsite is a Web browser,” he says. “Within 24 hours this one card will let them in the front door and log them on to the network.”
In addition to corporate settings, the company has seen interest in the ID as a service model from many different markets, including health care and state government for PIV-I, Hart says.
A year ago, IDonDemand thought its target market would be token replacement, but the company has seen a lot of demand in the convergence arena, Hart says. It also thought the sweet spot for company size would be 5,000 to 15,000 employees but has found many Global 1000 companies interested in the solution. “A lot of these companies have tried to install systems in the past and found the infrastructure too complex,” he says. “We found that providing the skill set in a certified, audited bunker gives them more features and options.” Using the managed service approach also lets companies deal with one vendor for a project, as opposed to many if an organization decides to manage the deployment itself. “It’s one throat to choke for card supplies and certificates,” Hart says. “You don’t have to deal with a lot of different vendors.”
Gemalto
Gemalto has two different managed service offerings, says David Teo, marketing manager for online authentication at the company. The first is its Device Administration Service for smart card-based one-time password devices. The solution is designed to complement Gemalto’s .NET smart card by providing organizations with a cost-effective and user-friendly service to perform card issuance and administration tasks. These tasks include card initialization, PIN change, key change, PIN unblock and card reset. Device Administration Service is a fully hosted service targeting small-to-medium size businesses. It is made up of an administrator portal where the card is initialized before issuance, remote PINs can be unblocked and certificates loaded, Teo says.
There is also an online user portal where PINs can be reset thus eliminating help desk calls. The self-service portal automates basic tasks improving end user satisfaction, Teo says. The Device Administration Service is much more cost effective than an on-premise system, Teo says. “The savings come from the pay-as-you-go pricing, no hardware maintenance and no need for costly deployment,” he says. This solution can’t be directly compared with the full-scale card management systems that are typically targeted at large organizations. “They offer integration with identity management systems and provide fuller feature sets that are required for large organizations, but tend to be overkill for small and medium sized businesses,” he says. For a comparison between the Device Administration Service and similar on-premise card administration systems – as opposed to card management systems – the cost to deploy a card administration system for a 500-employee organization is about $30,000 with three years of support, Teo says. “Contrast this with about $4,000 for the Device Administration Service over three years,” he says. “Customers can choose to buy an annual subscription, a two-year subscription, or three-year subscription upfront with significant discounts.”
Also using the ID as a service model, Gemalto offers Authentication as a Service. This is a cloud-based OTP server that enables organizations to implement OTP authentication for Virtual Private Networks, Outlook Web Access, internal Web applications and external Software as a Service. Organizations are offered a choice of a mobile OTP application for smart phones or a separate hardware token. Authentication as a Service is designed for organizations looking for strong authentication solutions that are cost effective, easy to deploy, easy to use and easy to manage, Teo says. The pay-as-you-go model enables organizations of any size to lower upfront investments and operational costs. This is a result of not having to maintain hardware servers as well as the overall lower subscription costs compared to on-premise server software. This service is under development and is expected to be available in the coming months.
Verizon
Verizon Business has been involved in credentialing and identity in a variety of ways, says Mark Shapiro, senior marketing strategist for the company’s Identity as a Service business. The identity piece came to Verizon Business through its acquisition of Cybertrust. The company has done a lot of work with first responders to set up PIV-I credentials, but also offers hosted two-factor authentication solutions for corporations as well as single sign-on and federated identity, Shapiro says. “We run managed services around PKI and OTP for a lot of corporations,” he says. “Basically an organization outsources its identity management infrastructure.” As more companies move to cloud-based applications, Verizon is seeing organizations change their identity infrastructure, Shapiro says. Even those with an existing infrastructure and tokens are switching as more applications become cloud based. “They need to ramp it up and we’ll walk through it with them and evaluate the methods in place,” he says. When a company brings in Verizon Business, it essentially takes over the identity solutions, Shapiro says. Whether the organization is starting from scratch or has existing systems dictates what happens next. It also depends on what the organization is hoping to accomplish. “Is cost a driver or security a driver,” he asks, “or is it a combination of the two?” While smart cards are popular in government, one-time password tokens and applications that can be used on smart phones for secure access are used more in corporate settings, Shapiro says. Running the OTP software on smart phones has become a popular way to secure access to applications. “In a lot of the cases they don’t want to distribute tokens,” he says. “They want to get out of the logistics and ease the use. They are becoming more aware of the costs and the headaches associated with the tokens.” The traditional use for the token is access to corporate virtual private networks. But uses for these OTPs are growing as organizations add PKI and access to cloud-based applications, Shapiro says. “We’re seeing a hybrid with PKI and OTP,” he says. “When it comes to those types of deployments some people say they just can’t manage and it’s scaled better to have another organization do it.” But the credential is just one piece of the identity puzzle that Verizon Business is seeing interest in from corporations. Adding federation and single sign-on is also becoming popular, says Shapiro, and it is tough for some organizations to crack. Adding federated identity is a challenge because it takes all the application and computer logins – local, remote and in the cloud – and makes them one. The idea is for there to be one login for everything. A sales person on the road would use the same login for the computer and be able to access cloud-based applications, such as SalesForce.com. “We set ourselves up as a hub that sits in the middle and translates into the federation,” Shapiro says.
Is the future of identity outsourced?
As more organizations move applications to the cloud, there’s a need for greater security, and two-factor authentication looks to play a role. Many organizations simply do not have the resources – manpower, expertise or capital – to roll out an identity and credentialing system on their own. For this growing number of organizations, a managed service offering may be the ideal way to fill that gap.
ID management moves beyond logical access
New deployments manage privileges and enforce data policies
Identity management systems are typically thought of as databases where employees are enrolled, given access to the various applications needed to do their jobs, and have their identities and privileges altered or revoked over time. This somewhat limited view is changing. ID management systems not only enable access to systems but also control the context of what individuals see and can do with the information when they access it. And these systems don’t just impact employees, partners and contractors. They can also act as customer relationship management and cross-selling tools as companies interact with clients and prospects.
Security questions businesses are asking:
• Are we compliant?
• What are our security risks?
• What can we do to mitigate these risks?
• What do we deal with first?
• Who has access to what?
• Who authorized their access?
• Do they have the right level of access?
• What did they do?
• How do we prove compliance?
Source: CA Technologies
The changing face of ID management comes as corporations realize that identifying and securing access is crucial as open networks are increasingly used for access to applications, data and services. “Identity is the cornerstone of security and without proper management it can be your worst security gap,” says Gijo Mathews, vice president for security at CA Technologies. Organizations are deploying more involved ID management systems to reduce risk and cost, enable compliance with regulatory requirements and ease growth in services, Mathews says. “Reducing risk and cost is a primary driver,” Mathews says. “You want to put people on the system and take them off as quickly as possible … in a way that won’t be a major burden to staff.”
It’s all about the context
These identity management systems also enable corporations to keep track of who is accessing applications and even what information is being accessed in that application. These systems are often necessary in order to comply with various regulations. Regulations such as Sarbanes-Oxley and the Payment Card Industry Data Security Standard require organizations to keep track of who accesses specific data, Mathews explains. CA Technologies tries to differentiate itself in the ID management space by making sure that only authorized individuals have access to data, Mathews says. “It’s not just about provisioning someone to an application,” he says. “We can also put data policy in place so an employee can see certain information but they can’t email it to another account.” It is content awareness, Mathews says. The technology enables organizations to write parameters that allow employees to access certain information and also control what they can do with it. “From the minute a person is provisioned they are set to the data levels of what they can access and do with data,” Mathews says. Part of enabling this type of ID management involves breaking down information silos and integrating applications, Mathews says. “Being able to marry those identities brings the customer more value,” he says. “Our goal is to control and manage identities based on roles.” Access based on roles has become more important as contractors and partners are given access to sites or applications, Mathews says. “The difference between a contractor, partner and employee is becoming blurred and we need to differentiate it,” he says. “We can group people into roles … make sure that they only have access to what they are supposed to and take away identity if necessary.”
Customer access
IBM has a couple of different ID management products under the Tivoli brand and is seeing businesses use them so customers can access information and perform transactions, says Ravi Srinivasan, program director for data and application security at IBM Security Solutions. A typical use case would be a credit card company, Srinivasan explains. A customer logs in to check a statement and pay their bill, but the company also offers links to a rewards program and to travel deals or rental cars. “As customers want to gain access to more externally hosted offerings we help pass the ID into the cloud,” he says. Many different markets want to offer individuals more services, Srinivasan says. “In a lot of vertical markets organizations are offering portals as a way to interact and give them more applications and services,” he says. “This is all handled with an ID management system.”
Watching the watchers
Employees and customers use ID management systems, but there also need to be controls in place for those administering the systems, Srinivasan says. “Our customers are worried about maintaining the back end that’s open to privileged users,” he says. Many compliance issues in health care and the financial sector surround these privileged users, Srinivasan explains. IBM has a system where the privileged user checks out a password to use, so an audit trail is maintained of what they do while accessing that system. “This enables you to provide that required level of compliance,” he says.
Germany deploys contactless national ID
Credential to link government, private businesses
[Table: ID card schemes in the European Economic Area, by country. Source: European Network and Information Security Agency Position Paper: Privacy Features of European eID Card Specifications. Notes to the table: 1. In some countries, the possession of an ID card or a passport is compulsory. However, the term “compulsory” has different meanings and implications in different countries. For example, the requirement to carry an ID card may apply only after a certain age; in some cases, ID cards are compulsory for nationals and foreigners residing in that country; often, ID cards are only compulsory for nationals residing inside the country. A “yes” item in parentheses in this column indicates that the ID card is the primary ID in a broader sense. 2. The “yes”/“specs.” entries in these columns with asterisks indicate which implementations/specifications have been taken into account.]
Germany began issuing the new contactless national ID to citizens in November. The program is one of the first contactless-only electronic ID programs. It also employs a unique privacy scheme to protect cardholders. National ID cards aren’t new in the European Union and many countries use smart card technology to power the credentials. But the contactless German ID is a bit of a departure from what other countries have done and thus necessitated a slightly different take on existing contactless smart cards. The country expects to issue 60 million cards over the next 10 years to replace existing paper documents, says Rudy Stroh, executive vice president of the ID business and country manager for Germany at NXP Semiconductors. NXP is providing the chip – its 128-kilobyte SmartMX secure contactless microcontroller – for the German e-ID. “The contactless technology used in the e-ID enables strong privacy protection,” Stroh says. The first difference between the German ID card and other contactless smart cards is that it can only be read from four centimeters, whereas most other cards can be read from eight to 10 centimeters, Stroh says. The chip is also PIN protected and will not release any personal information until the correct six-digit code has been entered. Communication between the card and the reader is encrypted, and the card generates a unique number to begin each session with a reader, Stroh explains.
Typically, when a card enters a reader’s field it first announces an identifier that the two sides use to set up the session and begin mutual authentication. If that number were fixed, it could be recorded to track the card, and thus its holder, without ever reading the personal data behind the PIN. Because the German e-ID generates a fresh number for each session, two sessions cannot be linked through this identifier.
Securing both physical and virtual worlds
“With the contactless application,” says Stroh, “there will be opportunities to use the card for a lot of services.” The German program uses the electronic passport standards developed by the International Civil Aviation Organization and can be used in place of a passport for travel between European Union countries. “It’s based on the ICAO EAS passport,” Stroh says. “There’s a common terminology being used and commonality between the documents for travel in Europe.” When traveling to other countries, fingerprint templates stored on the card are verified to ensure the identity of the cardholder. Use as a travel document is optional, so citizens can choose whether or not to enroll and store fingerprint templates. The credential can be used for access to government and commercial Web sites as well, explains Stroh, to digitally sign documents, auto fill forms, verify age and log in to bank accounts and other services. Stroh estimates that 150 companies – including financial institutions, retailers, and airlines – are working on applications to take advantage of the card technology. In addition to verifying a cardholder’s identity online, it can protect cardholders from online threats as well. Using mutual authentication between the card and the service provider, cardholders can better trust the authenticity of the service provider. This is designed to make it faster, more economical and more secure to open and log into accounts while guarding against identity theft.
It also can protect young people, for example, by preventing underage cardholders from buying cigarettes from vending machines or accessing other age-defined products and services. From the ground up, the German e-ID was created with privacy protection in mind. This is evident in the handling of age verification as well. Rather than disclose the age of the cardholder to the service provider, only a pass or fail indicator is provided based on the date of acceptability. Card expiration is managed in the same way disclosing only whether the card is valid or invalid, rather than providing the actual date of expiry.
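As an added example, not code from the article, NXP or the German e-ID itself, the following Python toy models the two privacy features described above: a per-session random identifier that prevents a tracker from linking sightings of one card, and predicate-only disclosure, where the terminal sends a reference date and the card answers only pass/fail for age and valid/invalid for expiry. The class and function names, the 4-byte identifier length and the leap-day rule used to compute the reference date are assumptions; the real protocol is specified by the German BSI and is not reproduced here.

```python
"""Toy model of the German e-ID privacy features described above.
Illustrative code written for this article, not the nPA implementation:
class/function names, the 4-byte session identifier and the leap-day
rule below are assumptions."""
import secrets
from datetime import date
from typing import List, Optional


class EidCard:
    """Holds the personal data; discloses only predicates, never the data."""

    def __init__(self, dob_iso: str, expiry_iso: str,
                 fixed_uid: Optional[bytes] = None) -> None:
        self._dob = date.fromisoformat(dob_iso)
        self._expiry = date.fromisoformat(expiry_iso)
        # fixed_uid models a conventional card that announces the same
        # identifier on every tap; the e-ID leaves it unset.
        self._fixed_uid = fixed_uid

    def session_id(self) -> bytes:
        # A fresh random number per session means two readers (or one reader
        # on two days) cannot tell whether they saw the same card.
        if self._fixed_uid is not None:
            return self._fixed_uid
        return secrets.token_bytes(4)

    def age_verification(self, acceptance_iso: str) -> bool:
        # The terminal supplies the latest acceptable date of birth for the
        # age it cares about; the card answers pass/fail only.
        return self._dob <= date.fromisoformat(acceptance_iso)

    def document_validity(self, today_iso: str) -> bool:
        # Same pattern for expiry: valid/invalid, not the expiry date.
        return date.fromisoformat(today_iso) <= self._expiry


def acceptance_date(today_iso: str, min_age: int) -> str:
    """Latest birth date that makes a holder at least min_age on today_iso.
    Assumption: a Feb 29 birthday is compared against Feb 28 in non-leap
    years; jurisdictions differ on this."""
    today = date.fromisoformat(today_iso)
    try:
        cutoff = today.replace(year=today.year - min_age)
    except ValueError:  # today is Feb 29 and the target year is not leap
        cutoff = today.replace(year=today.year - min_age, day=28)
    return cutoff.isoformat()


def linkable(session_ids: List[bytes]) -> bool:
    """What a tracker learns: sightings can be linked only if an
    identifier repeats across sessions."""
    return len(set(session_ids)) < len(session_ids)


if __name__ == "__main__":
    today = "2010-11-01"
    eid = EidCard("1992-11-01", "2020-11-01")
    legacy = EidCard("1992-11-01", "2020-11-01",
                     fixed_uid=bytes.fromhex("04a1b2c3"))
    cutoff = acceptance_date(today, 18)
    print("terminal asks: born on or before", cutoff)
    print("e-ID answers over-18:", eid.age_verification(cutoff))
    print("e-ID answers valid:", eid.document_validity(today))
    print("e-ID sightings linkable:",
          linkable([eid.session_id() for _ in range(3)]))
    print("legacy card linkable:",
          linkable([legacy.session_id() for _ in range(3)]))
```

The point of the reference-date design is that the terminal never learns the date of birth or the expiry date, only the answer to the one question it asked; note that the terminal must compute the cutoff itself, so its clock and leap-day handling are part of the trust boundary.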
SCM unveils smart card reader, software for German e-ID
SCM Microsystems announced the availability of the CHIPDRIVE IT Security Kit, a contactless smart card reader and software designed to protect personal data online when used with the new German electronic ID cards. Beginning in November, the German government began issuing citizens a new electronic ID card based on contactless smart card technology. The ID card includes an electronic proof of identity feature that safeguards the user’s personal data when transferring information over the Internet, such as when making online purchases, downloading music, confirming age or place of birth, filing an insurance claim, or communicating with local or federal authorities. A smart card reader is required to use the card’s e-ID feature online. Together, the reader and e-ID significantly increase online trust and security compared with basic username and password techniques. The CHIPDRIVE IT Security Kit includes a contactless smart card reader certified by the German Federal Office for Information Security, a government-provided e-ID interface application called the AusweisApp and a 12-month license for a popular antivirus and firewall solution. In addition to use with the German ID, the USB reader can be used with transit and payment cards as well. At US$35 the kit enables German citizens to take advantage of the new e-ID capability for online services.
E-passport inspections lagging worldwide
Issuance remains strong but slow economy hinders infrastructure investment
The issuance of electronic passports is going well, with approximately 250 million documents in circulation as of October, according to Barry Kefauver, principal at the consulting firm Falls Hills Associates LLC. On the other hand, deployment of inspection systems to read the contactless chip in these books is not going as well.
Mandates were the impetus to get the new documents issued, but no such pressure exists on the inspection side. “It’s obviously not as quick and not keeping pace with the issuance systems,” says Kefauver.
“The issuance has been on the front burner (but) the inspection is handled by organizations completely different from the issuance authority,” Kefauver explains, “and you have the dropped ball phenomenon.”
Combine that with a weak world economy and spending on new border control systems was just not a priority, says Mark Joynes, director of product management at Entrust, a passport systems provider. “The financial meltdown slowed things down,” he adds. “It stalled the European rollout of second generation e-passports and inspection systems.”
That’s not to say there aren’t inspection systems out there, Kefauver says. About a dozen countries have automated gates where the chips on the documents are read and the biometric confirmed with either facial recognition or fingerprint, depending on the document.
“They are overseen by a human supervisor but not necessarily in the same way as a traditional border checkpoint,” he says.
Switzerland was expected to roll out a system capable of reading all countries’ passports, including those using extended access control (EAC), Kefauver says. EAC is a security protocol under which the chip releases its fingerprint data only after the inspection system has authenticated itself with certificates that trace back to the passport-issuing country. “About a dozen countries are doing EAC inspection,” he says. It took eight years for optical character recognition-B (OCR-B) readers to reach critical mass and for countries to read that code, Kefauver says. It’s only been three years that e-passports have been widely issued, he explains, stating that he is not that concerned. “Everyone is inspecting it,” he says. For the majority of countries that involves reading the OCR-B machine-readable zone on the passport’s data page, Kefauver says. Many countries, including the U.S., are looking for multi-use readers that would be able to read both the OCR-B zone and the chip. But issuing a document with a contactless smart card chip and not reading that chip is problematic to some. “Of course you’re not getting the value until you’re doing the inspection,” says Joynes. Entrust has seen a lot of activity on the issuance side of e-passports but not as much on inspection, Joynes says. “We’re seeing a lot of activity in Asia and starting to see more in the Middle East and Africa,” he says. “But most of that interest is on the issuance side of things.” One problem on the inspection side is the lack of standards, Joynes says. Countries have to distribute validation information to inspection points. It’s a difficult task and there are not yet standards on how to do it from the International Civil Aviation Organization (ICAO), the group responsible for the e-passport standards. “Distribution of validation materials is crucial but it’s not standardized,” he says. “Identifying travelers who raise concern and integration with Interpol’s lost or stolen passports lists need to be coordinated and integrated.” Because of the lack of standards, countries are hiring vendors like Entrust to perform these tasks, says Joynes. The company released the capability to provide material to inspection systems using standard PKI and routing the information through an existing infrastructure.
PKD problems?
While issues around transmitting validation materials exist, there are equally pressing issues with participation in ICAO’s Public Key Directory (PKD). The PKD was established to support the global interoperability of e-passport validation and act as a central broker to manage the exchange of certificates and certificate revocation lists from different countries.
The idea behind the central repository is to ensure interoperability by minimizing the volume of bilateral certificate exchanges, providing timely uploads and managing adherence to technical standards.
Participation in the PKD has been the biggest issue with just 20 of 80 eligible countries participating, Kefauver says. “Twenty out of 80 is a small percentage but (the participants) are the biggest countries,” he says. Finding the funds to participate in the PKD has been a significant obstacle for many countries, says Kefauver. The European Union is considering funding participation in the directory for member countries.
Educating countries on what the PKD does is an important step, he says. Once they understand the importance they will be more likely to participate. More countries are close to subscribing to the PKD and deploying inspection systems that read the chip, Kefauver adds. “2011 will be the year we see a lot more activity,” he says.
Petty Officer 3rd Class Taylor Mudrock, from Coast Guard Marine Safety Unit Cleveland checks a worker at Jonick Dock and Terminal Co. for his Transportation Worker Identification Credential. (Coast Guard photo/Petty Officer 3rd Class William B. Mitchell)
Transportation worker ID moving ahead
Pilots concluding but final access control policies still more than a year out

John Schwartz, program manager for the Transportation Worker Identification Credential (TWIC), was going to begin an update on the program with the words “eight years ago,” but then thought better of it. It has been that long since Congress mandated that the Transportation Security Administration (TSA) create a credential for secure access to ports, and the agency is still working on the rollout. It will most likely be 2012 before there are widespread readers electronically verifying the credentials, Schwartz said during a presentation at the Interagency Advisory Board meeting in September. But while critics dismiss the credential as an expensive flash pass, progress has been made toward wide-scale electronic verification at ports. The TSA reports that at 135 enrollment centers across the country, 1.7 million workers have been enrolled and of those 1.6 million have activated their ID. Schwartz and his team are working on a congressionally mandated reader test that will lead to the final rule for reading the TWIC. His team has done testing in the lab, in the field without looking at the impact on a port’s business processes and finally in the field while considering the impact on business.
Through lab testing the TSA approved 28 readers and associated systems, Schwartz says. The lab tests looked at reader performance in different environmental conditions, extreme hot and cold temperatures, water and humidity, as well as durability tests. The 28 approved readers include two alternative biometric systems. If a port can show a chain of trust in enrolling a worker in the local physical access control system, it is acceptable to use an alternative biometric, such as iris, to access the facility.

TWIC follows the FIPS 201 specification but diverges in the utilization of biometric and contactless technologies. In order to access the biometric on a TWIC a cardholder must be enrolled in the local physical access control system first. That means the TWIC privacy key, which is stored on the card’s magnetic stripe and chip, must be registered in the local physical access control system before the biometric can be read using the contactless interface. This is different from other PIV credentials, where the biometric is accessed only via the card’s contact interface. TWIC modified the FIPS 201 spec for its use because port operators demand high throughput and PIN-protected contact interface reads were deemed too time intensive.
For the field-testing, Congress instructed that the readers be used in at least five distinct geographic locations to test the business processes, technology and operational impacts.
The sites selected for the tests needed to be from a broad spectrum of operations and climates, Schwartz says. The final report on the testing was due in April but implementing specifications and identifying volunteer ports delayed the project.

There have also been issues with creating a standard for the information processing. The TSA has determined that authenticating the card, checking its registration in the physical access control system and checking the hot list all need to be done in the same sequence.

The TSA received $8.1 million to provide independent testing, data collection and analysis, Schwartz says. The ports, terminal and vessel operators received $23 million in security grants with $15 million for the pilot and the remainder held in reserve for future reader deployments. While $15 million may sound like a lot of money to spend on readers, it wasn’t spent just on that technology, Schwartz explains. Cabling, updating infrastructure and deploying physical access control systems had to be done in many instances for the system to work.

The tests have already generated some important lessons, Schwartz says. There have been challenges integrating the TWIC readers into different physical access control systems. The messaging from the readers needs to be standardized and made visible in all environments, Schwartz says. He cites the example of a card rejected by a reader without an adequate error message. “If the card gets an error the guard would tell the worker they need a new one when it may not have been registered in the PACS or something more minor,” Schwartz says.
The read range of the contactless readers has been problematic too, Schwartz says. Ports that used proximity cards previously are reeducating workers that the card may need to be held closer to the reader than with the prior technology. The cards, which come with plastic sleeves, also have to be removed from the sleeve to be read in some instances. Educating cardholders on how to take care of the credential has been a learning experience, he says. Some truck drivers will keep the credential around the rearview mirror in the sun and this can damage the chip and antenna.

Explaining the hot list, or revocation list, has been problematic too, Schwartz says. A worker will lose the card and call the number to report it lost, at which point it is placed on the revocation list. If the worker finds the card a day or two later and tries to use it, it is flagged and port security is alerted.
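The registration and check sequence described above, as an added example that is not the TSA’s or any reader vendor’s code. It models the TPK captured at local registration, the three checks in the order the article lists them (card authentication, PACS registration, hot list) followed by the biometric match, and returns a distinct outcome for each step so the guard is told “not registered here” rather than “bad card”. What is assumed rather than taken from the article: the CHUID signature is modelled as an HMAC under a constructed issuer key (real cards carry a PKI signature), the biometric is encrypted under the TPK with AES-GCM (the specification’s actual mode is not described on this page), a byte comparison stands in for a fingerprint matcher, and the FASC-N value and all keys are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Card is a constructed model of a TWIC as a reader sees it. CHUID, signature and
// encrypted biometric come over the contactless interface; the TPK is read once
// over the contact/magstripe interface when the worker registers locally.
type Card struct {
	CHUID    []byte // carries the FASC-N; here simply the FASC-N string
	CHUIDSig []byte // issuer signature over the CHUID; an HMAC here, a PKI signature in reality
	EncBio   []byte // fingerprint template encrypted under the TPK
	TPK      []byte // TWIC Privacy Key, 128 bits
}

// Outcome is what the reader reports. Each case has its own code so the guard can
// tell "never registered here" from "bad card" from "revoked".
type Outcome string

const (
	Granted        Outcome = "GRANTED"
	CardAuthFailed Outcome = "CARD_AUTH_FAILED"       // CHUID signature does not verify
	NotRegistered  Outcome = "NOT_REGISTERED_IN_PACS" // valid card, no TPK on file locally
	OnHotList      Outcome = "ON_HOT_LIST"            // reported lost or stolen
	BioMismatch    Outcome = "BIOMETRIC_MISMATCH"
)

// PACS is the facility's physical access control system.
type PACS struct {
	issuerKey []byte            // stand-in for the issuer's signing certificate
	tpk       map[string][]byte // TPK by FASC-N, captured at registration
	hotlist   map[string]bool   // revocation list, refreshed from the issuer
}

func NewPACS(issuerKey []byte) *PACS { return &PACS{issuerKey, map[string][]byte{}, map[string]bool{}} }

// Register files the TPK read over the contact interface under the card's FASC-N.
func (p *PACS) Register(c *Card) { p.tpk[string(c.CHUID)] = c.TPK }

// Revoke puts a FASC-N on the local hot list (the worker reported the card lost).
func (p *PACS) Revoke(fascn string) { p.hotlist[fascn] = true }

func mac(key, data []byte) []byte { m := hmac.New(sha256.New, key); m.Write(data); return m.Sum(nil) }

// Check runs the steps in the order the article lists them: authenticate the card,
// look up its PACS registration, consult the hot list; only then decrypt the
// biometric with the registered TPK and compare it with the live sample.
func (p *PACS) Check(c *Card, live []byte) Outcome {
	if !hmac.Equal(mac(p.issuerKey, c.CHUID), c.CHUIDSig) {
		return CardAuthFailed
	}
	fascn := string(c.CHUID)
	tpk, ok := p.tpk[fascn]
	if !ok {
		return NotRegistered
	}
	if p.hotlist[fascn] {
		return OnHotList
	}
	stored, err := openBio(tpk, c.EncBio)
	if err != nil || !bytes.Equal(stored, live) { // bytes.Equal stands in for a fingerprint matcher
		return BioMismatch
	}
	return Granted
}

// sealBio/openBio: AES-GCM under the TPK. The mode the TWIC specification actually
// uses is not described on this page; GCM is this example's choice.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // NewGCM only fails for unusual block sizes
	return g
}

func sealBio(key, template []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, template, nil)
}

func openBio(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// IssueCard personalizes a card at the central issuer: sign the CHUID, draw a
// random TPK and encrypt the fingerprint template under it.
func IssueCard(issuerKey []byte, fascn string, fingerprint []byte) *Card {
	tpk := make([]byte, 16)
	rand.Read(tpk)
	chuid := []byte(fascn)
	return &Card{CHUID: chuid, CHUIDSig: mac(issuerKey, chuid), EncBio: sealBio(tpk, fingerprint), TPK: tpk}
}
```

A card that is reported lost, found two days later and presented at the gate takes the ON_HOT_LIST path: it authenticates and is registered, so a reader that only reports pass/fail would leave the guard guessing at the cause. The fixed order also decides which message wins: a card that was never registered at this facility reports NOT_REGISTERED_IN_PACS before the hot list is ever consulted, which is why the article stresses that every site must run the checks in the same sequence.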
TWIC pilot participants (Source: TSA)

Ports / Facilities                    Time of Pilot
Port Authority of Brownsville, TX     01/10 – 05/10
Port Authority of NY and NJ           03/10 – 10/10
Port Authority of Los Angeles         05/10 – 03/11
Port Authority of Long Beach          30/10 – 03/11
APM Terminal, Chesapeake, VA          10/10 – 03/11

Vessel operators                      01/10 – 07/10
Staten Island Ferry, New York, NY
Watermark Cruises, Annapolis, MD
Magnolia Marine, Mississippi
Clipper Navigation, Seattle, WA
Other problems have included general installation issues including electrical power fluctuations, physical reader placements that are too high, too low or too far from the worker, and slow turnstile and gate mechanism responses. The TSA is planning to deliver a report with the test findings to Congress in 2011, Schwartz says. After that the U.S. Coast Guard, which is responsible for enforcing TWIC, will make a rule for ports and port operators to follow. That will most likely not be until 2012.
The TSA is looking to solve some other logistics issues as well, Schwartz says. Enrollment and card activation services for remote locations can be a hardship for some areas. Workers have to show up once to apply for the credential with all the appropriate documentation and then show up again a few days later to receive and activate the card. This has been problematic in areas where the enrollment center is far from the port or the port worker’s home, he explains. Congress has questioned the TSA on this, asking if the credential can be mailed, but the FIPS 201 standard doesn’t allow the ID to be mailed. TSA is looking at other alternatives to solve this problem.

The durability of the credential has been another problem, Schwartz says. The card is tested before leaving the central production facility and before leaving the activation center, but there have been problems with card failures in the field. Without the presence of a TWIC team member with card analysis tools, it has been difficult to determine whether the problem is with the card, the reader or the access control system at the facility.

Because of the delay in the final rule most port operators are opting to wait before deploying TWIC reading systems, says Walter Hamilton, senior consultant at ID Technology Partners. Port operators could deploy the systems now but are afraid they will have to retrofit or tear out technology depending on the rule. But some reader manufacturers have given guarantees that if port operators opt for the maintenance package the vendor will guarantee compatibility with the final rule, Hamilton says. “It gives the maritime operators some level of comfort,” he says.
The TSA is considering a move from a 72K chip to a 144K chip, Schwartz says. Before the change is made official, however, they are verifying that no other system changes will be necessary and that there will be little or no impact on production and reader equipment. The TWIC road has been a long and arduous one, ultimately taking more than a decade from mandate through roll out to electronic verification of the credential. But one day soon U.S. ports may have the increased security originally envisioned by TWIC initiators.
Keystroke dynamics secure computer access
Quirky biometric modality praised, has yet to catch on
Autumn C. Giusti, Contributing Editor, AVISIAN Publications

Maybe you’re a hunt and peck typer. Or perhaps you zip around the keyboard but linger over certain keys. And it’s possible that you type much faster after you’ve had your morning coffee than you do when 5 o’clock rolls around.
A person’s typing patterns can be as unique as a fingerprint or signature. That’s the idea behind keystroke dynamics, and some technology firms have built their business around using this biometric as a form of authentication.

Today, keystroke dynamics can provide strong authentication to Web-based applications, email and networks.

Keystroke dynamics, or keystroke biometrics, is a behavioral biometric rather than a physiological biometric. That means it measures some action, such as typing, gait, signature or voice, rather than a physical characteristic such as fingerprint, face or iris. Although it has been slower to catch on, some say keystroke dynamics can be as good a form of authentication as any other biometric. “The technology works pretty effectively,” says Avivah Litan, security research analyst for IT research and advisory firm Gartner Inc. “There have been some well regarded, prestigious New York banks and credit unions that have used it for private banking … it’s much stronger than a password and it’s every bit as good as a hard token going through the Web browser.”

Systems that rely on keystroke dynamics measure the patterns a person makes when typing: how long each key is held down, the interval between keys and the overall typing speed. In particular, these systems look at the dwell time, how long a key is pressed, and the flight time, how much time it takes to get from one key to the next. Other factors might include typing habits, such as whether the person holds down the shift key or uses ‘Caps Lock’ to type a word in capital letters.

Miami-based AuthenWare Corp. offers software to verify that the person typing a user ID and password is the actual owner of those credentials. Its AuthenWare Technology system uses keystroke dynamics to evaluate the way that person types the credentials. AuthenWare also considers other behavioral and environmental characteristics, such as whether a person uses a mouse to move from one task to another, as well as the person’s IP address, time zone, operating system and browser and typing speed at different times of the day. “Maybe you had a lot of coffee or are tired, and you may be typing faster or slower, but it is still you typing,” says Tom Helou, president and chief operating officer of AuthenWare. All of these elements help AuthenWare build an accurate personal pattern for each user to minimize identity theft, Web fraud and system vulnerability. “Even when you’re switching from one computer to another, we have the ability to determine whether you’re the right person to be accessing those credentials,” says Helou. “The application turns the person into the security device.”

The system compiles all of a person’s typing characteristics using an algorithm to create a numeric template that, in essence, encapsulates the variables. This template is compared to the enrolled template created during previous typing sessions. If the pattern is mathematically similar to the one already stored, then the user is granted access. If a hacker were to type the person’s username and password at a different typing speed the system would reject him. “We make stolen information useless,” Helou says.

So what’s the hang-up? “It’s unconventional. People generally don’t like to adopt unconventional measures. So as soon as you get more big banks and service providers using it, they’ll all start jumping on the bandwagon,” Litan says.

The concept of keystroke dynamics goes back to the use of Morse code during World War II. The military used the code to tap out important messages but it was crucial to determine whether the sender was an ally or an enemy. The Army Signal Corps discovered that the rate and rhythm of the tapping differed between individuals. They developed a concept called “the fist of the sender” to use these variables to ensure received messages were valid.
Behavioral biometrics are based on an individual’s specific behavioral trait. Examples include speech patterns, signatures, gait and keystrokes. Physiological biometrics are based on an individual’s physical characteristics. Examples include fingerprints, hand geometry, iris and DNA.
Keystroke biometrics is still less popular than other forms of biometric authentication because not enough people are familiar with it yet. “No one wants to be first out of the box,” Litan says.

‘A layered approach’

Like other biometrics, keystroke dynamics is not a perfect solution. Most security experts agree that using layered techniques is best. Keystroke dynamics can be one part of a suite of authentication modes. “You can’t rely on it on its own, but you can’t rely on anything on its own,” Litan says. “You have to have a layered approach.”
That’s the idea behind KeystrokeID, one of a series of strong authentication and encryption products offered by ID Control, based in The Hague in the Netherlands. KeystrokeID is designed to work in tandem with the company’s other strong authentication tokens, such as one-time passwords. “We don’t believe in using only one single method of strong authentication,” says Hans Kortekaas, CEO of ID Control. “We offer a mix, which means there’s always an ideal solution.”

Key to any biometric solution are the false acceptance rate and the false rejection rate. False acceptance is the rate at which someone who isn’t you gets in with your credentials. False rejection is when you are the correct person but the system doesn’t let you in. At the highest security level setting, AuthenWare’s false acceptance rate is 0.19%, but the false rejection rate tops out at 3.2%. To ease the challenges caused by false rejections, AuthenWare lets the user define the security level that he or she wants. For instance, a person working in research and development might be willing to risk more false rejections for the sake of higher security. Alternately, a person on a home computer might not need as much security and could lower the false rejection rate for the sake of convenience. With KeystrokeID, there is a false acceptance rate of about 1 in 10,000 people, whereas the false rejection rate is about 3 out of 100. “Even though that is the case, you have to remember that you can always put a threshold on your security measure,” Kortekaas says. If a person is falsely rejected and the system knows his mobile number, ID Control can send a one-time password to use for that day or that session, explains Kortekaas. “From that point of view,” he adds, “you always have control.”
One challenge is that the same person’s typing speed can vary greatly on different computers. KeystrokeID addresses this issue by allowing the user to notify the system of which computers he uses on a regular basis, and then select which computer is being used at each time of the day. There is also the issue of what happens when a person breaks a hand or finger. Typing patterns tracked in the AuthenWare system can adapt to nuances in user typing behavior such as those caused by injury, illness, medication or even the consumption of too much caffeine. For KeystrokeID, the solution goes back to layers of authentication. “Again, what do you do when someone loses their ATM card?” Kortekaas says. “If you lose one arm, you still have the other arm to receive a one-time password on your mobile phone.” With any form of authentication, there are risks. With an ATM card, for instance, the user has to remember his or her PIN. “People forget that there’s always a chance someone guesses right and can use your card to withdraw your money,” Kortekaas says.

User benefits

Many forms of authentication that rely on biometrics, such as eye scans and fingerprints, can be expensive, intrusive and inflexible to the customer, says Wayne Snell, vice president of marketing for AuthenWare. “And once you configure it for a certain security level, you can’t go undo it.” With keystroke dynamics, there is no new software or hardware for the end user to install, so it is less expensive, Helou says. “It’s software that only gets invoked when someone types in a username and password, so it’s much less intrusive to the user,” he says. The average corporate employee might have 27 different user IDs and passwords that need to be changed regularly, often without repeating any of the previous characters, Helou says. A system that relies on keystroke information could eliminate the need for multiple user IDs and passwords. “It’s very difficult for us humans to remember those unnatural credentials,” Helou says. “So you store that information in a file on the back of the keyboard or on a shelf (and) whoever can get to that file can get this information.”
Dwell Time is a keystroke biometric measure that tracks the duration of time that a specific key is pressed. Flight Time is a keystroke biometric measure that tracks how long it takes to move from one specific key to another.
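The dwell and flight measurements just defined, the template comparison AuthenWare describes and the threshold trade-off between false acceptance and false rejection can be made concrete in code. The following Go program is an added example and not AuthenWare’s or ID Control’s software: it extracts dwell and flight times from press/release events, enrolls a per-feature mean and standard deviation template, scores a new session as a mean absolute z-score, and measures FAR and FRR at a chosen threshold. The passphrase, the two typists’ timing profiles and the 12 ms jitter are constructed with a seeded generator, and the scoring rule and the 4 ms floor on standard deviation are this example’s design choices, not a description of either vendor’s algorithm.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// KeyEvent is one keystroke with press and release times in milliseconds.
type KeyEvent struct {
	Key            string
	Press, Release float64
}

// Features maps feature name to timing; names carry the passphrase position so
// every session of the same phrase yields the same feature set.
type Features map[string]float64

// ExtractFeatures: dwell (release - press) per key and flight (next press - this
// release) per transition. Flight goes negative on key rollover, which is fine.
func ExtractFeatures(ev []KeyEvent) Features {
	f := Features{}
	for i, e := range ev {
		f[fmt.Sprintf("dwell:%d:%s", i, e.Key)] = e.Release - e.Press
		if i+1 < len(ev) {
			f[fmt.Sprintf("flight:%d:%s>%s", i, e.Key, ev[i+1].Key)] = ev[i+1].Press - e.Release
		}
	}
	return f
}

// Template is the enrolled pattern: per-feature mean and standard deviation,
// floored at 4 ms so one unusually regular key cannot dominate the score.
type Template struct{ Mean, Std map[string]float64 }

func Enroll(samples []Features) *Template {
	t, n := &Template{map[string]float64{}, map[string]float64{}}, float64(len(samples))
	for k := range samples[0] {
		var sum, sq float64
		for _, s := range samples { sum += s[k] }
		for _, s := range samples { sq += (s[k] - sum/n) * (s[k] - sum/n) }
		t.Mean[k], t.Std[k] = sum/n, math.Max(math.Sqrt(sq/n), 4.0)
	}
	return t
}

// Score is the mean absolute z-score over all features (0 = identical rhythm);
// the threshold an operator places on it is the FAR/FRR dial.
func (t *Template) Score(f Features) float64 {
	total := 0.0
	for k, m := range t.Mean {
		total += math.Abs(f[k]-m) / t.Std[k]
	}
	return total / float64(len(t.Mean))
}

// FarFrr: false accept rate (impostor sessions scoring at or under th) and
// false reject rate (genuine sessions scoring above th).
func FarFrr(th float64, genuine, impostor []float64) (far, frr float64) {
	for _, s := range impostor { if s <= th { far++ } }
	for _, s := range genuine { if s > th { frr++ } }
	return far / float64(len(impostor)), frr / float64(len(genuine))
}

// Constructed typists: habitual dwell/flight per passphrase position plus 12 ms
// of per-session jitter. These are nobody's real measurements.
const phrase = "correct horse"
type timing struct{ dwell, flight float64 }

func makeProfile(rng *rand.Rand) []timing {
	p := make([]timing, len(phrase))
	for i := range p {
		p[i] = timing{60 + rng.Float64()*100, 40 + rng.Float64()*210}
	}
	return p
}

func typePhrase(p []timing, rng *rand.Rand) (ev []KeyEvent) {
	t := 0.0
	for i := range p {
		release := t + math.Max(20, p[i].dwell+rng.NormFloat64()*12)
		ev = append(ev, KeyEvent{phrase[i : i+1], t, release})
		t = release + math.Max(0, p[i].flight+rng.NormFloat64()*12)
	}
	return ev
}

// RunDemo enrolls typist A on 10 sessions, scores 25 more of A's and 25 of B's
// against that template, and returns everything plus FAR/FRR at threshold.
func RunDemo(threshold float64, seed int64) (tpl *Template, genuine, impostor []float64, far, frr float64) {
	rng := rand.New(rand.NewSource(seed))
	a, b := makeProfile(rng), makeProfile(rng)
	var enroll []Features
	for i := 0; i < 10; i++ { enroll = append(enroll, ExtractFeatures(typePhrase(a, rng))) }
	tpl = Enroll(enroll)
	for i := 0; i < 25; i++ {
		genuine = append(genuine, tpl.Score(ExtractFeatures(typePhrase(a, rng))))
		impostor = append(impostor, tpl.Score(ExtractFeatures(typePhrase(b, rng))))
	}
	far, frr = FarFrr(threshold, genuine, impostor)
	return
}
```

Calling RunDemo(2.0, 1) keeps both rates under 10% on this constructed data; tightening the threshold to 1.0 cannot raise FAR but will typically start rejecting genuine sessions, which is the dial the vendors leave to the customer. A rejected session should route to a second factor such as the one-time password ID Control describes rather than a lockout, and a template should only ever be updated from sessions that were accepted, otherwise an impostor who gets in once trains the template toward their own rhythm.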
A growing number of companies believe that changing usernames and passwords too often is a poor security practice, Helou says. “We believe the same thing,” he says. “So for companies to secure their users, they are adding more and more security layers. Then the challenge becomes (balancing) security and user friendliness.”

Potential uses

Keystroke dynamics works especially well for workplaces, where most employees use the same keyboard day after day. The same applies for online courses, in which a student might follow the same course for nine weeks – allowing time for the system to measure his typing patterns – and then take a test that requires strong authentication in the final week. ID Control’s clients include a mix of legal, health and financial companies. AuthenWare primarily serves government agencies, retailers and banks that use the technology mostly for securing online transactions. The key for keystroke is its flexibility to add an additional layer of security to any transaction requiring data entry. This makes the ultimate market for the biometric authentication technique virtually limitless.
Identity industry sees consolidation
Wave of acquisitions adds missing pieces to key players
A pruning back of industry players has been under way in recent months, as three key companies in the biometrics and identity space have given in to acquisition deals. Within a period of a month and a half, L-1 Identity Solutions was acquired by Safran, L-1 competitor Cogent Systems was picked up by 3M and HID Global’s parent company Assa Abloy announced plans to buy ActivIdentity.
HID Global significantly increases its presence in the logical access control market with the addition of ActivIdentity.
A competitive landscape has created an environment ripe for such transactions in the space, says Joel Fishbein, an analyst with Lazard Capital Markets in New York. “We think the identity space and biometrics is going to be very large and growing fairly robustly over the next three to five years as government entities in particular look to secure their borders through the means of biometrics,” he says. The consolidations also give firms a chance to use a larger organization’s resources to expand their products. “I see this happening with a lot of the smaller organizations. They have some good technology, but they don’t have the reach a Safran or a 3M would,” says Dilip Sarangan, industry analyst for Frost & Sullivan. “So it is an opportunity for a larger organization to come in and take the technology, improve it and create a better market for biometrics.”

L-1 boosts Safran holdings
Safran’s purchase of L-1 bolsters its existing line of biometric and identity offerings and, equally importantly, gives the French company a major U.S. presence.
In the largest of the three transactions, Stamford, Conn.-based biometrics firm L-1 Identity Solutions agreed to be acquired by Safran, a French aerospace and defense systems company that is active in the biometric space through its subsidiary Morpho. The merger, announced in September, would give stockholders $12 per share in cash, or $1.6 billion, inclusive of outstanding debt. L-1 provides biometric identity products to businesses, federal agencies and local and international governments. Safran will acquire L-1 following the sale of L-1’s intelligence services businesses to BAE Systems in a separate transaction valued at $296 million. L-1’s intelligence services businesses include SpecTal LLC, Advanced Concepts Inc. and McClendon LLC, which are expected to have combined revenues of $234 million in fiscal year 2010. The BAE transaction is expected to close in the fourth quarter of 2010. The remainder of L-1’s business – Secure Credentialing Solutions, Biometric and Enterprise Access Solutions and Enrollment Services – will transition to Safran. These businesses are expected to have combined revenues of $486 million for the 2010 fiscal year.
3M’s acquisition of Cogent adds biometric expertise to the 3M’s secure document business and provides marketing muscle to enable expansion of the Cogent technology.
Safran will integrate L-1’s operations into its subsidiary, Morpho, a leading provider of biometric and secure ID solutions for homeland security and other high security sectors. Integrating L-1 into Morpho will increase Safran’s holdings significantly in this area, Sarangan says. “Morpho produces a lot of technologies that L-1 does, but L-1 has a bigger reach in the U.S. market,” he explains. “So it gives (Safran) an opportunity to get more brand recognition in the U.S.” Safran vastly expanded its foothold in the U.S. market in 2009, when the company acquired 81% of GE’s homeland security business. The L-1 merger will enable Safran to get into the technology side as well. “It helps them in building more comprehensive and integrated solutions (adding) biometrics into other security technologies,” Sarangan says.
Still, there are regulatory risks involved in the acquisition, New York investment firm Morgan Joseph wrote in a report on L-1. “We recommend that investors lock in gains at the open because we think that the downside risk from regulatory approval, while not great, does outweigh any upside potential,” the report stated. Morgan Joseph lowered its rating of L-1 from “buy” to “hold,” citing the unlikelihood of a higher bid for the company and the risk from required regulatory approvals.

3M/Cogent deal contested

In another move on the consolidation front, officials announced in August that 3M would acquire Pasadena, Calif.-based Cogent Systems for $943 million, or $10.50 per share. So far the deal hasn’t been well received by analysts. Fishbein, who tracks Cogent for Lazard Capital, says 3M’s offer greatly undervalued Cogent, which could have demanded at least $12.50 per share, or $1.1 billion. A Lazard report estimates Cogent’s fair market value at $15 per share, or $1.3 billion. “I think they did their shareholders a disservice by selling out at such a low price,” he says. “They took a low-ball offer, in our opinion.” Apparently shareholders thought so, too. Between Aug. 31 and Sept. 16, nine plaintiffs filed class-action lawsuits against Cogent, its directors and 3M. Three suits were filed in Delaware Chancery Court and six were filed in the California Superior Court for Los Angeles County. On Oct. 6, the Delaware court denied a shareholder motion to block the acquisition, according to a Lazard report. The suit alleged that Cogent failed to consider a “preliminary, non-binding indication of interest” at $11 to $12 per share from NEC before accepting 3M’s proposal. NEC has not been in communication with Cogent since it accepted 3M’s offer, per court proceedings, the report states. Meanwhile in California, the six suits have been consolidated, and the court stayed the cases until Nov. 2. Lazard believes the pending lawsuit won’t stop the acquisition.
3M stated the allegations are without merit. Because of the risk of further legal review, Lazard downgraded its rating of Cogent to “hold” from “buy.”
Legal wrangling aside, Fishbein believes the acquisition positions Cogent to compete better in a global environment. “(Cogent) should be better under 3M’s reign because 3M has a lot more marketing muscle and a lot more scale from a company perspective,” he says. The acquisition gives 3M a new technology platform to sell. Cogent provides finger, palm, face and iris biometric systems for governments, law enforcement agencies and commercial enterprises.
3M already has an ID management business that includes border management products; document manufacturing and issuance systems for IDs, passports, and visas; document readers and verification products; and security materials, such as laminates, to protect against counterfeiting and tampering.

“Adding Cogent Systems’ products to our business strengthens our product portfolio and services in high security credential issuance and authentication systems and positions 3M’s business in law enforcement applications,” says Mike Delkoski, vice president and general manager, 3M Security Systems Division, in a statement. “It also expands our reach into access control and other commercial ID and authentication applications.”

Cogent had about $130 million in 2009 revenues and employs about 500 people.

Physical, logical unite

In a transaction that’s being viewed as a marriage of physical and logical access power players, HID Global in October announced that parent company Assa Abloy would acquire ActivIdentity for $162 million, or $3.25 per share. The transaction is scheduled to close in December. Assa Abloy of Sweden is a global leader in locks and access control equipment. HID is a world-leading manufacturer of proximity and contactless access control cards, card readers and solutions for the security industry. ActivIdentity, with $62 million in 2009 revenues, provides solutions for digital identity assurance. The company is headquartered in Silicon Valley, Calif., and employs more than 200 people worldwide.

ActivIdentity will become part of Assa Abloy’s HID Global business, and ActivIdentity products will provide the foundation for HID Global’s logical access offering. So the addition of ActivIdentity’s authentication and credential management technologies to HID Global’s Identity and Access Management business is expected to yield a more diverse portfolio of converged access offerings.

“The idea that has started to surface is how can you converge those so that at the end of the day, you would have one credential that would permit you access to a building and to your networks. It would substantially cut down on support costs,” says Frederick Ziegel, an analyst with Petoskey, Mich.-based Blue Water Capital Markets who tracks ActivIdentity.

ActivIdentity had already been working on the convergence concept for a while, having previously partnered with security systems manufacturer Hirsch Electronics and physical security provider Lenel Systems International. “I think what this acquisition puts in place is more substance to that whole concept,” Ziegel says.

The acquisition comes at a time when, according to Ziegel, the federal government and the Department of Defense are beginning to mandate converged solutions for physical and logical access. “The DOD by far has the biggest deployment of smart cards, which coincidentally happen to have been supplied to them by ActivIdentity,” Ziegel says. “So their whole idea is to have a single credential enable some DOD personnel to be able to go from building to building and from network to network without having to worry about carrying around a pocket full of credentials or a pocket full of passwords. There’s an enormous cost savings to all of that.” ActivIdentity has already received some orders for physical logical access from a few federal clients, including the Lawrence Livermore National Laboratory, Ziegel says. “I think this is going to drive a pretty big market over the next few years,” he says.
Health care’s security breach
Smart cards key to eliminating ID theft and billions in fraud

Michael Magrath, Director, Business Development, Government and Healthcare for Gemalto, CSCIP

Identity theft is common in the banking world and online, but now it is also lurking where Americans are told to feel the most protected – hospitals. The frightening reality is that there is little to no identity management, much less protection, in our health care system today.
At the heart of this issue are two fundamental challenges: (1) the transition from a paper-based record system to electronic health records in the U.S. and (2) the implementation of strong authentication of individuals requesting access to medical records. This summer, President Obama said that all Americans must have electronic medical records within five years. Digital records, he said, will save billions by cutting waste and eliminating repeated tests and errors. Providers who do not comply by the 2015 deadline will face cuts in Medicare payments. It is critical for this transition to occur in a way that not only establishes online records but also implements security strong enough to resist outside breaches. In order to protect patient privacy and security there must be a very high level of assurance that every person within the system is who they claim to be. Obviously this applies to patients, but it also applies to everyone accessing sensitive medical records – physicians, nurses, EMTs, therapists, administrative personnel, etc. Moreover, this applies to both physical and virtual identity presentation.

Because of this, health care fraud and identity theft are growing at an alarming rate and becoming very well organized. Recently, federal authorities shut down a 44-member crime ring responsible for two massive health insurance fraud schemes. The $100 million scheme to defraud Medicare and private health insurers in the state of New York was the largest in history.

How did this fraud attempt become so massive? The indictment alleges the defendants operated at least 118 bogus medical clinics in 25 states, each submitting fraudulent claims using identities stolen from both doctors and patients. Medicare eventually shut down the fake clinics, but not before $35 million in false claims had been paid out.

In early 2011, it is expected that President Obama will sign the National Strategy for Trusted Identities in Cyberspace (NSTIC) to combat fraud and identity theft. Among other things NSTIC calls for strong authentication for certain types of online activity. Because of its sensitivity and personal privacy implications, access to electronic health records is referenced throughout the early drafts.

Breaking Down the Numbers

A 2010 report by the National Health Care Anti-Fraud Association stated that the U.S. health care system sees $100 billion a year in medical fraud. To date, most information from patient documents was stolen via inside access, such as doctors or nurses selling patient information. However, a rising trend finds hackers stealing information online and submitting false claims through the Medicare system. Stolen information such as social security numbers and addresses is used to submit false claims in the names of past patients. About 9% of U.S. adults have been victims of identity fraud, with 6% of those cases classified as medical identity theft. This translates to about 1.4 million people, according to survey results from the Ponemon Institute’s National Study on Medical Identity Theft. The average total cost to resolve a medical identity theft incident, according to the survey, exceeded $20,000. But it isn’t just money that patients are sacrificing – it’s their health. Misdiagnosis or incorrect treatment can cause serious injury or even death if a person’s medical information is entered into another patient’s record.

A common cure

Both medical fraud and identity theft can be addressed through the same solution: strong identity assurance and verification of both the patient and the provider. Implementing standards-based smart card technology in the health care system has the potential to completely revitalize the records system. Patient identification can be securely stored on a chip with built-in tamper-resistance features that make it extremely difficult to duplicate, hack or forge. Smart cards support advanced cryptographic methods to secure data on the card and can be used as secure tokens to provide authenticated access to health care information. They can also be used in conjunction with biometrics to provide the highest levels of security. For example, a health care provider could have a biometric template – e.g., a fingerprint – stored and matched on their smart card to provide three factors of authentication, preventing an unauthorized person from accessing, stealing or misusing patient identification. In the case of the previously mentioned Medicare fraud ring, a smart card enabled system could have stopped the fraudulent claims. To enable this protection, smart cards would need to be issued to properly vetted medical professionals and patients. At the point of treatment both the patient and provider would authenticate themselves using a PIN or biometric to acknowledge that the specific treatment was administered and the specific medications or medical equipment prescribed. Both the patient and physician would then use their card to digitally sign the claim, which would be electronically transmitted to Medicare. Because the signing key never leaves the card, a stolen name and number alone are not enough to produce a claim that verifies.
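The dual-signature step above, written out as an added example (this is not code from the article or from Gemalto): a claim is accepted only if both the patient and the provider named in it are enrolled and both signatures verify over the claim exactly as received. Ed25519 from the Go standard library stands in for the card’s on-chip signing key, a map stands in for the issuer’s certificates, and the PIN or biometric that unlocks the key on a real card is assumed rather than modelled. All identifiers and amounts are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Claim is the treatment record that both the patient and the provider sign.
// Marshalling a struct gives a fixed field order, so signer and verifier
// sign and check identical bytes.
type Claim struct {
	PatientID  string `json:"patient_id"`
	ProviderID string `json:"provider_id"`
	Treatment  string `json:"treatment"`
	AmountUSD  int    `json:"amount_usd"`
}

// SignedClaim is what would be transmitted to the payer.
type SignedClaim struct {
	Claim       Claim
	PatientSig  []byte
	ProviderSig []byte
}

// Registry stands in for the issuer's record of vetted identities and their
// public keys (hypothetical; a deployment would use certificates instead).
type Registry map[string]ed25519.PublicKey

// Enroll generates a key pair for a vetted identity and records the public
// half. The private half is what lives on the card and never leaves it.
func Enroll(reg Registry, id string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[id] = pub
	return priv, nil
}

// Sign is the operation the card performs after a PIN or biometric unlock.
func Sign(priv ed25519.PrivateKey, c Claim) ([]byte, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// Verify accepts the claim only if both named parties are enrolled and both
// signatures cover exactly the claim as received.
func Verify(reg Registry, sc SignedClaim) error {
	b, err := json.Marshal(sc.Claim)
	if err != nil {
		return err
	}
	parties := []struct {
		id  string
		sig []byte
	}{
		{sc.Claim.PatientID, sc.PatientSig},
		{sc.Claim.ProviderID, sc.ProviderSig},
	}
	for _, p := range parties {
		pub, ok := reg[p.id]
		if !ok {
			return fmt.Errorf("%s: not an enrolled identity", p.id)
		}
		if !ed25519.Verify(pub, b, p.sig) {
			return fmt.Errorf("%s: signature does not match the claim", p.id)
		}
	}
	return nil
}

func main() {
	reg := Registry{}
	patientKey, _ := Enroll(reg, "patient-4711")  // constructed identifiers
	providerKey, _ := Enroll(reg, "provider-0815")
	claim := Claim{PatientID: "patient-4711", ProviderID: "provider-0815", Treatment: "office visit", AmountUSD: 120}
	ps, _ := Sign(patientKey, claim)
	rs, _ := Sign(providerKey, claim)
	genuine := SignedClaim{Claim: claim, PatientSig: ps, ProviderSig: rs}
	fmt.Println("genuine:", Verify(reg, genuine))

	// Stolen identifiers without the cards: the fraudster can only sign with
	// keys that are not the enrolled ones.
	_, stolenIDsOnly, _ := ed25519.GenerateKey(rand.Reader)
	fs, _ := Sign(stolenIDsOnly, claim)
	fmt.Println("forged: ", Verify(reg, SignedClaim{Claim: claim, PatientSig: fs, ProviderSig: fs}))

	// Alteration after signing is detected as well.
	altered := genuine
	altered.Claim.AmountUSD = 12000
	fmt.Println("altered:", Verify(reg, altered))
}
```

A production version would add a date and a claim number to the signed structure so that one signed claim cannot be resubmitted, and would check certificate revocation so that a lost card can be cut off.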
The European connection

The use of smart cards in the health care system is not a novel idea. The technology has been used across Europe and has been in place in some countries since the early 1990s. In February of this year Bulgaria began deploying smart cards from Gemalto to secure access to personal health records for the country’s military personnel and their families. Patients and doctors use the cards to access personal data online; access is granted only after both simultaneously insert their cards and enter their PINs. The personal electronic health record is a complete electronic archive of the patient’s medical history. It stores all existing medical documentation, including laboratory tests and results, X-ray pictures, all visual tests, electronic prescriptions, etc. It also contains the patient’s blood group, allergies, genetic predisposition to diseases, health check-ups and surgical interventions. The personal electronic health record enables providers to immediately access a patient’s medical data and therefore make more accurate decisions. Bulgaria is just one country utilizing Gemalto’s smart cards for medical technology advancements. Other countries including France, Germany, Slovenia and Algeria are providing ID cards for two-factor authentication, sharply reducing the opportunity for identity theft and implementing safer medical procedures and data storage.

[Figure: Ramifications of medical identity theft]

Even though the White House is enforcing a zero-tolerance approach to health care fraud, it will continue until the U.S. implements stronger identity management and authentication practices for patients and providers. Authenticating identity and issuing proper credentials is a solid first step in modernizing the U.S. health care system. By taking this step, patients, medical professionals and insurance agencies can benefit from the increased efficiencies and built-in protections provided by a strong identity credential.

About the author

Michael Magrath is business development director for the security division of Gemalto North America. He is responsible for strategic marketing, business development and government affairs activities in the government and health care sectors.
Widespread authentication catches on

Google, Facebook and Amazon add two-factor ID

Ross Mathis, Contributing Editor, AVISIAN Publications

Since its launch in 2006, millions of organizations have made the switch to Google Apps. 30 million users now depend on the messaging and collaboration tools that make up the Google Apps suite. Google Apps is a series of Web-based applications with offerings – email, calendar, word processing and spreadsheet – comparable to those found in traditional office software bundles. PhoneFactor, a provider of phone-based multi-factor authentication, believes more companies would convert to these cloud-based applications if they were confident in the security measures available. Cloud computing can enable a company to save money on IT expenses by reducing software and hardware purchases. But in a recent survey conducted by PhoneFactor, cloud services including Google Apps, Amazon Web Services and SalesForce were rated only moderately secure or worse by three-quarters of respondents. To meet the need for improved security and particularly this increasing need for multi-factor authentication, Google announced at its annual European event dedicated to cloud computing the availability of two-step verification across Google Apps accounts, mainly in business environments. For Google Apps Premier, Education and Government Editions, administrators now have the ability to secure user logins with a combination of the conventional username and password plus a one-time verification code delivered to the user’s mobile phone. According to Google this will add an extra layer of security to fend off risks like phishing scams and password reuse. Once a user enrolls in two-step verification they can select whether they want to receive the verification code as an automated text message or phone call. Users with smart phones can also download the Google Authenticator app, available for Android, BlackBerry and iPhone, which can generate verification codes without a network connection. Either way, the next time the user signs in to their Google account on a new browser or device, they enter their traditional username and password and are prompted to enter the one-time verification code. Users can opt to check “Remember verification for this computer” to enable 30 days of unfettered access for that specific browser. “The two-step verification process helps protect a user’s account from unauthorized access should someone manage to obtain his or her password,” says Google. “Even if a password is cracked, guessed, or otherwise stolen, an attacker can’t sign in without access to the user’s verification codes, which only the user can obtain via their own mobile phone.” Google says the feature will be added to Google Apps Standard Edition as well as individual Google user accounts in the coming months. “We think phone authentication is going to be the dominant authentication going forward,” says Steve Dispensa, co-founder and chief technical officer at PhoneFactor. “So we’re happy to see Google embracing it.”

[Figure: Primary barriers to adoption of cloud services. Source: 2010 Cloud Computing Survey, PhoneFactor]
PhoneFactor offers a two- or three-step authentication system for cloud computing sites. The first two factors are a password and a phone. The third factor is a biometric voiceprint. Users type in their username and password, then their phone rings and they are prompted to speak their pass phrase. The system validates the pass phrase itself and also checks that it was actually the authorized user saying the phrase.
In the study conducted by PhoneFactor, more than 300 information technology professionals were surveyed from a wide variety of industries, questioning their organizations’ current and planned use of cloud computing, the perceived benefits of making the change and what is holding them back. Results indicated a major interest in cloud computing because of cost and scalability, but an equally strong fear about whether security in the cloud would be adequate. “The interest is definitely there, but 42% of respondents said that security had really stopped them, prevented them from adopting cloud computing,” Dispensa says. “We heard that echoed in the user comments that we collected toward the end of the survey as well.” The security necessary for cloud computing isn’t typical either. “It goes beyond the traditional ‘put up a firewall and run a virus scanner,’” says Dispensa. “You really have to trust your cloud service provider to take a couple extra steps beyond that, keeping cloud services clean not only of traditional viruses but also things like cross-site scripting and SQL injection attacks, all of which seem to haunt so many Web-based cloud service providers.” When asked what security measures were critical to securing the cloud, 81% of respondents cited multi-factor authentication. “A lot of people are in regulated environments that literally require the use of multi-factor authentication, so a cloud-based application that doesn’t offer multi-factor is just off the table,” Dispensa says. “But even if you’re not in an environment where you have an explicit regulation to use multi-factor authentication, clearly the industry best practice today includes multi-factor for any kind of remote access.”
Software exists that is explicitly designed to watch Web sites and steal users’ passwords as they log in. A piece of malware could sit there and grab your password as you type it on your keyboard. “That’s not an unknown, that’s not a theoretical attack,” Dispensa says. “That attack is costing online banking providers, for example, millions of dollars a year in losses.”

Facebook adds OTP option

Facebook, too, has recognized the need for stronger authentication. The popular social networking site unveiled a new service that supplies users with one-time passwords for temporary login needs. “We’re launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports,” says Jake Brill, Facebook product manager. Users simply text “OTP” (one-time password) to the number 32665 from their mobile phone, and they receive a randomly generated, temporary password. The password can only be used once and expires in 20 minutes. At that point the system reverts to the original password. In short, this means that if a public computer has been infected with password-stealing malware the only thing lost is the temporary password, which cannot be used again. The feature is currently only offered in the U.S., but Facebook says it is rolling this out gradually and it should be available worldwide in the near term.

Amazon Web Services goes key fob route

Users of Amazon Web Services can add an additional layer of security in the form of a physical OTP token. In addition to the standard login credential, users must enter a valid six-digit, single-use code from the hardware device before access is granted. Gemalto, endorsed by Amazon Web Services for this purpose, is offering its Ezio Domino key fob. The user simply presses a button on the time-based token and a unique six-digit one-time password is displayed. The generated password is only good for one access attempt within a short time interval. “Cloud computing and Web services are experiencing strong adoption within enterprise accounts,” says François Lasnier, vice president and general manager of Gemalto’s North American security business unit, “and it is essential to ensure only appropriate users are gaining access.” At each login, access is granted only after the correct combination of Amazon email ID and password plus the code from the authentication device is provided. This multi-factor authentication combines something the user knows, the e-mail address and password, with something the user has, the authentication device, to ensure only authorized users access the AWS account.
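The offline codes described in this article, from the Google Authenticator app and from a time-based hardware token such as the one offered for AWS, are time-based one-time passwords in the RFC 6238 sense. As an added example, not code from Google, Gemalto or PhoneFactor, the following Go program generates such codes and shows the server-side check a practitioner wants: a small clock-skew window, a constant-time comparison, and rejection of any code for a time step at or below the last step already accepted, which is what makes a code captured by keylogging malware worthless once the legitimate login has consumed it. The secret is the RFC 6238 test secret; nothing is taken from a real deployment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Step is the length of one time step in seconds: the RFC 6238 default, also
// used by Google Authenticator.
const Step = 30

// HOTP is the RFC 4226 code for one counter value: HMAC-SHA1 over the
// big-endian counter, dynamic truncation to 31 bits, low six decimal digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is HOTP with the counter derived from the clock (RFC 6238). This is
// what a fob or a phone app computes with no network connection.
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix())/Step)
}

// DecodeSecret parses the base32 string handed out at enrollment.
func DecodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// Verifier is the server side. It tolerates a little clock skew but never
// accepts a code for a time step at or below the last one it accepted, so a
// replayed code fails even inside the skew window.
type Verifier struct {
	secret   []byte
	skew     int64  // steps accepted on either side of "now"
	lastUsed uint64 // highest counter already consumed
	hasUsed  bool
}

func NewVerifier(secret []byte, skew int64) *Verifier {
	return &Verifier{secret: secret, skew: skew}
}

// Verify checks code against now and records the step it consumed.
func (v *Verifier) Verify(code string, now time.Time) bool {
	cur := int64(uint64(now.Unix()) / Step)
	for d := -v.skew; d <= v.skew; d++ {
		c := uint64(cur + d)
		if v.hasUsed && c <= v.lastUsed {
			continue // replay of an already-consumed step
		}
		// Constant-time compare so response timing leaks nothing about digits.
		if hmac.Equal([]byte(HOTP(v.secret, c)), []byte(code)) {
			v.lastUsed, v.hasUsed = c, true
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret "12345678901234567890" in base32; not a real key.
	secret, err := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Unix(1111111111, 0)
	code := TOTP(secret, now)
	v := NewVerifier(secret, 1)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

The skew window is the usual compromise for tokens whose clocks drift; keeping it to one step either side limits an attacker who has captured a code to a window of about a minute, and the consumed-step rule closes even that once the real user has logged in. A text or voice delivered code (the other option the article describes) is checked the same way on the server, but its secrecy also depends on the phone network.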
IRON Act veto impacts ‘national strategy’

Timothy S. Reiniger, Director of the Digital Services Group, FutureLaw

In October the White House Press Office announced that President Obama would “pocket veto” H.R. 3808 (the Interstate Recognition of Notarizations Act of 2010), commonly known as the “IRON Act.” The Bill, first introduced by Rep. Robert Aderholt in 2005, had passed the House of Representatives in April and the Senate in September. In his veto message, the President expressed concerns about possible unintended consequences for consumers, including foreclosure victims.
Consumer groups had expressed concerns that the bill would remove mortgage foreclosure victims’ ability to challenge unlawfully notarized documents, including the use of electronic signatures. However well intentioned, these concerns were misguided. In reality, the IRON Act would not change the legal standing of the notarization. The irony is that the IRON Act would actually have strengthened consumer protections by requiring, for the first time, that authentications of electronic documents in interstate commerce be rendered tamper resistant. The veto also was a setback to the National Strategy for Trusted Identities in Cyberspace (NSTIC). The “trustmark,” a key consumer trust component of the contemplated identity ecosystem, shares the same requirements for forgery protection and interstate court recognition as the notary’s electronic seal. Like the property title system, the identity assurance ecosystem requires the existence of a legal foundation for document authenticity. During 2006 hearings before a subcommittee of the House Judiciary Committee, the IRON Act was promoted by trial lawyers, court reporters and notaries. There was no opposition from the courts, consumer groups, banking industry or trade organizations.

What the IRON Act does

The IRON Act reduces uncertainty and error in interstate commerce, reduces costs associated with unnecessary document rejection by courts, spurs technological innovation, and promises greater security for properly performed notarizations. Because courts are not currently required to honor notarizations, properly notarized paper documents are often rejected by courts in sister states because of varying or unrecognized seal practices. The IRON Act remedies this problem by establishing a minimum reliability standard for all notarized documents – whether paper or electronic – and obligating state and federal courts to recognize lawful notarizations.
The IRON Act doesn’t prevent a foreclosure victim or any other relying party from challenging the validity of an affidavit or other notarization. In our legal system, every notarization can be challenged by evidence of fraud, duress or other unlawful conduct. Opponents have misinterpreted the IRON Act as somehow converting the notarization into a type of judicial act that cannot be challenged. Additionally, the IRON Act doesn’t remove the universal requirement that signers appear in person before the notary. In fact, except for the mandate that a seal of office be affixed to a paper document, the IRON Act in no way affects any current state regulation overseeing the credentialing and administration of notaries. By addressing the notarized document itself and not the requirements that govern commissioning and practices, the IRON Act introduces no new federal regulations over notaries.

Trustmarks link identity assurance to electronic records and signatures

The IRON Act is based on the fact that the notary’s seal – or trustmark – performs a critically important function for courts in determining the admissibility of evidence. Unfortunately, only seven states currently have a tamper resistance requirement for electronic notarizations. The IRON Act, therefore, for the first time sets a national baseline for security and fraud protection for all notarized electronic authentications. It specifies that the notary’s electronic seal information must be “securely attached to, or logically associated with, the electronic record so as to render the record tamper-resistant.” The bill further defines “logically associated with” to mean that “the seal information is securely bound to the electronic record in such a manner as to make it impracticable to falsify or alter, without detection, either the record or the seal information.” In practice that binding is a digital signature computed over the record and the seal information together, so that a change to either invalidates the signature.
The IRON Act intentionally builds on existing non-notary federal security requirements for electronic records. Its method for issuing electronic public documents is consistent with the international guidelines of the Hague Conference on Private International Law. Those guidelines also require tamper-resistant technology for documents bearing the official seal of a state or federal government authority in order for that document to be recognized internationally.

Relation to the National Strategy for Trusted Identities in Cyberspace

Both public and private sector participants view trust in online access to networks, the secure exchange of authentic information and the overall identity ecosystem as essential to enable greater citizen use of government data and participation in the digital economy. In particular, for electronic documents to be reliable over time, a mechanism in the form of a protective electronic seal or trustmark is necessary. NSTIC specifies that “to maintain trustmark integrity, the trustmark itself must be resistant to tampering and forgery; participants should be able to both visually and electronically validate its authenticity.” Although not originally conceived with the NSTIC in mind, the IRON Act would greatly enhance the objectives of the national strategy by requiring notaries to affix electronic seals in such a way as to prevent forgery of the seal and the document itself. In its current form, the IRON Act’s tamper-resistant approach to the notary’s seal mirrors NSTIC’s security requirement for the trustmark. In vetoing the IRON Act, President Obama expressed a desire to work with the Congress to pass the bill. This will provide an ideal opportunity to enable consumer confidence in both electronic document authentications and in the trustmark component of the NSTIC identity ecosystem. There remains an important need for the IRON Act and, above all, for mandated interstate recognition of document and identity trust frameworks based on tamper-resistant official seals and trustmarks.
About the author Timothy Reiniger testified on the IRON Act in March 2006 and helped draft the electronic provision of the Act while executive director of the National Notary Association. He specializes in digital trust law and policy, including document authentication, and currently serves as Director of the Digital Services Group of FutureLaw in Richmond, Va.
Common Access Card continues to pave the way
Department of Defense explores future form factors, PKI applications

Zack Martin, Editor, AVISIAN Publications

It was 10 years ago this past October that the first U.S. Defense Department Common Access Card was issued. Since then the largest U.S. agency has issued 24 million of the smart card-based secure credentials. In that time the staff at the Defense Manpower Data Center (DMDC), the group within DOD responsible for issuing the card, went from simply issuing an ID card to truly managing identity, says Mike Butler, deputy director of identity services at the DMDC. Butler was with the Defense Department when it first issued the credential and rejoined the agency in August after three years away. “In 2000, 2001, 2002, we (DMDC) saw ourselves as card issuers, but somewhere in that time frame there was this shift. It’s not really ID cards – although that’s technically what we do – it’s really identity,” Butler says. “At that point came the full embracing of the PKI process within DMDC.” The changes that the Common Access Card created within the agency were, at the time, widespread, Butler says. There was no ID for civilian employees, and there were separate cards for reservists and active duty personnel. The Common Access Card put everyone on the same footing. Some may say the Common Access Card paved the way for the PIV credentials carried by federal employees across the country. Others go even further, calling it the example for all high-tech, PKI-enabled IDs. The Defense Department is in the process of replacing the original card with a PIV-compliant credential, but the future Common Access Card may look very different than today’s version … both in terms of its applications and its physical form factor.
PKI is the difference

Public key infrastructures still have a reputation for being time consuming and costly to deploy and maintain. But the Common Access Card is helping to change that line of thinking. Without PKI the Common Access Card would be just another ID, says Scott Jack, director of identity assurance for DOD PKI. “The PKI literally binds the human identity to a virtual identity in cyberspace,” he says. “It cryptographically asserts an identity that’s been proofed and vetted for the lifetime of the credential.” Using PKI for electronic communications is as good as having an individual sign a piece of paper in person, Jack says. “The recipient can be assured through the certificate validation that the person who sent the message is who sent it.” PKI has become the killer app for the credential, Butler says. “We were always looking for that killer application and when it started coming in I wasn’t sure that PKI was that app,” he says. After returning to DOD after three years and using the Common Access Card every day to sign and encrypt email and access networks, he more fully realizes its importance. Butler contrasts the DOD use of PKI with other PKI-enabled ID programs such as citizen e-IDs. “Most credentials given to citizens are used once or twice a year and there’s very few places to use them,” Butler says. “I can’t get on the network without my CAC so every single day it has to be used. That is what differentiates it from other programs.” Since 2006 the Common Access Card has been required to log in to Defense Department networks, and more than 90% of network authentication is done cryptographically, Jack says. But the credential has not always been so popular. When first rolling out the Common Access Card it took 15 to 20 minutes to issue each credential, Jack says. “Leadership at every echelon were seeing productivity loss because people were standing in line,” he says. “Any kind of change for a workforce of more than 3.6 million will create some problems.”
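To make the certificate validation Jack refers to concrete, here is an added example in Go (not DOD or DMDC code) built on the standard library’s crypto/x509. A constructed root CA issues a three-year identity certificate, and a relying party believes the name in it only if the chain builds to a root it trusts, the certificate is within its validity period at the time of use and it is permitted for client authentication. The CA name, subject name and dates are invented; revocation checking (CRLs or OCSP), which any production PKI also needs, is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is an issuing authority: relying parties trust Cert; Key signs what it issues.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	next int64 // last serial number issued
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root valid for ten years from base.
func NewCA(name string, base time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             base.Add(-24 * time.Hour),
		NotAfter:              base.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key, next: 1}, nil
}

// Issue binds a vetted person's name to a fresh key pair for three years, usable for network logon and e-mail.
func (ca *CA) Issue(name string, from time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ca.next++
	cert, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    from,
		NotAfter:     from.AddDate(3, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}, ca.Cert, &key.PublicKey, ca.Key)
	return cert, key, err
}

// Identity is the relying party's check: chain to a trusted root, validity at the time of use, permitted use.
func Identity(roots *x509.CertPool, cert *x509.Certificate, at time.Time) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// IsExpired reports a failure caused by the credential being outside its lifetime.
func IsExpired(err error) bool {
	var e x509.CertificateInvalidError
	return errors.As(err, &e) && e.Reason == x509.Expired
}

func main() {
	base := time.Date(2010, 12, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	ca, _ := NewCA("Example Root CA", base)
	cert, _, _ := ca.Issue("Jane Doe", base) // constructed subject
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	name, err := Identity(roots, cert, base.AddDate(1, 0, 0))
	fmt.Println("within lifetime:", name, err)
	_, err = Identity(roots, cert, base.AddDate(4, 0, 0))
	fmt.Println("after lifetime, expired:", IsExpired(err))
}
```

The lifetime check is what gives "vetted for the lifetime of the credential" its meaning: a certificate from a root the relying party does not trust, or one used outside its validity period, yields no name at all rather than a name with a warning.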
Translating experience from government ID to citizens

Mike Butler has more than a decade of experience in the identity business for the federal government. He’s now back where he started, rejoining the U.S. Defense Department’s Defense Manpower Data Center as deputy director of identity services. In a recent discussion with Re:ID, Butler talked about government credentialing programs, but he also shared some thoughts on issues around identity and citizens. Many of these issues are being discussed in the National Strategy for Trusted Identities in Cyberspace, and Butler says the federal government and technology providers need to find solutions. The Defense Department is going to look at mobile devices and other form factors for credentialing, but Butler says that smart cards will be the standard for federal employees and contractors for the next few years because of the investment made in infrastructure. For others who do business with the federal government, however, the smart card may not be used. “Once we move outside of those core populations, smart cards probably aren’t the answer,” Butler says. “I’m accepting the fact that a smart phone would be a great way to do this.” He says the government should work with outside providers so that federal employees, who have anchored identities that have been vetted, can have a credential that can be used in the private sector. “We’ve never really been able to get our arms around that and make it work,” he says. One of the most challenging and expensive parts of a credentialing program is the original identity vetting and the effort required to keep it current. The federal government has been able to solve this issue, so why not give employees the option to use it in other areas? “It would be a great thing to be able to transfer that anchored identity into government or non-government use,” he says. The smart phone would be the perfect form factor for this type of personal use credential. “People are carrying them and there’s no real additional hardware cost … we might be able to make that work,” Butler says. Hardware cost has made this a difficult goal, Butler says. “It’s been elusive because there always seems to be this huge cost factor that goes with it,” he says. “If you could get rid of the hardware and at least mitigate the in-person vetting piece, it might make good sense for everybody.” Butler says efforts are underway, but it won’t happen overnight. “I’m hoping maybe another six to nine months,” he says. “We’re going to start seeing some of the commercial guys come in and maybe lay out some opportunities for the government to partner.” Butler’s experience gives him unique insight and he is remarkably upbeat, saying, “I think this is the first time that we’ve had a chance that it may actually happen.”
Then there was the challenge of PKI-enabling applications on Defense Department networks. With many different applications and vendors involved this didn’t always go smoothly, Jack says. “But once it’s employed the value proposition becomes so demonstrative because you cut the overhead costs.” Performance reviews, travel and many other tasks are now handled electronically. According to Jack, “(thanks to the card) the typical DOD employee can touch and do many things in the virtual environment.”
PIV: Blessing or curse?

When HSPD-12 was signed in 2004 it would have appeared that the Defense Department would be in good shape. The largest federal agency already had smart cards issued and the infrastructure in place to support them. But the FIPS 201 standard veered from what the Defense Department was doing. “There was a requirement for a fairly major shift,” Butler says. The Defense Department is still adjusting for this shift, a situation that has brought criticism from both the Government Accountability Office and the White House Office of Management and Budget. Butler says the agency has taken some time to adjust to the new specification, but it is gaining momentum and there has been cross-agency use of PKI certificates with the U.S. Department of Veterans Affairs. The DOD has now issued more than 80% of the PIV-compliant Common Access Cards, Butler says; “we’re on track to continue moving that along.”

Other form factors on the horizon?

The Defense Department is planning to expand the use of PKI, including adding the technology to non-person entities such as routers, switches, hubs and even PDAs and laptops, Jack says. “The devices would have a PKI that is bound and vetted so it would be recognized on a digital level,” he says. They are also considering the use of other form factors, such as mobile devices, for credentials to log in to networks, Jack says. “We’re starting to look at technology that’s available to the commercial sector that comes in a number of different form factors,” Jack says.
The challenge with other form factors is finding a solution that still enables the Common Access Card to be used for physical access, Jack says. The credential’s primary use is for logical access control, but it is used for physical access as well. “We are seriously thinking about how we would do that,” he says.
Payment, transit and other applications

The Defense Department is also considering new applications for the card. The agency issued a request for information from vendors about adding an open transit fare collection application and an EMV stored-value payment application to the card. “It’s going to take a lot of time,” Butler says. “There’s FIPS testing and requirements, but it would absolutely have a return on investment in the Department of Defense. And we need to be looking at things like that.”

The DOD also wants to continue to strengthen its PKI and the business case for the credential, Butler says. “Using the CAC and PKI we may be able to better service data that’s up in the cloud, like back end authentication,” he says. “Being able to deliver people’s status – more than just PKI status of whether or not I’m still an employee but something – out to physical access systems and business systems.”

Ten years later and still getting stronger

Butler was at the Defense Department from the start of the Common Access Card but left to work on other aspects of the PIV card program outside of DOD. He was reminded of the credential’s impact when he restarted at the agency. “My first day back, I had to raise my right hand and swear back in as a government employee,” he explains. “It was actually kind of a thrill for me because there was a two hour seminar, which was not at DMDC, and a significant part of it was about the Common Access Card and if you don’t have one you can’t do anything.” “For somebody who’d only been gone from the department for three years, I kind of knew that,” he explains, “but as one of the folks who was here from the very beginning with the team that really made this happen, it was a real thrill.” It seems fitting that Butler would rejoin the program and his team as the Common Access Card reaches a series of major milestones, including its tenth birthday and its 25 millionth credential.

“It really does show you that if you’re just tenacious enough,” Butler concludes, “you actually can make something work.”

Lawsuit threatens federal ID programs
Big card vendors license patent portfolio

A lawsuit filed in federal court against the U.S. government brought the first public attention to a portfolio of smart card manufacturing patents owned by Leighton Technologies. The complaint alleges that the government is issuing smart cards that infringe on Leighton’s patents. Most of the patents involve a manufacturing technique known as hot lamination that is used in production of contact and contactless smart cards. Smart card officials, Leighton Technologies and government officials were not willing to talk about the lawsuit on the record. One executive did express concerns that the lawsuit could delay further PIV rollouts. But any delays were likely avoided, as the lawsuit seems to have had its intended effect. It leveraged client concerns to help persuade card vendors to pay up. Oberthur Technologies and HID Global agreed to license Leighton’s patents early on, and more recently Gemalto and AllSafe agreed. Gemalto’s license is an outcome of the Leighton Technologies LLC v. United States of America lawsuit. Though Gemalto was not a defendant, the company was given notice of the action by the U.S. Government because, as a government vendor, it might have an interest under applicable law. The lawsuit against the federal government still lists smart cards from Athena Smartcard Inc., Sagem-Orga and TecSec Inc. as violating Leighton patents. The six Leighton patents include:

1. 5,817,207: “Radio frequency identification card and hot lamination process for the manufacture of radio frequency identification cards.”
2. 6,036,099: “Hot lamination process for the manufacture of a combination contact/contactless smart card and product resulting there from.”
3. 6,214,155: “Radio frequency identification card and hot lamination process for the manufacture of radio frequency identification cards [sic].”
4. 6,441,736: “Ultra-thin flexible durable radio frequency identification devices and hot or cold lamination process for the manufacture of ultra-thin flexible durable radio frequency identification devices.”
5. 6,557,766: “Hot lamination method for a hybrid radio frequency optical memory card converting sheets into a web process.”
6. 6,514,367: “Hot lamination process for the manufacture of a combination contact/contactless smart card.”
‘National strategy’ delayed
Online ID initiative stalled by political and technical challenges Originally President Obama was supposed to sign the National Strategy for Trusted Identities in Cyberspace in September or October, an aggressive timeline considering the draft was released for comment in June. While some would say the delay was predictable, a delay till 2011 may point to some larger problems. Reports in early November point to a six-month review by government agencies, which would mean nothing is released until May. Other sources, however, are still pointing to a release soon after the New Year. The national strategy will create an “identity ecosystem” that individuals can use for high levels of identity assurance for banking and health care applications while also using it for lower assurance levels or even anonymous transactions. The idea is to provide a voluntary credential in some form factor that individuals could use to secure identity online.
One source says the initial delay was to make sure the strategy didn’t get politicized during the midterm elections. There were rumblings from some in Congress that the strategy could become an issue, so officials decided to hold it back. There was also jockeying within the government as to who will oversee the national strategy, a source says, though as of early November this issue seemed solved with the U.S. Department of Commerce taking the lead on the project. “People probably wouldn’t feel comfortable with Homeland Security heading an identity project,” says one source. The National Institute of Standards and Technology, which is part of the Commerce Department, is taking an active role, sources say. The organization has experience with identification standards, having worked on the FIPS 201 standard for federal smart cards as well as a number of key biometric standards.

Part of the reason for the delay is refining the implementation plan, which would be included in whatever President Obama signs, as well as specific case studies on how the strategy would be used in the real world. One particular case study looks at how the credential may be used in health care, a source says. The implementation plan would also look at building a federated trust framework, creating and certifying identity brokers, addressing legal issues and tackling enrollment and credentialing challenges. The group is also investigating how to encourage and provide funding for the adoption of a credential. The group is also refining the four levels of identity assurance. These levels, which have been spelled out by the White House Office of Management and Budget for use with the FIPS 201 program and PIV card for federal employees, are being redefined for use with the public. A matrix is being conceived to match the level of identity assurance with a specific task, a source says. For example, accessing the FEMA site to check on procedures for filing a claim from a natural disaster would require a low level of identity assurance, whereas actually filing the claim would require a higher level of assurance.

Goals of the National Strategy for Secure Online Transactions
• Foster the creation and adoption of federated identity frameworks that use a variety of authentication methods
• Encourage the use of authentication methods with well-understood security, privacy, usability, and cost characteristics
• Encourage the use of authentication methods resistant to known and projected threats
• Provide a general trust model for making trust-based authentication decisions between two or more parties
Newly approved FIPS 201 products

Research detailed product listings and compare different vendor offerings online at FIPS201.com, the most robust source for FIPS 201, HSPD-12, ISO 24727 and PIV products and services.

Certificate Validator
Path Builder, CoreStreet, Ltd.
nShield Edge, Thales e-Security, Inc.

Fingerprint Capture Station
Dactyscan84n, Green Bit Americas, Inc.

Facial Image Capturing Station
L-1 Camera Tower OLY E420, L-1 Camera Tower OLY SP350, L-1
PreFace SDK with Videology 24C7.38USB, PreFace SDK with Videology 24Z704USB, Aware, Inc.

G&D StarSign® Sm@rtCafé® Expert 80K with PIV Applet, Giesecke & Devrient

PIV Card Printer Station
SCOPE 5400, Muhlbauer, Inc.

Single Fingerprint Capture Device
ASEDrive IIIe KB Bio PIV, Athena Smartcard
FS98 USB2.0 Mini Fingerprint Scanner, FS99 USB2.0 Mini Fingerprint Scanner Module, Futronic Technology Co Ltd.

Caching Status Proxy
Brivo ACS Onsite Aparato, Brivo Systems, LLC

Athena ASEDrive IIIe Combo Bio PIV and KB Bio PIV
Modern applications for smart cards – such as digital signature, digital certificate verification and PKI – require higher performance smart card readers. ASEDrive IIIe Combo Bio PIV and ASEDrive IIIe KB Bio (keyboard) were carefully designed to ensure higher communication speeds to reduce the time needed for intensive operations such as cryptographic calculations. The readers support major international standards such as ISO 7816, EMV and PC/SC. All ISO 7816 compliant CPU-based smart cards and major memory cards are supported.

Electromagnetically Opaque Sleeve
One Hander Guardian, EK Ekcessories, Inc.

Transparent Card Reader
SCR339, SCM Microsystems, Inc.
ASEDrive IIIe Combo Bio PIV, ASEDrive IIIe KB USB, ASEDrive IIIe USB V2, ASEDrive IIIe USB V3, Athena Smartcard, Inc.
Omnikey 5321 CL SAM USB Card Reader, Omnikey 5321 CR USB Smart Card Reader, Omnikey 5321 USB Smart Card Reader, HID Corporation
Ricoh Smart Card Reader,
Two new NFC payment pilots launched by U.S. banks and carriers

Analysts had predicted 2010 would be the year of widespread near field communication rollouts and handset availability. But it looks like it will go in the books as the year of more testing.

The second half of the year did see two U.S.-based pilot programs announced by large players in the NFC ecosystem. AT&T, Verizon and Discover are working on a pilot, codenamed Mercury, in Minneapolis, Atlanta, Salt Lake City and Austin, Texas, according to media reports.

Participating customers will be able to pay for a variety of goods and services with NFC-enabled smart phones operating on Discover Financial Services’ payment network. T-Mobile also has a stake in the venture, as well as the UK’s Barclays, which will help manage users’ credit accounts. Trials are expected to commence in mid-2011, but participants have been unwilling to share details on the project.

In a separate project, Bank of America, Wells Fargo and Visa began a test of microSD cards and NFC payments in New York. This isn’t the bank’s first go-around with the technology. Bank of America employees tested the technology at the Charlotte, N.C.-based headquarters from Nov. 2009 till May 2010. In September, according to a Bank of America spokesperson, an undisclosed number of microSD cards were issued to customers to facilitate NFC transactions with BlackBerry and iPhone handsets. Participants download a mobile wallet application to operate the microSD card and enable transaction capability. Participants are also encouraged to use the payment method on the New York City Transit, which accepts any type of contactless payment card. Through the test BofA is hoping to find out if it needs to enhance its payment form factor options and find out how people use the mobile device for payments, the spokesperson says.

Still mulling business case

The pilots from the banks and the mobile service providers show that the business case for NFC still needs to be resolved. “It still comes down to figuring out between the issuers and the operators how they’re going to share the risk as well as the revenue for NFC,” says Randy Vanderhoof, executive director at the Smart Card Alliance.

Banks want to manage the payment application in the phone, but the mobile operators are hesitant to give up control of that secure element, Vanderhoof says. And even though the business case issues around NFC still exist, it’s not the reason the technology is being held up in the U.S. “The commercial availability of NFC handsets is the bigger delay,” he says. “Even if they could get together today and shake hands there are no handsets to deliver NFC.”

This may change in 2011, Vanderhoof says. Nokia is rumored to be offering multiple NFC-enabled handsets and the iPhone 5 is expected to include NFC. Since there are a limited number of handsets available, Vanderhoof says rollouts are forced to use microSD cards and other technologies. “Until we have multiple options for embedded NFC handsets for the consumer trials we’ll be limited to the type of trials that are using bridge technologies like microSD and stickers to see how well they perform in the field,” he says. Even though tests are using so-called bridge technologies, it still shows that progress is being made, Vanderhoof says. “These tests will go a long way to see what handsets work best with this type of technology,” he says.

Fed working on roadmap

The U.S. Federal Reserve is also working with industry on a roadmap for mobile payments, Vanderhoof says. He attended a meeting in October with other stakeholders for mobile payments, including mobile operators, financial institutions, technology providers and industry associations. “It’s getting everyone in the room together to discuss the technology and business case for mobile payments,” he says.

The group has worked to differentiate the various mobile payment models, Vanderhoof says. This is the fourth time they have met in 2010 and the position paper is due sometime in 2011.
Enabling payments on legacy hardware

While the lack of near field communication handsets may be hampering widescale deployments of the payment technology, there are some companies carving a niche in supplying solutions that enable NFC payments on existing handsets. DeviceFidelity’s microSD solution is being used in the Bank of America pilot in New York, says Deepak Jain, co-founder, CEO and president at DeviceFidelity. U.S. Bank, J.P. Morgan Chase and Wells Fargo in the U.S. as well as four major banks in France are also using the technology. The company was founded three years ago with the sole purpose of enabling payment on different mobile devices, Jain says. It delivered the first products in 2010. The primary technology is a microSD card where the Visa-approved payment credential resides, Jain says. For BlackBerry and Android devices the card is inserted into the device, the application downloaded, and then a user can start making payments. But DeviceFidelity also wanted a solution for the microSD-less iPhone, Jain says. It created an Apple-approved protective case that carries the microSD and can enable payments on the popular mobile device. Apple approved the cases in 2010 for the iPhone 3G, 3GS and 4.

At the issuing bank’s discretion, the microSD cards can be personalized with the individual’s information prior to being sent to the consumer or over the air, Jain says. If the card is personalized before delivery the consumer does not need to have data service on their phone. The application used to access the functionality of the microSD can either be downloaded from the app stores or from the microSD, Jain says. With the iPhone, though, it must be downloaded from the app store because of Apple’s requirements. The application is also customized for the bank issuing the card, Jain says. Whether or not a PIN or passcode is necessary to transmit the payment information depends on the particular financial institution or the consumer, Jain says. On the touchscreen phones a bar must be slid across the screen before the payment information is transmitted. Today, DeviceFidelity does not support other NFC use cases beyond payment, but they are on the company’s roadmap. “We’re waiting for a business case to emerge for supporting some of those additional features,” Jain says. In the next year Jain says they will begin supporting other mobile operating systems and the cards will be available in retail stores.
Opening the loop with transit programs
Bank-issued cards remove transit agencies from issuance game

Autumn C. Giusti
Contributing Editor, AVISIAN Publications

Transit riders are one step closer to ditching that stack of monthly transit passes and switching to a single card they can use to ride the train and make other purchases. Two more agencies have jumped to the front of the pack in a push for an open-payment system that would allow riders to use a bank-issued contactless card for public transit instead of a transit-issued ticket or card. In September, the Chicago Transit Authority issued a request for proposal for implementation of an open-loop payment program. Also that month, the U.S. Department of Defense put out a request for information on the addition of transit payment capabilities to its Common Access Card. “This is an evolutionary thing that’s happening right now,” says Phil Dixon, director of new product development for San Diego-based Cubic Transportation Systems, which provides fare payment infrastructure systems for the mass transit industry. “If we go back 20 years, all transit was done with coins and magnetic stripe systems. Then they went to contactless smart cards. Now, this is the next step – an open-payment system, with cards issued by banks or someone other than the transit agency.” In February 2009, the Utah Transit Authority became the first U.S. transit agency to launch a fare collection system that accepts contactless credit and debit cards from American Express, Discover, MasterCard and Visa. Open-fare pilot programs have also taken place with the transit authorities in New York, Los Angeles and San Francisco’s Bay Area. Additionally, an active procurement is underway for Washington D.C.’s transit system.

Lowering transit costs

Transit agencies are hoping to save money on ticketing and staffing by switching to an open-payment system. With closed-payment systems, the transit agency must buy the ticket stock and contactless cards, issue the fare media and provide support when customers have problems with their transit passes. An open-fare system could change that. “If you have a problem with your card, you’d call your bank first,” Dixon says. The key is finding a third-party issuer, such as a bank or a vendor, to issue the cards. “Transit agencies want to be considered a merchant, just like a Macy’s or any other organization that accepts payment cards,” Dixon says. “They would process transactions directly at the point of sale just like any other merchant.” Increased convenience for riders is another advantage of an open-loop payment system. “If you were able to show up and present your contactless bank card at the gate, you wouldn’t have to stop anywhere and buy the ticket,” Dixon says.

The next-generation CTA pass is expected to be a contactless smart card that operates as a standard credit or debit card, enabling riders to pay their fares and also use the card for other purchases. It is envisioned to be a prepaid card that would give customers the option of whether or not to tie the card to a bank account. CTA riders could also pay their fares with a bank-issued contactless credit or debit card. The current fare equipment was installed in 1997 and is reaching the end of its useful life, according to the CTA. They hope to be able to update the fare equipment without an upfront capital cost but still own the equipment installed by the vendor. They also expect to maintain control over fares.
In the first phase of the bid process, CTA received proposals from 12 private sector teams. Cubic is among those pursuing the contract. The transition is expected to save CTA the money it currently spends to issue transit cards and to manage the fare payment and collection system. “Reducing our expenses by continuing to leverage emerging technologies allows us to maximize our limited financial resources,” says Chicago Transit Authority President Richard Rodriguez in a statement. The CTA expects to begin the transition to an open-fare system this summer.
Defense’s new approach to transit In Washington, D.C., there is a heavy population of Department of Defense employees with Common Access Cards and there’s an interest in using those cards for transit payments. The Common Access Card is the standard ID for active duty military personnel, selected reservists, civilian employees and eligible contractor personnel. “It would be good for the transit agency because it’s one less card for them to issue and manage,” Dixon says.
The agency is seeking information from vendors on the addition of open-loop payment functionality to the credentials. Because the Common Access Card is compliant with FIPS 201, this approach could eventually be deployed on PIV credentials throughout government. The Defense Department wants an application that can work as a prepaid solution that is funded from single or multiple sources. The RFI states that the card should be fully functional in U.S. public transportation environments where the system architecture is compatible. Responses to the RFI were due in October.
Cubic drives open payments

In line with the payment trend, Cubic has been branching out to develop more open-fare payment systems and is pursuing contracts in the United States and Canada, including Chicago, Philadelphia and Toronto. “Part of what we’re doing to support agencies is building what they call account-based systems,” Dixon says. “We have created equipment that is certified by all the payment brands – MasterCard, Visa, Discover and American Express. So part of what we have to do is certify our system to those payment brand standards.” In September, Cubic was selected to conduct an open-loop payment pilot for Philadelphia’s Port Authority Transit Corp. The pilot, which will involve commuter trains between New Jersey and downtown Philadelphia, is scheduled to begin in early 2011. Cubic is the principal provider of ticketing operations for the Transport for London system and its multi-use Oyster card. Cubic and Transport for London previously worked with Barclays Bank in London to develop a card to host both the Oyster transit pass and Barclaycard Visa on a single piece of plastic. The first Barclaycards to include Oyster were tested in London in 2007. Now, Cubic is working on a full open-payment system for London’s buses to accept contactless credit and debit cards from Visa, MasterCard and American Express. The initial bus launch is scheduled to take place in early 2012, in time for the Summer Olympics that will take place there. If successful, the system is slated to later expand to the London Underground.
Apple: A love letter Identity and NFC rumors have staffers salivating for iPhone 5
I cannot tell a lie, I am an Apple fanboy. Most of us at AVISIAN Publishing are big fans of Apple products. We use them to write, edit and produce the magazines and Web sites we publish. Most of us also have iPhones and an iPad may be in my future (hint, hint boss). Even though the iPhone 4 has only been out for a few months, the Apple rumor sites have been filled with predictions for iPhone 5. If near field communication technology isn’t included in that version of the phone it will be shocking, as most seem to think it’s a given. Adding NFC and a wallet app to the iPhone shouldn’t be that difficult, but more intriguing rumors suggest that the iPhone 5 will use NFC to enable remote computing on select Apple computers. The phone would carry or point to a user’s desktop data and preferences and enable them to load it on to other NFC-enabled Macs. When a user waves the iPhone at a Mac, the computer would load all applications, settings and data … as if the user was sitting at their own computer. When the iPhone is out of range the Mac would return to its original settings. I’ve heard of many different NFC applications before but not one like this. I’m not sure how it would work, but it would easily be the coolest NFC application I’ve encountered. Also rumored in November was that Apple was working with Gemalto to develop an integrated SIM for its iPhone. The new built-in SIM may enable Apple to bypass mobile operators in offering service to its customers. Some say this indicates Apple is finally ready to deliver an iPhone with a mobile wallet. Apple has had other patent filings that show its interest in NFC. Concert Ticket + is a patent that could be used for any number of events, including sporting events, amusement parks and, of course, concerts. The app’s NFC interface would enable a user’s iPhone to communicate with other iPhones or various NFC-enabled devices and RFID tags, meaning that future tickets could be bought contactlessly at kiosks and turnstiles.

It could also enable peer-to-peer transfer of tickets, as well as allow companies to target the ticket purchaser with live recordings, exclusive content and vouchers for food and beverages. Adding NFC to the iPhone will give the technology a huge bump in the U.S., where a decent number of contactless merchant terminals are already deployed. If they launch even one of the applications above it would add an entirely new dimension to the device and make it a must-have upgrade around the AVISIAN offices.
Zack Martin Editor, AVISIAN Publications
Published on Jan 31, 2011