47 A SURVEY OF ID TECHNOLOGY - FALL 2016 - ISSUE 47
BLOCKCHAIN: an identity cure-all or snake oil?
First responders ditching cards for mobile IDs
Biometrics and eGates expedite global travel
Future of credentialing in the U.S. Government
Securing people in today’s digital world begins with protecting their identities and personal data. Gemalto contributes to more than 100 government programs worldwide including 30 ePassport and 25 national eID initiatives.
GEMALTO.COM
IN AN INCREASINGLY CONNECTED SOCIETY GEMALTO IS THE LEADER IN MAKING DIGITAL INTERACTIONS SECURE AND EASY. LEARN MORE AT GEMALTO.COM
© Gemalto 2016. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. May 2016 - CC
Securing the identity and bringing trust to millions of citizens worldwide
TOO MANY USERNAMES AND PASSWORDS CAUSE CONSUMER HEADACHES
Alleviate the Pain with Federated Identity Networks.
Learn more at www.securekey.com
“ I’m starting a new job, finishing my degree and I have a true passion for the arts. I’m proud of my work and the cards in my wallet represent my life.”
— Robert H. Marketing Director Corporate Technologies
Every person in your program has multiple identities, and securing and protecting those identities is no small task. Datacard® ID solutions empower enterprises to protect what’s most important to them in an increasingly connected world with trusted, long-lasting, secure ID cards.
Visit Datacard.com/ReID to learn more by downloading your free ID Solutions Guide.
© 2015 Entrust Datacard Corporation. All rights reserved.
DATACARD GROUP IS NOW ENTRUST DATACARD
CONTENTS
4 Catching Blockchain fever? There may be a more realistic cure for digital ID woes
6 ID Shorts: News and posts from the web
16 COVER STORY: Blockchain and identity. Will the vastly-hyped tech solve the digital identity challenge?
18 Identity application for distributed ledgers
19 Bitcoin and Blockchain for dummies
22 The future of credentialing in the U.S. government: Will smart cards have a role or will newer tech claim the throne?
26 Using advanced card materials with desktop printers: Adding durability, fraud-resistance to over-the-counter issuance
28 DHS testing mobile, attribute-based identity system for first responders
30 Card printer manufacturer series: Evolis grows rapidly
34 Federated identity: building trust in an untrustworthy world
36 E-Gates ease and secure international travel: Kiosks read passport, use biometrics to verify identity
37 New spec adds digital visas, stamps to ePassports
41 The ‘411’ on polycarbonate: Heavy-duty document material ups security of ID documents
44 Adding even more value to video surveillance: Identity and non-traditional use cases help orgs find funding
46 Identity vetting with the mobile: Startup verifies driver license forensic features prior to digital credential issuance
Fall 2016
5
ABOUT
EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andrew Hudson, andrew@AVISIAN.com
CONTRIBUTING EDITORS: Liset Cruz, Autumn Cafiero Giusti, Gina Jordan
ART DIRECTOR: Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com
SUBSCRIPTIONS: Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.
ABOUT REGARDING ID MAGAZINE: re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2016 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD: Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com
CATCHING BLOCKCHAIN FEVER? THERE MAY BE A MORE REALISTIC CURE FOR DIGITAL ID WOES ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
The fervor over Blockchain has reached a level I’ve never before witnessed in the identity and security market. My Twitter and LinkedIn feeds provide a daily dose of how Blockchain will save the world – I’m not exaggerating – and change the way we do business. In identity, the two basic models for Blockchain – or more accurately distributed ledger technology – put the individual at the center controlling every aspect of information given out. One has the individual doling out permission while the other acts as an attribute verification system – read our cover story to get the full rundown. In theory these ideas are great. Enabling an individual to control each piece of their data and who has access to it is a noble idea. If it is secure and simple to use, it could solve many of the problems with online identity. But it’s not going to happen. Not because the technology is out of reach, but because this level of user centricity would force online business models to be turned upside down. The fire hose of consumer data that marketers now receive would reduce to a trickle – only what consumers allow them to see. While it may be true that this information would be of greater value to companies – because consumers are actually giving consent and expressing interest – marketers still want the fire hose. And they work with sales to bring the money in, so even if IT likes this solution they won’t get it funded. This may prove to be a shortsighted decision on the part of companies. A user-centric model – whether employing Blockchain or another approach – puts the responsibility for data in the hands of the individual. If anything should be clear by late 2016, it’s that storing consumer data is a horrible idea. Enterprises are under almost constant attack and a breach has a massive, negative impact on a company’s reputation.
I’m not saying that distributed ledger technology is the answer to solve the problems with breaches; it’s largely untested and systems are yet to be stood up. There are a myriad of policy and technical issues that must be solved. And foremost, it would require fundamental change to the way most enterprises do identity. A more realistic idea would be for more organizations to embrace federated identity systems that exist today. The groundwork already exists – think logging on with Facebook – but they are not yet privacy enhancing, secure or widespread. But with some focused effort, these systems could be strengthened and linked to a high-assurance identity. Then granting the individual control over which attributes an organization can see would result in a solution that could rapidly address digital identity problems in the U.S. This might not be popular with those who think distributed ledger is the best thing since sliced bread, but it can solve a problem that exists now. The Blockchain crowd will argue that federated identity systems require an identity provider – someone at the center vouching for the individual – so the user is not really in control. But perhaps their vision of a fully decentralized model comes down the road, after the world gets comfortable with a more immediate and realistic first step. I admire the wholly decentralized, user-centric view of identity that Blockchain advocates promote, but much like Bernie Sanders and the idea of free college, I am not convinced that it’s realistic.
With PPG TESLIN® substrate, there’s security in numbers
[Infographic: 230,000,000 Driver’s Licenses; 240,000,000 National IDs; 50,000,000 Other Secure Government Credentials; 90 Countries; 25 Years; further figures (25,000,000; 500,000,000) for e-Passports and Certificates whose pairing was lost in extraction]
TESLIN® substrate has been trusted for more than two decades by governments and other institutions around the world to make credentials more secure.
As a stand-alone material or as part of complex multi-component secure credentials, Teslin substrate can be embedded with program-specific security features to deter document forgery and enhance credential authentication. In addition to accepting printed high-resolution security features, Teslin substrate reproduces high-definition color photos, enables laser-engraving and forms exceptional bonds with security inks, laminates, coatings and patches to permanently expose any evidence of tampering. Durable, yet flexible, Teslin substrate also helps cushion and protect embedded eID electronics against mechanical stress, greatly increasing eID service life in ways that stiff printable plastics can’t. When you’re ready to design a secure and durable credential that’s easy to authenticate and difficult to replicate, visit teslin.com/numbers. And discover why, with Teslin substrate, there’s security in numbers.
© 2016 PPG Industries, Inc. All Rights Reserved. Teslin is a registered trademark of PPG Industries Ohio, Inc.
ID SHORTS: HIGHLIGHTS FROM SECUREIDNEWS.COM
GEMALTO SECURING ELECTRONIC TRANSACTIONS IN THAILAND Gemalto will provide its LinqUs Mobile ID solution to Thailand’s Electronic Transactions Development Agency, which aims to develop secure online services nationwide. The solution will enable mobile users to perform any online transaction on the go, with high levels of security and convenience. Citizens will be able to access Internet banking, confirm payments and digitally sign documents for sensitive activities such as online loan applications or account updates, by simply entering a PIN on their mobiles. Complete development will be followed by nationwide rollout, enabling an array of secured services for 86 million subscribers, to drive the country’s digital economy plans.
ENTRUST DATACARD EASES IDENTITY WOES FOR BLACKBERRY USERS Entrust Datacard announced that the company has completed a technology integration between the Entrust IdentityGuard Mobile Smart Credential and the BlackBerry 10 Smart Card Service Framework. The integration is a step toward providing Entrust Datacard customers with frictionless, high assurance mobile solutions in combination with strategic partners like BlackBerry. The combined solution provides BlackBerry 10 users with secure access to both enterprise and cloud-based applications on their devices without the need for physical tokens or smart cards. Traditionally, smart card based access to sensitive enterprise applications has been limited to desktop or laptop computers. As mobile becomes the primary computing platform, government agencies and enterprises are now able to fully utilize the power of mobile devices and provide employees access to sensitive applications or documents without compromising security policies. The Entrust Mobile Smart Credential embeds a virtual smart card in mobile devices that secures user access to a range of mobile-enabled services with a single sign on including VPN access, web application access, encrypted email and digital form signing. The solution provides enterprise level security, while remaining transparent to the user and is specifically relevant for government agencies and enterprises that require high security or the ability to control user privileges. In addition to meeting the trusted identity needs of enterprise organizations, the Entrust® IdentityGuard Mobile Smart Credential solution helps U.S. government agencies address the NIST 800-157 Mobile Derived PIV credential standard by providing the required controls for provisioning identities and securing mobile access to applications and use.
CALENDAR
2016
Security of Things Conference, October 18 – 19, Hilton Rosemont Chicago O’Hare Hotel, Chicago, Ill.
Securing New Ground, October 19 – 20, The Grand Hyatt, New York City
ISC East, November 16 – 17, Javits Center North, New York City
TRUSTECH (formerly Cartes), November 29 – December 1, Palais des Festivals, Cannes, France
Gartner Identity & Access Management Summit, November 29 – December 1, Caesars Palace, Las Vegas, Nevada
2017
RSA Conference 2017, February 13 – 17, 2017, Moscone Convention Center, San Francisco, Calif.
2017 Payments Summit/ICMA Expo 2017, March 28 – 30, 2017, Renaissance Orlando at Sea World, Orlando, Fla.
ISC West, April 5 – 7, 2017, Sands Expo, Las Vegas, Nevada
Connect ID, May 1 – 3, 2017, Walter E. Washington Convention Center, Washington, D.C.
TRUSTED IDENTITIES NEEDED IN SHARING ECONOMY The sharing economy may be small but it’s growing. Be it renting an apartment, buying something on Craigslist or agreeing to a car sharing arrangement, it is a new way of doing business. Depending on the task, participation in this new economy ranges from just 6.2% of the population renting a personal item to another individual on up to 42% of individuals buying or selling items on Craigslist. So says a survey of 1,000 consumers in the U.S. sponsored by HooYu and conducted by Atomik Research via Power of Opinions. Participation in some sectors of the sharing economy may be low because of a lack of trust. Some 41% of respondents would want to know the identity of someone they were renting their property to beforehand, and 40% would want to know the identity of a babysitter or tutor for their children. Only a small percentage of people are happy to trust. Taking into account all types of sharing economy transactions across both regions, on average, 8% of consumers are happy to jump straight into a sharing economy transaction without worrying about the identity of the other party in the transaction being confirmed. 34% of consumers will not conduct any sharing economy transaction without assurance about the identity of the other party in the transaction. HooYu, a company that confirms the identity of individuals in this sharing economy, believes that verification can help the economy grow. The company uses identity attributes including social media, digital footprints, identity documents and facial biometrics. It reviews data from a person’s digital footprint to confirm their real-world identity, extracts and verifies data from ID documents and conducts a biometric facial check comparing a selfie of the customer with the image on their ID document. HooYu charges $9.99 for one check and $75 for 10.
EVEN STRONG PASSWORDS CAN BE LOST IN BREACHES OR PHISHING ATTACKS. FIDO ENABLES STRONG CRYPTOGRAPHIC OPERATIONS IN PLACE OF PASSWORD EXCHANGE
THURSBY PROVIDING IOS SUPPORT FOR DEFENSE LOGISTICS AGENCY Thursby Software Systems is providing software and support for two-factor authentication with Common Access Cards on Apple mobile devices for the Defense Logistics Agency (DLA). Over the past year Thursby Software has been working with the DLA on a pilot program that was deployed to more than 5,000 users. DLA employees with a government issued iPhone are able to plug their CAC into a smart card reader and use PKard for Good to browse two-factor web sites, including internal SharePoint sites. The users also have the ability to use Good for Enterprise in sync with PKard for Good to read and send signed and encrypted email. This three-year contract for agencywide support of iPhones and iPads makes DLA part of a series of agencies that Thursby Software has announced enterprise support for in the past year. Others include Navy’s Next Generation Enterprise Network and the United States Department of Agriculture.
IDESG UNVEILS REGISTRY FOR TRUSTED IDENTITIES The Identity Ecosystem Steering Group (IDESG) announced the Identity Ecosystem Framework (IDEF) Registry, a tool that enables companies to assess their own identity management methods against industry practices. The IDEF Registry will use the IDESG’s Identity Ecosystem Framework as a model so that organizations can build on common criteria for interoperability, privacy, security and usability. Meeting milestones in these subject areas is essential to ensuring that digital identities are protected and trustworthy online. Companies will self-attest to meeting the criteria and being placed on the registry. The registry is an actionable step to securing digital identities, and an opportunity for online identity service providers and owners and operators of applications that register, issue, authenticate, authorize and use identity credentials to prove that they operate secure platforms for their customers. Initial listers include MorphoTrust and PRIVO. To get placed on the registry, there are a few steps:
1. Determine role. Organizations determine their roles in the Identity Ecosystem, like provider of digital identity services or user of web services.
2. Perform self-assessment. Organizations perform a self-assessment to determine full or partial compliance with the IDEF requirements.
3. Complete and submit the IDEF Registry form. The IDESG will review the form, contact the organization with any questions and then publish the listing to the Registry.
Identity Ecosystem Framework (IDEF) Registry
PROVIDER | SERVICE | CORE OPERATION CATEGORIES
DigiCert, Inc. | Direct Certificates | Registration, Credentialing
MorphoTrust USA | MorphoTrust eID | Credentialing, Authentication, Authorization, Registration
Symantec Corporation | Norton Secure Login | Registration, Credentialing, Authentication
Tozny, LLC | PDS: Authenticator | Authentication, Registration, Credentialing, Authorization, Intermediation
Privacy Vaults Online, Inc. (PRIVO) | PRIVO-Lock and the PRIVO iD Platform | Registration, Credentialing, Authentication, Authorization, Intermediation
University of Maryland, Baltimore County | UMBC Retriever Stories | Authorization, Credentialing, Authentication
The IDESG has a pipeline of applicants and anticipates significant demand. Listing in the IDEF Registry is currently free for those who self attest.
FEDS: SMART CARD USAGE INCREASING The issuance and use of PIV smart card credentials for access to secure government systems and buildings is growing, while efforts to include the use of mobile credentials are gaining strength. Civilian worker PIV usage rose from 42% to 72% as a result of the push to increase usage of smart cards and is now more than 80%, says Trevor Rudolph, chief of the eGov Cyber Unit for the Executive Office of the President and the Office of Management and Budget. Also, hacks and breaches relating to weak authentication have decreased by 16% in the last two quarters of FY15. The GSA has also increased agency adoption of the PIV smart card, reporting a 20% increase in PIV issuance from GSA USAccess since the OMB initiative launched, says Jim Sheire, director of the Federal Identity, Credential, and Access Management (FICAM) Program at the GSA. Within Treasury, the use of PIV credentials is required for 100% of privileged users and 94% of unprivileged users, and PIV authentication is required for remote access solutions. Within Homeland Security, the use of PIV credentials is required for 98% of privileged users and 97% of unprivileged users.
SURVEY: IT EXECS FOCUSED ON PERIMETER, BUT MULTI-LAYERED SECURITY NEEDED Despite the increasing number of data breaches and more than 3.9 billion data records being lost or stolen worldwide since 2013, organizations continue to believe perimeter security technologies are effective against data breaches. This is one of the many findings of the third annual Data Security Confidence Index released by Gemalto. Of the 1,100 IT decision makers surveyed worldwide, 61% said perimeter security systems – firewall, content filtering, anomaly detection, etc. – were very effective at keeping unauthorized users out of their network. However, 69% said they are not confident their organization’s data would be secure if their perimeter security was breached. This is up from 66% in 2015 and 59% in 2014. Furthermore, 66% believe unauthorized users can access their network and 16% said unauthorized users could access their entire network. “The new reality is that IT professionals need to shift their mindset from breach prevention to breach acceptance and focus more on securing the breach by protecting the data itself and the users accessing the data,” said Jason Hart, vice president and CTO for Data Protection at Gemalto. According to the research findings, 78% of IT decision makers said they had adjusted their strategies as a result of high profile data breaches, up from 71% in 2015 and 53% in 2014. Some 86% said they had increased spending on perimeter security and 85% believe that their current investments are going to the right security technologies. Despite the increased focus on perimeter security, the findings show the reality many organizations face when it comes to preventing data breaches. Some 64% of those surveyed said their organizations experienced a breach at some time over the past five years. More than a quarter (27%) said they experienced a breach in the past 12 months, with a similar number of IT decision makers (30%) reporting the same frequency in 2015. This suggests that organizations have not made significant improvements in reducing the number of data breaches despite increased investments in perimeter security. “While protecting the perimeter is important, organizations need to come to the realization that they need a layered approach to security in the event the perimeter is breached. By employing tools such as end-to-end encryption and two-factor authentication across the network and the cloud, they can protect the whole organization and, most importantly, the data,” concluded Hart.
THE INEFFECTIVENESS OF PERIMETER SECURITY (infographic) New research reveals many IT decision makers have a “reality distortion field” when it comes to the effectiveness of perimeter security.
PERCEPTION
Self belief: 85% believe that their current investments are going to the right security technologies.
Effective security: 61% of IT decision makers believe their perimeter security systems were very effective at keeping unauthorized users out of their network.
Spending: As a result, 68% said they will increase spending on perimeter security.
REALITY
Stolen: 3.9 billion, the number of data records stolen since 2013.
Low confidence: 69% of IT decision makers said they are not completely confident their organization’s data would be secure if their perimeter security was breached.
Breach: 27% said their company had experienced a perimeter security breach in the past 12 months.
Threats: 66% believe unauthorized users can access their network; 16% said unauthorized users can access their entire network.
CONSEQUENCES
92% of companies have suffered commercial consequences.
Delays: 36% of companies have had a delay in product or service development.
Low confidence: 31% of companies said employee productivity or confidence decreased.
Delays: 28% of companies had a delay in getting a product or service to market.
27% of companies said it affected their bottom line.
INFINEON RELEASES FIDO CERTIFIED BLE DESIGN Infineon Technologies released a FIDO-certified Bluetooth low energy (BLE) reference design for wireless authentication tokens. By using such a token in addition to their password, consumers can authenticate their online activities on mobile devices. “Sixty-three percent of all successful online breaches can be tracked back to inadequate passwords,” said Joerg Borchert, vice president of the Chip Card & Security Division at Infineon Technologies Americas Corp and Board Representative in the FIDO Alliance. Bluetooth low energy is a communication protocol for connecting an authentication token to mobile and wireless applications using devices that do not have a USB port. At the core of the FIDO BLE reference design is an Infineon Secure Element, which performs the operation and securely stores the code. Being certified and FIDO-ready, the reference design allows manufacturers of connected security devices to easily integrate the FIDO U2F (Universal Second Factor) standard with the BLE transceiver of their choice. The FIDO Alliance’s U2F standard uses public key cryptography to add second factor authentication to online login services.
MARYLAND ISSUING NEW DRIVER LICENSES Gemalto announced that the Maryland Department of Transportation’s Motor Vehicle Administration began rolling out its new secure and redesigned driver licenses and identification cards across the state. The polycarbonate-based driver licenses give Maryland residents a tamper-resistant credential that reduces document forgery and protects against identity fraud. Maryland selected Gemalto’s line of Sealys Secure Documents for the new polycarbonate driver licenses that includes laser-engraving, hidden security elements and tactile features specifically designed to improve document security. The material’s durability also increases the longevity of the driver license, fulfilling a state requirement to extend the document’s validity period to eight years. Maryland also chose Gemalto’s Coesys Issuance Solution to personalize and produce residents’ driver licenses and ID cards centrally within MVA’s secure, state-of-the-art issuance center. Gemalto’s central issuance solution fully aligns with Maryland’s goal of maintaining REAL ID compliance while offering additional security benefits. The central issuance of driver licenses and ID cards further enhances security by limiting access to card materials, equipment and personal information.
MALI TAPS OBERTHUR FOR EPASSPORTS Oberthur Technologies is supplying a solution for issuing electronic passports to the Government of the Republic of Mali. The 10-year contract sees Oberthur assuming complete responsibility for Malian passports – from collection of payment from citizens to registration and validation of applications, through to production, personalization and distribution of the passports. Mali’s new electronic passport features the latest security innovations and includes fingerprints, further increasing the passport’s level of security.
DAON UNVEILS FIDO QUICK START Daon announced the launch of FIDO Quick Start to provide qualifying organizations with access to a hosted IdentityX FIDO Universal Authentication Framework Server at no cost in order to evaluate the suitability of biometric authentication for their needs. Relying Parties will be able to deploy and evaluate FIDO standards-based authentication under the initiative. Daon is a board member of the FIDO Alliance and its IdentityX Platform was one of the first products to earn a FIDO Certified designation. The objective of Daon’s FIDO Quick Start initiative is to accelerate adoption of FIDO authentication, and it will be available to qualifying organizations that want to test a FIDO standards-based solution with the goal of offering their customers a passwordless experience. Organizations will be able to see and test a working implementation of a FIDO UAF Server, including configuration of applications, facets and authenticators. FIDO Quick Start will enable customers to run through the registration process as well as authentications using biometrics such as fingerprint, face and voice with access to a working demo application, or they can choose to create their own with documentation provided by Daon.
REPORT: NO MORE PASSWORDS IN A DECADE TeleSign released a report that found that 69% of security professionals believe usernames and passwords alone no longer provide sufficient security and 72% predict passwords will be phased out within nine years. The report, Beyond the Password: The Future of Account Security, shows that security professionals are turning to behavioral biometrics and two-factor authentication to secure user accounts. Findings from the report include:
- Behavioral biometrics and two-factor authentication increase account security and are on the rise
- Nine in 10 companies say behavioral biometrics would be extremely or very valuable for increasing security and eight in 10 say it would increase security without degrading the user experience
- More than half of companies – 54% – plan to implement behavioral biometrics in 2016 or later
- Eighty-five percent of companies will be using two-factor authentication within the next 12 months, with four in ten already using it for their consumer accounts with another 40% planning to adopt it in the next year
- Ninety-two percent of security pros agree two-factor authentication significantly increases account security on top of passwords
- Online fraud remains a top concern for companies, with 86 percent reporting they are extremely or very concerned about authenticating the identity of web and mobile app users. In the past year, 9 in 10 companies have experienced fraud and 79% are concerned about account takeovers.
Commissioned by TeleSign and conducted by Lawless Research, the study surveyed 600 security professionals across 15 industries in the U.S. and revealed that securing consumer accounts is a top concern for businesses.
TASCENT UNVEILS MULTIMODAL BIOMETRIC CAPTURE, VERIFICATION DEVICE Tascent’s new M6 mobile biometric device works in conjunction with the Apple iPhone 6 or 6s to form a multimodal biometric platform for a variety of identification applications. The M6 supports iris, face, fingerprint, and voice biometrics, and is designed to meet the global demand for establishing and verifying identity. The device is designed for a range of applications, from consumer travel and financial services to public safety and humanitarian aid. The product is offered in two configurations, with one supporting fingerprint, face, and voice biometrics and the other enabling the full complement of iris, fingerprint, face and voice biometrics. With these devices, the Tascent M6 is capable of dual-eye iris capture and dual-print or rolled fingerprint capture, even in bright sunlight. M6 has received the FBI’s Appendix F FAP45 certification for fingerprint capture, and meets international standards for biometric and product performance. As a Made for iPhone product, Tascent M6 leverages iOS and the iPhone to deliver advanced capabilities critical to the deployment of biometrics and identity, including FIPS 140-2-certified encryption, advanced wireless communications, GPS, and the iSight camera.
HID BUYS DEMOTELLER
HID Global announced its acquisition of DemoTeller, a provider of instant issuance solutions for the financial market. With this acquisition, HID Global is able to address the needs of financial institutions and retailers for instant issuance of personalized payment cards and EMV cards. DemoTeller’s offerings expand HID Global’s secure issuance portfolio to include financial instant issuance software, card printers and HSM hardware. DemoTeller enables HID Global to sell a financial instant issuance solution to financial institutions and retailers, addressing the needs of payment card issuers wanting to offer their customers instant access to their payment card offerings. The DemoTeller solution, coupled with HID printers and consumables, gives financial institutions and retailers the ability to hand a customer a personalized card that is activated, which increases the likelihood that the customer will use it immediately.
FORGEROCK UNVEILS PASSWORDLESS ID PLATFORM
New capabilities in the ForgeRock Identity Platform enable organizations to deploy a secure, frictionless user experience using push notifications. The platform now supports passwordless login and seamless second-factor authentication capabilities for continuous security. Where other identity management products offer passwordless login at the start of a session, ForgeRock invokes passwordless, second-factor authentication at any time during a session should an anomaly occur. For example, if the laptop switches from a secure company Wi-Fi network to an unsecured network in a coffee shop, re-authentication would be invoked via a required response to a push notification sent to the user’s phone. This could require a biometric Touch ID input, a swipe or other action to maintain secure access to an online service. This kind of continuous security without passwords is going to become increasingly important for a frictionless customer experience in any number of business cases – from securing smart car and smart home applications, to health care devices, wearables, mobile banking and industrial IoT situations where ease of use and high access security are essential. With billions of Internet of Things devices and services coming online – Gartner forecasts that 20.8 billion connected things will be in use worldwide by 2020 – the conventional username and password approach will no longer be workable. Also, Forrester expects that with computing power increasing dramatically, even passwords 14 to 20 characters long will be readily crackable and largely ineffective for protecting high-risk assets and transactions by 2019. Passwordless authentication not only improves the user experience but can also increase the level of security organizations provide to their customers while reducing cost and administrative workload. In a typical ForgeRock implementation, the first authentication step happens via the Internet. The second method is ideally completed over a separate network – out of band – as is the case with push notifications that travel over the air to handsets. These steps make it more difficult for potential cybercriminals, who would need to compromise both an individual’s laptop and mobile device to gain access to user data. Additionally, using push notifications provided through an authenticated mobile app is often dramatically less expensive than conventional token-based approaches, which often include hidden costs associated with deploying hardware and software, token licenses, maintenance and help desk costs.
BLOCKCHAIN AND IDENTITY: CURE-ALL OR SNAKE OIL?
Will the vastly-hyped tech solve the digital ID challenge?
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
“Step right up, step right up. I am here today to tell you about the cure to all your information technology woes. It has a name, just one word… Blockchain! “This distributed ledger system will do it all. It will solve identity and access management woes, modernize banking systems and enable smart marketplaces. Blockchain is the only solution you need to cure all of your IT ailments.”
More than $1 billion has already been invested in startups and established companies working with distributed ledger technologies such as Blockchain. In the past 18 months the idea of using Blockchain for identity-related applications exploded onto the scene. “I have never seen anything as hyped as Blockchain in the identity space,” says Mance Harmon, senior director of Labs at Ping Identity. In early 2015 a leading identity conference featured just one session on Blockchain. This year, the same conference was virtually all Blockchain, all the time. There are different models for how the technology could be used for identity applications. Some propose enabling consumers and citizens to control every aspect of their identity in a digital world. Others see it empowering a universal identity attribute validation service. There are also more mundane tasks, such as making sure employees are logged out of all systems in single sign-on environments.
WHAT IS IT?
Blockchain is a distributed ledger technology used to keep track of Bitcoin cryptocurrency transactions. Bitcoin is a popular digital currency that operates without a central bank, making it both appealing to privacy-centric users and problematic to governments. “Bitcoin started with the cipher coders that are libertarian or anarchist in their leanings,” says Harmon. “That group gravitated toward it and created a lot of excitement. They bootstrapped the whole thing and people realized there were use cases in financial services.” Distributed ledgers create a data structure – like a chain – where records of every single Bitcoin transaction live. To prevent “double spend,” all Bitcoin transactions are validated and then permanently archived in the cryptographic ledger or chain.
The validation is done via a peer-to-peer process that is hugely compute-intensive. It is supported by a global network of volunteers – known as “miners” – who are incentivized mainly by Bitcoin’s mining reward. The current reward is 25 Bitcoins awarded every 10 minutes to a single successful miner. With the exchange rate around $600 for every one Bitcoin, that is a $15,000 bounty. There is also a way to levy transaction fees on Bitcoin movements. Many in the financial service market were excited at the prospect of Bitcoin being able to upgrade an aging infrastructure. “Some see distributed ledger technologies as a broader way to democratize financial transactions,” Harmon says. In essence, Bitcoin uses cryptography to enable participants on the network to update the ledger in a secure way without the need for a central authority. The key to Blockchain was to agree on the order of entries in the ledger. Once this was in place, distributed control of Bitcoin was possible.
Identity application for distributed ledgers
Distributed ledger technology may find its place in certain identity applications that are a bit more niche. Ping Identity found one of these applications with universal logout for single sign-on environments. An overlooked problem for enterprises is making sure employees are logged out of systems. “The identity industry solved the single sign-on problem with SAML and then OAuth, but on the flipside, universal logout has not been solved,” says Mance Harmon, senior director of Labs at Ping Identity. To help solve this problem, Ping announced a seed investment in Swirlds, a new platform that uses hashgraph to solve the universal logout problem and create a new standard for Distributed Session Management. Hashgraph is a type of distributed ledger – similar to Blockchain. Global logout is necessary in case an employee is terminated or the employee’s device is lost or stolen. When applied to identity management, the Distributed Session Management system built on the Swirlds hashgraph platform reduces risk by giving IT organizations a “kill switch” for identity authentication in instances of employee termination and lost or stolen devices. The standard enables global session logout for all active single sign-on and application sessions across both web and mobile apps, independent of the identity protocol being used. It also generates a cryptographic timestamp and proof of receipt, providing the assurance and certainty that session commands are received and when they were received. The system puts in place a session management database that the identity provider uses and that each of the apps enabled by single sign-on also has access to, Harmon says. When an employee logs into an app, an authentication session is placed into the session management database and hashgraph ensures that the record is accurate. Niche use cases like this are where distributed ledgers may prove most useful.
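The shared session database the sidebar describes, as an added example written for this page (not Ping Identity’s or Swirlds’ code): a registry the identity provider writes to and every SSO-enabled app reads from, a global-logout "kill switch" that revokes all of one user’s sessions at once, and a timestamped, MAC-protected receipt for each session command. The hashgraph consensus that keeps replicas of the registry in agreement is assumed to sit underneath this class and is not modelled; the key, user names, app names and session ids are constructed for illustration.

```python
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Constructed key held by the session-management service (example only).
# Apps and the identity provider use it to verify receipts.
RECEIPT_KEY = b"example-session-service-key"


class SessionRegistry:
    """Session database shared by the identity provider and every SSO-enabled app.

    Only the registry is modelled; keeping replicas consistent (the hashgraph
    part in the text) is assumed to happen below this class.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}               # session_id -> {"user", "app", "active"}
        self.by_user = defaultdict(set)  # user -> set of session ids
        self.log = []                    # ordered, receipted session commands

    def _receipt(self, command: dict) -> dict:
        """Attach a timestamp and a MAC: proof that the command was received, and when."""
        command = dict(command, ts=self.clock())
        body = json.dumps(command, sort_keys=True).encode()
        command["mac"] = hmac.new(RECEIPT_KEY, body, hashlib.sha256).hexdigest()
        self.log.append(command)
        return command

    def login(self, user: str, app: str, session_id: str) -> dict:
        """Identity provider records a new authentication session for one app."""
        self.sessions[session_id] = {"user": user, "app": app, "active": True}
        self.by_user[user].add(session_id)
        return self._receipt({"op": "login", "user": user, "app": app, "session": session_id})

    def is_active(self, session_id: str) -> bool:
        """Each app asks the registry on every request instead of trusting only its own cookie."""
        s = self.sessions.get(session_id)
        return bool(s and s["active"])

    def global_logout(self, user: str) -> dict:
        """The kill switch: revoke every session the user holds, in every app, in one command."""
        for sid in self.by_user[user]:
            self.sessions[sid]["active"] = False
        return self._receipt({"op": "global_logout", "user": user,
                              "revoked": sorted(self.by_user[user])})


def verify_receipt(receipt: dict) -> bool:
    """Check that a receipt was issued by the service and has not been altered."""
    body = {k: v for k, v in receipt.items() if k != "mac"}
    expected = hmac.new(RECEIPT_KEY, json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["mac"])


def demo():
    # Fixed clock so the run is deterministic (constructed timestamp).
    reg = SessionRegistry(clock=lambda: 1_475_000_000.0)
    reg.login("alice", "mail", "s1")
    reg.login("alice", "hr-portal", "s2")
    reg.login("bob", "mail", "s3")
    before = [reg.is_active(s) for s in ("s1", "s2", "s3")]
    receipt = reg.global_logout("alice")      # alice's device is lost: revoke her everywhere
    after = [reg.is_active(s) for s in ("s1", "s2", "s3")]
    return before, after, receipt["revoked"], verify_receipt(receipt)


if __name__ == "__main__":
    print(demo())
```

Because the apps consult `is_active` rather than their own cookies, one `global_logout` call ends alice’s sessions in both apps while bob’s session in the same app is untouched, and the receipt lets an auditor confirm later that the revocation was recorded and at what time.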
Financial services companies are looking at it for a range of applications, says Thomas Hardjono, technical lead and executive director at the MIT Internet Trust Consortium. One application would have a distributed ledger used to keep track of an employee’s pre-IPO shares of a company, Hardjono says. For example, if a software engineer is working at a startup this ledger would be used to keep track of how many shares are issued to the employee. “They want to have a Blockchain underneath it so it would be an immutable ledger,” Hardjono explains.
“It started with Bitcoin, but then people realized you could store more than financial service records in the ledger,” says Harmon. People started looking at use cases for Blockchain and other distributed ledgers, and identity quickly came to the surface. Here’s where we need to pause for a moment and talk semantics. Blockchain is the system used for keeping track of Bitcoin transactions. The underlying technology is a type of distributed ledger. It’s the distributed ledger that many are advocating to solve the world’s problems. Blockchain is just one flavor. “All the ingredients have existed in the past, what Bitcoin did was put it all together in a specific recipe,” says Thomas Hardjono, technical lead and executive director at the MIT Internet Trust Consortium. When people say they’re going to use Blockchain for applications other than Bitcoin, that’s not really accurate. They’re using distributed ledger technology. From here on out we will use “distributed ledger” when talking about these new types of identity systems. A handful of companies have already emerged attempting this new approach to put identity into the hands of the individual.
DEFINING SELF-SOVEREIGN IDENTITY
Imagine a world where upon birth an individual’s name, date of birth, parents and some other biographical data are recorded and stored in a distributed ledger. That individual – only hours old – and her parents own that record and data, not a company, state or federal government. The identity can be used to register for school and enable access to health care and other social services. At a certain age the individual takes sole possession of their identity and can use it for a host of purposes – establishing social media accounts, opening bank accounts, signing contracts and applying for a driver license. Over time, the identity will receive attestations – credit scores, identity proofing – that give it a high assurance to be used in the same way that someone shows a passport or driver license in the real world. But the owner decides what information is given up from that self-sovereign identity. It never leaves the individual and is always under her control. This is the model that a couple of organizations are looking at to change the way identity is managed in the digital world. ID2020 wants to enable identity for the 1.5 billion people in the world currently without one, says Dakota Gruener, executive director at the not-for-profit organization. ID2020 is working toward U.N. Sustainable Development Goal 16.9 – legal identity for all – so that government and non-government organizations can help all people become part of society, financially included and economically active. The group seeks to create a system by the year 2020 that would be technically and legally compliant for children regardless of nationality, origin or status. The scenario ID2020 envisions gives the individual complete control over their identity. “We have this vision where people can self-provision bits and pieces of their identity to others,” Gruener says. “People can say ‘this is my identity and I disclose what I choose.’” This same idea is driving Evernym, a company looking to use distributed ledger technology for identity, says Timothy Ruff, co-founder and CEO at the company. He thinks the current conversations about
Bitcoin and Blockchain for dummies
The term ledger conjures up images of large, leather-bound books used to record transactions of payments and goods to different people. In the 1987 movie “The Untouchables” Al Capone had two ledgers, one for official business and one that was a true record of his criminal enterprise. Blockchain takes the ledger concept and puts it online. But instead of just one person – the bookkeeper in the movie for instance – being able to record transactions, many people can do so with Blockchain. It is a peer-to-peer distributed ledger of time-stamped transactions. Blockchain’s distributed ledger system is used to keep track of Bitcoin transactions. Blockchain eliminates the need for central authorities and enables each user of the system to maintain their own copy of the ledger. It also keeps all copies of the ledger synchronized through a consensus algorithm. Bitcoin miners do the recording and validation of the transactions. The miners are necessary to prevent ‘double spend.’ Double spending is the electronic currency version of counterfeiting. In the real world if you receive a $5 bill it’s likely to be real, but online that’s not necessarily the case. “In the digital world, a computer file version of a $5 note, like an MP3 file or an MS Word document, can be copied perfectly at effectively no cost. There’s no way to tell which file is the original, and the ease of copying means counterfeit currency could rapidly overrun the economy,” according to a report on Coincenter.org. To prevent this, the Blockchain is checked for every transaction. “Bitcoin’s trick is to register every single transaction on one public tamper-proof ledger called the Blockchain, which is refreshed in such a way that the whole community in effect votes on the order in which transactions are added or, equivalently, the time when each coin is spent,” the report states. A fraudster can try to re-spend already used Bitcoins, but if they don’t check out on the Blockchain, miners won’t record them and the community ignores the attempt at fraud. If a transaction is validated, however, the miner adds it to their personal list of all valid transactions conducted over the last few minutes. Every 10 minutes, one miner will be selected to add their personal list – a new block – to the official Blockchain, thus keeping the public record up to date. To combat fraud, the Bitcoin protocol makes miners compete. A different miner is empowered to write each block. The Blockchain ledger is periodically hashed to keep it to a manageable length, but all transactions are visible, archived in effect for all time.
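The mechanics the sidebar describes, reduced to a toy: blocks linked by the hash of the previous block, a miner searching for a nonce that meets a difficulty target before it may append its block, and the ledger check that refuses a transaction spending a coin the chain already shows as spent. This is an added example written for this page, not code from the magazine, from Bitcoin or from any vendor; the block layout, the two-leading-zero difficulty, the coin names and the transaction shape are constructed for illustration, and real transaction formats, signatures and peer-to-peer propagation are deliberately left out.

```python
import hashlib
import json

DIFFICULTY = 2  # leading hex zeros a block hash must have; tiny so the toy runs fast (constructed)


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def block_hash(block: dict) -> str:
    """Hash of the block's contents; the next block stores it as prev_hash, forming the chain."""
    header = {k: block[k] for k in ("index", "prev_hash", "txs", "nonce")}
    return sha256_hex(json.dumps(header, sort_keys=True))


def mine_block(index: int, prev_hash: str, txs: list) -> dict:
    """Toy proof of work: try nonces until the block hash starts with DIFFICULTY zeros."""
    block = {"index": index, "prev_hash": prev_hash, "txs": txs, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


class Ledger:
    """Append-only chain plus the set of unspent coins that a miner consults to reject double spends."""

    def __init__(self):
        self.chain = [mine_block(0, "0" * 64, [])]   # genesis block
        self.unspent = {"coin-A", "coin-B"}           # constructed starting balances
        self.pending = []                             # valid transactions awaiting the next block

    def submit(self, tx: dict) -> bool:
        """Validate one transaction the way a miner would before adding it to its list."""
        spends = set(tx["spends"])
        if not spends <= self.unspent:        # a coin is unknown or already spent: double spend
            return False
        self.unspent -= spends
        self.unspent |= set(tx["creates"])
        self.pending.append(tx)
        return True

    def seal_block(self) -> dict:
        """The selected miner writes its list of valid transactions as the next block."""
        prev = self.chain[-1]
        block = mine_block(prev["index"] + 1, prev["hash"], self.pending)
        self.chain.append(block)
        self.pending = []
        return block

    def verify(self) -> bool:
        """Any copy of the chain can be checked: stored hash, proof of work, and the link to the prior block."""
        for i, block in enumerate(self.chain):
            if block["hash"] != block_hash(block):
                return False
            if not block["hash"].startswith("0" * DIFFICULTY):
                return False
            if i > 0 and block["prev_hash"] != self.chain[i - 1]["hash"]:
                return False
        return True


def demo():
    ledger = Ledger()
    ok1 = ledger.submit({"id": "tx1", "spends": ["coin-A"], "creates": ["coin-C"]})
    ok2 = ledger.submit({"id": "tx2", "spends": ["coin-A"], "creates": ["coin-D"]})  # re-spends coin-A
    ledger.seal_block()
    valid_before = ledger.verify()
    ledger.chain[1]["txs"][0]["creates"] = ["coin-Z"]   # tamper with an archived transaction
    valid_after = ledger.verify()
    return ok1, ok2, valid_before, valid_after


if __name__ == "__main__":
    print(demo())
```

The second transaction is refused because the ledger already records coin-A as spent, and editing a transaction inside a sealed block breaks the stored hash, which is what makes the archived history tamper-evident for anyone holding a copy.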
digital identity are too focused around access. “Self-sovereign identity is something permanent that you control and nobody can take away,” Ruff explains. “It’s something you can use to connect to someone or something else. It’s not just about access.” A baby born in a small village in a third world country doesn’t need access to anything, but they do need an identity, says Ruff. As they get older that identity can grow with them, they can use it for access and they can choose what information to give up. Evernym envisions a system that uses a combination of encryption, digital signatures and biometrics to secure the data and link it to the owner. “This is a permanent digital existence that everyone in the world should have,” Ruff explains. “Even if the government doesn’t recognize it at first, they will have to in time.” Evernym is using the term self-sovereign identity but Ruff sees it more as a self-sovereign digital existence. “An account that is yours forever fundamentally changes the way we interact, the way we buy things, the way we manage consent,” Ruff says. This idea is not without its share of obstacles. The government is the issuer of
identity documents, everything from birth certificates and Social Security cards to driver licenses and passports. If governments don’t accept a credential issued through such a system it would be a problem. Governments would have to buy into these systems to make them successful. “If this is seen as a challenge to nation states, some governments might not be excited about facilitating the system,” Gruener says. If a country already has a national identity program in place this self-sovereign identity can exist alongside that program, Gruener says. “They don’t have to be at odds,” she adds. It will be crucial to bind or link the record created at birth with the individual as they grow up. “The biometric piece is very important because it’s a way of validating the individual,” she says. “The challenge is that the standard set of biometrics – iris or fingerprint – don’t work well on an infant.”
SECURE ATTRIBUTE BROKER
Evernym and ID2020 envision a system where the user is at the center, doling out permission at will. Another model uses distributed ledger technology as an attribute verification service with a federated identity scheme. Instead of having identity at the center and doling out permissions, relying parties would ping the ledger to verify necessary attributes, says Andre Boysen, chief identity officer at SecureKey. As it stands now people have two identities, one online and one in the real world. The model that Boysen proposes would have that real world identity verified and then secured with a digital signature in a distributed ledger. Anytime someone wanted to verify an attribute they would check the ledger. This model could offer additional privacy as well. The relying party would be able to trust the data, even though they don’t know where it’s coming from, and the ledger wouldn’t know who is checking the data. Put all of this into a federated identity scheme and it could solve a lot of problems, Boysen says. This type of federated identity standard could serve as the model for an “identity grid,” Boysen says. Identity now is where electric production was in the 1800s when each company produced its own electricity in each town. Then the realization dawned that by pooling efforts there could be efficiencies gained. The same may be true for identity. A system like this could move more transactions online and enable greater efficiencies, Boysen explains. Storing pointers to identity data may be the way distributed ledgers make their way into identity, says Eve Maler, vice president of innovation and emerging technology at ForgeRock. Distributed ledgers cannot be erased so individuals wouldn’t be able to change information stored there. “Identity information can change and if you’re under regulations where you have the right to erasure there’s a problem because you can’t erase anything on a ledger,” she explains. SolidX is a new company that aims to let consumers receive attestation to their distributed ledger identity making it a strong, high-assurance tool, says Bryan Reyhani, chief commercial officer at the company. Those bits of attestation and identity information would be stored in a distributed ledger and secured with PKI, Reyhani says.
“Today, cloud-based identity solutions are about personally identifiable information, and they’re a central honeypot,” he explains. SolidX’s solution stores a public key in the distributed ledger and the private key on the user’s phone, Reyhani says. When accessing different sites with the login, the user would choose the SolidX credential from a menu that would prompt the user to authenticate on the mobile device with either a fingerprint or PIN. After the authentication is validated the user would gain access to the site.
TOO GOOD TO BE TRUE?
While distributed ledger and Blockchain might be the hot topics for identity right now there are still a host of naysayers. “Self-sovereign identity is a flimsy definition of something that is utopian,” says Steve Wilson, vice president and principal analyst at Constellation Research. “The libertarians are conflating the idea of identity with personal data stores.” Wilson likes the idea of personal data stores – a place where consumers can manage information – but they have nothing to do with identity. “Identity is a relationship one person has with another,” he explains. “Identity is how I am known in context with someone else.” He is less keen on the idea of self-sovereign identity. “You have displaced people crossing oceans and land with no paperwork; how does Blockchain help them?” he asks. The more realistic scenario is the refugee landing in a camp and working with aid workers to re-establish an identity, Wilson says. “Self-sovereign is a mirage, it doesn’t help that refugee,” he adds. Some say the idea of self-sovereign identity is similar to user-managed access or user-centric identity. User-centric systems enable an individual to control when they’re giving up information and what they are willing to share.
Some worry that user choice will not always be sufficient. “Self-assertion is fine when it comes to aisle versus window, smoking versus non-smoking but when it comes to an emergency situation in the hospital they’re still going to check your blood type even if you tell them what it is,” Maler explains. In order to accept third-party attributes there need to be trust frameworks put in place. As it stands now, relying parties accept attributes from third parties when they are incentivized, such as getting money or obtaining marketing data. “Maybe eventually we’ll have more trust when it comes to distributed systems but for right now I think it’s more aspirational,” Maler adds. Self-sovereign identities have to be accepted in the real world and that may be a challenge, says MIT’s Hardjono. “It sounds catchy but it needs to be grounded in reality,” he explains. “An identity needs to be accepted by relying parties.” While some make the case for distributed ledger systems to have some applications in the identity space, there is a lack of understanding from many of the market newcomers, says Jeremy Grant, managing partner at the Chertoff Group. “There’s a wave of people and companies flooding into the identity market making bold claims about how the Blockchain will solve identity,” Grant says. “Unfortunately, most of them don’t understand enough about the basics of digital identity to speak intelligently on the topic, let alone answer tough questions about why Blockchain technology provides a better approach than other technologies.” “There may yet be a great application for Blockchain in digital identity, but it will have to overcome the damage being done to the concept by this wave of ignorance,” says Grant.
THE FUTURE OF CREDENTIALING IN THE U.S. GOVERNMENT
Will smart cards have a role or will newer tech claim the throne?
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
THE DEFENSE DEPARTMENT CIO CLAIMS THE DOD’S SMART CARD WILL BE REPLACED IN THE NEXT TWO YEARS BY AN AGILE, MULTI-FACTOR AUTHENTICATION SYSTEM
In June Defense Department CIO Terry Halvorsen told a conference crowd that the Common Access Card – the smart card that enables Defense employees to access computer networks and physical facilities – will be gone in the next two years. It would be replaced with an “agile,” multi-factor authentication system. The cards would be replaced by “some combination of behavioral, probably biometric and maybe some personal data information that’s set from individual to individual.” The sole use of the smart card would be for physical access control. There is no mistaking what Halvorsen said, and he doubled down on the comments the following week. But others argue that the reality is much different and that the Common Access Card and the PIV used by other federal agencies aren’t going away. For that to happen HSPD-12, the directive signed by President George W. Bush calling for a standard and interoperable credential across all agencies, would have to be repealed, according to government sources. There’s also a question of budget, says one government insider. It would take at least two years for any new type of authentication system to be properly funded. The other problem is that any behavioral, continuous biometric systems – such as the one Halvorsen mentions – would have to go through thorough, time-consuming testing and certification before being used by federal agencies. Halvorsen’s comments do allude to a changing future. While the federal government is unlikely to stop issuing smart cards anytime soon, there will be an increased focus on the use of other approaches to authentication, including derived credentials on mobile devices that can secure access to data and enable digital signing of emails. But the smart card will persist, says one government official. Nothing can replace the security and convenience of using smart cards in a desktop work environment. There is also pricing leverage with the smart card. As it’s used for more applications – both physical and logical – the relative cost of the credential goes down. The mobile device will play an increasingly prominent role in identity and authentication as the years pass, but it will take a culture shift to kill the card form factor, says Steve Howard, principal at Endeavor Blue LLC. “People are used to seeing the physical badge when you’re walking around,” he explains. “It’s so ingrained in people that it isn’t going away anytime soon and nothing can replace that.” With conflicting opinions as to the smart card’s role in the government enterprise, we asked several identity experts to share thoughts on the future of identity and authentication in the federal government.
THE FUTURE OF IDENTITY
Mike Garcia and Paul Grassi, NSTIC NPO
The future of identity depends on use case. Here at the NSTIC offices, we focus primarily on consumer identity across a range of services, from low assurance/low risk to high assurance/high risk. We also dabble in government and enterprise identity, both just as important and flush with awesome possibilities as it relates to new innovations. But we’ll keep it succinct and let other experts cover the enterprise. In many instances, high assurance/high risk transactions mean the relying party wants to know the actual carbon-based unit behind a digital identity. This is often quite legitimate, but should not be the default when an affirmed attribute would suffice for delivering the service. We see the following as the new normal:
Bring your own
This isn’t completely new to the identity industry, but we can’t emphasize enough how important it is. Market-driven, innovative technologies that users can pick based on their likes and risk tolerance are what we want and where we believe the market is headed. Organizations, in and out of government, need to get out of the business of issuance and into the business of acceptance. There is less customer friction here – I definitely don’t want another username, password, AND second factor. This also results in cheaper operational and compliance costs for the organizations that embrace this approach. This will only get more attractive to consumers as smart organizations build usability into their solutions without sacrificing security.
Attributes, not identity
The digital economy needs validated attributes, and doesn’t need to validate them over and over again as consumers move from service to service. We also don’t need to share everything about ourselves to make a purchase or apply for a benefit or service. Pseudonymous identity should cut it so long as verified and validated attributes ride along with that pseudonym.
Claims, not attributes
As an extension of that, the use of attributes rather than full identity will shrink to attribute claims, or partial or derived release of an attribute value. The classic example of this is having an attribute provider assert “age >= 21” rather than “birth date = January 1, 1950”. Again, service delivery may not depend on a full date of birth, so why ask for it? We’re doing our part in shifting to this model in draft 800-63C. Section 6.4 addresses protecting information and levies the following requirements onto relying parties and credential service providers: “The relying party shall, where feasible, request attribute claims rather than full attribute values. The credential service provider shall support attribute claims.”
User centricity
We were just talking in the office about how we don’t emphasize this aspect of the NSTIC nearly enough. User centricity has two components, with one building off the other. Users will have more control of their information. They will still be asked to provide information to obtain a service or benefit, but they will be able to challenge a relying party that is asking for too much. Today, if a relying party asks for too much, the user either gives the data away or doesn’t get the online service. In the future, the user can digitally communicate that “my full birthdate is beyond the need of this service, but I’m willing to tell you my age or maybe just that I am older than the minimum required age.” So long as the information is enough to fulfill the transaction, it should go forward. The relying party will be able to pivot from its original request, and work with the information granted by the user to provide the service. Today if you don’t consent to release the specifically requested attribute, you’re dead in the water – dropping off the service is your only option. In the future, options will exist.
The second component is how this information will be supplied. Our digital wallets, on a mobile phone or other device, will contain digital attributes and identity. The relying party will go to the user to obtain the data necessary for a transaction. A direct connection to an attribute provider or broker will no longer exist. The data will be validated and cryptographically protected so the user can’t tamper with attributes that have been validated by others, for example that they’ve obtained a degree from a particular university, but he or she will control, when, where, and to whom it goes. And he or she will be able to pull it back when they want. Self-destructing data, not data proliferation Speaking of pulling data back, attribute information will ride along with metadata. Organizations may not interrogate any or all of the metadata, but if it doesn’t exist, the organization will throw it out or accept accountability – and the potential negative impact – of handling unlabeled data.
The data will also know what its usage rules are, as set by the user or the authoritative organization, a process in which the user could also be involved. So even if an organization ignores the metadata, the data itself will know when it's being misused and will "poof!" disappear.

And on another thread altogether, reputation

Identity proofing remains the stickiest wicket in the world of online identity, and traditional methods, even with innovation, may not capture the desired percentage of the target population. So reputational services, webs of trust, biometrics, social vouching and "digital documentation" such as mobile driver licenses and other digital form factors, for those who don't or can't get traditional breeder documents, may all be part of the proofing ceremony.

RISK-BASED AUTHENTICATION ISN'T ENOUGH
Todd Thiemann, VP of Marketing, Nok Nok Labs

As the U.S. Federal Government considers moving beyond Common Access Cards and Personal Identity Verification cards to embrace biometrics and behavioral biometrics, one can expect to see a focus on standards around two-factor authentication that enable the government to leverage innovation in the private sector while maintaining adequate security. There will need to be baseline requirements for hardware devices to provide a root of trust, such as a Trusted Execution Environment (TEE) or Secure Element (SE), that secures cryptographic material as well as biometric data on the device. That means not only providing secure operating environments for sensitive authentication operations, but also the ability to prove the veracity of that operating environment to a remote system.

While behavioral biometrics may play a role in securing identities in the future, particularly by supplementing authentication and countering fraud, the U.S. government will find that it is not a substitute for good primary authentication. Explicit user consent cannot be achieved unless the user takes a specific action like entering a PIN or performing a biometric gesture. Behavioral techniques offer benefits in combination with other signals like device and network information (IP address, hardware and the software being used) that can be accumulated over time. They lack, however, the immediate unique characteristics provided by physiological biometrics, which measure physical traits. Think about the difference between a fingerprint, a physiological biometric, and keystroke dynamics, a behavioral biometric. Even if you combine a bunch of behaviors into a composite "identity," it couldn't be used immediately the way a fingerprint can. Composite identities take more time to create because they require learning the behavior.

While risk/fraud signal analysis holds promise, the government needs to consider the veracity of such signals. Much of the current focus on risk-based or contextual authentication is based on evaluating the device, the device's location and health, and the pattern of user behavior. But some of those signals are essentially untrusted and unverifiable. Is the user's device really at that location? Is the device really intact? The government has to counteract clever and well-resourced nation-state actors. While today's risk-based authentication solutions may be good enough to thwart the current generation of attacks, attackers will gradually learn to mimic the "right" behavior and feed false signals. For risk-based authentication to be successful in the long term, the signals themselves will need to be rooted in hardware.

BEHAVIORAL BIOMETRICS MAY PLAY A ROLE IN THE FUTURE, BUT THE U.S. GOVERNMENT WILL FIND IT IS NOT A SUBSTITUTE FOR GOOD PRIMARY AUTHENTICATION. EXPLICIT USER CONSENT CANNOT BE ACHIEVED UNLESS THE USER TAKES A SPECIFIC ACTION LIKE ENTERING A PIN OR BIOMETRIC.
ISC EAST 2016, NOVEMBER 16-17, 2016, JAVITS CENTER, NEW YORK
Register today for free at WWW.ISCEAST.COM/AVISIAN
The Northeast's Largest Physical Security Trade Show
• SOURCE the latest products from over 225 industry leading brands, technical reps, manufacturers, and distributors.
• LEARN the most current trends and technologies in the SIA Education@ISC courses provided for FREE right on the Exhibit Floor.
• CONNECT with your peers and colleagues through exclusive networking.
ISC East was honored by Trade Show Executive Magazine as one of the Fastest 50 Growing Shows of 2015. The exhibit hall is expected to be even larger this year.
USING ADVANCED CARD MATERIALS WITH DESKTOP PRINTERS
ADDING DURABILITY, FRAUD-RESISTANCE TO OVER-THE-COUNTER ISSUANCE

When discussing secure, durable credentials with advanced card materials, one typically imagines a large protected warehouse with card printers pumping out thousands of cards at once on massive sheets. This is the case for many countries issuing national ID cards and states churning out driver licenses in central issuance environments; however, the majority of cards are still produced on desktop card printers. Just because an issuer is using a desktop unit doesn't mean the credential can't use advanced card materials, have high security and improved durability. And, in most cases, it can all be done using existing desktop ID card printers. Let's say the manager of corporate badging wants to deploy a new employee ID card with greater security and durability but doesn't want to swap out the existing card printer. With some careful planning, it should be doable.
The process might start with a call to the company's badge supplier to explore options related to advanced card materials, such as composite cards that include polyester and Teslin. The composite materials increase the card's durability and lifespan while also opening doors for increased security and counterfeit resistance. After the manager makes a card material choice, they have to figure out how to better secure the credential. There are a number of options, different text, inks, holograms and designs, that can be embedded deep within the substrate layers of the card, making tampering or alteration more difficult. After choosing the composite materials and security objects, the badge supplier would prepare and pre-print certain elements of the cards and ship them to the company. At the point of issuance, the company would insert the card blanks into their existing desktop ID card printer for personalization, just as they had done in the past.

There could be some differences depending on the advanced card material used by the company, says Pierre Scaglia, global segment manager for Secure Credentials at PPG Industries. A plain PVC card could have certain security elements pre-printed and then be personalized with biographical and other data at the time of issuance. An overlay laminate could then be used to prevent alteration of that personalization. An issuer using advanced card materials would use a similar process but would have more options. Using Teslin or other advanced materials, an issuer could create card blanks with security features and data embedded deep in the card body, Scaglia explains. This would make it more difficult to counterfeit the card while adding durability. "You can embed valuable data to the core material prior to lamination," he explains. The card blanks would then be personalized with the biographical data and laminated so that the data can't be altered. Laminates with a hologram can also increase the security, Scaglia says. Desktop card printers can be equipped with a laminator, so an employee would insert the card blank and it would be personalized with the biographical data and then laminated, all in one step. While the security features available for a straight PVC card versus a composite card may be similar, the true advantage of the composite card in a desktop issuance environment is the lifespan of the card, says Josh Nippoldt, director of product marketing for consumables at HID Global.
ENTER POLYCARBONATE

The primary difference between PVC, composite and polycarbonate cards is lifespan. PVC has the shortest, polycarbonate the longest and composite cards sit in the middle, says Nippoldt. Polycarbonate is popular and used in many national ID programs around the world, and some states in the U.S. are starting to use it for driver licenses. The vast majority of these use cases have the polycarbonate credentials issued from a central facility because of the complexity and equipment required for laser engraving data onto the credentials. There are laser engraving desktop card printers, but they are newer, not yet widespread, and five to 10 times more expensive than typical desktop printers, explains Nippoldt. That additional cost gets the issuer a credential that is more tamper resistant than an ID produced on typical dye sublimation or retransfer printers, he says. "You can't change the data and you get tactile personalization that you can feel." The additional expense of laser engraving is a barrier to entry for some enterprises, but it also means it's more difficult for counterfeiters as well. There are other solutions that use low-powered laser engraving of holographic films that can be personalized to the cardholder, Nippoldt says.

USING TESLIN OR OTHER ADVANCED MATERIALS, SECURITY ELEMENTS CAN BE EMBEDDED DEEP IN THE CARD'S BODY. THIS CAN ADD COUNTERFEIT RESISTANCE AND DURABILITY TO DESKTOP ISSUANCE ENVIRONMENTS
CONCLUSION

While laser engraving of polycarbonate cards at the desktop is still not the norm, there are solid steps that issuers can take to create more secure and durable ID cards using their existing desktop card printers. Composite cards containing a mix of materials including polyester and Teslin can go a long way toward reducing the weaknesses, both in durability and security, associated with 100% PVC cards.
DHS TESTING MOBILE, ATTRIBUTE-BASED IDENTITY SYSTEM FOR FIRST RESPONDERS
The need to properly identify first responders at incident sites has been an ongoing challenge for more than a decade. Federal, state and local governments have been trying to figure out the best way to know who has arrived at a scene while also ensuring that they have the proper qualifications to be there. For years Homeland Security and FEMA wanted smart cards issued to first responders. Multiple programs were launched, but complications led to the majority being scrapped. The logical next step, as with most identity projects these days, seems to be leveraging first responders' mobile devices. One such project is being piloted by the Kantara Initiative and the Command, Control and Interoperability Center for Advanced Data Analysis (CCICADA). Based at Rutgers University in New Jersey, CCICADA is a Homeland Security Center of Excellence. Called Mobile Device and Attribute Validation (MDAV), the system enables a first responder's smartphone to send encrypted information about their credential to another smartphone used by the local authorities managing a response operation. In this manner, the credentials can be instantly verified and access granted to the scene.

The identity and access management system enables local management to access a certificate authority database containing current status and other information about emergency responders. Responders' smartphones hold their credentials or attributes, and once these are verified, local authorities can be assured of who is onsite and what their expertise is. Examples of expertise include hazardous material training, fire fighting or medical training. Currently, first responders present badges or other forms of ID to check in with local authorities in a disaster situation. This is a time-consuming process and doesn't truly verify the individual, the agency they represent or their expertise. "This isn't an identity problem, it's about attributes and how you get someone on the ground who is qualified and has the necessary skills," says Steve Wilson, founder of Lockstep Technologies, the company developing MDAV. What sets this system apart from others is that it provides only the necessary attributes and nothing more, Wilson says.

With the Homeland Security grant, Lockstep wants to build a proof of concept, show how it can work and then add use cases. Two particular areas of interest are age verification and mobile driver licenses, Wilson says. Typically when someone needs to have their age verified they pull out a driver license or passport, which displays date of birth plus a variety of additional data elements that are not necessary. With this system a mobile device could communicate that the individual is the appropriate age without giving up excess personal data. The same use case would be relevant for mobile driver licenses: instead of showing an address, the system could just confirm residency or age. MDAV uses X.509 digital certificates, Wilson says. "The cryptography is pretty standard, you can go into the phone and sign stuff with the certificate once you put the credential on the phone," he explains.
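The minimal-disclosure flow described here, and in the NSTIC user-centricity discussion earlier in this issue (telling a relying party only that you are over the minimum age, from attributes the user cannot alter but controls the release of), as an added Python example. It is not code from this article, from NSTIC or from Lockstep's MDAV. Each attribute is committed to with a salted hash, the issuer signs the list of commitments plus an expiry, and the holder reveals only the openings the relying party needs; an altered value, an attribute the issuer never asserted, an expired credential or a bad signature all fail verification. The issuer name dmv.example, the attribute set and the key are constructed for the demo. The issuer's signature is modelled with an HMAC under a key the verifier is assumed to share, which stands in for integrity only: MDAV signs with X.509 certificates, and any real deployment gives the verifier a public key, never the signing secret.

```python
# Added example (not from the article, NSTIC or Lockstep's MDAV): minimal-disclosure
# attribute credentials built from salted hash commitments. Issuer name, key and
# attribute values are constructed for the demo.
import hashlib
import hmac
import json
import secrets

# Stand-in for the issuer's signing key. Anyone holding a shared secret can forge
# credentials, so a real issuer signs with an asymmetric key (X.509 in MDAV) and the
# relying party verifies with the public key only.
DEMO_ISSUER_KEY = b"demo-issuer-key-not-for-production"

# Constructed attribute set. The issuer asserts the age predicate itself at issuance,
# so the holder can later prove "over 21" without revealing the birthdate.
SAMPLE_ATTRIBUTES = {
    "name": "A. Example",
    "birthdate": "1990-05-17",
    "age_over_21": True,
    "degree": "BA, State University",
}


def _commit(salt, name, value):
    """Salted hash of one attribute; the salt keeps undisclosed values unguessable."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(attributes, key, expires):
    """Issuer: commit to every attribute, then sign the commitment list and metadata.

    Returns (credential, disclosures). The holder keeps the (salt, value) openings
    privately and hands out only those a relying party needs.
    """
    disclosures, digests = {}, []
    for name, value in attributes.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(_commit(salt, name, value))
    digests.sort()  # the order reveals nothing about which attribute is which
    payload = json.dumps({"iss": "dmv.example", "exp": expires, "digests": digests},
                         sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential, disclosures, reveal):
    """Holder: forward the signed credential with openings for the chosen attributes only."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}


def verify(presentation, key, today):
    """Relying party: check the signature and expiry, then that every disclosed
    attribute opens one of the signed commitments. Returns the accepted attributes,
    or None if anything fails."""
    cred = presentation["credential"]
    expected = hmac.new(key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    payload = json.loads(cred["payload"])
    if today > payload["exp"]:  # ISO dates compare correctly as strings
        return None
    digests = set(payload["digests"])
    accepted = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _commit(salt, name, value) not in digests:
            return None  # altered value, or an attribute the issuer never signed
        accepted[name] = value
    return accepted


def demo():
    """An age check that reveals only the predicate, a tampered degree, and expiry."""
    credential, disclosures = issue(SAMPLE_ATTRIBUTES, DEMO_ISSUER_KEY, "2017-12-31")
    age_only = present(credential, disclosures, ["age_over_21"])
    forged = present(credential, disclosures, ["degree"])
    salt, _ = forged["disclosed"]["degree"]
    forged["disclosed"]["degree"] = (salt, "PhD, State University")  # holder edits value
    return {
        "age_check": verify(age_only, DEMO_ISSUER_KEY, "2016-10-01"),
        "forged_degree": verify(forged, DEMO_ISSUER_KEY, "2016-10-01"),
        "expired": verify(age_only, DEMO_ISSUER_KEY, "2018-01-01"),
    }


if __name__ == "__main__":
    print(demo())
```

Issuer-asserted predicates such as age_over_21 are the simplest way to answer "older than the minimum age" without a zero-knowledge proof: the issuer computes the predicate once at issuance and signs it as one more attribute. The per-attribute salt is not optional; without it a relying party could brute-force a hidden birthdate from its commitment, since the space of plausible dates is small.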
What is CCICADA?

Rutgers University in New Jersey is home to the Command, Control and Interoperability Center for Advanced Data Analysis (CCICADA), a group that is looking at different areas of identity and access management as well as privacy for Homeland Security, says Dennis Egan, assistant director at CCICADA. CCICADA is a Homeland Security Center of Excellence and will be searching for and funding different projects. The Kantara Initiative is helping to find worthy projects that the center might be able to help get off the ground, Egan says. The projects work in three phases. The first is a six-month project in which an organization produces a design for a system, identifies customers and partners and submits it for assessment by Homeland Security and CCICADA. Phase two is building a prototype, which has a longer time span and involves more money, while the final phase is a full-blown pilot, Egan explains. The center has been open for a little more than a year, and to date only has projects in phase one. Egan expects some to move forward shortly as others in the pipeline begin the process.
CARD PRINTER MANUFACTURER SERIES
EVOLIS GROWS RAPIDLY PRINTER MANUFACTURER GOES FROM STARTUP TO LEADER IN 15 YEARS As we explore the landscape of card printers and manufacturers, SecureIDNews editors caught up with Jean-Gabriel Martin, Marketing Communication Manager for Evolis. The French company currently ranks as a market leader in terms of units sold and boasted sales of more than 75 million euros in 2015. With more than 300 employees and distributors in 140 countries around the globe, Evolis has quickly progressed from a spinoff to a major player.
Q: Starting a printer manufacturing company from the ground up is no easy feat. Tell me how Evolis was created. Where did the founders come from and why did they see an opportunity in a new manufacturer of card printers?

JeanGab: In the 1990s, four of the five founders of Evolis occupied senior positions at Privilège Card, a small French company that specialized in the production of plastic card printers. The company's production site was located near Angers, close to the current headquarters of Evolis. The current president of Evolis, Emmanuel Picot, was head of sales and marketing at Privilège Card, Evolis vice-president Cécile Belanger was chief financial officer, the research and development department was headed by Didier Godard and Serge Olivier was software engineer. After several years of strong growth, Privilège Card merged with the American company Eltron, which at the time was the second largest manufacturer of labeling printing systems. The combined company became Eltron Card Printer. In 1998 this French-American group was bought by the American company Zebra. Throughout these transitions, the production site continued to be based in Angers, and the founders of Evolis continued to take on further responsibilities at the international level. The fifth founder of Evolis, Yves Liatard, our industrial designer, arrived at that time. In 1999, Zebra decided to close the French factory and relocate production to the U.S. Anxious to preserve the jobs of the employees in Angers and convinced they had all the skills to build a new company, the five French managers founded Evolis and were quickly joined by ten ex-employees from Zebra. Sixteen years later, Evolis has become the world leader in terms of volume for desktop printing and personalization systems.
ZENIUS AND PRIMACY MODELS FEATURE FIELD-UPGRADABLE ADVANCED ENCODING TECHNOLOGIES AND HIGH PRINT SPEEDS. TODAY, THEY ARE EVOLIS’ MOST SOLD PRODUCTS.
IN 1999, ZEBRA DECIDED TO CLOSE ITS FRENCH FACTORY AND RELOCATE PRODUCTION TO THE U.S. ANXIOUS TO PRESERVE EMPLOYEE JOBS AND CONVINCED THEY HAD ALL THE SKILLS TO BUILD A NEW COMPANY, THE FIVE FRENCH MANAGERS FOUNDED EVOLIS
Q: To my recollection, the initial Evolis product line was focused on compact, affordable printers. Over the years, however, the offerings have expanded across the range. Can you give me a bit of history of the product line?

JeanGab: Our first products Pebble and Dualys were indeed situated in the mid-range price segment and excelled through user-friendliness and compactness. Our ambition was to offer the best price/quality/performance relation. In 2003 we launched Quantum, which is still our semi-industrial solution for large-scale batch printing. The same year we also launched the Tatoo Rewrite printer with an exclusive rewritable technology. In 2007 we launched Securion, an advanced printer for highly secure cards including holograms and lamination options. It was designed for issuers of secure access control badges, government ID cards and driver licenses. We know that only ongoing innovations enable a company to remain at the top. That's why from 2010 onwards, we completely reviewed our product strategy and developed solutions that met all the needs that could exist in the market, from the entry-level product to the high-end tailor-made solution. The models Zenius and Primacy in the mid-range segment replaced our original flagship products. They feature field-upgradable advanced encoding technologies and high printing speeds. Today, they are our most sold products.
Avansia is our product for the high-end segment, which uses the retransfer technology for high-resolution card printing. In 2014 we launched the entry level product Badgy, which is sold through IT office dealer networks to small companies, schools, sport clubs and associations who need a good price/quality product for small volume printing. Evolis High Trust, a new range of consumables for all printer models featuring superior graphic quality, was also developed during this period. Today we sell much more than card printers and consumables. We have diversified our product portfolio with digital signature pads, software included in our printers developed by our new subsidiary CardPresso, accessories through a new subsidiary called Sogedex and services such as warranty extensions, customized training and integration services.
Q: The other strong recollection of my first experience with Evolis was that the printers looked great. Unlike most in the market, they had a level of style and visual appeal not yet seen in our space. Was this a strategic decision or just lucky to have an industrial designer on the team?

JeanGab: Right from the beginning of Evolis, we were looking to stand out in terms of design, user friendliness and quality. We knew the first impression that one gets of a product and its visual appearance is important. At a time when all competitors offered cubic printers with "IT equipment" colors, Evolis launched a printer with sleek and modern design that was also very easy to use. Yves Liatard, our industrial designer and fifth associate, made this possible. Our ambition to offer visually attractive products continues today with the recent makeover of our flagship range Primacy and Zenius.

AT A TIME WHEN ALL COMPETITORS OFFERED CUBIC PRINTERS WITH "IT EQUIPMENT" COLORS, EVOLIS DESIGNED AND BUILT A PRINTER WITH SLEEK MODERN DESIGN THAT WAS ALSO VERY EASY TO USE
Q: In an industry where most of the products perform at least adequately, they can all print a card, what differentiates Evolis from the competitors?

JeanGab: We are recognized worldwide as the expert for card printing systems. Our solutions stand out through an extremely high printing quality and technical reliability as well as constant innovations through our design, software suite and the expandability of our printers. Evolis was the first to offer a print head replacement system called Push & Twist that works without tools or adjustment. We were the first with an encoder that is upgradeable on-site, the first to launch a half YMCKO ribbon and the first to offer a three-year warranty for most of our models. This spring we launched the first color touch screen for dye sublimation card printers that enables the user to manage the printer without being in front of the computer. The stability of our sales strategy is also a differentiating element. Our distribution network has been built up over the last 15 years as a 100% indirect business. For this reason, we put a lot of effort into channel support, through the production of marketing tools and the implementation of marketing actions with our partners. Last but not least, the expertise of Evolis in specific project management is widely recognized by system integrators, resellers and end users involved in large scale projects including identification, security, transportation, government, banking and retail. Our dedicated project team and our production site are able to deliver tailor-made printing systems for large scale projects in record time, such as the 8,400 units deployed for Tanzania's 2015 presidential elections.
Q: What does the future hold?

JeanGab: We have in our DNA the ability to adapt ourselves to different markets and contexts. We have done it many times, and the products that we are currently developing will address new needs. We take risks, and we continue to invest. The next years will be marked by product launches, new banking and government projects, deployment of our diversification strategy, notably with the release of the price tag solution for the retail sector, and investment in our entry level product Badgy distributed through the IT office channel. It is all about giving ourselves the means to expand upon new opportunities.
WOMEN IN BIOMETRICS 2016 AWARDS
Nominations close Oct. 15. WomenInBiometrics.com

Biometric technologies are fundamental to securing physical and digital identities in a modern society. The incredible advancements made by the dedicated people leading this field are helping keep our cities and citizens, our companies and employees and our schools and children safe. In 2015 the inaugural Women in Biometrics Awards were launched to recognize innovative women dedicated to creating a more secure world by guiding this crucial technology market. The 2015 winners included leaders from both government and industry.

In recognition of the importance of biometrics to the future of physical access control, the Security Industry Association is joining SecureIDNews as a co-presenter for 2016.

NOMINATIONS
Nominations will be accepted through October 15, 2016, and may include those working for biometric companies, peripheral suppliers, system integrators, academia and end user organizations. Awards will be presented in NYC on Nov. 16 during SIA's prestigious "Honors Night".

To learn more or submit nominations, visit: WomenInBiometrics.com
FEDERATED IDENTITY: BUILDING TRUST IN AN UNTRUSTWORTHY WORLD ANDRE BOYSEN, CHIEF IDENTITY OFFICER, SECUREKEY
In today's world, where data breaches and identity theft flood the headlines, consumers remain hesitant to share their personal information with online services, and ultimately to trust those services with it. Further complicating matters is the need to remember multiple usernames and passwords to access and conduct business with these services. The concept of federated identity is often thrown around as a solution, but many people still don't understand what it is and how it secures online transactions. Federated identity enables people to conduct transactions at will and, when done correctly, can be effortless for the end user while improving visibility and control over what is shared. It also ensures destination services don't receive information that users have not consented to share.
SECURING TRANSACTIONS
FEDERATED IDENTITY ENABLES PEOPLE TO CONDUCT TRANSACTIONS AT WILL, AND IT ALSO ENSURES DESTINATION SERVICES DON’T RECEIVE INFORMATION THAT USERS HAVE NOT CONSENTED TO SHARE
Before credit cards and debit cards were introduced, merchants were hesitant to accept paper checks unless they had a personal relationship with a customer, for fear the check would bounce. This reticence was the result of a lack of trust and too much risk. However, once banks developed credit cards, merchants didn't have to trust the customer per se, because the bank was standing behind the consumer to vouch for the transaction. For example, when a consumer uses their Bank of America debit card, or any bankcard, to extract money from an ATM in London, they're able to do so with zero friction because there is established trust between the consumer's bank and the bank operating the ATM in London. This is federated identity at its finest, enabling the user to easily access a service of their choosing in such a way that the service provider can trust they will get paid, and the user can trust they will not be overcharged. The same authentication concept can be applied to other services. If someone is using banking credentials to access an online service, the online service can trust that the authorized individual is the one using the credential, without any identity information being implied or passed along. In turn, the consumer can trust that the information shared will be securely processed without oversharing personal information.

Government agencies are applying this federated authentication model to their environments as well. SecureKey's Concierge service, for example, is enabling Canadian citizens secure access to more than 80 online government services by using their banking credentials to authenticate access. Partnering with the largest financial institutions in Canada, including BMO Financial Group, Choice Rewards MasterCard, Scotiabank, Tangerine, TD Canada Trust, Desjardins, Royal Bank of Canada and more, consumers can use their login credentials to access many of the online services offered by the government, including those from Service Canada and the Canada Revenue Agency. Today, more than 4 million Canadian citizens are using this convenient, secure model and are free from having to remember yet another set of credentials. Canada's successful federated network serves as a shining example that should inspire others to adopt the same model, which can work at Internet scale. Done correctly, it can alleviate both the consumers' headaches and the online services' risk as well.
EXECUTIVE STRATEGIES FOR SECURITY SUPPLIERS AND PRACTITIONERS, OCTOBER 19-20, 2016, THE GRAND HYATT, NYC
Make your identity known at the security industry's top executive conference. "At SNG, I gain vital market intelligence that helps me craft business strategies." Ken Mills, Global Marketing and CTO, Surveillance and Security, EMC Corp.
SECURINGNEWGROUND.COM
E-GATES EASE AND SECURE INTERNATIONAL TRAVEL KIOSKS READ PASSPORT, USE BIOMETRICS TO VERIFY IDENTITY AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Air travel is on the rise, and airports around the world are looking for ways to streamline operations. The challenge is to meet this increase in traveler volume at a time when they're also addressing heightened security concerns. Automated e-gates and other technologies are proving key to this effort, enabling airports to move travelers through immigration checkpoints faster and with less manpower while maintaining a high level of security.

E-gates are a form of automated border control. Essentially, they are self-service barriers where passengers scan their chip-enabled e-passports and other travel documents. Travelers then undergo biometric verification using face, fingerprint, iris recognition or a combination of modalities. After the identification process is complete, a physical barrier such as a gate or turnstile opens to permit passage. The idea is to automate cross-border movement of individuals who are of low security concern and focus manpower resources at the border on people who are higher risk. The number of e-gate units deployed globally is expected to triple from 1,100 in 2013 to more than 3,200 in 2018, according to a 2014 report by Acuity Market Intelligence. Most e-gates have been deployed in airports in Europe, Australia and Asia. They are especially prevalent in the United Kingdom, where most major airports have them. They have yet to gain a presence in U.S. airports.
TRAVEL VOLUME, SECURITY CONCERNS E-gates came about in the mid-2000s as an automated method of reading the newly mandated e-passports. Border control had become more heavily scrutinized following 9/11, and as a result the entire process slowed down as checkpoints became congested. The combination of rising security demands and a need to move people through airport checkpoints much more rapidly created an opportunity for new technology solutions. Biometric travel facilitator Vision-Box recognized the opportunity to automate the border-crossing process using emerging facial recognition technology. Vision-Box deployed its first e-gate in 2007 for the border agencies of Portugal. The United Kingdom was the next country to deploy Vision-Box e-gates, starting with Manchester Airport. All of those systems are still operational but have undergone several upgrades as technology matured. To date, Vision-Box has installed 800 e-gates at more than 60 airports and some land border crossings. The company is responsible for more than 90% of the e-gates in operation in the EU and nearly 11% of global airport e-gates, according to Acuity. “From the traveler perspective, e-gates streamline the airport experience, reduce lines and create a seamless experience where the passenger feels in control of the whole operation,” says Michael Petrov, Vision-Box managing director for North America.
Fall 2016
39
New spec adds digital visas, stamps to ePassports Electronic passports have been issued for more than a decade in industrialized nations. The passport book with its embedded contactless smart card chip is a standard part of international travel these days. While the specification for ePassports has been thoroughly tested, the International Civil Aviation Organization (ICAO) is looking at next steps for travel documents and other possible uses for the chip embedded in the books. ICAO, the United Nations agency that oversees travel document standardization, and its New Technology Working Group have created Logical Data Structure (LDS) 2.0 to increase the functionality of the ePassport smart card chip, says Justin Ikura, co-chair of the ICAO NTWG Logical Data Structure 2. The LDS is the format used to store the data on the contactless chip. This has to be standardized so that the chips can be read on many different readers in many different countries. “It spells out how to store the biographical and biometric data so that everyone is doing it the same way,” says Ikura, who is also deputy director for the Passport Program Policy at Immigration, Refugees and Citizenship Canada. LDS2 would add applications to the ePassport by digitizing the remainder of the book and enabling other countries to digitally record travel stamps, visas and additional biometrics, Ikura explains. With the current LDS the chip is locked after issuance and additional information cannot be added. Visa and travel stamps are difficult to tamper with or counterfeit, but LDS2 would strengthen the security by requiring them to be digitally signed by the issuing country, Ikura says. ICAO is still working to figure out what memory sizes the chips would require to properly support LDS2.
“The standard and electronic formatting of LDS2 data not only provides protection against tampering, but also ensures that border control officers can easily decipher and analyze travel patterns and visa information,” Ikura adds. Countries may also be able to restructure border control stations with LDS2, by enabling greater use of Automated Border Clearance kiosks to process more travelers. “The ‘electronification’ of the remaining document data would enable border control to further streamline passenger processing as holders of these documents could securely pass through border control with little to no human interaction,” he says. That said, adoption of LDS2 is a long way off as some smaller countries are still working to meet the 2015 deadline to place a machine-readable zone on passports. Jumping to LDS2 will take some time, though ICAO is hoping to work with countries to test the technology. Still, it could be five to 10 years before there is broad adoption, says Ikura. With that timeline in mind, is it possible citizens might see a purely mobile passport in the future? Ikura is doubtful. The ICAO NTWG is exploring the possibility of the mobile device as the passport, but there are many obstacles. “The biggest challenge that I expect relates to marrying travel documents and mobile phone specifications,” he says. “And ensuring that passport credentials stored on a mobile phone are secure.”
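The LDS2 sidebar above describes stamps and visas that other countries append to the chip after issuance and that must be digitally signed by the country that wrote them. The Go program below is an added example, not ICAO's specification or any vendor's code: it models such entries as a constructed record signed with Ed25519 and shows how a border reader would verify each one against a trust list of issuing countries, rejecting forged, altered or copied entries. The record layout, field names, country codes and keys are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Stamp is a constructed stand-in for one LDS2-style entry written to a
// passport chip after issuance (an entry/exit stamp or a visa). It is a
// hypothetical structure for illustration, not the ICAO LDS2 encoding.
type Stamp struct {
	Issuer   string `json:"issuer"`   // country that wrote the entry (assumed alpha-3 code)
	Kind     string `json:"kind"`     // "entry", "exit" or "visa"
	Date     string `json:"date"`     // YYYY-MM-DD
	Passport string `json:"passport"` // document number the entry is bound to
}

// SignedStamp carries the entry and the issuing country's Ed25519 signature
// over its canonical encoding.
type SignedStamp struct {
	Stamp     Stamp
	Signature []byte
}

// canonical is the byte string that gets signed: the struct's JSON encoding,
// whose field order is fixed by the struct definition.
func canonical(s Stamp) []byte {
	b, err := json.Marshal(s)
	if err != nil {
		panic(err) // cannot happen for this plain struct
	}
	return b
}

// Sign lets a border authority append an entry under its own signing key.
func Sign(priv ed25519.PrivateKey, s Stamp) SignedStamp {
	return SignedStamp{Stamp: s, Signature: ed25519.Sign(priv, canonical(s))}
}

// TrustList maps issuer country code to that country's stamp-signing public
// key. In practice it would come from an exchanged trust list; here it is
// constructed locally.
type TrustList map[string]ed25519.PublicKey

var (
	ErrUnknownIssuer = errors.New("issuer not in trust list")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrWrongDocument = errors.New("entry is bound to a different passport")
)

// Verify checks one entry read from the chip of passport passportNo. An
// unknown issuer is reported before any signature check, and a valid
// signature does not help if the entry was lifted from another document.
func Verify(tl TrustList, passportNo string, ss SignedStamp) error {
	pub, ok := tl[ss.Stamp.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, canonical(ss.Stamp), ss.Signature) {
		return ErrBadSignature
	}
	if ss.Stamp.Passport != passportNo {
		return ErrWrongDocument
	}
	return nil
}

// VerifyAll checks every entry on the chip and returns how many were accepted
// plus a per-entry result (nil for an accepted entry).
func VerifyAll(tl TrustList, passportNo string, entries []SignedStamp) (int, []error) {
	accepted := 0
	results := make([]error, len(entries))
	for i, e := range entries {
		results[i] = Verify(tl, passportNo, e)
		if results[i] == nil {
			accepted++
		}
	}
	return accepted, results
}

func main() {
	// Constructed demo keys: a trusted border authority ("PRT") and a rogue key.
	pubPRT, privPRT, _ := ed25519.GenerateKey(rand.Reader)
	_, privRogue, _ := ed25519.GenerateKey(rand.Reader)
	tl := TrustList{"PRT": pubPRT}
	const doc = "X1234567" // constructed passport number
	genuine := Sign(privPRT, Stamp{Issuer: "PRT", Kind: "entry", Date: "2016-09-01", Passport: doc})
	forged := Sign(privRogue, Stamp{Issuer: "PRT", Kind: "entry", Date: "2016-09-01", Passport: doc})
	altered := genuine
	altered.Stamp.Date = "2016-09-30" // payload edited after signing
	n, results := VerifyAll(tl, doc, []SignedStamp{genuine, forged, altered})
	fmt.Printf("accepted %d of %d entries\n", n, len(results))
	for i, err := range results {
		fmt.Printf("entry %d: %v\n", i, err)
	}
}
```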
ADVANTAGES OF AUTOMATION Improved speed through automation and increased security through biometrics are the two primary advantages of e-gates. Passenger throughput is crucial because most airports have a fixed amount of space available for border control officers, says Terry Hartmann, vice president of transportation for the U.S. and Canada for global IT firm Unisys. “If you can automate the process, then that’s faster than standing in a queue and being interviewed by an officer,” he says. E-gates can relieve border control officers of simple administrative duties, such as stamping passports, and enable them to shift their attention to higher-risk travelers. While it may appear that e-gates operate unattended, Petrov explains that there is always a border control officer involved. Typically one officer oversees six gates, and intervenes if issues or concerns arise. Automated e-gates also help reduce errors from manual data entry. “The accuracy of face biometric matching at the e-gates exceeds that of a human operator, thus preventing document swapping between travelers,” Petrov says. The automation of border crossings allows border control officials to know the whereabouts of travelers inside the airport. For example, this information could help airlines to hold off closing a flight knowing that a no-show passenger has already crossed immigration and will be at the boarding gate within minutes, Petrov explains. For European airports, there’s also a revenue benefit to e-gates. Unlike U.S. airports, which are run by state and local governments, most airports in Europe are commercial ventures, meaning they compete to get travelers. Petrov says these airports quickly realized that deploying e-gates would translate to more business. “The airports aim to make the travel experience more pleasant, cut lines, reduce the real estate occupied by waiting areas and increase the time people spend in airport shops and restaurants. E-gates address all those goals,” he says. Australia has been adding more e-gates due to the program’s success. Vision-Box is deploying more than 100 e-gates at eight major airports throughout Australia. Since
going live in December, Sydney now processes more than 90% of travelers via e-gates, Petrov says.
THE IDEA IS TO AUTOMATE CROSS-BORDER MOVEMENT OF LOW RISK INDIVIDUALS AND FOCUS MANPOWER AT THE BORDER TO MANAGE PEOPLE WHO ARE HIGHER RISK
U.S. OPTS FOR KIOSKS Despite post-9/11 security concerns, the U.S. has not gone the e-gate route. One reason is that the vast majority of U.S. travelers fly domestically. In Europe, there are many more borders to cross. “Every airport in Europe is essentially an international airport designed with border control in mind,” says Acuity’s founder Maxine Most. “The vast majority of U.S. airports weren’t designed this way.” However, changes appear to be in the works for border control in the U.S. A few years ago the U.S. introduced its Global Entry initiative that relies on kiosks as a form of automated border control. The kiosks enable expedited clearance for preapproved, low-risk travelers upon their arrival in the United States. The kiosks differ from e-gates in that e-gates are globally interoperable, whereas only registered Global Entry travelers can use the kiosks at select airports. For U.S. citizens using the kiosks, the traveler places a passport or green card on the kiosk reader, which also collects fingerprints and compares that information to the information collected when the person enrolled in the Global Entry program. If there’s a match, the person receives a slip of paper, can then bypass the customs and border control officers, and go straight to the baggage claim. In addition to the Global Entry kiosks, some airports are introducing kiosks that can read e-passports held by people from other countries. For example, Unisys this year has been deploying a facial recognition system that can accept biometric information from e-passports at John F. Kennedy International Airport in New York and Dulles International Airport in Washington, D.C. Though the company has no e-gate installations in the U.S., Vision-Box has deployed more than 400 automated passport control kiosks to simplify the inbound immigration process at about a dozen large airports. Travelers scan their passports, fill out an immigration questionnaire and have their pictures taken and biometrically verified against the photos stored in the passports. Some of these travelers also have their fingerprints taken and verified.
Certified Smart Card Industry Professional
The industry’s only standardized certification program recognizing professionals with advanced smart card industry knowledge and experience
With the CSCIP credential, you are immediately recognized as having the most up-to-date knowledge of smart card technology. The designation distinguishes you as a certified professional with knowledge of both current smart card technology and applications and emerging trends.
GET CERTIFIED. BUILD YOUR CAREER.
The Smart Card Alliance offers three separate CSCIP credentials:
CSCIP: The general CSCIP certification is for professionals who support all applications using smart card technology.
CSCIP/Government: The CSCIP/G certification focuses on identity and security applications and government-specific smart card initiatives.
CSCIP/Payments: The CSCIP/P certification focuses on payment applications including EMV chip, mobile, contactless and transportation.
All CSCIP certifications demonstrate proficiency in the following principles:
• Smart card technology fundamentals
• Security
• Application/data management
• Mobile and NFC usage models
• Identity and access control usage models (CSCIP and CSCIP/G only)
• Payments usage models (CSCIP and CSCIP/P only)
To learn more about CSCIP certification, training dates, and fees, visit: www.smartcardalliance.org/cscip 1-800-556-6828
BECAUSE THE U.S. REQUIRES FACE-TO-FACE INTERACTION OF TRAVELERS WITH IMMIGRATION OFFICERS, THE USE OF E-GATES IS NOT YET COMMON These kiosks share many of the same hardware and software components as e-gates, but are packaged in a different form factor, Petrov explains. He says that e-gates are not used in this instance because the U.S. requires face-to-face interaction of travelers with immigration officers, forcing Vision-Box to adapt the configuration of its system.
E-GATE EVOLUTION The e-gate market continues to grow, although it hasn’t expanded as quickly as initially projected, Most says. “There hasn’t been significant growth in the past couple of years beyond the fact that the EU and Germany committed to putting in large numbers of e-gates,” she says. Europe is in the middle of a testing phase, however, and she suspects that once complete, airports are likely to add more gates. The Acuity report states that following a spike in demand for e-gates in 2014, deployment should level off to a sustainable level by 2018 as other forms of automated border control, such as kiosks, take up more market share. Early adopter Australia is on its third generation of e-gates, and every five years the country plans to enhance or modernize what it’s doing as faster readers and new methods come into place. Hartmann says more countries are moving to a kiosk approach because passengers are becoming more familiar with kiosks through the check-in process. It’s also a much less expensive option than an e-gate. “So you have a higher level of security, but you don’t have the inconvenience of barriers and additional steps in the process that people have to go through,” Hartmann says. “As we continue to move forward, things are becoming much less inconvenient for people.” Petrov believes that five years from now, the trend will shift toward the integration of automatic and manual immigration checks. Initial traveler data could come from smartphone apps, registered traveler programs or previous trips, and that information would be verified at various stages of the trip. When travelers are securely known throughout their entire journey, the border control mission will be fully realized.
Polycarbonate Synthesis
THE ‘411’ ON POLYCARBONATE HEAVY-DUTY DOCUMENT MATERIAL UPS SECURITY OF ID DOCUMENTS NEVILLE PATTINSON, SENIOR VICE PRESIDENT OF GOVERNMENT SALES, GEMALTO NORTH AMERICA
Frank Abagnale successfully stole numerous identities and subsequently millions of dollars with a doctored license and a series of fake checks. He was so successful that it merited a feature-length Hollywood movie. Today, hackers are building ever more sophisticated tools for cyber fraud, often combining the use of a weak physical document with information accessed online. For centuries, paper was the material of choice when it came to producing identity documents. From the 1970s onwards, plastic has gradually taken the place of paper for documentation purposes. But even as we tackle cyber fraud, people’s physical ID documents remain the primary form of identification and one of the weakest links in the identity chain. Polycarbonate, a new, stronger material, is gradually gaining traction and could represent the next generation in secure ID documents. But is physical ID document security taking a backseat to cybersecurity? According to the CyberSecurity Market Report published by Cybersecurity Ventures, worldwide spending on software security to combat identity theft and cybercrimes will exceed $1 trillion over the next five years. Despite this investment, both government agencies and private-sector companies will remain vulnerable to fraud if the physical ID documents are not addressed. More than 15 million people in the United States fall victim to identity fraud each year in some capacity. Much of this fraud is not online, but rather the result of fake identity cards created using tools in someone’s garage or basement. Identity protection in today’s world cannot be accomplished with software alone. It requires a holistic approach that adopts both digital and analog solutions for the physical world. Technological advances, like polycarbonate for physical identification cards, are helping prevent identity attacks and are better preparing law enforcement to catch fraudsters. Polycarbonate card bodies for driver licenses, ID documents and even passports are providing a layered security approach to physical documents, making them more complex to counterfeit. So what exactly is polycarbonate? A few distinct features of this material make it uniquely beneficial for physical identification cards. These include:
• Advanced, tamper-proof security features
• Colored photos and high-quality personalization details
• Stronger card material
• Longer document life
ADVANCED TAMPER PROOFING Arguably, the most important advantage of polycarbonate is the security benefits that the material provides. Because polycarbonate cards are made up of multiple layers of plastic, it is nearly impossible for fraudsters to change the materials or security features without destroying the card completely. This makes the card body much more secure than other available materials. Another aspect of polycarbonate is the laser engraving techniques used to embed an individual’s personal information into the card body itself. The laser engraving process adds markings deep in the document, adding another aspect that is extremely difficult to forge. Beyond laser engraving, polycarbonate cards include other tamper-proof components that can be tactile, seen with the naked eye, or only visible with additional equipment. The level of security features varies but can be easily distinguished by law enforcement or other ID authorities. Once police officers or others are familiar with identifying the security features, verifying the authenticity of an identity document is much easier.
IN ADDITION TO LASER ENGRAVING, POLYCARBONATE CARDS INCLUDE OTHER TAMPER-PROOF COMPONENTS THAT CAN BE TACTILE, SEEN WITH THE NAKED EYE, OR ONLY VISIBLE WITH ADDITIONAL EQUIPMENT
HIGH-QUALITY PERSONALIZATION Recent improvements have resulted in a polycarbonate material that can support high-quality color photos. This advancement enables the combination of detailed colored photos with the highest security technology available for physical identification. For example, deep-set embedding of micro-text in the images on polycarbonate documents makes alteration of ID cards nearly impossible.
ROBUST MATERIALS The actual material itself is another feature that sets polycarbonate apart from other ID materials. A type of thermoplastic technology – the same material used to make bulletproof glass – polycarbonate boasts excellent molding and thermoforming properties. Polycarbonate cards are made up of layers of plastic that overlap and intertwine. It is impossible to separate the layers of polycarbonate, which are fused together using temperature and pressure. This layering process is one of the reasons that polycarbonate is so secure, as the intertwined layers of plastic make it nearly impossible to swap out document information or photos without completely destroying the document and rendering it useless.
LONGER LIFESPAN Polycarbonate lasts longer than other physical ID materials. Typically, IDs and driver licenses last for about eight years. But testing has shown that polycarbonate cards can last beyond the ten-year mark, giving them a longer life than other materials. In the U.S., there are more than 211 million driver licenses in circulation. Local government and law enforcement are currently facing the challenge of strengthening the security and integrity of these cards, while also having to issue more cards as the driving population continues to grow. The card body technology gives governments, states and organizations a scalable canvas for further security enhancements. The surface of the identity document makes it ideal for various distinctive, easily recognizable textures, such as guilloches, designs, micro-text and latent surface images, created by positive or negative embossing. Other new security features include microscale 3D imagery, braille, optically variable surfaces with light reflecting elements, and animation effects such as ghost images. All of these evolving security techniques make it difficult for fraudsters to keep up. In the U.S., both the federal and state governments are looking to polycarbonate. New York, Maryland and Colorado have already adopted polycarbonate technology for their personal identification cards and driver licenses, with the federal government moving to include a polycarbonate component in the U.S. passport.
Bringing Security, Privacy and Authentication to the Forefront of the Internet of Things Security and privacy are top priorities as the Internet of Things (IoT) creates an increasingly connected world—connected devices are expected to reach 21 billion by the year 2020. The Security of Things, the Smart Card Alliance’s newest event, takes a deep dive into the advantages and challenges IoT presents across every market, including payments, transportation, industrial, consumer and healthcare, and highlights the need for secure IoT architectures using embedded security and privacy technology. Don’t miss this event, the best venue to learn, communicate and network with fellow IoT security industry colleagues!
October 18-19 Chicago, IL www.sca-securityofthings.com
ADDING EVEN MORE VALUE TO VIDEO SURVEILLANCE IDENTITY AND NON-TRADITIONAL USE CASES HELP ORGS FIND FUNDING ADRIAN TURNER, SIA CONTRIBUTING WRITER
On a train platform in Washington, D.C., a lone wanderer threw himself onto the train tracks operated by the Washington Metropolitan Area Transit Authority (WMATA). A train immediately pulled into the rail station, passing over the supposed suicide jumper. A long minute passed, and then remarkably the individual emerged unscathed from under the train. The man had survived his suicide attempt, but instead of being grateful, he made an obscene gesture at the driver. That was the scene depicted on a video screened by WMATA Deputy Chief Engineer Marshall Epler at the 2016 SIA Government Summit in Washington. Epler showed the video to private and public sector security personnel, drawn from the security industry and government agencies, to demonstrate the dual uses of video surveillance technology. Although WMATA depends on video surveillance for security, the agency also uses the tool for safety and other purposes as well, extending its utility across its operations. Using a physical security information management (PSIM) system, WMATA integrates cameras across its transportation system via software. When an incident occurs – like a suicide attempt – they can see what is transpiring in real time from a command center as the PSIM activates the camera closest to the event. The cameras can also work in tandem with the WMATA smart card, known as “SmarTrip,” which passengers use to enter transit stations and ride trains and buses. Each SmarTrip card has a unique identifier, Epler says. As such, the movements of an individual card can be tracked throughout the Metro system. And if purchased or reloaded with a credit card, WMATA can link the SmarTrip card to a residential address even if it’s not registered through the identification code. WMATA video cameras generally provide 60 pixels of resolution per foot, good enough to identify the faces of people traveling through the system.
The video, coupled with the smart card information, is often enough to confirm the identity of bad actors, Epler says. Anthony Incorvati of Axis Communications chairs SIA’s Transportation Policy Working Group and moderated the panel on which Epler was speaking. He emphasized that the benefits of security technology have moved beyond traditional security applications. IP cameras are really a computer with a lens, and the processing power continues to increase much like that of a smart phone, Incorvati says. “A computer with a lens provides an open platform for more intelligence to be pushed to the edge. IP cameras have opened up to allow third-party developers to create applications that reside on the camera.” For example, an airport in Texas placed cameras at the entrances to its restrooms – not to peer inside but to keep watch on the entranceway. The cameras provide a security benefit, but they also have other uses such as counting the number of individuals who enter each restroom. When that count hits a certain number, the camera automatically notifies a cleaning crew. SIA works closely with the American Public Transportation Association (APTA) on security issues confronting public transit owners and operators. APTA is a big tent with lots of members of varying size and interests, but the association tries to help all of its members with technical services support, explains Randy Clarke, acting vice president for Member Services at APTA. Public transit supports 11 billion trips annually, 16 times more than airlines, Clarke says. Almost all people riding public transit go through little to no security checks. “It is all open architecture, all designed to move people. Our business in transit is speed and efficiency of moving people,” Clarke explains. “It’s very hard to get the counterbalance of security while fulfilling our mission of moving people.” “It’s an unbelievably porous environment with a lot of people and [therefore] a difficult place to maintain security,” he adds. Because public transit agencies do not always deploy access control mechanisms, many of them depend upon video surveillance for identifying problems. To compound the challenge, public transit hubs are often large buildings that serve as congregation points for crowds while also linking critical infrastructure, making them attractive targets for criminals and terrorists. Protecting public transit hubs requires cooperation between many regional and local security partners, Clarke says.
Attacks on public transit systems in Madrid and London, as well as Israel in recent years, have compelled agencies to strengthen their partnerships globally. Since 9/11, the U.S. transit industry has spent about $2 billion on security and hardening measures, but transportation agencies have still identified a $6 billion gap in funding required to address all outstanding security concerns. Many public transit agencies start new security initiatives with money from a one-time grant, often awarded by the federal government. They rarely have the opportunity to refresh these grant funds, so they must make carefully considered strategic
INSIGHTS Cutting-edge viewpoints on the use of security technology from the industry’s leading electronic physical security association. Learn more at securityindustry.org.
decisions as they can only implement limited security measures with the money, Clarke says. Sometimes, however, transit agencies may choose not to implement a particular security measure for reasons other than funding. For example, public transit agencies generally do not incorporate automatic facial recognition technology into their video surveillance systems, out of caution about intruding on their passengers’ privacy. In another video screened at the Summit, a golf cart drives by, dragging a trash bin in its wake. The trash bin drifts away from its perch against a pillar and begins to roll across the platform towards the tracks. An Amtrak train then whisks into the station, and the trash bin flies into the train as it comes to a stop. Moments later, a worker scrambles out to collect the bin and investigate any potential damage. Edouard Sonnenschein, manager for surveillance and video systems for the National Railroad Passenger Corp. (or Amtrak), agrees that video footage like that of the trash bin helps solicit internal support for surveillance systems across his organization. By deploying such tactics, the security staff at Amtrak is able to share the cost of maintaining video surveillance, demonstrating its utility throughout the system for uses other than security. Doing so has yielded strong results for Amtrak, where managers can figure out how to resolve issues by working together and without placing blame on specific individuals. “We have used video like this to go to operations and say, ‘look you have a situation,’” Sonnenschein told the Summit. “They can use the video to improve upon the environment.” Video then proves its worth to other departments, who are watching their environments but can also watch the people who enter those environments. All employees have protocols they can easily follow if they see something bad or unusual.
By watching people as they move, transit employees can also manage the flow of passengers along the transit system. They can identify that people are where they are supposed to be and judge capacities to adjust operations accordingly. WMATA’s Epler supports dual-use arguments for surveillance cameras, emphasizing that funding for video surveillance is often limited. But making the case for video as a dual-use technology, beyond security, helps to attract more funding.
PUBLIC TRANSIT SUPPORTS 11 BILLION TRIPS ANNUALLY, 16X MORE THAN AIRLINES, AND ALMOST ALL PEOPLE RIDING PUBLIC TRANSIT GO THROUGH LITTLE TO NO SECURITY CHECKS
So WMATA can watch its platforms with cameras at its stations, where the agency usually runs about 30-50 cameras. If platforms become too crowded, it can send its police force in to conduct safety checks and direct passengers to alternate routes, Epler says. In the long run, cameras pay for themselves, Epler says. Cameras on Metro buses serve as a means to deter assaults on buses, whether against WMATA employees or passengers, thus saving potential medical and maintenance costs. WMATA also replaced parking lot attendants with cameras as it implemented SmarTrip for parking payment in the past decade. “About 10 years ago, the best paid employees at WMATA were the parking attendants,” Epler notes. Some parking attendants would run a scam and collect extra money. “One dollar for WMATA, and one dollar for the attendant!” Epler quips. WMATA phased out parking attendants and now travelers pay with a SmarTrip or credit card. Video cameras provide a means of two-way communication with a WMATA employee if a traveler has a problem at the exit gate. “The cameras pay for themselves,” Epler says.
IDENTITY VETTING WITH THE MOBILE STARTUP VERIFIES DRIVER LICENSE FORENSIC FEATURES PRIOR TO DIGITAL CREDENTIAL ISSUANCE Online identity vetting is a tough nut to crack. Knowledge-based authentication is what most companies fall back to, but the preponderance of breaches and some people’s lack of credit history make it far from perfect. To offer a more secure alternative, companies are working to enable verification and authentication of government-issued IDs for use online. Confirm.io is trying to solve this problem using smartphones and government-issued documents that people are already carrying, says Bob Geiman, co-founder of the company. But how Confirm.io came to be was not exactly a straightforward path. Geiman is also a managing partner at Cava Capital, a venture capital firm, which was working with Drizly, basically Uber for alcohol delivery. In order to get licensing in different markets Drizly had to have a way to authenticate customer age before delivery. Advanced ID Detection, a company that had a desktop solution that scanned driver licenses and examined the forensic features, stepped in to fill this requirement. Drizly and Advanced ID worked together to build a mobile app that could use smartphones to authenticate more than 70 forensic features on a driver license. That’s when the idea hit Geiman. “A lot of companies, Internet based and traditional businesses, require consumers to authenticate identity and would like to start enrolling people digitally,” he explains. “How do you enroll physical documents into a digital enrollment process?” Confirm.io came from this idea and led Geiman and his partners to buy Advanced ID Detection. They then built an SDK and API that would take the mobile authentication capability and put it in the cloud so that other companies could build the functionality into their apps. Now a company can build the mobile driver license certification system into their own mobile apps. For example, before using the mobile alcohol delivery service an individual will scan their driver license, have it validated and possibly even use facial recognition to link the license holder to the scanned document. The facial recognition addition is due to a partnership with MorphoTrust, Geiman
FOR EXAMPLE, BEFORE USING AN ALCOHOL DELIVERY SERVICE AN INDIVIDUAL WILL SCAN THEIR DRIVER LICENSE, HAVE IT VALIDATED AND USE FACIAL RECOGNITION TO LINK THE LICENSE HOLDER TO THE SCANNED DOCUMENT
says. The companies have combined efforts to release mobile SDKs and APIs for developers requiring advanced user verification and mobile facial recognition. Use cases include the verification of identity documents in mobile customer experiences and the use of biometrics for user authentication in high-trust transactions. With data breaches on the rise, Geiman sees more opportunities for using documents people already have to authenticate their identity. “By incorporating document authentication of government-issued IDs, you make it harder for people to execute fraud at scale,” he explains. Confirm.io is having discussions to provide identity authentication to certificate issuers as part of a tokenized identity scheme, Geiman says. “This could be part of a broader strategy to tokenize physical IDs to use in the digital world.”