A SURVEY OF ID TECHNOLOGY - SUMMER 2015 - ISSUE 42
4%: PALTRY SPEND ON IDENTITY STYMIES USER AUTHENTICATION
Of the $77 billion to be spent on cybersecurity in 2015, a meager 4% will be devoted to identity and access management. Sadly, building higher walls and deeper moats still reigns. With the bulk of breaches caused by the much-maligned password, this lack of commitment to user authentication leaves the proverbial castle gate wide open.
Also in this issue: Securing the electric grid; Redefining ID convergence; Aiding refugees via biometrics
HOW DOES YOUR COMPANY IDENTIFY ITS VISITORS?
By providing ID badges instantly with an Evolis card printer. Evolis card printers include modules allowing personal data to be encoded within the card. You can, therefore, use your badges to secure access and strengthen security within your company. Evolis printers together with cardPresso software offer an easy-to-use and powerful system.
www.evolis.com
“I’m starting a new job, finishing my degree and I have a true passion for the arts. I’m proud of my work and the cards in my wallet represent my life.”
— Robert H., Marketing Director, Corporate Technologies
Every person in your program has multiple identities, and securing and protecting those identities is no small task. Datacard® ID solutions empower enterprises to protect what’s most important to them in an increasingly connected world with trusted, long-lasting, secure ID cards.
Visit Datacard.com/ReID to learn more by downloading your free ID Solutions Guide.
© 2015 Entrust Datacard Corporation. All rights reserved.
DATACARD GROUP IS NOW ENTRUST DATACARD
CONTENTS
6 Editorial: The identity disconnect. Breaches galore, pittance invested, creepy tech
8 ID Shorts: News and posts from the web
22 Cover Story: Cybersecurity leaves front gate unguarded. When it comes to cybersecurity, building taller walls and deeper moats is still the norm. But the front gate is unguarded as corrupt credentials account for two-thirds of breaches and a paltry 4% of cybersecurity spending goes to identity and strong authentication.
24 Cybersecurity: Taller walls, deeper moats but the front door is unguarded
27 Password problems plague federal agencies
28 Analysis: Identity is hard
Could states crack the digital ID dilemma?
30 Password managers address the cybersecurity problem
31 Security expert: Complexity negates password strength
34 Credential convergence takes hold in key industries. Health, finance lead charge to unite PACS and LACS
36 Pharmacy benefit manager deploying FIDO framework. Health org among early adopters of mobile biometric standard
37 Microsoft enabling multiple biometrics with Windows 10
38 Electric grid security standard creates opportunity and confusion. A new physical access standard aims to secure the electric grid, but is it enough? It should provide opportunities for vendors, but according to some industry advisers, that’s only if they can make sense of the specification.
41 Medical identity theft drives biometrics in health care
45 United Nations global biometric system streamlines relief to refugees. Refugees face untold challenges when they flee war-torn areas without identity documents. A UN agency is rolling out a global refugee biometric system to create permanent records that add speed and efficiency to aid delivery.
50 Biometrics secure next generation of mobile banking apps
54 GAO studies smart cards for Medicare
56 The key to future authentication: Be yourself
58 Advanced card materials enable advanced security features
60 re:ID national eID series: China, India dominate Asian issuance
62 Hong Kong eID tops 7 million cards
64 GSA to reveal physical access procurement changes
66 Bluetooth winning with Vegas hotel access
ABOUT
EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andrew Hudson, andrew@AVISIAN.com
CONTRIBUTING EDITORS: Liset Cruz, Autumn Cafiero Giusti, Gina Jordan
ART DIRECTOR: Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com
SUBSCRIPTIONS: Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.
ABOUT REGARDING ID MAGAZINE: re:ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2015 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD: Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com

THE IDENTITY DISCONNECT
BREACHES GALORE, PITTANCE INVESTED, CREEPY TECH
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
PERSPECTIVE
Let’s mull:
More than a billion user names and passwords are for sale on the dark web.
Two-thirds of breaches are caused by corrupted or misused user names and passwords.
Of the billions of dollars being spent on cybersecurity, only 4% is going toward identity and access management.
An executive for one of the more prominent online payment systems tells the media that consumers will be swallowing sensors – or having chips implanted in their brains – to secure online access.
The first three items are serious problems that show that identity is an enormous issue for enterprises and they don’t know how to deal with it. The last item shows the disconnect when it comes to identity technologies. We are still getting our heads around fingerprint scanners on mobile devices – I don’t know that consumers will ever be ready to ingest or implant something for access or identification. Yes, there are those random computer programmers who have placed RFID or NFC chips under their skin to show it can be done, but they are outliers. Ask Joe or Jane Q. Public if they would be willing and you would likely get a resounding “no.” Which is why when PayPal executive Jonathan LeBlanc started detailing different ID technologies that will “kill the password,” I was taken aback. According to LeBlanc’s Wall Street Journal interview, the next step is identification via our body functions:
“LeBlanc said that identification of people will shift from ‘antiquated’ external body methods like fingerprints, toward internal body functions like heartbeat and vein recognition, where embedded and ingestible devices will allow ‘natural body identification.’ These devices include brain implants and attachable computers, which ‘put users in charge of their own security,’ he said. Ingestible devices could be powered by stomach acid, which will run their batteries, he added.”
So in order to check my banking statement I’m going to have something inserted into my brain? I don’t think so. I’ve spent my career covering this industry, and this creeps me out. There are people who would embrace these advanced authentication technologies, but there are almost certainly far more who would oppose them strenuously. It was only months ago when Apple announced Touch ID that people were convinced that the fingerprints would be shared with the FBI or NSA. The vast majority of people don’t understand these technologies and we must move thoughtfully to have them adopted. Saying that consumers will be ingesting or implanting sensors is the wrong way to go, as we are still struggling through the non-creepy side of the authentication technology adoption curve. The industry can’t get people to use one-time password technology, so how does LeBlanc think PayPal will get people to swallow a pill? When discussions turn to consumer use of strong authentication technology it won’t be long before the word “friction” comes up. Yes, swallowing a pill and having it automatically transmit a signal authenticating the individual cuts down on the friction, but there has to be something in between. Identity providers, relying parties and consumers are going to have to make some changes in order to improve identity and reduce friction. All three parties will have to make some changes in order to secure cyberspace. There are plenty of solutions that can make online authentication easier and more secure that don’t require a consumer to swallow it or have surgery. The identity industry also needs to work on better selling its own technology. Touting the reasons why strong authentication and advanced identity and access management are necessary would be a good first step. Yes, identity is a hard sell to c-level executives because it’s hard to explain and can be complicated to deploy, even though it can cure a lot of ills. The same is true for consumers and as an industry we must never forget that fact … even during forward-looking WSJ interviews. Enterprises are hemorrhaging data and securing the front door – user credentials – should be one of the first efforts. Identity companies need to stress the importance of using these systems or the bleeding won’t be stopped and we could be heading to a true identity crisis.
Certification Training for E-PACS
About CSEIP
• The Certified System Engineer ICAM PACS (CSEIP) Training and Certification Program provides advanced training for systems engineers configuring and testing E-PACS to align with government-wide specifications
• This training and certification is recognized and approved by GSA
About the Training
• Comprehensive three-day program includes expert classroom instruction, hands-on training using commercial E-PACS equipment and testing for competency on course objectives
• Course offers instructor-led training on how E-PACS work, how PKI is managed, and how PIV/PIV-I credentials interface with security systems
• Individual test workstations using commercial E-PACS hardware and software provide hands-on exercises for configuration of live PKI-based access control systems
• A comprehensive written and practical exam wraps up the program with certificates issued upon successful certification
Who Should Attend?
• Commercial security firms looking to sell and install ICAM PACS to GSA managed properties under updated GSA procurement guidelines for vendors and integrators
• Physical access control vendors who need to train their employees and resellers about proper steps to configure PKI-based PACS
• Government security officials responsible for implementing and operating PACS at their department or agency
Meets Federal Requirements and Highest Industry Standards
• Certification means that you have passed a rigorous, GSA-approved training program which demonstrates your ability to efficiently and effectively implement PKI and federal ICAM architectures for E-PACS
• CSEIPs demonstrate knowledge of the latest security industry standards and meet federal procurement requirements
Learn More Today: Visit the CSEIP section of the Smart Card Alliance website for complete training information, prerequisites, exam dates, and a full description of this program: http://www.smartcardalliance.org
ID SHORTS
HIGHLIGHTS FROM SECUREIDNEWS.COM
CRYPTOMATHIC WANTS EU TO RECOGNIZE CLOUD-BASED DIGITAL SIGS
Cryptomathic is calling for new European Union standards to recognize cloud-based digital signature schemes, which do not use a secure element. This comes as the European Commission Directorate General prepares to mandate electronic identification and trust services to boost confidence in digital services and encourage more EU citizens to use e-signatures. Cryptomathic released a position paper requesting that the upcoming regulation be technology-neutral. The paper calls for the EU security standards to ensure that cloud-based central signing services be enabled as Qualified Electronic Signature Creation Devices. In the paper, the company highlights the successful use of such central signing schemes by more than 10 million users across several European countries including Denmark, Norway, Luxembourg and Austria and urges the regulation to formally recognize them. Cryptomathic also notes that centralized signing systems leave secure logs during the signature generation process, which can be used in dispute cases, giving cloud-based server signing an advantage over alternative methods.
QUALCOMM UNVEILS ULTRASONIC FINGERPRINT SCANNER
Qualcomm Technologies Inc. launched its Snapdragon Sense ID 3D Fingerprint Technology, a biometric authentication system based on ultrasonic technology. Qualcomm’s ultrasonic fingerprint technology has the ability to scan through a smartphone cover that is made of glass, aluminum, stainless steel, sapphire and plastic. The user experience is improved by being able to scan through various contaminants that might be present on the finger, such as sweat, hand lotion and condensation. The solution uses sound waves to penetrate the outer layers of skin, detecting three-dimensional details and unique fingerprint characteristics, including ridges and sweat pores. The result is a highly detailed surface map of the fingerprint. Snapdragon Sense ID is expected to be available in commercial devices later this year and is already in various sampling stages with manufacturers. This new authentication platform utilizes the FIDO Alliance Universal Authentication Framework specification to provide passwordless authentication.
ENTRUST DATACARD DELIVERS NEW CREDENTIALING SOFTWARE
Entrust Datacard unveiled the new Datacard TruCredential Suite Software designed to help organizations of all sizes deploy a secure ID program that meets a wide range of application requirements – from basic photo IDs to high-assurance credentials. The software suite can be used to issue a variety of credentials such as student, faculty or visitor IDs; employee or contract badges; patient and staff health care IDs; credentials for local government programs; membership and customer loyalty cards; and transit passes. It is available in four editions that enable organizations to scale from a single workstation to a multi-station, enterprise-wide application without increasing complexity. Features include pre-configured card design templates that can be customized to develop unique designs; enrollment and data capture capabilities with support for QR code, photo and signature devices for capturing physical and logical cardholder data; workflow tools for reduced set-up time; enterprise integration including physical access control system interfaces; and smart card encoding support.
CBP TAPS GALLAGHER FOR ACCESS CONTROL
Gallagher has been chosen by the U.S. Customs and Border Protection to secure a terminal cross-border facility on the west coast. This new development will use the FIPS 201-2 compliant Gallagher PIV Solution, implementing access control with video surveillance through one management platform. The PIV Solution’s capabilities enable PKI authentication and full certificate path validation at the door without the need for additional hardware modules. It also allows for remote firmware updates to system devices over an RS-485 connection. This architecture enables faster card reads by eliminating the use of the unsecure Wiegand communications protocol. The Gallagher PIV Solution is listed on the GSA’s PACS Approved Products List for single and dual factor authentication solutions for procurement by the Federal government.
CALENDAR 2015
JUNE
Cloud Identity Summit, June 8-11, Hilton Torrey Pines, La Jolla, Calif.
SIA Government Summit 2015, June 8-10, The W Hotel, Washington, DC
Smart Card Alliance Government Conference, June 9-10, Walter E. Washington Convention Center, Washington, D.C.
SEPTEMBER
Global Identity Summit, September 15-17, Tampa Convention Center, Tampa, Fla.
eIDConference 7th edition, September 28-29, Washington Marriott Wardman Park, Washington, DC
OCTOBER
SIA Securing New Ground, October 28-29, Millennium Broadway Hotel, New York
Smart Card Alliance NFC Solutions Summit, October 28-29, Arizona Grand Resort, Phoenix, Ariz.
NOVEMBER
Cartes Secure Connexions, November 17-19, Paris-Nord Villepinte Exhibition Centre, Paris, France
ISC East 2015, November 18-19, Javits Center, New York
ZWIPE EMBEDS FINGERPRINT TECH INTO HID CARDS
Zwipe announced that HID Global’s iCLASS and 125kHz ProxCard users can now integrate the Zwipe Access biometric card, eliminating the need to add biometric readers to an existing HID Global iCLASS or Prox-based system. By providing authorized users with Zwipe Access biometric cards that work with existing iCLASS and 125 kHz ProxCard readers, these organizations can incorporate the card into their existing systems in the same way they already incorporate proximity or HID Global smart cards. With Zwipe’s on-card authentication technology, only the authorized cardholder can activate card communication with the reader. This means no more lending or borrowing of ID badges for access. Zwipe’s biometric authentication technology uses an on-card fingerprint scanner with 3D capacitive technology that resides on the contactless smart card. The Zwipe biometric card is also compatible with MIFARE Classic and DESFire EV1.
EVOLIS ADDS OPTIONS TO ACCESSORY LINE Evolis added 27 new products to its accessory offerings to expand support for applications that require and use highly secured personal data such as professional badges, transportation passes, event badges and more. The new range includes card cases, lanyards, clips, badge holders, card racks and cutting tools. All products have undergone quality control and are sold through Evolis channel partners.
U.S. STUDENT LOAN SERVICER TAPS GEMALTO
Gemalto is providing multi-factor authentication to MOHELA, one of the largest student loan servicers in the United States, with more than one million borrowers serviced. MOHELA selected Gemalto’s IDPrime .NET converged badge as their strong authentication solution to comply with the Federal Information Security Management Act (FISMA). Under FISMA, it is mandatory for agencies funded by federal programs to use multi-factor authentication when accessing sensitive government data. FISMA’s accreditation is based on three primary security objectives: the confidentiality, integrity and availability of systems and data. To meet these demands, MOHELA needed a simple solution that was compatible with their existing infrastructure. Gemalto’s IDPrime .NET Converged Badge with its support for public key infrastructure integrates with MOHELA’s existing Microsoft environment for an easy deployment and user desktop experience. Interoperability of the technology with MOHELA’s existing physical badge access system was also a business necessity, resulting in fewer complexities and lower costs.
INDIA POLICE FORCE TAPS NEC FOR FACIAL RECOGNITION
NEC’s face recognition technology is being deployed by the Surat City Police in Gujarat, India. NEC’s NeoFace Watch for live CCTV surveillance and NeoFace Reveal for forensic criminal investigation are an important step in Surat’s safe city initiative. NeoFace Reveal is a software solution for forensic investigation that provides law enforcement and crime laboratory agencies with the ability to enhance poor quality latent face images, search against their mugshot databases, and locate potential suspects. NeoFace Watch integrates with existing video surveillance systems and matches faces in real time against a watch list of individuals to trigger an alert.
HOMELAND SECURITY TESTING BIOMETRICS FOR EXIT
HOMELAND SECURITY WILL CONDUCT THREE PILOTS TESTING BIOMETRIC EXIT AT U.S. AIRPORTS AND LAND BORDER CROSSINGS
The U.S. Department of Homeland Security will be testing three different biometric systems to track exits from the country. Biometric entry and exit was mandated in legislation after the 2001 terrorist attacks. Biometric entry – US-VISIT – was deployed in 2004, but finding a solution for tracking exit has been more difficult. Numerous pilots over the past 10 years have been unsuccessful. There was an effort to have airlines capture the biometrics for those leaving from airports, but that was met with heavy opposition from the airlines. Adding biometric exit at airports has been difficult because U.S. airports aren’t built to track people and record them until they get on the plane. Land borders also prove difficult because the facilities don’t exist to stop people exiting the country and collect biometrics. The new pilots will test biometrics at both airports and land border crossings. A pilot underway at Dulles National Airport in Virginia matches the face stored on an electronic passport to the person standing in front of the kiosk, said Mike Hardin, Deputy Director of the Entry/Exit Transformation Office at U.S. Customs and Border Protection, at the Connect ID conference. Another pilot slated to start this summer at Hartsfield International Airport in Atlanta will use fingerprints to record an exit from the country. The last pilot will use face and iris recognition at a southern land border to track pedestrians exiting the country. Exact details of the workflow on these projects were unknown.
FINSPHERE LINKING THE MOBILE TO CONSUMERS
THE CONSUMER’S HANDSET ACTS AS AN ADDITIONAL FACTOR OF AUTHENTICATION, MATCHING THE DEVICE, CONSUMER AND MERCHANT VIA GEO-LOCATION
Linking an individual to the location of a specific transaction is often discussed but hard to do. Using geo-location from a mobile device to make sure that an individual is in the same location as a payment or authentication request is one of the core tenets of an adaptive authentication system, and FinSphere is now bringing this to the payments world. The seven-year-old company has a focus on using the mobile device as an identity proxy, says Mike Buhrmann, chairman and CEO at FinSphere. The company announced a deal with Visa Inc. to use the Mobile Location Confirmation technology with some of its credit card issuers.
Mobile Location Confirmation uses FinSphere’s geo-location technology combined with other information sources to predict whether the actual cardholder or an unauthorized user is attempting to make a payment with a Visa card. That determination can be important to avoiding the delays that confront merchants, cardholders and card issuers worldwide when legitimate transactions are denied for suspected fraud. Mobile Location Confirmation is built into a credit card issuer’s mobile application, Buhrmann says. Consumers would have to opt in to enable the system on their mobile device, but after that it would run in the background and not require any input from the consumer. It also runs on a broad geographic pattern, Buhrmann says. For example, if a consumer forgets his mobile device at home and runs down the street to buy a coffee, the transaction won’t be declined. “We just want to know that you and your phone are in the area but not specifically at Macy’s,” he explains.
Financial services was the first market FinSphere wanted to explore, but it is also looking at applications in the enterprise authentication and access management markets and health care as well, Buhrmann says. “We’re looking at leveraging something you already have and use the password but then pinning the second factor to an identity score, similar to the technology we have running in the background in the banking market,” he explains.
ZETES PROVIDING HEALTH CARE IDS FOR CÔTE D’IVOIRE
Côte d’Ivoire’s SNEDAI, the national company for the issuing of administrative identification documents, selected Zetes for registration and production of 4 million health care cards. The United Nations has repeatedly pointed out that a universal healthcare system would play a key role in the development of Africa. In 2014, the government of the Côte d’Ivoire decided to set up a universal medical system. Zetes is setting up the infrastructure for the biographical and biometric registration of citizens as well as the biometric database, which ensures the integrity and uniqueness of the data collected. Cards that comply with the security standards for identity documents are then produced and personalized. Finally, they are given to the beneficiaries. Together, Zetes and SNEDAI have been managing the Ivorian biometric and electronic passport since 2008, distributing more than 600,000 secure passports.
IDENTICARD RELEASES WEARABLE PROX CREDENTIALS
IDenticard announced the release of UBand Prox, the latest product in its line of wearable access credentials. UBand Prox is a silicone wristband containing an internal proximity chip that enables the wristband to perform the same functions as a standard proximity card. UBand Prox is available in the most common proximity technology formats, including 26 bit, 35 bit and 37 bit. Each wristband is approximately the width of a standard rubber band, while the internal chip is less than 4 mm thick and 20 cm in diameter. The band sits on the wrist and can be put on or taken off with ease. UBand Prox is available in two in-stock colors – black or blue – and three wrist circumference sizes.
PINELLAS COUNTY USING MOBILE FINGERPRINT SCANNERS The Pinellas County Sheriff’s Office in Florida deployed a MorphoTrak mobile identification solution that enables officers to capture and search fingerprints against state and national FBI databases from any location. The solution consists of a Morpho Maestro gateway for system communications and 65 cell phone-size MorphoIDent mobile devices for capturing fingerprints in the field. Within the first week of deployment, the mobile system identified an unknown subject as a wanted felony suspect by searching the FBI Repository of Individuals of Special Concern database. In addition to criminal apprehension, the mobile system makes immediate identification of lost and deceased individuals possible when no other means of identification are available. MorphoIDent devices give deputies the ability to capture high quality fingerprints quickly and intuitively in a small package. The Maestro gateway provides the interface to statewide and national fingerprint databases and gives the Pinellas County Sheriff’s Office the ability to track and report on device usage and outcomes.
HID, SAMSUNG PARTNER ON MOBILE PHYSICAL ACCESS HID Global and Samsung are providing enterprises with a new physical access tool via the KNOX 2.4 mobile platform that will be integrated into the new Samsung Galaxy S6 smart phone. Enterprises can deploy HID Mobile Access using Samsung’s Android secure mobility platform in combination with Seos, a mobile access platform. Users can download the HID Mobile Access App to their Samsung mobile device and access doors and gates via NFC or Bluetooth Smart by interacting with iCLASS SE readers from HID Global. In addition, administrators can issue and revoke Mobile IDs via the HID Secure Identity Services portal.
YAHOO ROLLS OUT ‘ON-DEMAND’ PASSWORD Instead of accessing a Yahoo account with the traditional login information, account holders can now opt to be sent a code to their mobile device. After choosing the new security feature and enrolling the mobile device, the user will receive a temporary password to access information. Reaction to the news has been mixed. LastPass, a password manager provider, says the solution is actually weaker since it is only one factor of authentication and phone numbers can be ported to different devices. Yahoo isn’t killing the password but optimizing the reset flow, says John Bradley, senior technical architect at Ping Identity. “Yahoo has automated account recovery so it can be done for every login, which matches the way a lot of people manage passwords now – they don’t bother remembering them and do a reset every time they want into an account,” he explains.
This solution can be more secure than how individuals reset passwords traditionally. “Sending a new password via SMS is probably more secure than sending via email, which is likely available on your unlocked phone and other places,” Bradley adds.
IDENTIV PARTNERS WITH 3M Identiv announced that it has entered a partnership with 3M to integrate Identiv’s uTrust TS Reader technology into 3M’s MiY multi-factor authentication biometric devices. Both Identiv and 3M will sell the completed solution. This partnership provides Identiv and 3M’s customers with high-security assurance and forward compatibility to meet multiple compliance mandates. Identiv’s uTrust TS Reader is designed to support any existing building access system – such as Identiv, Lenel, AMAG, Honeywell, Bosch, Casi, or Software House – and provide a forward path to newer standards, such as U.S. government Federal Identity, Credential, and Access Management (FICAM) compliance and network cabling. The uTrust TS Reader platform supports all commercial and government access credentials, including U.S. government PIV, PIV-I and CAC.
ASSA ABLOY LICENSING SEOS PLATFORM ASSA ABLOY announced that it will license its Seos platform for mobile credentials to the identity and access management community as well as application developers and consumers. Seos can communicate over multiple interfaces, including NFC and Bluetooth. It incorporates design features that enable any smart device – from phones to tablets and wearables – to become a trusted credential. Applications built on the Seos platform do not reveal any unique identifiers to unauthorized readers, thereby protecting privacy. Built on a common, interoperable standard, Seos enables smart devices from different manufacturers to speak the same language, creating secure transactions and trust between devices.
FIS ENABLES TOUCH ID FOR BANK CUSTOMERS FIS is adding the ability to access account information and withdraw cash at ATMs with Apple’s Touch ID. FIS, a provider of banking and payments technology as well as consulting and outsourcing solutions, is including biometric access in its Mobile Banking application. This functionality enables customers to check account balances and access cash with only a touch. With this, FIS is offering fingerprint access to its Cardless Cash ATM application. Cardless Cash enables users to make cash withdrawals at an ATM using only their smartphone. Authentication, account selection and amount selection all occur through the mobile app, and a QR code is scanned to complete the transaction.
MONEY APP USES SOCIAL MEDIA TO VERIFY USERS
The Payfriendz smartphone app launched last summer, and now the company is kicking off a marketing campaign focused on the UK student market. It has also teamed up with Veridu, using the company’s social identification platform to vet the identity of users by analyzing an individual’s social media footprint. Payfriendz enables users to immediately transfer money between mobile devices for free. For a 1% fee, it also works across currencies. “Whether you’re collecting money for gig tickets or chatting to split the bill, you can clear off payments within a heartbeat straight from your mobile,” says Volker Breuer, co-founder & CEO of Payfriendz Ltd. “All you need to get started are friends to share money with. Your details are stored securely so you don’t have to worry about your money landing safely, and you can choose to withdraw your balance at any time.” Breuer met Veridu founder and CEO Rasmus Groth last year during a payment exhibition at the Dragon’s Den competition, and their partnership was born. “Veridu helps us to run certain background checks to support our risk management without breaking the smooth user flow,” Breuer says. “Instead of asking the same old questions your bank might ask – ‘Please provide us with a utility bill’ – we’ll simply dig into your social graph – ‘Please connect with Facebook’ – to mitigate risk. Veridu covers all the complicated statistical analysis. For our users, it’s simple and nonobtrusive.” As users send money from one phone to another, their financial information is encrypted and stored on secure servers. Transfers are sent over a 256-bit Secure Socket Layer (SSL). “It’s a very social approach to P2P payments,” Breuer says. “You already get an instant in-app chat, and we’ll release a bunch of features making Payfriendz even more social and fun to use.” Payfriendz will likely expand to other markets. For now, the app is available to users over 18 years old with access to the UK Apple App and Google Play stores.
ID SHORTS
GRANT REFLECTS AS NSTIC TURNS FOUR
Jeremy Grant is leaving the National Strategy for Trusted Identities in Cyberspace in capable hands as he departs the program office, but before he exited he shared some of his thoughts on how the strategy has progressed over the last four years. Grant says the U.S. is in good shape and has seen a lot of advances made in the identity ecosystem. He points to efforts by the FIDO Alliance and OpenID Connect, which are offering standards-based two-factor authentication. The national strategy has funded 15 pilots affecting students, senior citizens, veterans, and consumers of all types. “The pilots are collectively laying the groundwork for a vibrant new market; they are developing and deploying solutions, models, and frameworks for online identity that didn’t previously exist. And, they are informing the development of the Identity Ecosystem Framework being developed by the Identity Ecosystem Steering Group,” Grant says. Connect.gov will launch with a vision of the identity ecosystem. Several agencies will roll out the system that enables citizens to use credentials they already have for access to government sites. “It ensures that a veteran who wants to not only get access to digital services at the VA – but also access digital government applications at the State Department, GSA, and NIST – can use the same strong credential across all of those sites, without having to create a new account at each,” explains Grant. More importantly, with Connect.gov the government won’t issue that credential, because the system is built to enable people to use a credential they already have. Because of President Obama’s Executive Order last year, other U.S. agencies will also be integrating their digital applications with Connect.gov.
He also points to the progress of the IDESG. The group is an independent, non-profit corporation, and is making progress toward delivering version one of an Identity Ecosystem Framework this year. “This framework will deliver a baseline set of standards and policies that enables individuals and organizations to start using a new generation of more secure, convenient, privacy-enhancing credentials that are interoperable across the Internet,” he adds. In honor of NSTIC’s fourth anniversary, the National Program Office will be publishing a series of blogs on standards, pilots, Connect.gov and the IDESG. These posts will be reviewing the progress that has been made, as well as laying out the work still to be done. “And to be clear, there is still a lot to do, and many ways for people to still get involved. But the progress that this effort has made these last few years is notable,” Grant states. “At a time when concerns about security and privacy continue to keep the Internet from reaching its full potential, the philosophy underpinning the NSTIC is more vital than ever.” Mike Garcia, the program office’s deputy director, will be stepping into the director role with Grant’s departure.
Summer 2015
17
HID BUYS QUANTUM SECURE
HID Global announced the acquisition of Quantum Secure, a provider of software solutions for managing identities, access compliance and provisioning access within physical security infrastructure. Quantum Secure’s SAFE software suite provides an integrated physical security policy platform to manage secure identities, compliance and operational analytics across multiple sites and systems. Terms of the deal were not disclosed.
TSA’S PRECHECK PASSES 1 MILLION ENROLLED
More than one million people are now enrolled in the Transportation Security Administration’s TSA PreCheck program. MorphoTrust, a provider of identity services and solutions, is a partner of TSA and the sole enrollment services provider for TSA PreCheck. MorphoTrust supports this program by enrolling approximately 4,000 people per day in its growing network of more than 330 TSA PreCheck application centers, including locations at 31 airports and many IdentoGO Centers operated by MorphoTrust. TSA PreCheck is an expedited screening program that enables low-risk travelers to experience faster, more efficient screening at 133 U.S. airports. TSA PreCheck travelers may leave on their shoes, light outerwear and belt, and keep their laptop in its case and their 3-1-1 compliant liquids bag in a carry-on in select screening lanes. Since the vast majority of travelers pose little-to-no threat, the program provides effective security while gaining efficiencies and improving the travel experience for a growing number of passengers every day.
IDENTITY ALGORITHM KEEPS TINDER USERS FROM FINDING LOVE IN THE WRONG PLACES
Tinder, a social app helping singles find love around the world, is doing a better job of keeping fake users out of the matchmaking process. The mobile identity company TeleSign says it has reduced Tinder’s spam traffic by 90 percent. TeleSign’s system weeds out nefarious entities using real-time risk analysis of phone numbers. The process starts by verifying the user’s identity through their mobile number, “the single greatest unique identifier for a person online,” according to TeleSign co-founder and VP Ryan Disraeli. “Starting with our PhoneID Score product, we analyze the risk level associated with a user’s device – identified through the phone number – and then determine if they should be verified through our SMS Verification product,” Disraeli says. “By utilizing both products, we are able to identify risky phone numbers associated with new accounts, challenge them through SMS, and then ultimately block fraudsters before they are ever able to create an account.” Tinder says these capabilities are delivered via a TeleSign REST API and easily integrated into the mobile app. Within a month of implementing the system, the matchmaking company says the number of phone numbers the algorithm recommended blocking plummeted. “It is a huge feat to categorize the billions of phone numbers out there,” Tinder CTO Ryan Ogle says. “Once we had TeleSign in place, we were able to block fraudulent accounts in a much more sophisticated way. It’s been 100 percent accurate.” Tinder launched in 2012, logging over a million users within a few months. Now the company claims an estimated 50 million active users each month.
FACEBOOK MAKES COMEBACK IN Q1 SOCIAL LOGIN REPORT
Identity management provider Janrain is out with its Q1 social login report. It quantifies the specific social media account – Facebook, Google+, LinkedIn, etc. – that individuals opt to use as credentials at other federated sites accepting social login. The data covers media, entertainment, B2B, brand, music, gaming and retail sites. The report shows mobile is driving more of the trends. Some report highlights:
• Facebook is regaining ground lost in Q4 2014, with growth in Consumer Brand (9% increase) and B2B (11% increase)
• After dominating the B2B vertical with a 35% share of social logins in Q4, LinkedIn logins decreased 10%, with Facebook taking the lead
• Google+ saw an overall decrease of 6% from last quarter, widening the gap with Facebook to 8%
“Facebook’s spike on B2B websites may indicate consumer acceptance of more closely aligning professional identities with personal identities,” says Janrain marketing VP Jamie Beckland. “Also, Google’s overall share has declined across all verticals, and we continue to see volatility between Facebook and Google. Consumer preference seems evenly split between the two.”
The growing inclination to mesh personal and professional identities may explain why LinkedIn logins are down as Facebook is gaining. “Facebook’s v2 app framework is now required, which includes line-by-line controls,” Beckland says. “We know that consumers prefer to control the data that they are sharing with brands. So, this may be an early sign that line-by-line controls are successful.” Beckland says the implication is that consumers still have different social media preferences depending on the situation, and brands have a responsibility to keep them engaged. “Consumers expect value if they are sharing data with brands, and Facebook’s additional controls reinforce this,” Beckland says.
KICKSTARTER CAMPAIGN FOR SESAME SMART LOCK PASSES $1 MILLION
Sesame, a new smart lock, has surpassed $1 million in pledges with just under two weeks to go in its Kickstarter campaign. The initial $100,000 fundraising goal was reached in just nine hours. Sesame was launched in February. It’s the first brainchild of CANDY HOUSE Inc., a design and manufacturing company founded by Jerning Gu and other Stanford University students. Gu, a mechanical engineering master candidate, says his product is designed to bring simplicity to people’s lives. “When people leave home, they always bring three things: phone, keys, wallet,” Gu says. “I believe the three things should be one single device.” Users can lock and unlock their doors using the Sesame smartphone app with Bluetooth low energy. Sesame works with most deadbolt locks and some mortise locks. The company says it uniquely syncs the movement of the lock with the phone, providing exact control of the angle to which the lock turns. It’s AES-256-GCM and TLS 1.2 encrypted – military grade encryption. Sesame doesn’t require any installation. “You only need to attach it on the door,” Gu says. “No other smart lock can do that.” An optional access point connects Sesame to the Internet and gives users control from anywhere. Users can decide who has access to the lock, and the Sesame app sends a notification when the door is opened. Sesame is currently available as a preorder for Kickstarter backers for $99. The regular retail price will be $149. Delivery is anticipated to begin in May.
AMAG FIPS 201 READY
AMAG Technology announced that its Symmetry security management system has been approved as a Federal Identity Credential and Access Management (FICAM)/FIPS 201 compliant solution by the U.S. General Services Administration. AMAG Technology has partnered with HID Global to provide an end-to-end physical access control system to government entities requiring GSA-approved physical security solutions. AMAG’s Symmetry Access Control software and Symmetry Intelligent Control panels along with HID Global’s pivCLASS Validation Engine, pivCLASS Authentication Module and pivCLASS RK40/RKCL40 readers met the testing requirements. Security manufacturers’ products must be FICAM-compliant to meet specific security requirements mandated by the US government. AMAG Technology has been installing Symmetry in the federal government market for more than 20 years and secures branches of the Department of Defense, Department of the Interior, most branches of the military and many other government agencies.
Easy to Authenticate. Difficult to Replicate.
TESLIN® substrate (pictured left) is the proven global substrate for secure credentials and ID cards.
When credential security and durability are paramount, TESLIN® substrate…
• Offers exceptional flexibility to outlast more rigid card materials while protecting and cushioning embedded electronics.
• Features the ability to be customized with embedded security features for program-specific formulations that enhance material tracking and credential authentication.
• Locks in printed graphics and forms virtually indestructible bonds with overlay and card body substrates to deliver highly secure card constructions.
• Delivers tamper-evident protection by permanently distorting if alteration is attempted.
• Prints unparalleled high-definition color images for quick and easy authentication by field agents.
Learn more by visiting Teslin.com/Easy.
© 2015 PPG Industries, Inc. All Rights Reserved. Teslin is a registered trademark of PPG Industries Ohio, Inc.
CYBERSECURITY: TALLER WALLS, DEEPER MOATS BUT THE FRONT GATE IS UNGUARDED
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
Imagine walking into a warehouse store that, instead of selling bulk amounts of toilet paper and paper towels, sells addresses and house keys. Now imagine that these addresses and keys open doors that already belong to other people. This warehouse actually exists, albeit virtually, and fraudsters visit to buy email addresses, account logins and passwords for more than a billion accounts. For a bit more, they can add Social Security numbers, physical addresses and other demographic information. All of this is made possible thanks to the dark web. Database and password hacks are so commonplace that unless a breach registers in the millions it won’t even garner attention in the press. In recent months, these breaches have left everyone from casual web surfers to the president of the United States calling for efforts to better secure cyberspace. The majority of these efforts seem to revolve around building taller towers and deeper moats to prevent hackers from gaining access. What’s lacking, however, are the efforts to add strong authentication and advanced identity and access management to make sure only those authorized are enabled to gain access. The best firewalls and intrusion detection won’t matter if someone has keys to the front door. Making identity a foundational component of cybersecurity, then, is paramount to any attempt to solve the issues facing enterprises. The number one way hackers are gaining access to information on computer networks continues to be the misuse of usernames and passwords. So says the 2014 Data Breach Investigations Report from Verizon, citing that two of every three breaches exploit weak or stolen passwords.
The U.S. government is also feeling the pain. More than half of cyber intrusions to federal agencies could have been prevented using strong authentication, according to a report from the White House Office of Management and Budget. The annual report to Congress on the Federal Information Security Management Act (FISMA) details how agencies are still behind when it comes to using PIV credentials and strong authentication technologies. Additionally, US-CERT found that 52% of 2014 cyber incidents were related to or could have been prevented by strong authentication implementations. Strong authentication for civilian agency user accounts is at only 41%, well below the 75% target.
E-Gov Cyber reviewed agency performance against authentication-related FISMA Metrics. As part of the reporting process, agencies describe the different authentication methods employees use to gain access to Federal information and networks. Of the 24 agencies evaluated, 16 had weak authentication profiles, enabling the majority of unprivileged users to log in with user IDs and passwords alone. This makes unauthorized network access more likely, as passwords are much easier to steal through either malicious software or social engineering.
Budgets also don’t seem to be going to identity and access management. In 2015, Gartner Research predicts that $77 billion will be spent on IT security, but just 4% – or $3.3 billion – will be spent on identity and access management related products and services. Enterprises are investing in firewalls, secure gateways and other security systems – but still neglecting the proverbial front door key. “There’s no silver bullet for cybersecurity,” says Jeremy Grant, former director of the National Program Office for the National Strategy for Trusted Identities in Cyberspace. “But if you’re getting hacked because of your password technology that’s a pretty good sign you should do something with identity.” Information security professionals have never put a focus on identity, says Jeff Nigriny, president at CertiPath. “The bulk of product development has been centered on anti-intrusion detection for the network,” he explains. “Identity has revolved around creating a better password.” Despite the Verizon and FISMA reports, enterprises aren’t taking identity issues seriously, Grant says. “Identity is the red-headed stepchild of cybersecurity,” he explains. “People relegate the identity issue to the backburner because they don’t want to do something that’s difficult. It’s a battle getting people to take the identity threat seriously and put some simple things in place.”
IDENTITY PEARL HARBOR
Numbers from the last 12 months are staggering. The Anthem Health Insurance data breach has impacted 80 million customers, and reports have it linked to corrupt credentials of privileged IT users. But that’s a drop in the bucket compared to the Russian hackers’ theft of 1.2 billion usernames and passwords across 420,000 sites. These are just two of the more high-profile breaches. Some would think that they would be enough to push organizations to start doing more with identity. The thought has been that a single event might finally push the collective “us” over the edge and into battle – a metaphoric identity Pearl Harbor. Sergio Galindo, general manager at network security developer GFI Software, wishes that were the case. His family’s data – including that of his children – was stolen in the Anthem breach. Anthem has offered a year of identity theft protection, but he wants it for the rest of his children’s lives. “Their digital life is at risk forever,” he says. Since the breach involved Social Security numbers, he fears his children will be battling fraudsters forever. “The Social Security number lasts forever and that’s how people will be impacted,” he explains. Others aren’t as sure there will be one event that is the impetus for change. “Will it be death by 1,000 cuts?” asks Nigriny. “Or will it be some financial institution that loses a tremendous amount of money that makes everyone finally feel vulnerable?” Consumers are already paying for these breaches; they just don’t know it yet, says Daniel Turissini, CTO at SolPass. In medical fraud alone hundreds of billions of dollars are wasted. “It’s a ridiculous amount of money and some of it can be mitigated,” he adds. “Too many people think it’s an unsolvable problem and it’s not.” Turissini fears that the data breaches over the past two years are harvesting data. “The actors are harvesting this information and piecing it together to attack something else,” he explains. “People are at the point where they think it’s inevitable.” Even if an individual changes passwords every couple of months but ends up using the same one two years later, they are at risk, says Pamela Dingle, senior technical architect at Ping Identity. “People are being systematically logged and tracked and nothing that they have done in the past has evaporated,” she explains. “I don’t understand why people aren’t running to multi-factor authentication vendors to put another obstacle in the way.” Still, Dingle says the great identity breach is not inevitable. “There won’t be an identity Pearl Harbor, but we need a Winston Churchill to realize we’re under a protracted siege and make some changes,” she says.
Password problems plague federal agencies
The U.S. government is not immune to cyber threats. While many agencies have taken steps to improve identity and access management, a lot of work remains to be done, as a recent report shows more than half of cyber attacks could have been prevented with strong authentication. Federal agencies issue employees PIV smart cards for use for physical and logical access. However, a report from the White House Office of Management and Budget shows that in too many cases, the credentials have not been enabled for widespread logical access. The Department of Veterans Affairs has more than 350,000 users accessing information with only usernames and passwords, while the State Department has 100,000. On the positive side, the Department of Homeland Security leads the way for PIV access with almost 250,000 employees using the credentials, followed by Health and Human Services with almost 100,000. The Defense Department was not included in this survey but requires its employees to use the Common Access Card for strong authentication. While the substantial number of unprivileged user accounts – of which there are more than 5.3 million – are able to access Federal networks with only a username and password, the more troubling concern is the number of privileged accounts that require only username and password. Unprivileged user accounts are the ones regular employees use to access email, applications and services. Privileged accounts are the administrators of those systems and are typically the ones that are able to create new accounts and access additional information. Privileged user accounts, of which there are 134,287 across the government, possess elevated levels of access to, or control of, Federal systems and information, increasing the risk to resources if their credentials are compromised. There are 18 agencies that do not require a majority of their privileged network users to log in using two-factor PIV authentication.
Health and Human Services and the State Department are the worst offenders when it comes to having privileged users accessing networks with usernames and passwords.
We develop solutions designed for a secure and convenient consumer experience – across all channels. Solutions that help our customers increase efficiency, boost growth and build next-generation services. Visit our website to watch the 96 second video on how Gemalto is helping our customers to thrive in the digital world.
gemalto.com
ENABLING ORGANIZATIONS TO OFFER TRUSTED AND CONVENIENT DIGITAL SERVICES TO BILLIONS OF INDIVIDUALS. LEARN MORE AT GEMALTO.COM
© Gemalto 2014. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. January 2014 - Credit photos: Thinkstockphotos - CC
Trusted and convenient digital services for billions of individuals
CATALYSTS FOR CHANGE
Part of the problem is that digital identity is daunting. In the corporate world, enterprises can force employees to comply with whatever authentication processes they deem necessary, says Jamie Cowper, senior director of business development and marketing at Nok Nok Labs. “In the consumer world the identity problem is a bit more complicated,” he says. “You can’t force customers to use them or they’ll go somewhere else where it’s easier to make a transaction.” There are also issues with semantics. Some in the IT world don’t put identity under the cybersecurity umbrella, says Mary Ruddy, research director at the Gartner Group. “When people think cybersecurity they don’t think about identity,” she says. “But having strong authentication is a key piece of what needs to be done.”
THE PROBLEM WITH PEOPLE
The biggest challenge when it comes to online security and identity, however, is the consumer and employee. A CompTIA report found that the biggest factor when it comes to security breaches is people. Some type of formal security training could help mitigate these breaches. But while training employees and consumers not to click suspicious emails is a step in the right direction, it’s not enough. Better authentication technology is mandatory.
Usernames and passwords remain popular because they’re easy to use. A common word in the strong authentication business these days is friction. It refers to the complexities that are added to a transaction when new authentication is deployed. “When talking to banks and large consumer-facing web sites, the word friction comes up almost immediately,” says Jim Reno, chief architect for security at CA Technologies. “A tiny increase in friction means a solid drop in service or a significant increase in help desk calls or recovery mechanisms – which drives up cost.” Google, Apple and others have implemented two-factor authentication as an option but have had limited success, Reno says. “Multi-factor authentication is important but we need to do it while maintaining a user-friendly experience,” he adds. The mobile is a key piece to this identity puzzle and frictionless authentication, says Gartner’s Ruddy. Instead of issuing hardware tokens, enterprises can use a secure app or send a one-time password for multi-factor authentication. “It’s cheaper than hardware tokens and easier to use and implement,” she adds. Mobile devices have the ability to democratize identity, says Alan Goode, principal at Goode Consulting. “You can’t replace passwords,” he says. “But you can deploy thousands of software tokens to mobile devices and strengthen security overnight.” Using existing mobile devices is key, Goode explains. “We need to leverage existing authenticators and see them integrate into risk and adaptive security for stronger identity,” he says. “The major authentication platform providers have realized that technology is changing, and there needs to be less emphasis on the authenticator and more emphasis on using risk-based solutions and integrating into threat intelligence.”
Adaptive authentication is another popular term. Adaptive systems use multiple identity attributes to verify an identity – geo-location, biometrics, IP address and others. “The authentication of the future will look like a medical feedback system,” says Ping Identity’s Dingle. “It will be constantly checking for major and minor events and detect a sickness like an EKG detects an arrhythmia.” Part of the problem is gathering all this data and making it usable. “The idea is to use applications that will take our daily interactions and form a tapestry that can be examined for anomalies or abuse,” Dingle explains. And the password will most likely still be a part of that tapestry, albeit only one of many threads. “If you look at a bank vault, the combination is just one piece of the security,” Dingle explains. “You don’t put the vault door on the outside of the building. Before you need that combination, you must get past all the guards and cameras.” Corporate enterprises are starting to use these systems for employees and they will trickle down for use by consumers, says Kayvan Alikhani, senior director of technology at RSA. The next couple of years will see more uses of advanced technologies. For one, Microsoft’s adoption of fingerprint, iris and face for access and use as authenticators marks a big step. “We’re moving in the right direction but it’s a massive beast and I would say we’re three to five years away from total adoption,” he adds.
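The adaptive approach Dingle and Ruddy describe is easier to see in code than in prose. The following is an added example written for this article, not code from any vendor quoted here: a small risk-based login policy in JavaScript (Node.js) that scores one login attempt against what is known about the user (enrolled devices, usual countries, office networks, last login location and time) and maps the score to allow, step-up (ask for a second factor) or deny. The signals, weights, thresholds, device identifiers and the sample profile are all constructed assumptions, not any product's real scoring.

```javascript
// Added example, not code from the article or any vendor quoted in it:
// a small risk-based ("adaptive") login policy. Each attribute of a login
// attempt (device, country, network, location, time of day, authenticator
// type) is compared with the user's history and contributes to a score; the
// score maps to allow / step-up / deny. Signals, weights and thresholds are
// illustrative assumptions, not any product's real scoring.

const DECISION = { ALLOW: 'allow', STEP_UP: 'step-up', DENY: 'deny' };
const MAX_PLAUSIBLE_KMH = 900; // roughly airliner speed; faster means "impossible travel"

// Great-circle distance in km between two { lat, lon } points (haversine).
function distanceKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Score one attempt against the user's profile. `reasons` is what goes into
// the audit log and, for a step-up, into the message shown to the user.
function scoreLogin(profile, attempt) {
  let score = 0;
  const reasons = [];

  if (!profile.knownDevices.includes(attempt.deviceId)) {
    score += 30; reasons.push('unknown device');
  }
  if (!profile.knownCountries.includes(attempt.country)) {
    score += 25; reasons.push('new country');
  }
  if (profile.corporateNetworks.some((prefix) => attempt.ip.startsWith(prefix))) {
    score -= 10; reasons.push('corporate network'); // a trusted signal lowers risk
  }
  // Impossible travel: distance from the last good login divided by elapsed time.
  const last = profile.lastLogin;
  if (last && attempt.time > last.time) {
    const hours = (attempt.time - last.time) / 3.6e6;
    const km = distanceKm(last.location, attempt.location);
    if (km / hours > MAX_PLAUSIBLE_KMH) {
      score += 40; reasons.push(`impossible travel: ${Math.round(km)} km in ${hours.toFixed(1)} h`);
    }
  }
  const hour = new Date(attempt.time).getUTCHours();
  if (hour < profile.activeHoursUtc[0] || hour > profile.activeHoursUtc[1]) {
    score += 10; reasons.push('outside usual hours');
  }
  // The password is one thread in the tapestry; a device-bound factor counts for more.
  if (attempt.authenticator === 'password') {
    score += 10; reasons.push('password only');
  }

  let decision = DECISION.ALLOW;
  if (score >= 60) decision = DECISION.DENY;
  else if (score >= 25) decision = DECISION.STEP_UP; // require a second factor
  return { score, decision, reasons };
}

// Constructed sample profile and attempts (not real data).
const profile = {
  knownDevices: ['laptop-7f3a', 'phone-c21e'],
  knownCountries: ['US'],
  corporateNetworks: ['10.20.'],
  activeHoursUtc: [12, 23],
  lastLogin: { time: Date.UTC(2015, 5, 1, 14, 0), location: { lat: 38.9, lon: -77.0 } },
};
const normalAttempt = {
  deviceId: 'laptop-7f3a', country: 'US', ip: '10.20.4.17',
  location: { lat: 38.9, lon: -77.0 }, time: Date.UTC(2015, 5, 1, 15, 0),
  authenticator: 'password',
};
// Same user, same office network, but an unenrolled device: ask for a second factor.
const newDeviceAttempt = { ...normalAttempt, deviceId: 'tablet-new' };
// Unknown device in another hemisphere two hours after the last login.
const suspiciousAttempt = {
  deviceId: 'unknown-9b', country: 'BR', ip: '200.1.2.3',
  location: { lat: -23.5, lon: -46.6 }, time: Date.UTC(2015, 5, 1, 16, 0),
  authenticator: 'password',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of [normalAttempt, newDeviceAttempt, suspiciousAttempt]) {
    console.log(scoreLogin(profile, a));
  }
}
```

The design point is the one Dingle makes with the bank vault: no single attribute decides the outcome, and the password is only one input. Recording the reasons alongside the decision matters as much as the score itself, because the step-up prompt and the incident responder both need to know which signal fired.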
Analysis: Identity is hard
IT personnel trying to convince executives that they need a new firewall or intrusion detection system have an easy sell. Both are simple products to explain: one keeps the bad guys out while the other informs if the bad guys get in. Identity and access management isn’t the same; some would call it squishy. Is it what enterprises use to enable employees to access systems and applications? Yes. Can it be used by partners to easily place orders or share information? That’s possible. Do customers use it to access information, buy things and keep track of data? That can fit the bill as well. Can one system address all three purposes? If you want it to, yes. And while explaining what an identity and access management system can do is difficult, that is nothing compared to the actual deployment. “Identity is a complex problem, even for smart people,” says Mary Ruddy, research director at Gartner. Taking all employee, partner and customer information, making sure it’s properly loaded along with the proper attributes and permissions is a daunting task. And how does an enterprise justify the expense and time? What’s the benefit? There are not that many people who know how to answer these questions and solve the problem. “There’s a big hole in cybersecurity and there aren’t too many people out there who know how to fill it,” says CertiPath’s Nigriny. But just because it is challenging, doesn’t mean it can be ignored.
HERE FIDO, HERE
Alikhani is referring to Microsoft’s recent adoption of the FIDO Alliance specification for authentication. FIDO standards rely on the existing security of handsets and computers for secure access to other systems. “FIDO turns credential management upside down,” says Ramesh Kesanupalli, FIDO vice president and founder of Nok Nok Labs. “Instead of generating the private keys on the server side they are generated on the device and the service provider gets the public key back.” With FIDO a user authenticates to the device and then the device authenticates to the server, Kesanupalli explains. If a service provider is hacked, all the fraudster would receive are public keys. In order to get the private key a hacker would have to have access to each specific device. The user would also have the option of choosing the authenticator, be it a built-in fingerprint scanner, facial recognition, voice or a simple PIN. FIDO has existing deployments enabling the fingerprint scanner on the Samsung Galaxy S5 with PayPal and Alipay. Google is also enabling the FIDO specification for two-factor authentication to Gmail and other accounts. Along with numerous pilots already underway, more relying parties will be deploying uses for FIDO in the coming months, Kesanupalli says.
BUSINESS PROBLEMS
One issue is that some in the identity and access management world have wanted to make money at the cost of good security, says SolPass’ Turissini. “Instead of making this an ecosystem of collaboration, everyone wants to corner the market,” he explains. “Industry needs to embrace a framework and move it forward.” The payment card market could be an example of how the identity world could work, Turissini says. When the credit card companies federated – decided to all use the same basic infrastructure – it made payments simpler for the retailer and the consumer. “They wanted as many people as possible to come and swipe their credit cards,” he adds. There are frameworks that identity could borrow from, but there are nuances to identity that make it a bit more difficult. Five years ago, if someone found an unauthorized charge on their card they were upset and jumped into action, Galindo says. Now the reaction isn’t as strong, and it can be resolved by simply clicking on a button next to the transaction online. Identity is harder to resolve because it’s personal. If someone hijacks a Facebook account it’s much more troubling than if an errant charge shows up on a credit card statement. Identity is forever, and along with teaching his children how to ride a bicycle and drive, Galindo also has to teach them to check credit reports and make sure no one has stolen their identities. “We have the usual parental conversations, but now also have to add identity theft and technology use to the list,” he concludes.
Could states crack the digital ID dilemma?
State governments might not be known for taking progressive stances on new technologies, but a handful are starting to issue digital identity credentials to citizens for access to government services. While these credentials are initially only used to access one or two sites, other functionality could be added. Virginia, Michigan, Pennsylvania and North Carolina are issuing digital IDs to citizens for access to Medicaid services. The programs all have a slightly different spin, but in Virginia and North Carolina, the states are leveraging the driver license database to issue higher-assurance credentials. In North Carolina the credentials are being used to enable access to the state’s Health and Human Services systems, but if the pilot goes well other functions could be added, says Mike DiFraia, senior director of solution strategy at MorphoTrust. When a person decides to participate in the North Carolina pilot they download an app to their smart device. They scan their driver license, take a selfie and submit that information to be checked through the North Carolina Department of Motor Vehicles, explains DiFraia. Once a match is made, an eID is tied to the app. When returning to access information on the HHS site they click a different login button and are presented with a QR code. The code is scanned with the app – information is exchanged between the mobile and the site – and access is granted. The project is in a pilot phase now, but if successful the state plans to allow other relying parties to consume the credential, DiFraia says. “Consumers are aware that they are vulnerable but they don’t know what they can do about it,” he explains. “The average individual doesn’t have something they can run to, so we’re trying to create an electronic ID that’s the same level of trust as the driver license.”
PASSWORD MANAGERS ADDRESS THE CYBERSECURITY PROBLEM AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Individuals and companies rely on a virtual alphabet soup of usernames and passwords to protect their assets and personal information online. But it can be difficult to keep track of login information for a multitude of sites and networks, especially when security standards dictate that users maintain a different complex password for every site and reset passwords regularly. Enter the password management system – a software application or service that helps users keep track of all of their logins, usually by securing them under a single master password. Some password managers can generate unique, strong passwords for the user, and others even log into websites automatically, eliminating the need to remember or enter the passwords in the future. “There’s always a tradeoff between security and convenience, but password managers are one of those rare tools that makes you more secure and makes life easier,” says password security expert Jeremi Gosney, CEO of Sagitta HPC, a firm offering password-cracking services. Gosney is also a co-founder of the hacker conference PasswordsCon. Though there’s been talk about the death of passwords, password management companies maintain that the age-old method continues to be the principal form of authentication for both individuals and enterprises, even as multi-factor authentication gains acceptance. “The reality is that it will take decades to see the end of passwords. Companies need to be proactive now,” says Joe Siegrist, CEO and co-founder of LastPass, a password management tool. Despite their drawbacks, passwords remain because they are simple for an enterprise to set up as an authenticator, and they’re easy to maintain as well. Not every institution has the resources to incorporate biometric authentication or a two-factor system. “Passwords are still the most cost-effective security solution on the market,” says Amber Gott, marketing manager for LastPass.
DATA STORAGE METHODS VARY

There are a number of companies offering password management systems, and for the most part there’s very little to separate them. Typically these companies employ one of three different approaches to how they store data. The systems can be cloud-based, PC-based or built into a Web browser with an encrypted database on a PC. Most password management systems offer a free version and a paid version, as well as a distinct system for consumers and another for enterprises. Cloud-based password managers have become more prevalent in recent years, with the notable advantage being the added convenience that the cloud offers. “You don’t have to do anything to sync devices,” Gosney says. A user could log in to a cloud-based system from any location using the device of choice, and all of the password information would be right there. “Say your computer crashes. You don’t have to worry about it because everything is stored in the cloud, so it’s automatically backed up for you,” Gosney says. The advantage of local, or PC-based password managers is that the security of that database is completely in the user’s control. Some are hesitant to allow this treasure trove of login data to leave their possession. That control, however, could be a disadvantage for someone who isn’t very security conscious, says Gosney. Local solutions tend to be less feature-rich than cloud alternatives. “It’s the bare-bones functionality that you would expect from password management. And some people like that,” Gosney says. Another drawback of PC-based systems is that they don’t readily sync with other devices. Although some platforms offer a plugin that does enable syncing, modern users that access services from multiple devices and locations are likely to find this added step burdensome.

With the browser-based password manager, the advantage is that there is no software to install. A pop-up appears asking whether the user wants to save the password. The downside, Gosney says, is that if the operating system is running, the password database is open for anyone at that computer to see. “It’s very convenient, but it’s not secure,” he says. Many password managers come equipped with a number of features such as two-factor authentication, the ability to fill out online ordering forms with personal data, and a security checkup option that can see if any accounts have been compromised or if duplicate or weak passwords are being used.

Security expert: Complexity negates password strength

Anyone who’s ever had to create or change a password probably learned at some point that a strong password includes a hard-to-remember combination of numbers, symbols and letters of different cases. But according to password expert Jeremi Gosney, it doesn’t have to be that way. In fact, it probably shouldn’t be that way. “The more complex a password is, the weaker it is,” says Gosney, CEO of Sagitta HPC, a firm offering password cracking, and co-founder of the hacker conference PasswordsCon. Hackers can apply algorithms to figure out pretty much any password with numbers and symbols. If this is the case, he asks, why would you choose one that could never be remembered? A much better idea, he says, is to come up with a long password that combines three or four unrelated words. This can arguably be as strong as a truly random series of characters, yet still possible to recall. He suggests that the best way to choose this passphrase is through a method known as diceware, an application that essentially rolls virtual dice to pick words at random for you. “If you go try to generate your own complex password, you’re going to come up with a password that’s hard to remember, but still really easy for us to crack,” Gosney says. The key is randomness. As long as those three or four words are chosen completely at random, the password is more difficult for a hacker to crack, Gosney says. And beyond that, it’s a lot easier to remember four words than 15 numbers and symbols.
CLOUD VERSUS PC

LastPass helped pioneer cloud-based password management, says Gott. It helps users remember any information they want to store digitally, back up or encrypt – everything from passwords to credit card numbers to membership information for airline mile cards. It facilitates automatic form filling while securing notes and other digital information. “It really helps you manage your online life,” she says. LastPass syncs through the cloud, but the master password never leaves the user’s device. A recent feature automatically changes passwords on behalf of the user at the more than 70 supported websites. For instance, if a user wanted to change their online login information for Home Depot’s website following a data breach, LastPass would go to homedepot.com, go to the account settings page, create a new password and save all the changes. “We want to make the chore of changing passwords as easy as possible,” Gott says. Whereas many of the newer password managers default to the cloud for storage, password manager RoboForm stores information on a user’s PC with the option of storing it in the cloud. RoboForm has been around since 1999, making it one of the older password management systems.
“There was no cloud when we first started,” says Bill Carey, vice president of marketing for Siber Systems Inc., the software company that offers the RoboForm platform. A user can run RoboForm in “desktop mode” just on a computer, or in “everywhere mode,” which puts a copy of the information in the cloud so that you can sync with other devices. “We like giving people the option of where to put their data. We think that’s important,” Carey says. RoboForm creates a browser file that’s similar to a bookmark that keeps track of all of the websites you log into regularly. If you were to click on “Facebook” in that list of logins, RoboForm would take you to the Facebook website, enter your username and password and then click the submit button for you. “It’s kind of like having bookmarks on steroids,” Carey says. Many password managers offer both free and premium versions for personal and commercial use, with paid versions typically running from $20 to $30 per year, per user. “I think it’s very important for password managers to have a free option so users can touch and feel and see how they work. Because once you have a password manager, you won’t go back to the old way of doing things,” Carey says. While newer password managers are taking passwords to the cloud and securing a host of other personal information, one of the innovators in the space prefers to maintain a minimalist approach.
Technologist Bruce Schneier created PasswordSafe more than a decade ago as a simple and free way for users to store and track their passwords. Since then, he intentionally hasn’t added any features to the solution, even as other systems are doing just the opposite. “The more complicated ones have security issues,” says Schneier, who is now chief technology officer of Co3 Systems, which makes incident response coordination software. The concept of PasswordSafe is simple: A user puts all of the passwords in a database and encrypts it with a single, master password. There is only one version of PasswordSafe for both consumers and companies, and it is free. “It stores passwords. It creates passwords. That’s it,” he says.

Schneier says adding more features, such as auto fill of address pages or the ability to move passwords between devices, could introduce a host of security risks. “There are lots of options I could have added and decided not to, very deliberately,” he says.

IS PASSWORD MANAGEMENT ENOUGH?

When it comes to choosing a password management system, some enterprises might be willing to trade convenience for better security, or vice versa. Gosney recommends taking a risk-based approach, cautioning that adding more steps to the user’s normal workflow means they likely won’t use it. “You don’t want a password manager to be an extra step or a burden. One or two extra steps tends to be one or two too many,” Gosney says. Carey believes a password management system can solve the same problems for enterprises that large, integrated single sign-on solutions can, but for a fraction of the cost. That’s because password management systems are designed to sit on top of a company’s existing software, he says. In addition, a company would have to tweak its entire infrastructure in order to work with a complex single sign-on engine, whereas a password management system can be installed and, in the same day, be fully functioning. “You can be up and running with a password management system in days, as opposed to months with a single sign-on solution,” Carey says. Gott adds that organizations using a single sign-on system can still benefit by pairing it with password management. The secondary system can help to fill in any gaps – sites or services – not covered via single sign-on. And while two-factor authentication might be ideal, Gott contends that changing the way people authenticate on a massive scale will take a long time. The password, she stresses, isn’t going anywhere anytime soon. “If companies want to protect their assets and profits, they need to invest in a password manager because the reality is that passwords are still the primary form of authentication,” she says.
CREDENTIAL CONVERGENCE TAKES HOLD IN KEY INDUSTRIES HEALTH, FINANCE LEAD CHARGE TO UNITE PACS AND LACS ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
The idea of using a single credential for both physical and logical access is as old as smart cards. It makes sense: the card used to open the door in the morning should be the same one used to access a computer, secure networks and authenticate to applications. But this concept of identity convergence has seen only modest acceptance outside of the federal government with its deployment of PIV credentials. The obstacles are frequently cited. ‘Physical access staff and IT staff don’t play well together.’ ‘Who is going to pay for a system that crosses responsibility lines?’ These are just a couple of common refrains. Some experts say this is starting to change as regulatory requirements and fear of data breaches drive key industries including health care and financial services to consider converged credentials.
CONVERGENCE IN THE BAYOU

Ochsner Health System in New Orleans is rolling out a converged credentialing system to its 16,000 employees at 10 hospitals in the area, says Mark Dupuis, security director at the health care provider. “We have an old, outdated system, and an update is necessary for security,” he says. “We wanted to look where we could take this and have a credential, not just an ID badge.” The health care system was using a combination of proximity and bar code technology for physical access and has decided to go with HID Global’s Seos technology for the converged credential, Dupuis explains. The organization is just at the start of rolling out the system, issuing the IDs to new employees and those needing a replacement badge. “We’re developing a plan to get the cards out to all employees,” he adds. Ochsner has some multi-technology door readers already in place and will be transitioning other access points to the same readers. From there it’s a matter of adding applications where the card can be used, and Dupuis sees no limits. One of the most important apps will be an easy but secure login for physicians and other health care practitioners who use multiple workstations through the course of the day. These employees will log in with a user name and password plus the credential at the start of the day, and then on subsequent logins just tap their card for access. The same tap will also be used to authorize jobs at multifunction printers and scanners. Ochsner Health will also use the system to track the attendance of medical students. The organization has a partnership with Queensland University medical school, and university officials want to leverage the system to keep track of students. The full rollout of cards, readers and applications will take most of 2015, and Dupuis stresses his goal is to have everything in place by the end of the year.
STUDENT LOAN SERVICER GOES CONVERGED

MOHELA is the higher education loan authority for the state of Missouri and one of the top 10 largest student loan servicers in the U.S. Based in St. Louis, the organization employs 400 full-time staff who work with students, schools and lenders to service upwards of $18 billion in student loans. Because employees work with such confidential information, it’s paramount that access be secure. The Federal Information Security Management Act (FISMA) was enacted to require stringent security practices for companies that receive federal grants or support federal programs. Because MOHELA services federal student loans, the agency is required to abide by FISMA requirements, including using multi-factor authentication when accessing sensitive data. The company didn’t want to add another token so it opted for a converged credential. “We wanted a solution that would integrate desktop authentication with our existing door badging system,” says Don Bertier, CIO at MOHELA. The company opted for Gemalto’s IDPrime .NET Converged Badge. Because Microsoft solutions were already being used there wasn’t the need to install or maintain extra software or middleware. The smart cards were integrated with door security at MOHELA’s facility, making a converged badge for physical and logical access as well as photo identification. Because MOHELA employees are already in the habit of carrying door access cards, the added logical security was implemented with little adjustment. When arriving at work, a MOHELA employee will first badge into the office. Once at the workstation, the employee inserts the same card into the card reader before entering their complex password to securely access the network. This combination secures the logical access and complies with the multi-factor requirements set forth by FISMA.
CHANGES IN CONVERGENCE

The traditional definition of convergence as one credential for access to physical and logical resources still holds true but it’s also been somewhat modified. “A converged access credential is still the poster child but there are other use cases coming to the fore,” says Julian Lovelock, vice president of marketing at HID Global Identity Assurance. “When people talk about convergence now they don’t just mean a single credential but also a single identity that’s managed within an organization for both purposes.” It begins when a company hires a new employee and the individual has their identity vetted, Lovelock says. “Convergence includes everything, even these initial processes that get you to the point of issuing a credential,” he says. Health care organizations in particular have been opting to take this approach when rolling out new identity systems, Lovelock explains. The Health Insurance Portability and Accountability Act aims to ensure that patient data is secure and protected, but new regulations around e-prescribing mandate that physicians use another factor of authentication when prescribing controlled substances. “E-prescribing is strict in the binding of a credential with an identity proofing process,” he explains. Since physicians don’t want to have to carry an additional token or device the ID badge is frequently being used to meet the e-prescribing mandate, Lovelock says. Then once in place, health care organizations are expanding the use of the badge. Physicians can tap in and out of systems as they move from room to room seeing different patients. A converged identity badge was typically synonymous with public key infrastructure. While PKI offers the highest levels of security the complexity and cost of such a system was daunting to some, explains Lovelock. Some of the more recent health care deployments that have gone with a converged identity have passed on PKI in favor of less expensive and easier to deploy options, he says.

CONVERGING ON THE MOBILE?

With a lot of hype around the use of mobile devices for identity and the availability of near field communication and Bluetooth low energy, it seems likely that handsets will surpass smart cards as the converged token of choice. “We’ll see the inclusion of the mobile devices as one of the form factors you can use,” says Paul Brady, senior director of sales engineering at Identiv. “You can put derived credentials on the phone for secure messaging or you can add credentials physically to the device with a sticker inside it.” Enabling handsets for physical access is possible, whether they have NFC or not, as Bluetooth low energy has emerged as an option for opening doors. And using the same handset for logical access has been possible for some time, says Lovelock. “It’s well established in the IT world where phones generate one-time passcodes,” he adds. Using NFC for logical access isn’t something that’s become widespread yet. But as a new generation of tablets and laptops come equipped with NFC, the ability to reach the technology from other devices is a possibility. It will also lower the cost of the credentials as readers will be embedded and cards won’t have to be issued, Lovelock says. “Your basic infrastructure is capable of reading a contactless credential without spending any more money,” he explains. Still, the cards may be tough to beat as a form factor, Brady says. “I don’t think we’ll see the cards go away any time soon,” he explains. “It’s such a common form factor and it has shaken out as the technology that’s accepted by everyone.” Smart cards have also proven to work over a number of years. “The technology is very well vetted,” Brady says. “There are lots of standards around it and you’re starting to see the card trickle down from earlier programs like the Defense Department’s Common Access Card, EMV payment cards and others.”
BEYOND THE HANDSET While the mobile device seems the likely usurper to smart cards, companies are already looking beyond that to wearable devices. “In certain environments you would have a wearable get you in the door, check you in to a time and attendance system and enable you to pick up print jobs,” Lovelock says. “A wearable can be a good second form of authentication so it’s not limited to a card.” A few years ago smart cards were the only possibility for converged credentials. Now, the mobile device has emerged as another viable possibility with wearable technologies on the horizon. While convergence has been slow to take flight, the idea isn’t dead. In fact, with more and different form factors now available to contain these identities, it’s an idea that might finally be ready for take off.
PHARMACY BENEFIT MANAGER DEPLOYING FIDO FRAMEWORK
HEALTH ORG AMONG EARLY ADOPTERS OF MOBILE BIOMETRIC STANDARD

Health care organizations are under increased scrutiny following the breaches at insurance companies and other entities. Making access to systems secure can be difficult as physicians often switch back and forth between multiple applications and rooms during a work day. Most consumers probably aren’t familiar with the role a pharmacy benefit manager plays in health care. The insurance company typically contracts with a pharmacy benefit manager to handle everything related to prescription drugs. This includes designing the benefit structure, adjudicating claims and making sure that prescriptions don’t have harmful interactions. They also work with physicians to make sure a patient meets all the benchmarks when an expensive drug is needed. “Patients are often taking medications prescribed by multiple doctors who can’t easily share medical records with each other in real time,” says Steven Secker, application development manager at MedImpact Healthcare System Inc., a pharmacy benefit management company. “To avoid dangerous drug-to-drug interactions or wasteful duplication of therapy, our health insurance clients rely on us to provide doctors with a complete picture of what the patient is or has recently been taking.” To enable physicians and their staff to access MedImpact pharmacy records easily and securely, the company is rolling out a strong authentication solution, Secker says. This summer MedImpact will use Nok Nok Labs technology to secure its physician access portal with biometric fingerprint authentication using the FIDO Alliance standard.
Insurance companies will identify physicians for the project, and these physicians will be contacted via email and given a confirmation code to enroll their mobile device of choice. After completing enrollment the mobile device with fingerprint scanner will be used to grant access to patient prescription information. Existing users of MedImpact’s Physician Portal will be able to switch from passwords to biometric authentication if they have a compatible smartphone with a fingerprint sensor, or a Windows 7 – or later – computer with a fingerprint reader. A high number of the physicians participating will likely have either iPhones – where the FIDO client app provided by Nok Nok Labs can be downloaded from the App Store – or Samsung Galaxy models with fingerprint scanners that have the FIDO client pre-installed, Secker says. For those that don’t, they can continue to use the same username/password and later switch to using FIDO when they get a compatible device. Physicians will also be able to create proxy accounts for physician assistants or clerical staff to access the records, Secker explains. They too will enroll their own fingerprint-enabled devices. And while the authentication will take place on the mobile device, Secker expects most of the data to be viewed on workstations in the doctor’s office. When first enrolling a device into the program the doctor or staff will go to the portal and see a QR code, which they scan with the mobile device using the downloaded FIDO client app. After the scan the individual will be prompted for a biometric and after successful authentication they will be able to use FIDO on subsequent logins. When returning they simply click the “login with FIDO” button and enter their username. That triggers the server to push a message to the FIDO client on their device, which then wakes up and prompts the user to authenticate with their fingerprint. If successful, a message is sent back to the server approving the user login. The ability to eliminate the password entirely is what has MedImpact excited about this system. “If there is no password, it can’t be phished, cracked by brute force, or stolen by any means because there simply is no password to steal. That is what is really a game changer,” Secker says. “To compromise a login account that is using FIDO UAF, one would have to get physical possession of my device and be able to fool the fingerprint reader. While that’s not impossible, it’s definitely in the realm of ‘Mission Impossible’ stuff.” The portal will give the physician access to all prescription drug information for a particular patient, no matter where it was prescribed or what pharmacy filled it. This can help make sure that the patient is taking the necessary medication and make sure there are no harmful drug interactions.
Microsoft enabling multiple biometrics with Windows 10

When Microsoft joined the FIDO Alliance it sent a ripple through the identity and access community, but the latest announcement about Windows 10 will make a full-blown splash. The software giant announced that the latest version of its operating system will come equipped with Windows Hello and support finger, face and iris biometrics, according to a blog post from Joe Belfiore, corporate vice president in the Operating Systems Group at Microsoft. If a system already comes with a fingerprint scanner it can automatically be enabled for the consumer to access the system, web sites or applications. Facial and iris recognition will require additional hardware. Windows 10 will be rolled out this summer. Microsoft Passport will enable consumers to use the same biometric modalities to access secure web sites and keep track of login information. Instead of a password, Windows 10 will help securely authenticate to applications, websites and networks on a user’s behalf without sending a password. This eliminates the possibility of a password being compromised. Windows 10 will ask a consumer to verify that they have possession of the device before it authenticates, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with “Passport,” a consumer will be able to access a set of websites and services across a range of industries – favorite commerce sites, email and social networking services, financial institutions, business networks and more. Use of Windows Hello or Passport won’t be mandatory and consumers will have to opt in to use the services. All biometrics will also be stored locally on the device and never shared.
Microsoft is working with hardware partners to deliver Windows Hello capable devices that will ship with Windows 10, and all systems incorporating the Intel RealSense 3D Camera (F200) will support the facial and iris unlock features of Windows Hello, including automatic sign-in to Windows and support to unlock “Passport” without the need for a PIN.
ELECTRIC GRID SECURITY STANDARD CREATES OPPORTUNITY AND CONFUSION AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
New security standards for securing the grid provide opportunities for vendors, but according to some industry advisers, that’s only if they can make sense of the specification. Security and regulatory adviser Patrick Miller voiced his concerns that the new Critical Infrastructure Protection (CIP) standards by the Federal Energy Regulatory Commission are somewhat unclear and might actually complicate the process of securing the grid. As a result, inconsistencies are likely in how the standards are applied. “I think they’re a mess. They made things a lot more difficult. There are a lot of unanswered questions and a lot of utilities trying to get things done the right way, and they’re probably going to miss the mark,” says Miller, managing partner at consulting firm Archer Energy Solutions. He has seen CIP regulations from all angles, having previously served as an author, implementer and federal auditor for past utility standards. Sal D’Agostino, identity consultant and CEO of IDmachines, says that while the new standards will yield market prospects for physical security vendors, those opportunities could vary greatly from one utility to the next. “How utilities address security is very different from place to place,” he says.
FERC issued its CIP-014 standards in direct response to an April 2013 attack on the Metcalf electric substation in San Jose, Calif., where unknown gunmen fired more than 100 rounds into electricity infrastructure equipment owned and operated by Pacific Gas and Electric. Although the grid never lost power, the attack resulted in hundreds of thousands of dollars in damage, and no suspects were ever identified. In March 2014, FERC ordered the North American Electric Reliability Corp. (NERC) to establish CIP standards governing the 500 most critical substations in the electric sector. NERC filed its proposal in May 2014, final rules were published in November and it became effective in January 2015. Electric utilities are now actively developing and implementing their physical security plans. The standard serves as a blueprint to help utilities and security professionals understand what’s required to protect grid assets. As a result, utility owners and operators are looking at new technology to safeguard substations. This can include things like live video surveillance with intrusion-deterrent technologies, access card systems and security fencing.
Some of the standard’s recommendations could work for the construction of new substations. The bigger problem, Miller says, is with retrofitting existing substations. “We could design a transformer in a way that it could get cooled appropriately,” he says. “But as an afterthought, that gets very hard to do. And it gets very expensive.” While the new standard includes more of the grid’s assets, Miller says it doesn’t say much about what’s required to protect those assets. “There are a lot of details that are frankly just very unclear,” he says. A positive is that it creates a shared lexicon for dialogue about securing the grid, Miller says. “We can have a common discussion, and that really does help,” he says.
WHERE CYBER AND PHYSICAL MEET On the physical security side, D’Agostino says few companies have taken a proactive approach to the threat of attack. Most companies are interested in addressing only the failures of a security audit, he says, because then significant penalties can come into play. “That’s the sorry security story everywhere. Even with everything that’s going on, no one really invests in this stuff unless they have to,” he says. Regulations, however, could force this hand. D’Agostino believes the new standard will drive up the demand for physical security vendors. However, he contends that the cyber security aspects of physical security systems are where the possibilities exist for vendors to make their offerings stand out. “It’s not physical security alone, but the cyber-physical combination where the industry has a real opportunity,” he says.
UNINTENDED CONSEQUENCES Much like requiring travelers to remove their shoes at airport security checkpoints, new standards for physically securing the electrical grid could prove to be another impulsive response to terrorist threats, Miller fears. He questions whether such standards can realistically prevent an attack in common scenarios. “My personal opinion is they’re going to spend $1-2 million hardening a substation, and then a guy with a $200 deer stand is going to circumvent that with a rifle,” says Miller. “We’re looking at a knee-jerk reaction to something that frankly is extremely hard to stop.” Some requirements of the standard could even put the grid itself at risk. “It juxtaposes physical protections against engineering needs,” Miller says. For instance, placing a concrete barrier around transformers to shield them could be dangerous because transformers need to have space around them to cool off. Not having sufficient space could blow the grid. Miller says this is the reason this type of shielding hasn’t been put in place in the past.
The cyber security aspects of physical security systems are where D’Agostino spends most of his time helping customers. He says that vendors shouldn’t focus too closely on what’s in CIP-014, but instead take a more general look at what’s going on in the world of critical infrastructure protection. Almost all of the other NERC CIP standards emphasize cyber security. “If you only focus on the new physical security piece of this, you’re not really looking in the right place,” he says. The physical security requirement is new and evolving, and doesn’t contain a tremendous amount of detail, which would drive features for vendors to explore, D’Agostino says. “I would be very surprised if there is a vendor in the marketplace who can make the claim that they’ve got some unique capability that sets them apart from others to better address NERC CIP-014,” he says. During a webcast with the Security Industry Association, Brian Harrell, director of operations for NERC’s Electricity Sector Information Sharing and Analysis Center, noted that physical security in the industry is not a completely new idea. NERC previously published guidance for developing physical security plans through its CIP committee and held training exercises in 2011 and 2013 that simulated breaches at power plants where attackers used improvised explosive devices. “The physical security piece in this industry is not new,” he says.
MARKET OPPORTUNITIES SightLogix president John Romanowich believes the new requirements could provide opportunities for companies like his. The company focuses on physical security through intelligent video surveillance. Electric grid security was one of the main applications that led to the company’s creation nearly 11 years ago. “I’ve been at many a conference where people feared the cascading consequence of the grid going down. And I think that the event out west – the Metcalf substation attack – made it much more alive in the minds of Congress and other stakeholders,” Romanowich says.
One of the things companies like SightLogix appreciate about the new standard is that it’s a lot easier for utilities to convince their state or municipal governing bodies to raise customer rates when a law mandates a security change. These kinds of upgrades will require regulatory approval before utilities can invest in them. “The mandate is going to drive the funding, which is kind of exciting,” Romanowich says. Romanowich believes the new standard could bring physical security more in line with his company’s business model. SightLogix offers thermal cameras that use GPS-based video analytics. A single sensor can cover an area the size of a football field or larger, and the cameras can capture video down a facility’s fence line or throughout the entire substation. The Metcalf station had only a monitoring camera in place, which Romanowich says brought to light the need for better detection and prevention. “There’s this misunderstanding that if I have cameras, I have security. You do have security, but it’s forensic security. You’re going to have a video of someone doing something bad the day after it happened,” he says. “So without detection, you don’t have security,” he says. D’Agostino believes utility companies will be calling on vendors to help them understand how all of the different security pieces fit together, and he’s been seeing utilities seek out help. “That’s where a security professional can add a lot of value,” he says. “But it requires an investment and it’s not necessarily the case that you get a big return on that investment.” The new standard doesn’t require the transmission owners and operators to do much other than have a security plan, which includes a risk assessment, some countermeasures and documentation, D’Agostino says.
Auditors will look at how a facility does its risk assessment, whether that assessment is valid, what level of risk it rates itself, and then whether the facility did things that were appropriate for the level of risk involved. “So this is Compliance 101 stuff, quite honestly,” he says.
MEDICAL IDENTITY THEFT DRIVES BIOMETRICS IN HEALTH CARE Hospitals and health care organizations across the country are starting to roll out biometric technology to identify patients, reduce identity theft problems and solve the problem of duplicate medical records. A 2013 study by the Ponemon Institute found that nearly 2 million Americans had become victims of medical identity theft. Medical identity theft is defined as someone using another individual’s identity to fraudulently receive medical services, obtain prescription drugs or commit fraudulent billing. Only 11% of victims said they had completely resolved the problems stemming from having their medical identities stolen. Consequences include loss of money, higher insurance premiums, lost medical coverage and lower credit scores. The report estimated the economic impact in the United States at more than $41 billion a year. The estimated cost included money and time spent dealing with reported incidents. In the continual push to curb fraud and protect personal information, biometrics has emerged as a sound option for identifying and authenticating both patients and health care workers. Novant Health in North Carolina and Ohio-based Holzer Health System have taken very different approaches to revamping patient security, though each relies on biometrics at the core.
A MULTI-MODAL APPROACH M2Sys Technology is capitalizing on the opportunity with its RightPatient identity management and data integrity platform.
The platform links a patient’s biometric data to their medical records for instant retrieval and enables the patient’s identity to be quickly confirmed when interacting with a health care provider. It also helps prevent the duplication of files and the overlay of medical records – a common problem in which a patient’s clinical information is accidentally overlaid or placed onto the wrong patient record. “We support fingerprint, finger vein, palm vein, iris, facial recognition,” says Michael Trader, president and cofounder of M2Sys Technology. “The system helps to eliminate medical identity theft and enables caregivers to accurately access a patient’s complete medical history.” Trader says patients don’t seem too skittish about getting an iris scan or giving a fingerprint once they understand it’s being used for highly accurate authentication, protection from identity theft and quick retrieval of medical history. Hospitals adopting the RightPatient system cite patient safety, better record keeping and fraud reduction as the top reasons for making the change. “Hospitals have ‘frequent flyers’ that come through the facilities and use different aliases to gain access to prescription drugs,” Trader says. “Once you’re enrolled in the system, it is impossible to utilize someone else’s identity from that point forward. We actually perform a real-time, one-to-many biometric search during the patient enrollment process, so if you’ve been enrolled previously, we catch it right then and there.”
REDUCING WAIT TIMES AND ERRORS M2Sys Technology says its RightPatient platform is in use – or will be soon – at more than 70 locations. North Carolina-based Novant Health came onboard as a client in August 2013. The not-for-profit health care system operates 15 hospitals, 350 clinics and additional care facilities in four states. It deployed iris scanning technology in its hospitals, along with some rehab clinics and outpatient surgery centers. “We were on a journey to change our overall IT platform for all of our patients and saw the need to ensure that their identities and medical records were protected,” says Melanie Wilson, Novant’s vice president of Revenue Cycle. “So we started looking at the various forms of biometric data and really thought that RightPatient met all the criteria that we were looking for.” The company is already experiencing improved patient wait times and fewer errors involving medical records. “We do expect to see some financial improvement just from the decrease in duplicate medical records and fraud,” Wilson adds. Ease of use is a bonus. The patient stands a foot away from the camera, making the iris scan noninvasive and contactless. “There’s no red laser that’s shot into anybody’s eye,” Trader says, referring to some misconceptions in the marketplace. “You just take a picture of the patient. We utilize the information to match you and retrieve your medical records.” Wilson admits there were concerns that patients would resist the iris scan and complain about privacy issues, but these concerns proved to be unfounded. “Once patients understand fully what the benefit is to them and how easy the system is to use, they’re very quick to get on board with it,” she says.
FINGERPRINTS ELIMINATE DUPLICATE RECORDS While M2Sys enables multiple biometric modalities for identification, CrossChx is focused on fingerprints, says Sean Lane, co-founder of the two-year-old company. “We help health care organizations resolve duplicate records by adding a fingerprint biometric to each record that can be retrieved from a health care provider using the system,” says Lane. The company’s solution is deployed at 54 hospitals across seven states. It has enrolled some 8.5 million patients and processed more than 1 million patient verifications to date. Holzer Health System was the first company to deploy the CrossChx system, says Brent Saunders, CEO at the health care provider. The organization’s 150 physicians serve more than 500,000 patients a year at locations in Ohio and West Virginia. The goal with the project was to make sure that patients were correctly identified, Saunders says. The primary concern out of the gate was to make sure that patients didn’t feel alienated by the fingerprint scanner. “We came up with a script that our registration staff used and indicated to patients that this was for their protection,” he explains. “The refusal rate was very low and has gone even lower since.” Once a health care provider signs on with CrossChx, the company runs an algorithm on its patient records, Lane says. It looks at names, addresses, dates of birth and other factors to spot duplicate records. If suspected duplicate records are spotted, they are flagged for further review. For the biometric portion of the program, arriving patients enroll their fingerprint and it is linked to the medical record. During future visits, patients are authenticated with the fingerprint. Patients can choose to opt out of the system, but once they are told it’s for their protection the vast majority agree to participate, Lane says. While other companies offer other biometric modalities, CrossChx is sticking with fingerprint. “Fingerprints are well accepted and less likely to change over time,” Lane says. He envisions a global CrossChx system where patients’ records are securely accessible by physicians across the country.
SECURING PATIENT IDENTITY AND DATA Education is key when it comes to explaining these systems to patients. “The use of biometrics for patient authentication is still relatively nascent,” Trader says. “As much as this is a solution to boost patient safety, reduce duplicates and mitigate fraud, it’s also a mechanism to protect our identities from being stolen. This is a platform that can be utilized as a strong authentication tool on the front end to help better protect access to clinical data.” Electronic medical records are becoming the norm, enabling organizations across the country to integrate health information. “If I’m a patient and I am traveling out of the service area where my healthcare provider may be, eventually the goal would be that all of my health care information travels with me,” Wilson says. “I hope to see more health care providers taking steps toward the utilization of biometrics because it’s the one true way of securing data for patients.” The potential to extend secure access to records outside of the medical office is also growing. A mobile device could be used to log into a patient portal, for example, and the biometric could be checked via the handset. “Our facial recognition engine can be leveraged in mobile areas for front end strong authentication,” Trader says. Trader says health care systems that want to prevent duplicate medical records need to be able to perform real-time, one-to-many searches where a patient could be identified and authenticated just by providing his biometric information. At Novant Health, patients are encouraged – but not required – to provide a biometric. “Part of the training program focuses on how to explain to the patient what you’re doing and the benefits associated with it,” Wilson says. “Through just that explanation – this is why we’re doing this, this is why this is important to you, and this is the benefit that it offers you – our patients immediately go from being concerned to being grateful for this investment in their protection.” “When they walk in the door, patients aren’t having to recapture information that was already captured at another location,” Wilson says. “Via biometrics, we can pull that patient account up immediately and have all of their information there and available.”
UNITED NATIONS GLOBAL BIOMETRIC SYSTEM STREAMLINES RELIEF TO REFUGEES GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Hundreds of thousands of refugees are finding assistance – and something unexpected – in safe camps around the world: a biometric identity they can use long after they move on. These permanent biometric records are being created by the Office of the United Nations High Commissioner for Refugees (UNHCR), better known as the UN Refugee Agency. “When we were out in Thailand, we definitely saw what it means first hand when someone has to bring every shred of documentation they have – which is not much in many cases – and prove who they are,” says UNHCR Biometrics Project Manager, Jim Ragle. He likens a biometric identity to a passport for someone who suddenly has no home. “It’s the fingers or their eyes, but it’s documented. It’s in the system; everybody else in the camp has the same thing,” says Ragle. “No one can pass themselves off as you. They’ve been given a documentation of their identity.” The agency recently finished testing a biometric system at safe camps in Thailand for registering and identifying people who’ve been displaced. About 10,000 refugees were enrolled at one of the camps as part of a verification exercise. “For them, it’s a countrywide census where they bring all the refugees in and update their information,” Ragle says. “They record new births and deaths that have occurred and just generally sort of use it to clean up their registration information. So this time, we added biometrics as a part of that.” Some bugs were worked out, and the new system remains in operation. The first step involves getting as much documentation as possible from the new residents. “When we enroll them biometrically, we’re saying this is your new identity, your fingers and your irises,” Ragle says. In the past, every time they received services they had to prove who they were via documentation, but with biometric enrollment they no longer have to do that. “It enables them to have a very easy, undeniable means of proving who they are,” he explains. When refugees move among camps or return for food and other assistance, the team can accurately verify their identity within seconds. “If they were a refugee in another camp and they move, the system will identify them,” says Ragle. “They’ll put their fingers down or their eyes in front of iris scanning goggles, and they’ll be identified and we’ll be able to see where they’ve come from.” Knowing where refugees come from enables their entire case to be transferred to the new camp so that care can continue just as it was at the prior location. “With a global system, as people move around they don’t have to reestablish their identity at every place,” he adds.
VIA GOGGLES OR SCANNERS, REFUGEES ENROLL IRISES OR FINGERPRINTS TO ESTABLISH A NEW, VERIFIABLE IDENTITY
BIOMETRICS IDENTITY MANAGEMENT SYSTEM The Biometrics Identity Management System (BIMS) was piloted in a Malawi refugee camp in December 2013. It had a final field test in Thailand before the global deployment phase began last January. The agency has long used biometrics for identification in its camps. Now, this global system gives travelers the ability to be quickly verified at each new camp. “Biometrics has been in use by UNHCR for many, many years now and it’s been used successfully across Africa, Asia and the Middle East using both fingers and irises separately,” says Sam Jefferies, deployment manager for the new biometrics system.
With the new system, all ten fingerprints and two irises are captured for each enrollee. “With that full set of biometrics it only then takes one biometric, whether it’s one finger or one eye, to accurately and undeniably identify someone’s identity,” Jefferies says. “Refugees rely on UNHCR for food provisions, and biometrics can help rapidly identify the populations as they move from camp to camp.” The agency hopes to roll out the new tool to 10 countries this year. An operation underway in Chad will eventually biometrically enroll up to 450,000 people at 18 camps. Advances in biometric technology provide more accuracy and efficiencies than the previous localized systems.
“To UNHCR, this is very important because our populations are displaced from their homes. They often flee from areas of conflicts and lose their documentation or don’t even have any documentation to begin with,” Jefferies says. “So being able to assure that identity from the moment we meet them over time through their journey, through their life cycle with UNHCR, is very important to us.”
NO NEED FOR SMART CARDS Though the agency has used smart cards in emergency situations like the massive flooding in Pakistan in 2010, smart cards aren’t part of the BIMS project. Jefferies says there’s no need for a card thanks to the centralized biometrics system. “In the past you needed a smart card which could be carried from site to site to prove your biometrics belong to you,” Jefferies says. “Now that the identity is held centrally, provided the operator has access to the internet, all it takes is for someone to put their fingers down on any reader to prove who they are within seconds.” But the UNHCR system may be the exception instead of the rule. According to ABI Research, the general trend shows biometrics being used as an additional or secondary factor of authentication. Dimitrios Pavlakis, biometrics and security analyst for ABI Research, doesn’t think this global biometrics system will completely replace smart cards for the UN as a means of identification and receiving services. “Smart cards have so much investment, and there is too much existing infrastructure for them to disappear completely,” he adds. Education about the advantages of biometrics does make it an attractive option for identification though, Pavlakis says. “It depends on how exactly that biometric information will be used and how it helps in the task at hand. If it is for identifying individuals, then yes, it does help, and imagine how you can identify people with no papers whatsoever,” he explains. Jefferies says data privacy and protection are paramount. “By the nature of the work we do, we’re privileged to get some very, very sensitive information which if in the wrong hands could have dire consequences for our populations,” Jefferies says. “A centralized system takes away the need to have that sensitive information stored locally. So in cases where offices might be compromised and servers might get lost, damaged or stolen, having it centralized removes that risk.” Enrollment in BIMS is strongly encouraged, but it isn’t mandatory. Refugees don’t have to provide any data, biometric or otherwise, to receive help. “Refugees know that the more they are able to tell us, the better we are able to assess their need for protection and other services,” Jefferies says. “As many refugees aim for resettlement in countries like the US, they are aware that providing an undeniable source of identity throughout their life cycle with UNHCR gives the receiving countries more confidence that the person they look to resettle is the same person arriving at their border.”
Photos courtesy of S. Jefferies, UNHCR Thailand, January 2015 /UNHCR Malawi, December 2013
BIOMETRICS SECURE NEXT GENERATION OF MOBILE BANKING APPS GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
When USAA announced biometrics would soon be used for mobile logins, the company staked its claim as the first U.S. financial institution to offer face and voice recognition for authentication on a mobile app. The banking and insurance company, which serves military members and their families, has 10.6 million stateside customers. All of them are expected to have access to biometric login capabilities in early 2015 on the company’s iOS and Android apps. “The problem of account takeover is rampant because of identity theft, and the user ID/password is merely a speed bump in today’s sophisticated threat environment,” says Gary McAlum, USAA’s chief security officer. “Biometrics raises the level of security significantly beyond a user ID and password, but it doesn’t necessarily slow customers down. The login process is actually about the same if not faster.” The face and voice biometrics are captured during enrollment using the customer’s own mobile device. For facial recognition, users look at the screen and blink when prompted. For voice recognition, users read a short phrase. The addition of biometrics extends the multi-factor authentication options, all of which work in conjunction with a security code generated by the app for each login. Users who try the biometric login and don’t like it can have their data purged from the system within 30 days. “We’re tackling the same problem that every Internet-based organization is trying to tackle right now, which is how do you protect that first line of defense when you’ve got to authenticate who’s coming in the front door,” McAlum says. “If we have a really high confidence that we can authenticate you using a biometric – maybe you want to transfer money to an external account, maybe you want to conduct a wire transaction – we can pass that enhanced authentication along the line so we’re not going to slow you down later in the process.” USAA’s customers weren’t eager to adopt two-factor authentication outside of biometrics. “Anything that slows them down is not naturally attractive to them even though it’s more secure than a user ID and password,” McAlum says. “So we took on the challenge to ask, ‘How can we leverage new technologies to raise the level of security but speed up the process?’ For us, operationalizing the biometric technology does that,” he explains. USAA members who’ve embraced biometrics so far are choosing facial recognition over voice. The company also plans to offer a thumbprint option later this year. “In today’s threat environment, we just don’t see the common password as viable for the long term,” McAlum adds.
TANGERINE REVOLUTIONIZES BANKING IN CANADA
As early as the year 2000, Tangerine (then ING Direct) was trying to develop a mouse that contained a fingerprint scanner. It worked but it was a cumbersome user experience, explains Tangerine CIO Charaka Kithulegoda. “Depending on the operating system and other factors, getting it up and running wasn’t easy,” he says.
Last fall the Canadian financial services provider added fingerprint biometrics to its mobile banking app that complements username and password for logins. The bank’s nearly 2 million customers now have the option of using the fingerprint scanner on iPhones that have Touch ID as an additional factor of authentication. Working with Massachusetts-based software provider Nuance Communications, Tangerine also became the first bank in Canada to offer a voice-controlled mobile app, with voice authentication expected to follow. Customers with devices running iOS 6 and above can now maneuver account information using their voice. Users can check account balances, ask complex questions about expenditures and send instructions to transfer money or pay a bill. “We’ve always believed that biometrics is a powerful authentication and verification mechanism,” Kithulegoda says. The company says it won’t dump usernames and passwords entirely until users are comfortable with the new technology.
US BANK ‘VOICES’ BIOMETRICS SUPPORT
US Bank has been testing different authentication methods for a couple of years, says Beth Gallagher Dumke, vice president of innovation in Payment Services at the institution. She detailed the bank’s biometric plans at the Connect ID conference in March. Having consumers type in long passwords caused too many issues and some other technologies weren’t user friendly. “The best technology available is not good if customers refuse to use it,” Dumke said.
For the time being, the company has chosen voice biometrics for mobile app login, Dumke says. Internal tests have shown positive results. Two percent of total sessions were false rejects, and there were no instances of false acceptance. Also, some 88% of sessions were authenticated in either the first or second attempt. The voice templates for the system are stored in the cloud rather than on a user’s device. While US Bank is rolling out voice biometrics first, it’s not going to stop there. The institution is also looking at fingerprint and facial recognition as possibilities for access too, Dumke says.
WELLS FARGO GOING MULTI-MODAL Biometric technology isn’t new for Wells Fargo, says Andy Foote, vice president and strategist for Innovation Research and Development at the financial institution. The bank has been using biometrics in some form since 2007, starting with voice recognition for password reset. While voice recognition worked, it wasn’t ideal with 10% to 15% false reject rates, Foote said at the Connect ID conference. “The phone you enrolled in might have been fine, but then the phone you call in on might be different,” he says. In 2014 Wells Fargo started an internal pilot with multi-modal mobile biometrics, Foote explains. Though handsets are often equipped with fingerprint readers, it is the one modality the institution is not likely to use. Traditional biometric systems return a score that shows the likelihood of a match, and depending on the threshold of a particular system access is either granted or it’s not. “The problem with fingerprint scanners in mobile devices is they just give a yes or no response, but provide no score,” he says. Because of this, Wells Fargo is going with a face and voice system that detects liveness as well. Customers will use their mobile device to match their face and will speak a dynamic passphrase for access, Foote says. The system also captures the customer’s movement, and since the passphrase changes each time it makes sure that a photo isn’t being held up or that the voice has not been recorded. The internal pilot has a false reject rate of less than 1%, Foote says. Test participants like the facial recognition aspect of the app – though it did take some time to figure out how close to hold the device. Wells Fargo is storing the templates for the system in the cloud for now but wants to place them securely on the customer’s device in the future.
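The score-versus-threshold point Foote makes, together with the false reject and false accept figures US Bank and Wells Fargo quote, can be made concrete with a small worked example. This is added illustration, not code from the article or from any bank or vendor named in it; the match scores, the 0..100 scale and the per-action thresholds are constructed, and a real matcher would be evaluated over far more samples.

```python
"""Biometric match scores, thresholds and error rates (added worked example).

Shows why a matcher that returns a score lets the verifier choose its own
threshold, measure FRR/FAR and apply risk-based policy, while a sensor that
only answers yes/no leaves the verifier one fixed decision. All numbers below
are constructed sample data, not any vendor's measurements.
"""
from typing import Dict, List, Tuple

# Constructed sample scores on a 0..100 similarity scale.
# genuine  = the enrolled person presents; impostor = someone else presents.
# A realistic matcher has some overlap between the two populations.
GENUINE_SCORES: List[int] = [92, 88, 85, 81, 79, 77, 74, 70, 52, 48]
IMPOSTOR_SCORES: List[int] = [12, 18, 22, 27, 31, 35, 40, 44, 50, 56]


def accept(score: int, threshold: int) -> bool:
    """Score-based decision: the verifier, not the sensor, picks the threshold."""
    return score >= threshold


def false_reject_rate(genuine: List[int], threshold: int) -> float:
    """Share of genuine presentations wrongly rejected at this threshold (FRR)."""
    rejected = sum(1 for s in genuine if not accept(s, threshold))
    return rejected / len(genuine)


def false_accept_rate(impostor: List[int], threshold: int) -> float:
    """Share of impostor presentations wrongly accepted at this threshold (FAR)."""
    accepted = sum(1 for s in impostor if accept(s, threshold))
    return accepted / len(impostor)


def equal_error_point(genuine: List[int],
                      impostor: List[int]) -> Tuple[int, float, float]:
    """Lowest threshold at which FRR and FAR are closest (the equal error rate).

    Raising the threshold trades false accepts for false rejects; the EER is
    the usual one-number summary of how separable the two populations are.
    """
    points = [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
              for t in range(0, 101)]
    return min(points, key=lambda p: abs(p[1] - p[2]))


# Hypothetical risk-based policy (thresholds are made up): a login tolerates a
# lower score than a wire transfer, so one strong match can be carried forward
# to a later high-value step instead of prompting the customer again.
ACTION_THRESHOLDS: Dict[str, int] = {"login": 51, "wire_transfer": 75}


def authorize(score: int, action: str) -> str:
    """Return 'allow', 'step_up' (more proof needed) or 'deny' for an action."""
    if action not in ACTION_THRESHOLDS:
        raise ValueError(f"unknown action: {action}")
    if accept(score, ACTION_THRESHOLDS[action]):
        return "allow"
    if accept(score, ACTION_THRESHOLDS["login"]):
        return "step_up"      # good enough to log in, not for this action
    return "deny"


def handset_sensor(score: int, vendor_threshold: int = 60) -> bool:
    """Models a yes/no-only device sensor: the score never leaves the device."""
    return score >= vendor_threshold


def authorize_with_handset(matched: bool, action: str) -> str:
    """With only a boolean, every action collapses to the sensor's one threshold;
    the verifier cannot demand a stronger match for a riskier action."""
    return "allow" if matched else "deny"


if __name__ == "__main__":
    for t in (40, 51, 60, 75):
        print(f"threshold {t:3d}: FRR={false_reject_rate(GENUINE_SCORES, t):.2f} "
              f"FAR={false_accept_rate(IMPOSTOR_SCORES, t):.2f}")
    print("EER point (threshold, FRR, FAR):",
          equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("score 70, wire transfer:", authorize(70, "wire_transfer"))
    print("handset yes/no for score 70 ->",
          authorize_with_handset(handset_sensor(70), "wire_transfer"))
```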
MOVE TOWARD MAINSTREAM In a broader sense, one little application is opening up the world of biometrics to potentially hundreds of millions of users. Apple Pay, which launched last fall, is available on later model iPhones, iPads and the Apple Watch. With Apple Pay, users add credit or debit card information to their iPhones and the cards must belong to participating banks or credit unions. They can then pay for purchases at participating stores by holding their device near the scanner while putting a finger on the handset’s TouchID biometric sensor. The crossover to widespread use of biometrics for secure mobile logins may not be far behind. Efforts are popping up domestically and internationally toward biometric logins, and companies often cite the ineffectiveness of passwords as the catalyst for change. “The growing use of mobile devices with their cramped keyboards has only worsened the security value of passwords, as smartphone and tablet users are 25% more likely to reuse passwords across multiple logins than the average consumer,” says Al Pascual, director of Fraud & Security at Javelin Strategy & Research. Usability is another issue for passwords, which can be annoying to enter on a mobile device. Pascual says biometric solutions like voice and fingerprint have been shown to be more user-friendly.
But security is at the heart of the biometrics trend. “One of the largest impediments to the adoption of mobile banking has been security concerns on the part of consumers,” Pascual says. “Biometrics provide for a conspicuous solution that can bolster the security image of mobile banking, helping increase consumer adoption of this low-cost channel for financial institutions.” Biometrics is nothing new to the financial industry overseas. “For nearly 20 years, financial institutions have been testing voice biometrics for use through the phone channel, though it only took off over the past few years,” Pascual says. “Palm-vein scanning has found success at ATMs overseas, including in Japan and Eastern Europe, and there is a distinct possibility that we will see some of that here as well.” Pascual says privacy is the top concern American consumers have regarding the use of biometrics. But he doesn’t think Americans will be much different in their willingness to use biometrics than Europeans, who also see privacy as a big issue. “U.S. financial institutions are hyper-conscious of FFIEC (Federal Financial Institutions Examination Council) guidelines on authentication, which for better or worse have yet to specifically address the mobile channel,” Pascual says. “Fortunately, there has been some guidance on the use of biometrics – all relatively positive – but as bankers tend to be a conservative lot, this has still been a bit of an impediment.” In spite of the challenges, Pascual believes mobile biometric logins for financial applications will be relatively commonplace in the next two to three years, with other consumer applications following soon after. Still, he is convinced passwords will remain for at least a number of years. “Passwords have been around for thousands of years – since the Roman empire,” Pascual says. 
“Given their ubiquity and cost benefits, they are likely to be supplemented in the short term within the financial industry and largely replaced over the next five to ten years in both the online and mobile channels.”
June 8 – 10, 2015 • W Hotel, Washington, DC
Where Technology Leaders Connect to Meet Security Challenges. REGISTER TODAY! VISIT: SECURITYINDUSTRY.ORG/SUMMIT
FEATURED GUEST SPEAKERS
Congressman John Ratcliffe, R-Texas, Chairman, House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies
Sen. Ron Johnson, R-Wis., Chairman, Senate Homeland Security and Governmental Affairs Committee
Rich Stanek, Sheriff, Hennepin County (Minneapolis), Minn.
PRECONFERENCE SESSION: JUNE 8
General Services Administration (GSA) Contracting and the Security Industry
« Essential Contracting Trends for Government Customers, Security Manufacturers, Integrators and Participating Dealers
« Schedules 84 and 70 Technical and Procurement Changes in 2015
« Working Together to Preserve “Best Value” Government Procurement
CONFERENCE PANELS: JUNE 9 – 10
« Securing the Electric Grid: How Utilities Are Meeting the New Federal Standard for Physical Security
« The Convergence of Cyber and Physical Security: Implications for Federal Agencies
« Keeping Air Travelers Safe: Public Financing for Airport Security Improvements
« Law Enforcement Technology Trends: Body-Worn Cameras and Integrated Video for Public Safety
« Safe Schools: How School Districts Fund and Implement Security Improvements
« Smart Buildings: Integrating Security, Safety and Automation Technology for Government Facilities
REGISTRATION RATES: Member: $595 Non-member: $795 Government Employees: FREE
HOTEL: The W Hotel, 515 15th St. NW, Washington, D.C. 20004. Special group rate available. Visit securityindustry.org/summit for details.
Security Industry Association securityindustry.org
GAO STUDIES SMART CARDS FOR MEDICARE Medicare pays out more than $600 billion a year to health care organizations. Fraud estimates vary, but suggest that about $20 billion goes toward fraudulent claims. The Medicare ID card is paper, has the holder’s Social Security number printed on it and bears no real security features. Congress asked the Government Accountability Office (GAO) to look at how the U.S. Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) might use electronically-readable cards to reduce fraud, and how the credential might be opened up to other uses. The report considered magnetic stripe and bar code cards but spent the most time on smart cards. During the past five years there have been other efforts to get CMS to consider issuing smart cards to beneficiaries. Before the GAO report, language in a House of Representatives bill asked the Secretary of Health and Human Services to consider a smart card implementation. “It’s not a mandate but it put it on the secretary’s radar,” says Kelli Emerick, executive director at the Secure ID Coalition. There are also rumors that a bill might be submitted that would mandate the use of smart cards for Medicare recipients.
The GAO report examined which electronically-readable cards could be used in Medicare and evaluated the functions, features, benefits and limitations of each. It also reviewed the steps CMS and Medicare providers would need to take to implement and use electronically-readable cards, and explored lessons learned in other countries. The GAO analyzed the capabilities of the cards for three proposed use cases: (1) authenticating beneficiary and provider presence at the point of care; (2) electronically exchanging beneficiary medical information; and (3) electronically sharing beneficiary identity and insurance information with providers, including populating electronic forms and systems. Using electronically-readable cards for patients and providers at the point of care would seemingly eliminate a significant portion of Medicare fraud. Surprisingly, however, that fraud might not be mitigated, because of policy issues within CMS: in response to the GAO report, CMS stated that it would continue to pay claims regardless of whether a card was presented by the beneficiary. The GAO looked at bar codes, magnetic stripes and smart cards as options for electronic media. The report found that all of the cards could be used for authentication, storing and exchanging medical information, and conveying beneficiary information. The crucial difference with smart cards, however, is their ability to process data. A bar code or magnetic stripe only presents static data that a reader copies, and anything that can be read can be duplicated; a smart card’s chip can hold a key and answer a reader’s challenge without ever revealing that key. This enables smart cards to provide higher levels of authentication and to better safeguard stored information than cards with magnetic stripes and bar codes.
THE U.S. EXAMINED SIMILAR INITIATIVES IN GERMANY AND FRANCE TO DETERMINE BEST PRACTICES FOR A POTENTIAL MEDICARE ID
Germany and France have both implemented smart cards for health care services, and the GAO looked at their programs as examples. In 2013 in France, 50 million citizens used a beneficiary card and more than 300,000 health care providers used a health care provider card as part of the national health care service. Transactions involving both a beneficiary and a health care provider smart card accounted for 90% of France’s health care claims. In 2014, 70 million German citizens used a smart card provided to beneficiaries as their health insurance card. But getting both of these programs fully up and running is still ongoing. France launched its program in 1998 and saw slow acceptance from health care providers, who lacked the IT equipment to accept the cards. Fourteen years after the system was implemented, some providers in France have yet to use the cards. Issuing the original cards took about three years, but updating the French cards with photos has been a challenge: new cards began issuing in 2007, but more than one-third of cardholders still use cards issued 15 years ago. Germany’s program started in 1995 with memory-only chip cards and upgraded to microprocessor cards in 2011. By the end of 2013, almost all of the population insured through the health insurance system had been issued the new cards, and providers were equipped with readers that could access the information. But there were delays. German officials told the GAO that the full transition to the new cards would not be complete until early 2015, and full implementation of the new smart card, with all of its applications, will not be completed until 2018 – more than 10 years later than mandated.
There would also be a cost to moving to a Medicare smart card. Officials in both France and Germany told the GAO that they experienced significant costs in managing the system beyond the initial implementation costs. French officials explained that it costs about $37 million annually to maintain the infrastructure for the beneficiary card and nearly $31 million per year in IT and human resources costs for the provider card. In addition, there are annual costs to produce, issue and deactivate cards. In France, for instance, the cost to produce and issue beneficiary cards is approximately $2.50 per card, while production and issuance costs for provider cards range from $8 to $12 per card. In Germany, officials say they are paying about $2.40 per beneficiary annually for the development of the infrastructure; with approximately 70 million beneficiaries using the German cards in 2014, that equates to about $168 million in development costs per year. Ultimately, any decision to increase the functionality of the Medicare beneficiary card will rest on the applications for the card. The GAO concluded that electronically-readable cards would have a limited effect on program integrity but could aid administrative processes. Unless CMS changes its policy and requires cards from both providers and patients for payment, a smart card would be hampered in its ability to reduce fraud; if the policy changes, the opportunity to reduce fraud is substantial. “Ultimately, a decision about whether to implement an electronically-readable card will rest upon a determination regarding the costs and benefits compared to the current paper card or other strategies and solutions,” the report concluded.
THE KEY TO FUTURE AUTHENTICATION:
BE YOURSELF PAUL MADSEN, SENIOR TECHNICAL ARCHITECT, PING IDENTITY
For some time, we’ve been aware of the long list of issues that comes with using passwords as an authentication mechanism, including poor usability, expensive maintenance and vulnerability to server breaches. Despite this, there hasn’t been a particularly compelling authentication technology that could serve as a viable replacement for passwords. Fortunately, that is changing. A number of recent developments, trends and new standards are coalescing to enable a powerful new model for user authentication, one that minimizes the “something you know” of passwords in favor of “something you have” plus “something you are.”
The first trend leverages a user’s mobile device to supplement or even replace a password login. Mobile phones, due to their processing power, connectivity, user interface and the affinity their owners have for them, make a very useful “something you have” factor. Because employees already carry their phones, no separate token has to be issued or carried to add a second factor. There are different models for using a phone as an authentication factor. A popular one is the evolution of earlier SMS-based systems: the user installs an authenticator app on the device and, in doing so, binds that device to the account at the authentication server. At login time, the authentication server sends a notification to the app through the relevant push notification service, and the user responds on the phone, whether by a simple gesture or by copying a code from the phone to the other computer. If the response is valid, the authentication server can be confident that whoever is attempting the login holds the bound device; how strongly that implies the legitimate owner depends on how the phone itself is locked.
A second authentication trend leverages the emerging biometric capabilities of PCs, laptops and mobile devices. 
More and more computing devices are being shipped with integrated biometric hardware, such as the iPhone’s TouchID and the Samsung Galaxy S5’s fingerprint scanner. In addition to biometrics in hardware, there are multiple apps available for download that enable other biometrics, like voice or face recognition. There is even an app that authenticates the user by detecting the characteristic pressure pattern on the screen when the phone is held to the ear for a call.
Typically, phone biometrics present an alternative to the usual PIN or pattern for unlocking the phone, or potentially a particular app on that phone. While useful, these biometrics on their own don’t authenticate the user to an online server, which is a fundamental requirement if we are to reduce the use of passwords for that purpose. The FIDO Alliance is defining a suite of specifications that close this gap. FIDO standardizes a model in which the user authenticates locally to a device, potentially (but not exclusively) via biometrics. That local authentication unlocks a private key held on the device, which is then used to sign a challenge from the online authentication server; the server holds only the corresponding public key. Critically, in the FIDO model the biometric data never leaves the device, and neither it nor anything that could be replayed as a login is compromised should the authentication server be breached. Another biometric authentication model is Nymi, a wristband that measures the wearer’s ECG and compares it to a previously recorded pattern; if the patterns match, the wristband signals that to a companion phone application.
The authentication models discussed so far presume an explicit authentication action by the user, be it entering a PIN, swiping a phone screen or applying a fingerprint to a scanner. While these alternatives offer a better user experience than passwords, there is a need for a more seamless authentication experience. The third trend moves away from explicit logins toward a more passive model, characterized as “recognition” by Bob Blakley in 2011. This model is generally referred to as “continuous” authentication to distinguish it from today’s intermittent reality. The premise is that the systems, applications and devices with which we interact will constantly monitor our behavior, actions and physical attributes, then compare all of that against expected patterns, transactions, face geometry and more to assess the identity of the user. 
The list can include measuring how hard we swipe our phone screens, how fast we type common words, our gait as we walk, having our computer mouse scan our fingerprints and perhaps even how often we Tweet or post to Facebook. Initially, continuous authentication models were more likely to be used to detect anomalous behavior, such as determining that the person at the device is not you. As a concrete example, Apple was recently awarded a patent for using its phone camera and facial recognition software to authenticate the user. Of course, this is not a new idea. What is arguably novel here is that Apple’s model will not have the phone take a picture of the user once, but rather at a defined frequency. According to the patent: “In an embodiment of the invention, an unlocked mobile device is configured to capture images, analyze the images to detect a user’s face, and automatically lock the device in response to determining that a user’s face does not appear in the images.” In other words, in addition to unlocking the phone when it recognizes the user, the system will lock the phone when it does not recognize the user.
[Figure: the three authentication trends discussed here – mobile, biometric, continuous]
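The FIDO-style flow described above, written out as an added example in Go (this is not code from Ping Identity, the FIDO Alliance or this page): the device generates a key pair at enrollment, the server stores only the public key, and each login is a fresh random challenge that the device signs only after a local user-verification step succeeds. The same mechanism is why the GAO piece earlier in this issue found that smart cards, which can hold a key and answer a reader’s challenge, authenticate more strongly than magnetic stripes or bar codes that merely present static data. The `verifyUser` callback, the account names and the 32-byte challenge size are assumptions of this example; real FIDO assertions additionally bind the relying party’s origin and carry a signature counter, both omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator is the device side: it holds the private key and releases a
// signature only after local user verification (PIN or fingerprint on a real
// phone). verifyUser stands in for that step; it is an assumption of this
// example, not a FIDO API.
type Authenticator struct {
	priv       ed25519.PrivateKey
	verifyUser func() bool
}

// Server is the online authentication server. Per account it stores only the
// device's public key, so a breach of this table yields nothing that logs in.
// Challenges are single-use.
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// NewAuthenticator generates the device key pair at enrollment.
func NewAuthenticator(verify func() bool) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, verifyUser: verify}, nil
}

// PublicKey is what the device hands to the server at registration.
func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Sign refuses to sign unless local user verification succeeds. The biometric
// itself never becomes part of a message; only the signature does.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	if !a.verifyUser() {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Register binds a device public key to an account.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// BeginLogin issues a fresh 32-byte random challenge for the account.
func (s *Server) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// FinishLogin verifies the signature over the outstanding challenge. The
// challenge is consumed whether or not verification succeeds, so nothing replays.
func (s *Server) FinishLogin(user string, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	c, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge (replayed assertion?)")
	}
	delete(s.challenges, user)
	if !ed25519.Verify(pub, c, sig) {
		return errors.New("signature does not verify against the registered key")
	}
	return nil
}

func main() {
	srv := NewServer()
	dev, _ := NewAuthenticator(func() bool { return true }) // assume the fingerprint matched
	srv.Register("alice", dev.PublicKey())
	ch, _ := srv.BeginLogin("alice")
	sig, _ := dev.Sign(ch)
	fmt.Println("login:", srv.FinishLogin("alice", sig))  // <nil>
	fmt.Println("replay:", srv.FinishLogin("alice", sig)) // rejected: challenge already consumed
}
```

Two properties worth checking against your own deployment: a captured assertion is useless because the server deletes the challenge before it even looks at the signature, and a stolen device with its owner absent produces no assertion at all, since `Sign` returns before touching the key when local verification fails.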
We’ve presented three authentication trends: mobile devices, biometrics becoming mainstream and the emergence of continuous authentication. While discussed as mostly independent, their real impact lies in their combination. In the future, explicit logins will become the exception rather than the rule, with the decision to require a login determined by the system’s calculation of risk. When we occasionally do have to log in, we’ll use the biometric capabilities of our mobile devices and the other things around us, and passwords will likewise be the exception rather than the norm. Those same devices will monitor us over time, alerting the authentication server if and when our status changes. Taken together, these technologies and models enable a far less intrusive authentication experience for users, yet with stronger security characteristics than today’s password status quo, a combination long thought to be impossible.
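As an added illustration of the continuous model (example code, not Apple’s or any vendor’s implementation): a baseline of behavioural features is learned at enrollment, every later observation is scored against it, and a smoothed risk level decides when to fall back to an explicit login, the risk calculation the conclusion above refers to. The features (mean key-hold time and mean inter-key interval, in seconds), the enrollment samples, the smoothing factor 0.3 and the lock threshold 2.0 are all constructed for this example.

```go
package main

import (
	"fmt"
	"math"
)

// Baseline holds a running mean and variance per behavioural feature, learned
// at enrollment with Welford's online algorithm so no raw samples are kept.
type Baseline struct {
	n    int
	mean []float64
	m2   []float64 // running sum of squared deviations from the mean
}

func NewBaseline(dims int) *Baseline {
	return &Baseline{mean: make([]float64, dims), m2: make([]float64, dims)}
}

// Update folds one observation into the baseline.
func (b *Baseline) Update(x []float64) {
	b.n++
	for i, v := range x {
		d := v - b.mean[i]
		b.mean[i] += d / float64(b.n)
		b.m2[i] += d * (v - b.mean[i])
	}
}

// Score is the mean absolute z-score of x against the baseline: near 0 for
// the enrolled user, growing as behaviour drifts from what was learned.
func (b *Baseline) Score(x []float64) float64 {
	if b.n < 2 {
		return 0
	}
	var total float64
	for i, v := range x {
		sd := math.Sqrt(b.m2[i] / float64(b.n-1))
		if sd == 0 {
			sd = 1e-9 // a constant feature must not divide by zero
		}
		total += math.Abs((v - b.mean[i]) / sd)
	}
	return total / float64(len(x))
}

// Session carries an exponentially smoothed risk level. One odd sample moves it
// only a little; a sustained change pushes it over the limit, at which point the
// system demands an explicit login. alpha and limit are assumed values.
type Session struct {
	base  *Baseline
	risk  float64
	alpha float64
	limit float64
}

func NewSession(b *Baseline) *Session { return &Session{base: b, alpha: 0.3, limit: 2.0} }

// Observe scores one sample and reports whether an explicit login is now required.
func (s *Session) Observe(x []float64) bool {
	s.risk = (1-s.alpha)*s.risk + s.alpha*s.base.Score(x)
	return s.risk >= s.limit
}

// Risk exposes the current smoothed risk level.
func (s *Session) Risk() float64 { return s.risk }

// Enrollment samples are constructed for this example: each is
// [mean key-hold time, mean inter-key interval] in seconds.
var enrollment = [][]float64{
	{0.10, 0.25}, {0.12, 0.22}, {0.09, 0.27}, {0.11, 0.24}, {0.10, 0.26}, {0.12, 0.23},
}

// EnrolledBaseline builds the baseline from the constructed samples above.
func EnrolledBaseline() *Baseline {
	b := NewBaseline(2)
	for _, x := range enrollment {
		b.Update(x)
	}
	return b
}

func main() {
	s := NewSession(EnrolledBaseline())
	for i := 0; i < 5; i++ {
		fmt.Println("owner typing, lock?", s.Observe([]float64{0.11, 0.24}), s.Risk())
	}
	for i := 0; i < 2; i++ { // someone slower at the keyboard: first sample only raises risk
		fmt.Println("different typist, lock?", s.Observe([]float64{0.16, 0.33}), s.Risk())
	}
}
```

The smoothing is the design point: a single off sample (a sneeze, a phone held oddly) must not lock the owner out, while a second consecutive one from a typist who is consistently slower does. Tune `alpha` and `limit` against your own false-reject tolerance rather than taking these values.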
ADVANCED CARD MATERIALS ENABLE LAYERED SECURITY FEATURES There are a great many security features that can be placed on identity documents – holograms, laser engraving, embossing – but not all card materials can accommodate every security feature available to issuers. Modern issuers are looking at their identity credentials and doing a cost-benefit analysis of the card material and security features, says Pierre Scaglia, global segment manager for Secure Credentials at PPG Industries. Issuers need to decide how long they want the card to last, combine that with the security features they want to use, and then work out the best card materials for the document. “The security of the card is derived from embossed features, microtext, holograms and unique program-specific security features,” he explains. But each of these security features makes different demands on the card materials and production process, says Scaglia. Card issuers need to do their homework: if they want laser engraving, a smart chip and a 10-year lifespan, it might require a specialized card substrate. “You can’t assume that every personalization will work with each substrate,” says Mary Olson, senior marketing manager for government solutions at Entrust Datacard. Identity cards are not made of a single piece of plastic; rather, they are built from numerous thin layers.
These layers are often made of PVC, but more durable and secure cards can be made by combining different materials into a composite card. Identity credentials typically need to last 10 years for adults, Scaglia says. This means they must physically survive that long and their security features must remain unassailable for the same period. To achieve this, security-conscious issuers layer different security features onto one document so counterfeiters have to defeat or clone many different features. But to use multiple security features, an issuer must build the card from feature-friendly materials. Some security features work better on different materials and with different card printer technologies, says Carla Boria, director of supplies & secure technologies product management at Entrust Datacard. “Unfortunately, there is no one card type that gets good grades across the board,” she adds. For example, PVC is low cost, widely used and compatible with the majority of printing technologies and laminates. On the downside, it’s not very durable and has only a three-year average lifespan. Composite cards, made from PVC and a polyester material such as PET, are more expensive but last longer than cards made only from PVC. But these cards can delaminate and are not compatible with embossing, which means they can’t be used for payment cards that require that feature. Adding synthetic materials such as Teslin to a composite card can increase efficiencies and significantly boost card durability through flexibility, resistance to delamination and protection for embedded electronics, says Scaglia. Polycarbonate cards are another common choice for secure IDs. These cards are durable and enable fraud-resistant laser-engraved personalization. They do not require laminates, so delamination is not an issue. The cards are typically more expensive, and with typical laser engraving they can only be personalized in black and white.
Identity credentials such as Ireland’s ‘agecard’ use advanced materials to enable layering of security features:
➀ Card number, date of birth and name show in blue under UV light
➁ Color of emblems inverts when the card is tilted back and forth
➂ Letters change to emblems as the card is tilted
➃ Embossed special symbols add a tactile element
➄ Animated movement appears around the map of Ireland as the card is moved
➅ Embossed date of birth floats in a transparent window
➆ Text appears in various colors as the card is tilted
➇ Metal hologram adorns the reverse of the card
LAYERING VARIABLE DATA When it comes right down to it, issuers need to layer variable data throughout the card, Boria says. Traditional variable data includes the photo, date of birth and ID card number. “You take this standard variable data and by using something unique, like laser engraving, make it extremely difficult to recreate,” she explains. Another option is digital printing of variable data on the Teslin layer within a composite card. Because that layer is embedded below other layers, it is very difficult to alter or counterfeit. By using techniques such as these, along with traditional holograms, optically variable devices and other security features, issuers force counterfeiters to defeat multiple strong features. “By the time they add these things up, most counterfeiters find it’s too costly and move on,” Boria explains. Issuers also need to make sure the quality of the card substrate is good, as manufacturers are using different formulas to create these substrates, Olson says. “People think if they have a polycarbonate card they’re always going to see quality results,” she explains. That’s not always the case, and issuers would be wise to test the card substrate with the personalization equipment prior to rollout. For years, composite cards have been the standard for high-security identity cards and government IDs. Today, financial institutions are considering these substrates for payment cards, as EMV is making cards more expensive to produce and banks want to make sure they last, Boria says. “Chips are changing the whole construction of the card and becoming 80% of the cost,” she explains. “Banks are worried that the cards won’t last three years.” Clearly, composite cards are becoming more popular and nudging out PVC because of their longer lifespan and their ability to better handle embedded electronics, such as contact and contactless chips, Boria says. “Composite cards are crossing over into different uses, and issuers are using two or three of these substrates to achieve great results,” she explains.
re:ID NATIONAL eID SERIES:
CHINA, INDIA DOMINATE ASIAN ISSUANCE
ANDREW HUDSON, ASSOCIATE EDITOR, AVISIAN PUBLICATIONS
Having established Europe as a leading region in eID, due in part to an infrastructure and social framework that supports the delivery of a national eID, the second installment of the re:ID eID series turns to Asia. Understandably, the countries with the most significant influence in the region are those with the largest populations, China and India. More specifically, the future growth of eID issuance in Asia will hinge largely on how these two countries have decided, and will decide, to implement and issue credentials to their citizens.
THE WHALES OF EID Per Acuity Market Intelligence’s “The Global National eID Industry Report” detailing the region, China alone represents 87% of Asian eIDs issued, 60% of global eIDs issued and a remarkable 47% of all global IDs of any kind. “The most significant factor in the Asian region’s National eID market is China’s ID program producing nearly 300 million eIDs annually,” says Maxine Most, founder and principal of Acuity Market Intelligence. “This represents almost all 2013 eIDs and 70% of 2018 eIDs.” Simply put, China isn’t just the whale of eID, but of ID issuance in general. The caveat, however, is that only domestic suppliers have had access to the opportunity that is the country’s eID program. “China’s restricting of vendor participation to domestic companies only limits the true impact of a program of this size,” says Most. India, meanwhile, marks another significant portion of the Asian eID landscape, though it’s a presence that is yet to arrive.
India announced plans to introduce national eIDs beginning in 2016. Provided things go according to plan, the Acuity report suggests that India along with China will account for 500 million of the total 588 million national eID cards issued globally in 2018. Central to the eID initiative in India is the country’s national registry program. The Unique Identification Authority of India, UIDAI for short, conceived the eID project as a means to provide identification for each resident across the country. This form of identification would be used primarily as the basis for efficient delivery of welfare services, but would also serve various other government programs and schemes. UIDAI intends to issue a unique identification number that can be verified and authenticated online in a cost-effective manner and is also robust enough to eliminate duplicate and fake identities. UIDAI’s efforts go back as far as 2006, when the ID project first received administrative approval. The nearly decade-long process has been hampered by delays, but the country is approaching a delivered solution. “In 2014, India announced it would begin a National eID program linked to the biometric enrollments and issuance of unique ID numbers in 2016. India is on track to capture biometrics for one billion citizens by the end of 2016,” says Most. Further delays are likely, however, and current projections assume a 2017 start date, says Most. “The scale of India’s biometric national registry project, as part of a truly open international tender process, will profoundly influence global market development,” she adds. “Issuing national eID cards to accompany its registry program will add 200 million cards per year.”
BEYOND THE HEAVY HITTERS: BAHRAIN, MONGOLIA GO EID While China and India will account for a majority of the credentials in the region, it’s important to note that other Asian countries are working with eID. Nestled in the Middle East, the Kingdom of Bahrain has been working on a comprehensive eGovernment initiative since 2004. As part of that project, the kingdom’s Central Informatics Organization (CIO) has been responsible for implementing a smart card-based eID project along with improving infrastructure, equipment and procedures to bring Bahrain up to speed with national citizen ID. Partnering with Gemalto since 2007, the Kingdom of Bahrain’s credential acts as a travel document and a tool for procuring eGovernment services, while meeting security and privacy standards. Bahrain’s eIDs are being issued to every citizen and resident in the Kingdom and include fingerprint biometrics, as well as the cardholder’s photograph and signature. The cards feature contact and contactless technologies, match-on-card biometric capability, and a range of embedded software and security features. Bahrain’s card doubles as a driver license and a travel document. It can carry medical information, including URLs linked to the holder’s electronic medical files and vaccination history. Access to eGovernment services is made possible through a home card reader. Future functions include an ePurse and a voting application.
Mongolia is another Asian country that has deployed an eID credential to its citizens. Despite being a massive country spanning over 600,000 square miles, roughly one-third of Mongolia’s total population resides in the country’s largest cities. Mongolia’s decision to issue an eID dates back to 2008, when the government launched the Policy of Millennium Development – a program tasked with replacing the country’s previous identification system with a new eID card. Also partnering with Gemalto, Mongolia’s smart card includes an embedded microprocessor that houses citizens’ personal data along with facial and fingerprint biometrics. The eIDs facilitate eGovernment services including voting, tax services, customs, passport functions and military uses.
BIG POPULATIONS, BIG ISSUANCE With nearly one third of the world’s total population residing in Asia, it should come as little surprise that eID issuance in the region is significant. The already impressive number of eIDs in circulation across Asia will only grow further as other large projects, like that in India, come to fruition.
Hong Kong eID tops 7 million cards
In 2003, Hong Kong started its own eID card program. In fewer than four years, the new card was in the hands of more than seven million citizens and foreign residents. Hong Kong’s eID card houses a microprocessor that stores personal data, a digital photograph and fingerprint biometrics. The credential not only serves as the territory’s primary identity document but also is required for employment, voting and accessing social services. The use of the card for e-Services is activated voluntarily at the post office, using the “e-Service” certificate. Based on a Public Key Infrastructure (PKI), this authentication and signature function is central to the development of public and private e-Services in Hong Kong.
[Chart: Global and Asian eID Card Volume Forecast, unit forecasts in millions, 2013–2018, two series (Global, Asia). Source: Acuity Market Intelligence, “The Global Automated Border Control Industry Report”]
[Chart: National eID card volume share (Asia), 2013 and 2018, by country: China, India, Vietnam, Thailand, Pakistan, Malaysia, Indonesia, North Korea, South Korea and Other*. *Other: Azerbaijan, Armenia, Afghanistan, Bangladesh, Burma/Myanmar, Brunei, Cambodia, Nepal, Mongolia, Macau, Hong Kong, Kazakhstan, Sri Lanka]
GSA TO REVEAL PHYSICAL ACCESS PROCUREMENT CHANGES DAVID SILVERBERG, SECURITY INDUSTRY ASSOCIATION
If all goes as planned, by the end of May providers of identity, credential and access management (ICAM) programs and tools to federal agencies will learn the government’s latest requirements for their products and services. That’s because May 14 is the date of an Industry Day at which the General Services Administration (GSA) will reveal its responses to industry concerns. This Industry Day has been a long time coming. Its most recent origins lie in a request for information that GSA issued in December 2014, asking vendors, industry and other government agencies how best to accommodate changes in ICAM technology and the marketplace. But in a broader sense, it goes back much further. Indeed, it could be said that it goes back to the very concept of securing access.
BEYOND PADLOCKS Where once locks and keys provided security and controlled access to sensitive items, today that role falls to ICAM. It is one of the most complicated, intricate and rapidly evolving sectors of security technology, and nowhere are the secrets more vital or the stakes higher than in government. Industry is ready, willing and able to meet the challenge of providing secure access tools to government, but the path has been confusing and complex. GSA, which handles purchasing for the civilian side of government, fully recognizes that fact.
The civilian consumer marketplace has seen radical changes in ICAM tools and technology, but the U.S. government has had to do some catching up. The feds have vast requirements and mandates such as Homeland Security Presidential Directive 12, which sets standards for secure government access. It was this need that prompted GSA to re-evaluate its ICAM standards in the first place. The re-evaluation impacts the two schedules that GSA uses to make its ICAM acquisitions. Schedule 70 covers a vast array of information technology products and services and, with a list of 5,000 vendors, is the most widely used schedule in the federal government. More to the point, it covers physical and logical access control systems. Schedule 84 covers law enforcement, disaster response and security products and services and in particular, physical access control systems. It’s a massive schedule of $1.55 billion in indefinite delivery and indefinite quantity contracts and includes more than a thousand vendors, according to Brenda McCall, the lead contracting officer for GSA’s Law Enforcement and Security Branch. Within these schedules, GSA realized that it needed to update the descriptions of products contained in its list of Special Item Numbers (SINs) as well as its criteria for evaluating those products. Further, it had to align its acquisitions with government policies and requirements mandated by the Office of Management and Budget.
INSIGHTS Cutting-edge viewpoints on the use of security technology from the industry’s leading electronic physical security association. Learn more at securityindustry.org.
In response to the December request for information, companies and industry representatives, including the Security Industry Association (SIA), submitted 14 comments. GSA followed up with an Industry Day on February 3 to discuss the results, and on February 25 SIA hosted a webinar to further answer questions and concerns.
CLEARING CONFUSION Industry confusion was found in several areas, explained Chi Hickey of the GSA Office of Government-Wide Policy, Identity Assurance and Trusted Access Division, during the webinar. One was the belief that vendors could only be listed on a single schedule. “We realized that was a huge confusion and we’re working to clarify that in our terms and conditions agreement,” said Hickey. “We did not intend to restrict the community to one schedule or one SIN,” she said. GSA has proceeded to work on a means to allow listings on multiple schedules.

Certification requirements for workers on government projects were another major source of confusion and attracted the most industry questions. “There was confusion over who needed to be certified,” Hickey explained. The requirement to use a Certified System Engineer ICAM Physical Access Control Systems (CSEIP) led to major questions, especially in Schedule 84 contracting. “There was confusion over who needed to be certified and who qualified as a past integrator,” according to Hickey. “Respondents are unclear over the distinctions between ‘integrators,’ ‘services’ and ‘service providers.’”
Hickey clarified that certification extends only to individuals, rather than to companies as a whole, in order to maintain control over the people actually doing the work. This applies to both installers and engineers. Additionally, state and local agencies were interested in whether GSA would accept certifications obtained outside GSA’s current arrangement for CSEIP training by the Smart Card Alliance. Other concerns included whether approved products for physical access control needed special indicators, whether certified engineers and approved products needed to be used for training, and whether SIN descriptions were outdated.
THE NEXT STEP “Since we’ve had the Industry Day we’ve received a lot of comments from the community as well as other stakeholders, and GSA embarked on the process of analyzing and consolidating the comments,” Hickey reported. SIA added its comments and many companies echoed them. How those comments are resolved and incorporated into GSA's requirements has yet to be revealed, but it is reasonable to expect that many of the industry’s concerns will be met. SIA will follow up the Industry Day with a preconference session during the SIA Government Summit on June 8 at the W Hotel in Washington, D.C., offering attendees an opportunity to engage GSA officials before they finalize the requirements, which are anticipated to be published in July. For more information on the Summit, visit www.securityindustry.org/summit.
BLUETOOTH WINNING WITH VEGAS HOTEL ACCESS The Cromwell is a boutique hotel owned by one of the legacy players on the Las Vegas Strip. The Caesars property wants to appeal to the tech-savvy guest and offer a personalized and convenient experience, says Danielle Gaccione, director of digital products at Caesars Entertainment. “We want to use technology to tailor the guest experience,” she adds. To aid in this effort, in January the resort began offering guests the ability to access their room with their iPhone, Gaccione says. The system uses Bluetooth low energy to let guests operate elevators and open their rooms. The Cromwell is also working on a version of the app for Android devices. The Cromwell chose a combination of the LEGIC Connect trusted service, Kaba Mobile Access Solutions and Bluetooth low energy. LEGIC provides its service through the hotel's existing Kaba Saflok room key management system.
Caesars has worked with Kaba locks for some time, Gaccione says. LEGIC Connect keeps the complexity of delivering electronic room keys to mobile phones in the background, leaving the established processes at the hotel’s front desk unchanged. The service is operated from a secured data center and is built to support multiple technology vendors and any number of hotel properties. Prior to arrival, guests receive an email with information about the electronic keys, Gaccione explains. When they arrive to check in, the guest is offered the option of an e-key. Using the e-key is as simple as downloading the app and registering a PIN. A guest number unique to that stay is then texted to the guest's phone and entered into the app. If the floor the guest is staying on requires a key for access, they simply present the phone to a reader in the elevator.
When they arrive at their room they just tap the phone to the reader and the door unlocks, Gaccione says. The guest doesn’t have to open a specific app or even wake the phone. “It’s very similar to the Apple Pay experience,” she adds. Caesars is also looking at self check-in, but the need to check identity documents and explain other details at the front desk has put that on hold, Gaccione explains. At some point in the future it is likely that all the Caesars properties will offer electronic keys using Bluetooth low energy, Gaccione says. “It’s part of our long-term vision,” she explains. “We are evolving the product at the Cromwell and have plans to extend it to other properties.”
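The security-relevant part of the Cromwell flow is that the e-key is scoped to a single stay: it is tied to one guest number, one room, one floor and the check-in to check-out window, and the lock must be able to decide for itself whether to open, since a hotel door cannot count on the phone or a server at the moment of the tap. The following Python is an added illustration of that kind of stay-scoped credential and the offline checks a door and an elevator reader would make on it. It is not the LEGIC Connect or Kaba Saflok design, which the article does not describe; the shared per-property secret, the JSON payload layout, the function names and the sample stay are all assumptions made for the example.

```python
import hmac
import hashlib
import json
import secrets

# Assumed provisioning model: the key-issuing service and each lock on a
# property share one secret. The article does not say how LEGIC Connect or
# Kaba Saflok actually key their locks; this is a generic illustration.
PROPERTY_SECRET = secrets.token_bytes(32)
TAG_LEN = 32  # HMAC-SHA256 output length, appended to the payload


def issue_mobile_key(stay_id, room, floor, check_in, check_out, key=PROPERTY_SECRET):
    """Return an opaque credential bound to one stay: room, floor and validity window.

    Timestamps are Unix seconds. Credential = JSON payload || HMAC-SHA256(payload).
    """
    if check_out <= check_in:
        raise ValueError("check-out must follow check-in")
    body = {"stay": stay_id, "room": room, "floor": floor,
            "nbf": check_in, "exp": check_out}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def _parse(credential, key):
    """Check the MAC and return the decoded body, or None if the credential is bad."""
    if len(credential) <= TAG_LEN:
        return None
    payload, tag = credential[:-TAG_LEN], credential[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        body = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(body, dict):
        return None
    if not all(k in body for k in ("stay", "room", "floor", "nbf", "exp")):
        return None
    return body


def _in_window(body, now):
    return body["nbf"] <= now < body["exp"]


def door_decision(credential, lock_room, now, key=PROPERTY_SECRET):
    """Offline check a room lock performs when a phone is tapped to it."""
    body = _parse(credential, key)
    if body is None:
        return (False, "invalid credential")
    if body["room"] != lock_room:
        return (False, "wrong room")
    if not _in_window(body, now):
        return (False, "outside stay window")
    return (True, body["stay"])


def elevator_decision(credential, requested_floor, now, key=PROPERTY_SECRET):
    """Elevator reader: release only the floor that belongs to this stay."""
    body = _parse(credential, key)
    if body is None:
        return (False, "invalid credential")
    if body["floor"] != requested_floor:
        return (False, "floor not on this stay")
    if not _in_window(body, now):
        return (False, "outside stay window")
    return (True, body["stay"])


if __name__ == "__main__":
    # Constructed sample stay: check-in 2015-06-01 15:00 UTC, check-out 2015-06-03 11:00 UTC.
    cred = issue_mobile_key("STAY-0001", "1207", 12, 1433170800, 1433329200)
    print(door_decision(cred, "1207", 1433200000))       # (True, 'STAY-0001')
    print(door_decision(cred, "1208", 1433200000))       # (False, 'wrong room')
    print(door_decision(cred, "1207", 1433400000))       # (False, 'outside stay window')
    print(elevator_decision(cred, 11, 1433200000))       # (False, 'floor not on this stay')
    # Editing the room inside the payload invalidates the MAC, so the lock refuses it.
    tampered = cred.replace(b'"room":"1207"', b'"room":"1208"')
    print(door_decision(tampered, "1208", 1433200000))   # (False, 'invalid credential')
```

Two design points carry over to any real deployment of this kind: the lock's decision depends only on the credential, the lock's own identity and its clock, so it keeps working when the property's network or the guest's phone data connection does not; and because room, floor and window are under the MAC, a guest cannot edit a key to reach another room or extend a stay. What the example does not cover, and the article does not discuss, is early check-out or a lost phone, which in practice needs either short-lived credentials that the app refreshes or a revocation list the locks can receive.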
MORPHOWAVE™ AWARDED BEST NEW PRODUCT OF 2015 BY SIA
MAXIMUM SECURITY: Multi-Finger Matching
HIGH THROUGHPUT: On the Move Matching
EXTREME CONVENIENCE: Touchless Operation
NO COMPROMISES: Ultra Convenient Frictionless Access AND Maximum Security from the world leader in biometrics with #1 NIST rated fingerprint technology. ACCESS CONTROLLED WITH A WAVE OF THE HAND info@morphotrak.com • 1-800-444-0496 • www.Morpho.com/USA
Make sure every visitor is a welcomed one.
HID Global Secure Visitor Management solutions track your guests and protect your facility. Upgrade from unsecured paper guest books to the robust security of our EasyLobby® Secure Visitor Management solution. With EasyLobby, you can identify who is in your facility and why, control access to secured areas, screen against unwanted guests and more. Just scan each visitor’s ID and print a customized badge in seconds. And it’s scalable, so you’ll get the protection you need as your company grows. Request a free web demo at hidglobal.com/welcomed-cr80 © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, and EasyLobby are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.