Regarding ID Winter 13

36 A SURVEY OF ID TECHNOLOGY - WINTER 2013 - ISSUE 36

Remote proofing for secure identity

To reach Internet scale, face-to-face vetting must be moved online


With our know-how, you know who.

Proven secure identity systems. Rapidly evolving technologies. HID brings them all together. HID technology provides access validation and transaction authentication at millions of points worldwide – one individual at a time. To manage single-building access, a multi-national corporate network, or a comprehensive government ID program – our partners and customers recognize that flexible solutions from HID translate into more secure, effective and efficient identity systems for organizations of every size and type, worldwide. Get to know us better. Visit hidglobal.com/know-how-reid © 2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, and the Chain Design are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.


WHAT SECURITY DEMANDS, DATACARD® ID SYSTEMS DELIVER.

Whatever you need for a secure ID card program, you can get it from a Datacard® system. Datacard Group offers ID card printers, software and supplies — plus 40 years of experience and the support of authorized Datacard providers worldwide. To contact a provider near you, call +1.800.621.6972 or visit datacard.com/id. Datacard is a registered trademark and/or service mark of DataCard Corporation in the United States and/or other countries. ©2012 DataCard Corporation. All rights reserved.


AUTHENTICATE PHYSICAL IDENTITIES, AUTOMATE PHYSICAL ACCESS, ACHIEVE AUDIT & COMPLIANCE 24/7

The SAFE software suite centralizes your disparate physical access platforms into a policy-based system that automates physical identity and access management. SAFE ensures that the right physical identity has the right access – for the right reasons – at the right time, with instant verification of who is where, why they are in that location, and who authorized their physical access, all managed automatically to achieve full auditability and compliance with various regulations. SAFE's ability to automate these processes drives down operational costs. It's the most efficient way to manage employees, contractors, visitors and their access lifecycle in your organization. Make your world SAFE with Quantum Secure. quantumsecure.com • info@quantumsecure.com • 1.408.687.4587


SAFEGUARDING TODAY’S COMMERCE

DISCOVER THE NEW SCIENCE OF TRANSACTION SECURITY Innovations in transactions have created new challenges related to interoperability, reliability, fraud, malware and theft. With New Science, UL is working to mitigate emerging transaction security risks and safeguard innovation.

TRENDS. JOURNALS. VIDEOS. INFOGRAPHICS. UL.COM/NEWSCIENCE UL and the UL logo are trademarks of UL LLC © 2013


CONTENTS

COVER STORY: 21 Moving identity proofing online
Financial institutions have dabbled with proofing identities online for years, but as corporations demand higher assurance of users and governments explore citizen-wide digital identities, secure online proofing becomes imperative. These processes are evolving to check different records and data stores in order to let enterprises know who is accessing information and services.

38 Breaking down voice biometrics
Some may think that voice recognition and voice biometrics are the same thing, but there's a critical difference. One simply recognizes speech while the other connects that speech to a specific individual. Because it requires no additional hardware, the modality is gaining traction in the mobile, financial and a host of other markets.

44 Digital ID standards
Securely managing the identities of employees, customers and partners is of paramount importance, and standardized approaches can make this challenging process easier and cheaper. Highlighted in this issue are four key standards and the role each plays in identity management.

64 NIST releases FIPS 201-2
The hotly anticipated revision to the federal credentialing standard has been released and the industry is pleased. Changes include an enhanced contactless interface, derived credentials for use on mobile devices and a more secure approach to digital certificates.

Winter 2013


CONTENTS

6 Editorial: Biometrics going mainstream? iPhone 5S brings identity tech to the masses
8 ID Shorts: News and posts from the web
21 Moving identity proofing online: Alternatives to face-to-face checks can save money, offer user convenience and deliver identity on a global scale
26 Identity & access management policy for the 21st century: Tips, tricks and rules for creating IAM protocols
29 Smart cards stem the tide of Medicare fraud and abuse: Why 'after-the-fact' fraud fighting is not enough
30 Motorola 'skips' the unlocking process with NFC
32 Bionym taps into the heartbeat of biometric market
35 How does aging affect biometrics? Initial studies suggest iris may be good for a decade or more
36 ToBiometrics changing iPhone authentication
38 Breaking down voice biometrics
42 Biometrics lets New Guinea clinic manage services, medical records
44 Digital ID standards
45 SAML 2.0: the Universal ID Solvent
46 OAuth 2.0: Enabling identity for the cloud, mobile
47 XACML: setting enterprise access rules, policies
48 SCIM: provisioning users, killing connectors
49 How to manage identities in an era of regulation: ID and security solutions enable industries to address unique compliance challenges
52 Evolving IAM: Shifting to Identity Relationship Management
54 New NSTIC pilots raise total to a dozen: Pilots address untapped markets, vulnerable demographics
55 NSTIC winner: TSCP: Federating credentials across enterprises
56 NSTIC winner: Exponent: Using the SIM and wearable devices for secure online ID
57 NSTIC winner: PRIVO: Creating a kid-friendly identity ecosystem
58 NSTIC winner: Georgia Tech Research Institute: establishing a trustmark framework
59 NSTIC winner: Troop ID: Enabling veterans to prove online identity
60 NSTIC winner: Michigan: Remotely proofing applicants for public assistance
61 NSTIC winner: Pennsylvania: Tearing down identity silos en route to statewide federation
62 Cultivating an ID program: Tailoring cards, peripherals and printers for your organization's needs
64 NIST releases FIPS 201-2: Derived credentials, beefed-up contactless, post-issuance updates added
65 Usability issues confound NFC and derived credentials
66 Biometric payments take stage at U.K. music festival


ABOUT

EXECUTIVE EDITOR & PUBLISHER: Chris Corum, chris@AVISIAN.com
EDITOR: Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR: Andy Williams, andy@AVISIAN.com
CONTRIBUTING EDITORS: Liset Cruz, Andrew Hudson, Jill Jaracz, Gina Jordan, Ross Mathis
ART DIRECTOR: Ryan Kline
ADVERTISING SALES: Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com

SUBSCRIPTIONS: Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.

ABOUT REGARDING ID MAGAZINE: re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2013 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.

EDITORIAL ADVISORY BOARD: Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.


BIOMETRICS GOING MAINSTREAM? IPHONE 5S BRINGS IDENTITY TECH TO THE MASSES ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS

It finally happened: a handset manufacturer put a fingerprint scanner on a mainstream device. And not just any handset manufacturer either: Apple put the scanner on the iPhone. The fact that Apple did it was not surprising, as the purchase of fingerprint scanner manufacturer AuthenTec foretold the technology's eventual inclusion. It was interesting to watch the reactions on Twitter and the flow of media comments from the announcement of Touch ID. The Twitterverse was exploding with commentary claiming Apple would be giving the NSA your fingerprint, along with a host of other comments of that ilk. There were also comments that fingerprint biometrics aren't secure because people leave their fingerprints on just about anything they touch. This is true, no doubt, but the effort it takes to recreate one of these latent images isn't for the layman. Needless to say, I wasn't surprised when a German hacker group spoofed the fingerprint scanner just two days after its release. As soon as Apple announced the fingerprint scanner on the 5S it was a giant target for hackers. The mainstream media reaction was typical, stating that it was a huge security flaw. There's nothing easier in my mind than capturing a clean latent image from the user, photographing it at high resolution, cleaning it up in a graphics program, laser printing it onto a transparent sheet and then using glue to create a copy image. Not to mention using that image to gain access to the phone, which someone has to get from the owner. The fingerprint may not be a perfect authentication mechanism, but it's far better than a PIN. If a fraudster wants to take a phone that's PIN protected, all they have to do is shoulder surf the victim. And rest assured, we're not going to start seeing fingers cut off because people want to steal iPhones.


PERSPECTIVE

My main concern when the fingerprint rumors for the iPhone started circulating was usability. Fingerprint scanners can be one of the more accurate biometrics, but there are still small fractions of time when a user might experience a false reject. But the device has been in circulation for some time and I have yet to hear complaints about usability. After enrollment, each time the owner puts their finger on the scanner, it just seems to work. It's going to be fun to see how Apple evolves the use of Touch ID. Currently it's being used for access to the device and to confirm purchases in the App Store. Allowing other apps and developers to access the Touch ID API will only increase the value of the identification technology.

Other handset manufacturers are following Apple’s lead as well. HTC will be introducing a handset with a fingerprint sensor, and the rumors about Samsung range from them buying their own fingerprint sensor manufacturer to using iris recognition. 2014 might well turn out to be the year of the biometric handset. Should be fun to watch.



ID SHORTS

HIGHLIGHTS FROM SECUREIDNEWS.COM

BIOMETRICS ON THE BATTLEFIELD: TELLING FRIEND FROM FOE
The Marine Corps Systems Command is giving its Marines in the field the ability to pick out the bad guys from the good with a new biometric enrollment and screening device. An Urgent Statement of Need was issued six months ago and the Marines' Force Protection Systems team, along with Marine Air-Ground Task Force Command, Control and Communications, collaborated with the Army to provide the biometric devices to personnel in Afghanistan. The biometric enrollment and screening device, dubbed BESD, is a rugged handheld device that collects and stores biometric data. Once enrolled, the device can then compare and match fingerprints, iris images and facial scans against an internal biometric database in the hopes of positively identifying individuals encountered on the battlefield. The BESD is expected to facilitate Marines in detainee management and questioning, physical access to bases, counterintelligence screening, border control and law enforcement.

"The BESD provides Marines the ability to identify friendly or neutral individuals' true identities while denying the enemy anonymity," said Ilich Bello, a senior program analyst with Force Protection Systems. "It supports the biometric enterprise requirement to capture forensic-quality rolled fingerprints and meets Department of Defense and FBI standards."

The Marine Corps is already hard at work training its personnel to use the BESDs. More than 2,000 Marines and coalition personnel have received BESD training, enrolling between them some 19,000 persons of interest – 300 of whom have been placed on a watch list.

CENTRIFY UNVEILS UNIFIED IDENTITY SOLUTION FOR MAC USERS, MOBILE DEVICES
Centrify announced availability of its Centrify for Mac solution, an Active Directory-based authentication, policy management, single sign-on and user self-service for connected and remote Mac OS X systems. With Centrify for Mac, on-premise and remote Macs and mobile devices are integrated into Microsoft Active Directory, enabling organizations to leverage existing Active Directory infrastructures and skill sets to deliver management for IT and secure access for Mac users at work. Administrators and users are provided with self-service capabilities such as remote lock and remote wipe of a Mac with the included Centrify Cloud Service. With this cloud-based option, IT staff have the flexibility to use a single solution to manage Macs using a combination of both on-premise software and a cloud-based offering.

ALLRE, MIICARD PARTNER TO SELL HOMES ONLINE
A partnership between Web-based real estate broker Allre and miiCard aims to provide a real estate transaction platform that securely connects homeowners and buyers, enabling home purchases and sales completely online and independent of real estate agents. Allre announced that the partnership with miiCard, an online identity proofing service, will save homeowners time, money and stress by providing secure disclosure, identity verification, valuation and negotiation tools minus the real estate agent's commission. "Allre is disrupting the real estate industry, empowering homeowners just as Expedia and others did for travelers," says miiCard CEO James Varga. "For the first time ever, an entire home purchase from start to finish can happen online. It is an example of the powerful new online services that are enabled with true trust through proven identity verification." In addition to its latest partnership with miiCard, Allre also maintains professional relations with FRS National and Guaranteed Rate to manage a complete real estate transaction on its web platform. The new online platform promises to provide for buyers and sellers the same tools and support they would find in a traditional, in-person transaction, but the major draw for online transactions is the elimination of agent commissions, which typically reach 6% of the purchase price. In lieu of the traditional agent commission, Allre charges a flat $100 fee to initiate closing and another $100 at its completion. miiCard brings its Level of Assurance 3+ identity verification service that leverages the security inherent in an individual's online financial accounts – a utility that proves online identity to the level of a passport or photo ID check.

CALENDAR

FEBRUARY
2014 Payments Summit, Feb. 5–7, Grand America Hotel, Salt Lake City, Utah
RSA Conference 2014, Feb. 24–28, Moscone Center, San Francisco, Calif.

APRIL
ISC West, April 1–4, Sands Expo & Convention Center, Las Vegas, Nev.
NACCU Annual Conference, April 13–16, Sheraton Chicago, Chicago, Ill.

MAY
CARTES America, May 6–8, Mirage Conference Center, Las Vegas, Nev.

JUNE
NFC Solutions Summit 2014, June 3–4, Renaissance Arboretum Hotel, Austin, Texas

SEPTEMBER
Global Identity Summit, Sept. 15–18, Tampa Convention Center, Tampa, Fla.



Prior to conducting a transaction on the new online system, both the homeowner listing a property and the prospective buyer must first sign up for a miiCard account to verify their true identities. Once they have their miiCard identity, parties can move into direct negotiation with confidence. The Allre system will launch in San Diego, Calif., with plans to roll out to other major markets en route to a nationwide system.

TSA PRECHECK ADDS 60 AIRPORT LOCATIONS
The Transportation Security Administration (TSA) is expanding its expedited screening program, TSA PreCheck, to include 60 new airports. The new airports will join the list of 40 existing sites, bringing the total number of nationwide airport locations to 100. Airports participating in the TSA PreCheck program will have express lanes by the end of the year. Additionally, the agency has plans to expand the number of TSA PreCheck lanes at the existing 40 airport locations this fall. TSA PreCheck is an expedited screening program that eliminates the need for pre-approved travelers to remove their shoes, light outerwear or belts. It also allows them to keep their laptop in its case and compliant liquid-and-gel bags in a carry-on in select screening lanes. Since the program's inception in October of 2011, more than 15 million passengers have utilized TSA PreCheck express screening.

Eligibility for the TSA PreCheck program requires U.S. citizenship and a membership invitation from a participating airline's frequent traveler program. Additionally, U.S. citizens who are members of a U.S. Customs and Border Protection Trusted Traveler program, or Canadian citizens who are members of the NEXUS program, also qualify. To further expand the program, the TSA has plans to launch a mobile app that will allow more U.S. citizens to enroll. The list of current airline participants includes Alaska Airlines, American Airlines, Delta Air Lines, Hawaiian Airlines, United Airlines, US Airways and Virgin America, while JetBlue and Southwest are expected to begin participating in the near future. Once a passenger is eligible for expedited screening, a TSA PreCheck indicator will be embedded in the barcode of their boarding pass so that, when scanned at the checkpoint, the passenger may be referred to a TSA PreCheck lane. A number of the participating airlines already print TSA PreCheck indicators directly on the boarding pass, meaning passengers will know in advance whether they have been cleared for expedited screening. For security purposes, the TSA maintains that it will always incorporate random and unpredictable security measures throughout the airport screening process, meaning no individual will ever be fully guaranteed expedited screening.

FRENCH EDRIVER LICENSE TO USE INFINEON MICROPROCESSORS
Infineon Technologies will provide its security chips for France's new electronic driver licenses. The new, polycarbonate smart cards will contain Infineon's SLE78 microprocessor that securely stores both the biometric and personal data of the license holder, protecting identity and helping to reduce fraud. France's state printer, Imprimerie Nationale, will produce the cards. As many as 10% of all French driver licenses in circulation are believed to be counterfeit, and thus French police expect to see increased safety on the street following the introduction of the new license. France, one of Europe's most populous countries at 65 million citizens, is setting an example for the rest of the continent by issuing electronic driver licenses and residence permits in line with the latest EU standards. The eDriver license will also be used as an identification document and must be updated every fifteen years. Fully standardized polycarbonate driver licenses will become mandatory across the European continent by the year 2033. At present, there are 110 different licenses, with varying formats and security levels, in circulation throughout the EU. Joining electronic passports, IDs and electronic residence permits, the eDriver license is another benchmark in the introduction of synchronized, electronic identification documents within the European Union, an initiative largely driven by the European Commission's Digital Agenda.

HID EXPANDS PIVCLASS LINE
HID Global's pivCLASS product portfolio enables customers to comply with government physical access control mandates. The expanded suite now incorporates a family of software solutions from Codebench, part of HID Global, with HID's pivCLASS Authentication Module, readers and credentials. The pivCLASS portfolio supports credential verification of FIPS 201-based credentials – including PIV, PIV-I, CAC, CIV, TWIC, and FRAC – and physical access control registration into more than 30 different physical access control system head end products. The portfolio enables government agencies to comply with FIPS 201 requirements by leveraging their existing technology and eliminating the need to rip and replace systems. The portfolio includes pivCLASS hardware and software that can be used independently or in conjunction with each other to create a complete PIV-enabled access control system. The integrated product family includes:

pivCLASS Validation Workstation: Enables compliance officers to verify cardholders' identities and validate the cards' revocation status.
pivCLASS Registration Engine: Allows customers to validate and authenticate FIPS 201 cards, harvest the cardholder data and register the data into a supported physical access control system.
pivCLASS Certificate Manager: Revalidates the harvested certificates after registration and can suspend the credential in the physical access control system if the certificate has been revoked.
pivCLASS ID Publisher: Imports credentials from an identity management system, card management system, human resources database or other authoritative sources and provisions credentials into a PACS database.
pivCLASS MultiPACS: Concurrently registers identification credentials into multiple similar or disparate PACS.
pivCLASS Authentication Module: A small embedded computer with pre-loaded, updatable firmware that can be installed between readers and the existing physical access control system panel. The authentication module conducts PIV cardholder credential validation as cards are presented to readers.
pivCLASS Reader Services: Configures the authentication level to be used with each pivCLASS Authentication Module.
pivCLASS Reader Family: Supports PIV, PIV-I, CIV, CAC, TWIC, iCLASS, HID Prox. Authentication modes can be executed in conjunction with the pivCLASS Authentication Module to meet any security assurance level.
pivCLASS Credentials: Dual interface smart cards for FIPS 201 deployments used for combined logical and physical access.

APTIQMOBILE IS TURNING SMART PHONES INTO CREDENTIALS
Ingersoll Rand Security Technologies' aptiQmobile web-based key management system enables NFC-enabled smart phones to be used as a credential for physical access to buildings and a host of other ID card applications. Using strong security to create an easy to use access management solution, aptiQmobile allows people to use their smart phones to enter buildings in the same way they present a badge. After downloading the aptiQmobile app to their handset, the user's access control administrator uses aptiQmobile's cloud service to send a secure mobile credential directly to the user's device. The user then opens the app on their smartphone and simply taps their device on the reader as if it were an ID card. The aptiQmobile solution was piloted at Villanova University and the University of San Francisco, where users attached an NFC-enabled case to their iPhones to test the program. The latest version of aptiQmobile now allows students and employees to use Android phones as well, eliminating the need for an NFC case. Also testing the solution are the employees at Heartland Payment Systems' corporate campus, who are using aptiQmobile on their phones for access control.

BIOMETRIC EXITS, VISA OVERSTAYS ARE HOT TOPICS FOR DEPT. OF HOMELAND SECURITY
Border control is an all too familiar and vital focus of U.S. national security, and the time has come again for the U.S. Department of Homeland Security (DHS) to consider the implementation of biometric exits at air and seaports. Representative Candice Miller (R-Mich.) and Representative Loretta Sanchez (D-Calif.), a senior member on the House Committee on Homeland Security and former chairwoman of the Subcommittee on Border and Maritime Security, introduced the Biometric Exit Improvement Act of 2013 (H.R. 3141). Following written testimony from the U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement entitled "Fulfilling a Key 9/11 Commission Recommendation: Implementing Biometric Exit," the need for a comprehensive exit system has once again been raised. DHS officials lay out developments that have been made and enhancements that are planned. To Homeland Security's credit, progress has been made over the last ten years, from a time when screening of passengers entering the United States fell to the Department of State's visa process. At that time, there was no biometric collection for individuals seeking admission to the United States beyond a photograph. In the time since, DHS maintains that it has enhanced its ability to detect threats early. Those intending to travel to the United States under the Visa Waiver Program must now acquire authorization from the Electronic System for Travel Authorization program prior to boarding an airplane or ship traveling to the United States. The system checks passengers against a number of government databases and has digitized arrival and departure records (Form I-94W) for authorized travelers from other participating visa waiver countries. Under the Secure Flight program, all passengers seeking to fly to, from, or within the United States are screened in a similar manner prior to boarding an aircraft. For non-citizens, biometric data are collected and checked against terrorist watch lists prior to being issued a visa or being permitted entrance to the United States, with participating agencies sharing data on known or suspected terrorists with one another. Part and parcel with biometric exit is another heavily debated issue, visa overstays. The federal government has long tried to effectively and efficiently log accurate and timely data on those who overstay their period of admission in the United States. In response to this desire, Congress enacted legislation at the suggestion of the 9/11 Commission to institute a biometric entry and exit system.

According to a July U.S. Government Accountability Office report, however, there are currently more than 1 million unmatched arrival records, a figure that suggests the DHS has no knowledge of whether or not foreign visitors ever left the country. The H.R. 3141 bill mandates the creation and implementation of a biometric exit system to track if and when a foreign visitor exits the country. "We've known for a long time that visa overstays make up a large portion of illegal immigration – up to 40% – but the DHS has yet to implement a working biometric exit system," says Rep. Sanchez. "It is impossible to secure our borders and keep our country safe if we're only addressing half of the problem. Our bill's concrete requirements will finally get a comprehensive biometric exit program off the ground." The Biometric Exit Improvement Act of 2013 includes the following requirements for Homeland Security:

Submit within 180 days a plan to establish a biometric exit data system at ports of entry.
Establish a biometric exit data system, not later than two years after enactment, at the ten U.S. airports and ten U.S. seaports with the highest volume of international travelers.
Establish a six-month pilot program to test a biometric exit system on non-pedestrian outbound traffic at not fewer than three land ports of entry with significant cross-border traffic, including not fewer than two southwest border ports of entry and at least one northern border port of entry.
Expand the biometric exit system to all pedestrians at land ports of entry not later than three years after enactment, and to all air and seaports not later than five years after the date of enactment.

AAMSCO, DATACARD GROUP CHOSEN FOR ARKANSAS VOTER ID CARD PROGRAM
A partnership between Arkansas-based AAMSCO and Datacard Group was selected to provide Arkansas with a voter ID card program, scheduled for rollout in 2014. A new state law requires that, effective January 1, 2014, citizens will need to provide photo identification in order to vote at the polls. After a consultation with AAMSCO to determine specific needs for the program, the voter ID card requirements and design preferences, the state of Arkansas purchased 98 Datacard SP25 Plus card printers to be installed in each of the state's 75 county clerks' offices. State officials will use Datacard ID Works identification software and cameras for photo capture. AAMSCO will provide card personalization support and local services. Each Arkansas county clerk office will personalize its own voter ID cards for citizens living within that designated county. Every citizen will have their cardholder information and photo captured by the disparate county offices, after which the voter ID cards will be produced on-site using the Datacard solution. Additional security measures including photos, county clerk signatures and watermarks will be printed on the cards.

CERTIPATH ACQUIRED BY INVESTMENT BANKING FIRMS CertiPath announced its acquisition by two U.S.-based investors – Crawley Hatfield Capital, a subsidiary of Crawley Ventures, and SHiRT LLC, a partnership between Shawn Hughes and Robert Trump. The acquisition will provide increased stability and capital to expand CertiPath’s offerings and increase its focus on the usability of high assurance digital credentials in both logical and physical access. Hughes was the CEO of Fortress Technologies, a company acquired by General Dynamics in 2010. He will assume the CEO role for CertiPath, and prior CEO Jeff Nigriny will serve as president and oversee day-to-day operations. CertiPath’s Public Key Infrastructure Bridge services are used to establish trust in high assurance credential issuers globally. CertiPath was heavily involved in the creation of the first HSPD-12 physical access control system and the PIV-I standard. In much the same way CertiPath certifies identities, it also certifies the access control systems that leverage them. The company also provides the PACS testing lab for the General Services Administration’s Approved Products List.

SALESFORCE.COM STRIVES TO PROVIDE IDENTITY FOR A CONNECTED WORLD Salesforce.com’s new Salesforce Identity solution provides integrated identity services that can connect every employee, customer and partner to any app, from any device. Built on the Salesforce Platform, Salesforce Identity helps an organization break down identity silos, enabling CIOs to offer a simple and customizable user experience spanning web, mobile and on-premise apps. Salesforce serves a wide range of customers including New England Biolabs, Sierra Club and Varsity Brands, who all centrally manage the proliferation of apps and devices. According to Andy Kellett, principal analyst at Ovum, “Salesforce is a significant new entrant into the Identity and Access Management (IAM) market because it is looking to cover all aspects of the identity management lifecycle, and although provided as a cloud-based service, it is not restricting itself to just protecting access to cloud-based applications.” Ovum’s 2013 Enterprise Insights survey reveals that IAM is a valued resource across many business verticals, but the technology particularly thrives in highly regulated areas, with 60% of retail banking respondents planning a transition to or installation of new systems in the coming 18 months. “Most existing platform vendors are categorized as performing within the enterprise space and looking out towards the cloud for future opportunities,” says Kellett. “Previous new entrants over the last two years have joined the IAM sector as cloud-only specialists. They want to provide simple to use and cost effective solutions without taking on the overheads of enterprise environments.” Kellett explains that the cloud vs. enterprise divide over IAM was never a comfortable situation, but Salesforce has shaken things up. He says that the company’s approach may actually be seen as disruptive to the identity management sector. Salesforce Identity is currently available and comes bundled with Enterprise and Unlimited Edition licenses for Salesforce Sales Cloud, Salesforce Service Cloud, Salesforce Communities, Force.com and Chatter Plus. Pricing for the service starts at $5 per user per month and includes Single Sign-on, Mobile Identity, Salesforce Chatter, User and Access Management, Cloud Directory, Multi-factor Authentication, Reporting and Dashboards, Brandable Identity Services and Social Sign-on.

PODCASTS The National Institute of Standards and Technology awarded seven additional pilots and $9 million to help create an identity ecosystem for the National Strategy for Trusted Identities in Cyberspace. The awards range from creating a trust framework for minors to testing different hardware solutions for online identity. Each of the seven winners detailed their plans in an episode of the re:ID Podcast series.
Episode 112: NSTIC pilot winner Troop ID
Episode 113: NSTIC pilot winner PRIVO
Episode 114: NSTIC pilot winner Georgia Tech Research Institute
Episode 115: NSTIC pilot winner TSCP
Episode 116: NSTIC pilot winner Michigan Department of Human Services
Episode 117: NSTIC pilot winner Exponent
Episode 118: NSTIC pilot winner Commonwealth of Pennsylvania

HID GLOBAL DELIVERS E-PASSPORTS TO IRELAND The successful rollout of the new Irish electronic passport was made possible by HID Global and its partners DLRS Group and X InfoTech. Together, the companies are providing an end-to-end solution that includes e-passport delivery, personalization and production management. The newly designed Irish e-passport leverages the latest security technologies to safeguard citizen identity and provides the country with a flexible, efficient solution. Ireland-based DLRS is the prime contractor for the project, providing its high-level security printing. In addition to serving as project manager for the joint venture, DLRS is also manufacturing and delivering the new Irish passport booklets. X InfoTech will provide its MultiPerso personalization solution for contactless chips, which includes ICAO data preparation. The new Irish e-passport will be a straight swap for the previous passport document and promises to offer a new level of security thanks to HID Global’s polycarbonate electronic data page complete with contactless chip inlays. The new documents also incorporate HID Global’s Crack Prevention Feature (CPF), which enhances the durability and reliability of polycarbonate e-passport data pages – particularly those with embedded RFID chips. Thanks to CPF, governments can leverage the advantages of smart card technology while protecting their investment by extending the life of the ID credentials for up to 10 years. Ireland’s Department of Foreign Affairs and Trade reports that more than 630,000 Irish passports were issued in 2012 and there are approximately 4.5 million citizens to whom the new e-passports could be issued.

NCSA, PAYPAL PUBLISH NEW ONLINE SAFETY STUDY The National Cyber Security Alliance (NCSA) along with partner PayPal released the 2013 edition of their National Online Safety Study, which examines the cyber security behaviors and perceptions of Americans as well as their mobile device usage habits. The study surveyed some 1,100 adults nationwide, posing 25 questions related to use and access of the Internet. Highlights include:

Respondents were asked to indicate their device of choice when accessing the Internet – desktop, laptop, smart phone, tablet – with a final option available for those who had only used a desktop or laptop to access the web. Despite the popularity of mobile, the desktop was the most preferred device for more than 35% of respondents.

Respondents were asked to indicate, on a scale from “much more” to “same” to “much less,” whether they were more or less cautious when surfing the web on their smart phone as opposed to their desktop. The most common answer was “about the same,” but a significant portion of respondents (20%) reported being “much more” cautious when surfing the web on their mobile device. Nearly 40% of respondents reported being “very concerned” that data on their mobile device would be compromised if the phone were lost or stolen, with an additional 30% being “somewhat concerned.” When asked about shopping tendencies in a given week, respondents indicated that more than 50% of their weekly shopping took place online using a credit or debit card, and 40% of weekly shopping was conducted using a laptop or desktop. Respondents were asked to rank the security levels of various payment methods – cash, credit/debit in person, smartphone in store, smartphone online, tablet online and PC/laptop online. Of the various options, respondents believed smartphone purchases, both online and in store, along with online tablet purchases to be the least secure methods of shopping. To put this in perspective, however, respondents were asked how many daily transactions – banking, shopping, coffee, etc. – they conduct using their smartphone. An overwhelming 72% reported zero mobile transactions. Respondents were then asked to indicate which security features, if any, would make them feel more secure when conducting mobile transactions. The responses were as follows:

Strong password protection: 29.9%
Buyer protection: 25.1%
Phone tracking: 16%
Remote deactivation: 21.7%
Anti-virus or security software: 30%
Two-factor authentication: 22.3%
Facial recognition: 17.1%
Biometrics identification: 18.7%
None/nothing: 24.4%
Not sure: 24.2%

The survey also discusses the role of biometrics in securing online identity by asking respondents to rate the most popular biometric modalities based on their comfort in using the technology to conduct mobile transactions. The modalities in question – fingerprint, retinal scan, photo ID, automated facial recognition and hand gesture recognition – were evaluated on a comfort scale ranging from ‘not at all’ to ‘extremely’ comfortable. Fingerprints and retinal scans were the preferred modalities for use in mobile transactions at 30% and 27% respectively. While the results of this study suggest a need for more secure online identity, the need to do away with passwords and PINs is even more evident. The number of PINs that we each maintain grows seemingly by the day, and when asked how many PINs or passwords they currently maintain, the most common response was “6 or more” at 31.5%.

NEW PARTNERSHIPS EXPAND THURSBY’S FEDERAL MOBILE SECURITY SUITE Thursby Software is working with Juniper Networks, Acronis and Silanis to develop a secure mobile solution for iPad and iPhone users in the Department of Defense and other federal agencies. Thursby will provide its secure mobile hardware, software and support solutions, which are currently deployed at more than 400 U.S. Government agencies ranging from the Pentagon to civilian parks. The expansion with Juniper, Acronis and Silanis will leverage Thursby’s secure PKard web browser and email apps – a solution that also doubles as an authorization agent by coordinating reader and card access for a secure app ecosystem. The PKard Toolkit v2.0 focuses on data management with strong two-factor (2FA) smart card authentication and FIPS 140-2 encryption. It includes a software development kit (SDK), sample apps, documentation, a Mac simulator and tools for secure enterprise policy management. Adding to the ecosystem is Juniper’s Junos Pulse app that provides secure Virtual Private Networking (VPN). Acronis will add its mobilEcho solution to provide secure Mobile File Management (MFM), while Silanis will provide e-signature handling. Along with Thursby’s PKard solution, Juniper’s Junos Pulse Secure Access Service will allow government personnel to use the same smart cards currently in circulation for all levels of authentication – both physical and online – to connect to private or carrier mobile networks using their iPhone or iPad. Acronis’ mobilEcho solution will leverage its file access and editing capabilities that, when combined with CAC/PIV authentication, will allow IT personnel at federal agencies and the DoD to enable employees to access files, browse the web and check email on their Apple devices – all while meeting government standards. Finally, Silanis’ e-signature solution and accompanying app will allow the user to securely access documents in their email account using their CAC or PIV card and Thursby’s PKard Reader. The new family of apps can be seamlessly deployed to both personal and government furnished devices either directly or as part of a managed rollout.


EU FUNDS BIOMETRIC RESEARCH PROJECT, SHIFTS FOCUS TO SPOOFING With the number of biometric identification initiatives growing and now being implemented in mobile devices, the European Union (EU) has opted to fund a biometrics research project examining spoofing. Supported by EU research and investment, the TABULA RASA consortium is tasked with identifying how well the new generation of biometrics software works, especially as it relates to spoofing attacks. Spoofing is the process by which a fraudulent user can subvert or attack a biometric system by pretending to be another registered user. The TABULA RASA consortium consists of 12 organizations spanning seven countries that have worked together over the past three years to uncover as many of these vulnerabilities as possible and develop countermeasures en route to a new era of safer biometric systems. As part of TABULA RASA’s research, the consortium hosted a “Spoofing Challenge,” inviting researchers from around the globe to develop their best schemes to deceive various biometric systems. Participants in the challenge showed that the range of spoofing techniques is not only vast, but creative as well. One of the more innovative spoofing techniques displayed during this challenge used makeup to spoof a 2D facial recognition system, where an impostor successfully tricked the system into thinking it was a legitimate user. Also on display were the more traditional techniques that leverage photographs, masks, fake fingerprints or gummy fingers. The EU has invested some €4.4 million in the TABULA RASA project, which accompanies the €1.6 million investment made by the consortium itself, to carry out the extensive biometrics research and testing. The TABULA RASA research project has logged an extensive list of possible spoofing attacks, evaluated the vulnerability of biometric systems to these attacks and developed countermeasures to improve the security of biometric systems.

USE YOUR VOICE TO PAY FOR K-CUPS Mobile commerce solutions specialist Spindle announced a deal with ValidSoft that will use voice biometric authentication to pay for K-Cup coffee products at vending machines. Also partnering on the project is vending machine manufacturer Multi-max, whose machines are specifically designed for small to mid-size offices. The company maintains contracts throughout North America, Europe and Asia. As part of the agreement, Spindle will integrate its MeNetwork mobile commerce technology into Multi-max’s line of K-Cup vending machines. Spindle’s MeNetwork solution will support all card-based payment services, as well as mobile marketing services. Accompanying the more conventional payment methods, however, will be ValidSoft’s In-band Voice Biometrics authentication technology. Spindle plans to deliver its K-Cup systems to businesses and coffee service suppliers throughout the United States. Spindle’s MeNetwork360 platform supports a number of features, including loyalty programs, e-coupons, rebates and special offers. The app also allows consumers to locate merchants, take advantage of offers, collect loyalty points and make purchases from their mobile devices. Underlying Spindle and ValidSoft’s biometric implementation is Cardis USA. Cardis will provide the technology that will enable multiple consumer transactions made at different retailers to be handled with only one transaction processed through the payment network, lowering the overall transaction costs.

DIGITAL IDENTIFICATION SOLUTIONS REBRANDING TO MATICA The familiar monikers “Digital Identification Solutions,” “DISO” and “EDI Secure” are being replaced as the company embraces its new brand with the Matica Group, under the tagline, “The art of card issuance.” The new brand will be rolled out in force at the Cartes 2013 Conference in Paris. “Changing our name to Matica Technologies formalizes a shift in corporate strategy that has been underway since we acquired Digital Identification Solutions,” says Sandro Camilleri, CEO at Matica. “As part of our strong focus on innovation and technology, we now offer to our customers a complete technology platform. We believe it is the right time to rebrand DISO and bring together all technologies under one roof for the benefit of our customers.” While the new brand is a big change for the company, there are also changes coming to the business, says Shane Cunningham, director of global marketing for Matica Technologies. The company is setting up dealer networks for its higher-end systems; sales of these products had previously been handled directly with the client. In Europe, Matica has dealer networks set up for its lower-end products, but the company is also partnering with large systems integrators and prime contractors.

Matica is also manufacturing its own card printers, Cunningham says. Previously, a Japanese manufacturer had produced the majority of the company’s printers, but now Matica maintains facilities in Germany and Italy for its printer production. “It’ll give us power to make changes quicker,” he adds. “We can be more responsive to the changing market.” This change is going to enable Matica to offer a better price point on the high-end printers, be more responsive to requests from clients and produce products for specific geographic markets.

TULANE, QUINNIPIAC PILOTING COMPLETE NFC ECOSYSTEM FROM BLACKBOARD Tulane University and Quinnipiac University are piloting a complete near field communication system on campus. The Blackboard Transact system uses NFC-enabled Android handsets, and students can use the devices for physical access control, payments at the point-of-sale, vending, laundry, copying and printing. The pilot is using Samsung Galaxy S3 handsets that are being provisioned over the air using a trusted service manager, says Dan Gretz, senior director at Blackboard. Blackboard is working with one of the largest mobile carriers in the U.S., which the company has declined to name. Tulane and Quinnipiac were chosen for the pilot because of their large installed base of contactless readers. Blackboard’s contactless readers are capable of working with standard contactless cards as well as NFC-enabled devices. “It’s not just about door access, it’s about using the mobile for everything,” Gretz says. “It really covers the entire campus ecosystem.” Pilot participants have to swap out their device’s existing SIM with one enabled for NFC, Gretz says. These SIMs are available at the campus card offices and are activated with a call to the mobile provider. The student then logs into the Blackboard Transact system on their mobile and the credential is downloaded to the device. Then the student can choose how they want to use the credential, Gretz says. There’s a manual mode where the student activates the app and it stays on for 60 seconds. There’s also an automatic mode that enables the device to communicate with the reader whenever it’s presented. “The student never has to interrupt what they’re doing,” Gretz explains. “They approach the residence hall and just present the phone and within a second they’re through the door, even if on a call. With automatic mode the phone doesn’t have to be turned on, as long as the battery has a little bit of juice the student will be able to interact with a reader.” Blackboard hopes to get around 100 students on each campus to test the system, says Jeff Staples, vice president of marketing and business development at Blackboard. “We have a range of criteria we want feedback on,” Staples says. “But the biggest thing is how it works from a user perspective – is it compelling and can we shape it right for the students?” The pilot is scheduled to run through May but other institutions may be able to join sooner. Blackboard Transact NFC-enabled contactless readers are installed in more than 250 campuses throughout North America.



MOVING IDENTITY PROOFING ONLINE
ALTERNATIVES TO FACE-TO-FACE CHECKS CAN SAVE MONEY, OFFER USER CONVENIENCE AND DELIVER IDENTITY ON A GLOBAL SCALE
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS


The ability to enroll an individual online – and then issue a credential with some level of assurance behind it – is becoming increasingly crucial in the modern Internet economy. Financial institutions have been doing this for years, enabling customers to open lines of credit online. Enterprises are beginning to use the solutions to issue credentials to employees who require access to web-based systems. The Affordable Care Act – less affectionately known as Obamacare – is providing a major impetus for states to step up online identity vetting. In the past, Medicaid recipients would have to fill out paper forms, interview with a social service agent and then await notification of eligibility. The Affordable Care Act is going to see citizen participation in Medicaid programs grow, as it may be the only option for many. States want to streamline the enrollment process and many are investigating online identity vetting. Enterprises are also routinely turning to online identity vetting for business partners, contractors and even remote employees. The time and money these systems save are great for the enterprise and the individual receiving the credential.

Online identity vetting is not without issues, however. A large component of these systems use knowledge-based authentication, asking questions such as the name of the bank holding your car loan, the address you lived at in 1996 or the square footage of your current house. This method has come under fire recently as several providers of these online identity vetting services have been hacked. LexisNexis, Experian and others have been breached, bringing to the public consciousness the idea that this secret information is not so secret. The reality is that much of it wasn’t secret to begin with, as it can be readily mined from social networking or other online sites. Providers are quick to point out that knowledge-based questions are just one aspect of identity vetting services. There are many other tools that should be leveraged in a multi-layered proofing process.

STATES SUCH AS VIRGINIA AND MICHIGAN ARE PROOFING CITIZENS ONLINE IN AN ATTEMPT TO STREAMLINE DELIVERY OF BENEFITS AND SERVICES

Health care may be the largest market that is looking to streamline identity vetting in the wake of the Affordable Care Act. The Commonwealth of Virginia launched the Commonwealth Authentication System, which is proofing resident identities using information from its Department of Motor Vehicles databases. The system went live Oct. 1, and instead of having to fill out paper forms and wait for a response from the Department of Medical Assistance Services, everything can now be done online. The commonwealth is expecting to save significant resources by conducting online identity checks versus in-person interviews. Virginia isn’t alone. One of the latest pilot award recipients from the National Strategy for Trusted Identities in Cyberspace is setting up a system to accurately identify residents applying for benefits online. The Michigan Department of Human Services pilot is working to end the manual review of applications, giving clients a fast and accurate way to prove their identity in an automated way.



SAFE-BIOPHARMA HITS 60% WITH ONLINE PROOFING SOLUTION More than two years ago, SAFE-BioPharma was looking for a quick and secure way to get credentials to members, says Gary Secrest, chief technology officer at the organization. This led the group to go to the Federal Public Key Infrastructure Management Authority, which pitched online identity proofing. The group was successful and now offers online identity proofing to members in the U.S. SAFE-BioPharma was established by the biopharmaceutical industry to help speed the transformation to an electronic environment by providing standardized digital identity and signature standards.

SAFE is also one of four organizations cross-certified with the federal PKI Bridge. In order for a SAFE member employee to receive a credential, they first must be invited via email, Secrest says. The employee then clicks on the link that takes them to the registration site. From there, they fill out initial demographic data: name, Social Security number, date of birth, etc. That information is sent to the identity vetting service, which brings up five knowledge-based authentication questions that the individual must answer within two minutes, Secrest explains. If the individual answers one of the five questions incorrectly, they are taken to another service, which asks another five questions that again must be answered in two minutes. If all the questions are answered correctly they are considered to have proven their identity and the process to issue a credential begins. If they don’t answer the questions correctly – and 40% do not – then they are required to present documents to a notary for verification and go through a paper-based verification process, he says. SAFE realizes that a 60% pass rate for online verification isn’t ideal. “We want to get it higher,” Secrest admits. “Some of the questions are structured in a way that people have trouble understanding or answering.” Also, some answers can be overly exact, posing a problem. “For example, a question might be what’s the square footage of your house, and sometimes the multiple choice answers are too close together,” Secrest says. SAFE is working with the providers to address these issues. “It’s not perfect, but on the other side of the coin, the people who do pass think it’s the greatest thing ever,” Secrest says. “Six minutes and you can be credentialed.” The five-questions-in-two-minutes rule was put in place to help gain approval for the process from the Federal PKI Management Authority to issue a level of assurance three credential, Secrest says. There was some back and forth with the feds before online identity vetting was approved, he explains. Level three is as far as it goes for now, and it’s unlikely that online only will be used to issue a level four credential. “You need person to person, but could it be done over a secure video link?” Secrest asks. “There could be different processes put in place that would be the equivalent of face to face.”

An exercise in remote proofing: Checking Social Security benefits online
Experian provides online identity proofing to the U.S. Social Security Administration. For the uninitiated, here’s what happens. I first entered my name as it appears on my Social Security card, my date of birth and address. If you want to enroll your mobile device to receive information, you also have to enter the last eight digits of a credit card. Next came the knowledge-based authentication in multiple-choice format. It asked for the terms of my auto loan, a previous employer and the model of a car I owned. Then it provided a previous address and asked me to supply the city in which the address was located. The questions were not a problem. The problem came next, when it asked me to choose an eight-character password that had to contain one uppercase letter, one lowercase letter, one number and one symbol. I’ve already forgotten what I picked. Here’s hoping that efforts like NSTIC and the new Federal Cloud Credential Exchange will make logging on for online government services a little easier down the road.
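The two-round rule Secrest describes above, five questions in two minutes with one fresh set from a second service before falling back to the notary process, as a runnable sketch added here; this is not SAFE-BioPharma's or its vendors' code, and the question set, the all-"B" answers and the ONLINE_PASS / MANUAL_REVIEW labels are constructed for illustration.

```python
"""Two-round knowledge-based authentication (KBA) gate modelled on the
SAFE-BioPharma process: five questions in two minutes, a fresh set of
five from a second service if any answer is wrong, and fallback to the
paper/notary process if that fails too.

Added illustration, not SAFE-BioPharma's or any vendor's code. The
question bank and answers below are constructed sample data; the
ONLINE_PASS / MANUAL_REVIEW labels are assumed names.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

QUESTIONS_PER_ROUND = 5
ROUND_TIME_LIMIT_S = 120.0   # "must answer within two minutes"
MAX_ROUNDS = 2               # first service, then one more; no third try online


@dataclass(frozen=True)
class Question:
    prompt: str
    choices: Tuple[str, ...]
    answer: str              # correct choice, held server-side only


@dataclass(frozen=True)
class RoundOutcome:
    passed: bool
    correct: int
    reason: str              # "ok", "timeout", "incomplete", "wrong_answer"


def grade_round(questions: Sequence[Question],
                answers: Sequence[Optional[str]],
                elapsed_s: float) -> RoundOutcome:
    """Grade one KBA round. All five must be right and within the limit;
    a single wrong answer fails the round, as the article describes.
    The time check comes first so a slow but correct set still fails."""
    if len(questions) != QUESTIONS_PER_ROUND:
        raise ValueError("a round is exactly %d questions" % QUESTIONS_PER_ROUND)
    if elapsed_s > ROUND_TIME_LIMIT_S:
        return RoundOutcome(False, 0, "timeout")
    if len(answers) != len(questions) or any(a is None for a in answers):
        return RoundOutcome(False, 0, "incomplete")
    correct = sum(1 for q, a in zip(questions, answers) if a == q.answer)
    if correct < QUESTIONS_PER_ROUND:
        return RoundOutcome(False, correct, "wrong_answer")
    return RoundOutcome(True, correct, "ok")


def proofing_decision(attempts) -> str:
    """attempts: list of (questions, answers, elapsed_s) in the order tried.
    A failed round is never retried with the same set; the next attempt is
    a new set from the second service. After MAX_ROUNDS failures the
    applicant goes to manual, document-based verification."""
    for questions, answers, elapsed_s in attempts[:MAX_ROUNDS]:
        if grade_round(questions, answers, elapsed_s).passed:
            return "ONLINE_PASS"
    return "MANUAL_REVIEW"


def online_pass_rate(decisions: Sequence[str]) -> float:
    """Share of applicants credentialed online (the article's 60% figure)."""
    if not decisions:
        return 0.0
    return sum(d == "ONLINE_PASS" for d in decisions) / len(decisions)


def sample_round(tag: str) -> Tuple[Question, ...]:
    """Constructed sample set; a real service draws these from credit and
    public-record data. Every correct answer here is choice "B"."""
    prompts = (
        "Which bank holds your auto loan?",
        "At which address did you live in 1996?",
        "What is the square footage of your current house?",
        "Which of these employers have you worked for?",
        "What is the model of a car registered to you?",
    )
    return tuple(Question(f"[{tag}] {p}", ("A", "B", "C", "D"), "B") for p in prompts)


if __name__ == "__main__":
    first = sample_round("service-1")
    second = sample_round("service-2")
    # One wrong answer in round one, a clean round two: credentialed online.
    print(proofing_decision([(first, ["B", "B", "B", "B", "A"], 70.0),
                             (second, ["B"] * 5, 95.0)]))
```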



EXOSTAR PUSHES ONLINE VETTING FOR AEROSPACE AND DEFENSE Providing a business-to-business exchange portal for some of the largest manufacturers in the world poses an interesting identity management issue. Since launching in 2000, Exostar has expanded its service offerings and extended its supply chain to identity management and collaboration. Exostar now on-boards individuals for access to the supply portals and various applications, says Vijay Takanti, vice president of Security and Collaboration at Exostar. Boeing, for example, has a supply portal with different applications ranging from purchase order processing to design specification management. “There are thousands of apps in the portal and 150,000 users who need access,” Takanti says. “Part of identity management is to prove the assurance of the identity, and we assure that they are who they say they are and that they have proper access.” It’s Exostar’s responsibility to vet the identity of those who want access to the portal, Takanti says. “Depending on the levels of assurance required – some want a level four check – we send someone out to physically check a passport and then provide the credential,” he explains. For users requiring level three credentials, the entire process occurs online.

SCORING IDENTITY WITH EXPERIAN Exostar contracts with Experian to conduct online identity vetting. Remote identity proofing services reduce the time needed to on-board individuals into a community while balancing identity-proofing requirements. The service includes online credit bureau-based identity vetting options. Through Experian, Exostar conducts a knowledge-based verification process wherein an individual must answer questions drawn from the credit-related information maintained in the Experian databases. If the individual passes through the Experian vetting successfully, they are then sent a one-time passcode token in the mail or can download an app for use on their smart phone, Takanti says. Start to finish, the process takes 72 hours if the token is being shipped.

TO PROVIDE TRUSTED IDENTITY PROOFING FOR NON FACE-TO-FACE ENVIRONMENTS, PROVIDERS FREQUENTLY CHECK THOUSANDS OF DATA SOURCES

Exostar chose Experian because it has provided similar services to the Social Security Administration and other U.S. federal agencies, says Keir Breitenfeld, vice president of fraud and identity solutions at Experian’s Decision Analytics. Exostar uses Experian’s Precise ID platform, which has achieved Federal Identity Credential Access Management recognition at assurance level 3 for identity proofing. Experian launched its service in 2006 and uses credit profiles, along with millions of other records associated with consumers, to create a risk-based identity score that is similar to a credit score. “We’re checking against 200 million identity transactions to piece together a more holistic view of identity and deliver a score back,” Breitenfeld says. “We’re scoring the confidence of an identity in a non face-to-face environment.” These identity transactions include anything from credit inquiries to authentication inquiries and an array of queries in between. This enables Experian to develop a strong idea of how an identity is being used, Breitenfeld explains. For example, if Experian sees the same name, address or Social Security number six times in three weeks, they can be confident of an identity. If, on the other hand, they see a name, address and different Social Security numbers coming from that address, they would be less confident, Breitenfeld explains. Experian is also using device identification as part of the identity score, Breitenfeld says. The company acquired 41st Parameter, which tracks web fraud origination. If Experian notices that an identity request is coming from an area where fraud is high, it can use that to help determine an identity score. Records of these identity transactions along with knowledge-based authentication questions are two parts that make up the final identity score, Breitenfeld says. Knowledge-based authentication – the use of questions derived from information in an individual’s credit report and other public records – has come under criticism for not being secure or secret. Following several highly publicized breaches of these service providers, information once thought to be secret may no longer be secret. Experian counters this by explaining that knowledge-based authentication is just one part of the identity score. “There’s a perception that we just use knowledge-based authentication or that it’s heavily weighted in a positive or negative way because it’s what the consumer or analyst sees,” Breitenfeld says. But that is not the case, he says. Additional information is always used to deliver an accurate identity score. “If you’re basing an identity claim on knowledge-based questions alone, it’s not good enough,” Breitenfeld explains. Breitenfeld argues that online identity verification can actually be better than in-person checks. Face-to-face checks typically rely on documents – such as a passport or driver license – but these documents can be altered. They also rely on the capability and attention of the human verifier. Online verification, on the other hand, offers dynamic checks of an individual’s data because the individual doesn’t know what questions will be asked and there’s a time limit to answer. It also eliminates the vagaries involved with human checking.

LEXISNEXIS ENABLES A MULTI-LAYERED APPROACH

Similarly, knowledge-based authentication is just one piece of the proofing solution LexisNexis offers its clients, says Kimberly Little, director of market planning for Identity Management Solutions at LexisNexis. The first step for most clients is verification: checking name, address, date of birth and other demographic data against public records. LexisNexis can filter through more than 36 billion public and proprietary records from more than 10,000 separate data sources. “The goal is to make sure we have seen the combination of data elements before,” Little explains.

The verification step makes sure the identity is valid and the steps that follow validate that the person answering the questions is who they claim to be, Little says. This is where dynamic knowledge-based authentication comes in; it asks questions and validates identity. “Knowledge-based authentication remains one of the more effective ways to authenticate an identity the first time you see a customer,” Little explains. “The biggest challenge is that knowledge-based authentication is treated like one big bucket. There are so many analytics that can be built in, so many ways the questions can be delivered, and we give our customers the ability to figure out how strong to make that process.”

There are other protocols layered in as well. LexisNexis can check for fraudulent phone numbers and check the geolocation of IP addresses to make sure requests aren’t coming from suspicious areas, Little says.

SOME ARGUE THAT ONLINE IS ALREADY BETTER THAN IN-PERSON PROOFING AS FACE-TO-FACE RELIES ON DOCUMENTS THAT CAN BE ALTERED, BUT ONLINE OFFERS DYNAMIC CHECKS OF NUMEROUS DATA SOURCES.
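Both the Experian and the LexisNexis passages above describe the same underlying idea: confidence in a claimed identity comes from how consistently the name, address and Social Security number combination has been seen before, how many conflicting values have been seen at the same address, and where the request originates. The following is an added illustration of that scoring logic, not code from Experian, LexisNexis or this magazine. The sightings are constructed, the three-week window and the six-sighting threshold are the figures the article quotes, and every point value (the bonus, the per-sighting credit, the conflict and high-fraud-region penalties) is an assumption chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sighting:
    """One occasion on which a provider saw a name/address/SSN combination
    (constructed sample data, not real identities)."""
    name: str
    address: str
    ssn: str
    seen_at: datetime


# Assumed weights: the article only gives the thresholds ("six times in three
# weeks" is convincing, several SSNs at one address is not), so these numbers
# are illustrative and are not any provider's real scoring model.
REPEAT_THRESHOLD = 6      # sightings in the window that earn full confidence
REPEAT_BONUS = 60
PER_SIGHTING = 10         # partial credit below the threshold
CONFLICT_PENALTY = 15     # per different SSN seen at the claimed address
CONFLICT_CAP = 45
HIGH_FRAUD_PENALTY = 20   # request geolocated to a high-fraud region


def identity_score(history, claim, now, request_region, high_fraud_regions,
                   window=timedelta(weeks=3)):
    """Return (score in 0..100, list of human-readable reasons) for a claim
    given as a (name, address, ssn) tuple."""
    name, address, ssn = claim
    recent = [s for s in history if timedelta(0) <= now - s.seen_at <= window]
    exact = sum(1 for s in recent if (s.name, s.address, s.ssn) == claim)
    conflicting = {s.ssn for s in recent if s.address == address and s.ssn != ssn}

    score, reasons = 0, []
    if exact >= REPEAT_THRESHOLD:
        score += REPEAT_BONUS
        reasons.append(f"combination seen {exact} times in window")
    elif exact:
        score += PER_SIGHTING * exact
        reasons.append(f"combination seen only {exact} time(s) in window")
    else:
        reasons.append("combination never seen before")
    if conflicting:
        score -= min(CONFLICT_CAP, CONFLICT_PENALTY * len(conflicting))
        reasons.append(f"{len(conflicting)} other SSN(s) used at this address")
    if request_region in high_fraud_regions:
        score -= HIGH_FRAUD_PENALTY
        reasons.append(f"request originated from high-fraud region {request_region}")
    return max(0, min(100, score)), reasons


def sample_history(now):
    """Constructed history: one consistent identity, one stale sighting that
    falls outside the window, and one address with several different SSNs."""
    consistent = [Sighting("Ada Example", "1 Analytical Way", "000-00-0001",
                           now - timedelta(days=d)) for d in (1, 4, 7, 10, 13, 16)]
    stale = [Sighting("Ada Example", "1 Analytical Way", "000-00-0001",
                      now - timedelta(days=40))]
    shared_address = [
        Sighting("Bob Example", "2 Elm Street", "000-00-0002", now - timedelta(days=2)),
        Sighting("Bob Example", "2 Elm Street", "000-00-0003", now - timedelta(days=5)),
        Sighting("Bob Example", "2 Elm Street", "000-00-0004", now - timedelta(days=9)),
    ]
    return consistent + stale + shared_address


def run_scenario():
    """Score a consistent claim and a conflicting one; returns both results."""
    now = datetime(2013, 12, 1)
    history = sample_history(now)
    high_fraud = {"region-z"}
    ada = identity_score(history, ("Ada Example", "1 Analytical Way", "000-00-0001"),
                         now, "region-a", high_fraud)
    bob = identity_score(history, ("Bob Example", "2 Elm Street", "000-00-0004"),
                         now, "region-z", high_fraud)
    return ada, bob


if __name__ == "__main__":
    for label, (score, reasons) in zip(("Ada", "Bob"), run_scenario()):
        print(f"{label}: score={score} reasons={reasons}")
```

The consistent claim collects the full bonus because all six sightings fall inside the window (the 40-day-old one is ignored); the second claim has been seen once, shares its address with two other SSNs and arrives from a flagged region, so it is clamped to zero. Reasons are returned alongside the score so an analyst can see which signal drove the result, which is the point Breitenfeld makes about knowledge-based questions being only one input.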

THE ROLE OF SOCIAL MEDIA IN IDENTITY PROOFING

Ask most people the role of social media in proving an identity and each will most likely give a different answer. At its core, a Facebook or LinkedIn profile is a level one, self-asserted identity, but groups are now looking at how this data can be used to better proof an identity. Others are even considering ways to “level up” a social credential to a higher level of assurance. LexisNexis says some of its customers are interested in seeing how social media data can be used, says Little. “We are seeing more customers who are interested in learning about or evaluating the effectiveness of non-traditional data sources, including social media and social networking data for identity proofing,” she explains. “As our physical and digital identities continue to intersect or even merge, I think we will see an increase in the need for and use of non-traditional data sources in the identity proofing process.” The problem is the self-asserted nature of this data and its potential reliability. “There have been limited published studies on the applicability of these types of attributes in fraud or risk models, and it probably requires more analysis to determine their appropriate use in identity management processes,” Little adds.

Experian is another group that is employing a wait and see approach to determine how social media data can be used to proof an identity. “At this point, that type of data still lacks enough certainty and consistent structure to warrant direct use in online identity authentication,” says Breitenfeld. “That said, we continue to look at social media data both on our own and with our clients to determine at what point social media footprints, for example, may play a weighted role in our overall identity authentication processes.”

THE FUTURE OF ONLINE PROOFING

Online identity vetting now consists of multi-layered techniques and the future will just keep adding layers. Secure video chat is one of the obvious next steps, says SAFE-BioPharma’s Secrest. He’s not sure whether that could replace face-to-face identity verification, but it’s something that is going to emerge. “The techniques will continue to evolve and we will see new methods,” he adds. As the need for strong online identities grows so too will the need for strong identity proofing. This will likely consist of different processes – public records, financial transactions, social media, etc. – so the user can apply for, receive and use a credential from the comfort of home while the issuer can have a high confidence that the user is who they claim to be.



IDENTITY & ACCESS MANAGEMENT POLICY FOR THE 21ST CENTURY

TIPS, TRICKS AND RULES FOR CREATING IAM PROTOCOLS

AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLISHING

Gone are the days when securing sensitive business information meant locking up documents in the company filing cabinet. Modern organizations are rapidly recognizing that even user names and passwords aren’t enough to limit access to networks and applications. Businesses and government agencies are struggling to figure out the best way to adapt to these changes and redefine their Identity and Access Management (IAM) policies. As mobile devices and cloud-based access gain momentum, organizations have to rethink these policies for employees who need to access business networks and apps. They also need policies for consumer and vendor access. “We’ve got 40 to 50 years of security practitioners thinking within the four-walled fortress model. Access control is not about that,” says Jeff Nigriny, CEO and president of CertiPath LLC.


In the past six to eight years, there has been a shift from all applications and IDs being safe and secure within an enterprise. Now much of that information is external in the cloud. “That changes the way you think about handling policy,” says Andrew Hindle, Director of Worldwide Technical Marketing for Ping Identity. Large enterprises are suddenly finding that the only way to protect access is by using standards and ID policies to make sure only the right people are accessing the right things at the right times, he says. Some businesses and agencies are adapting their approach to access. If someone is trying to access an app outside of business hours, an organization might ask for an additional piece of authentication, Hindle says. Given the many changes in technology, progressive enterprises are building policy and deploying tools that layer on top of existing infrastructure, Hindle says. Companies don’t want to have to rip out and replace all of their existing technology.


IT-BUSINESS DISCONNECT

Building policy around an organization’s old and new infrastructure is not a simple task. Earl Perkins, research vice president for Gartner Inc., sees a disconnect between companies’ IT departments and the managers who run business operations. It is a divide that enterprises are having to learn how to bridge. That disconnect, he says, creates a lack of awareness on the part of the business on how to create Identity and Access Management policies.

Businesses have long depended on their IT departments to provide guidance on IAM. The problem, Perkins explains, is that while IT understands the technical issues that surround implementing these policies, they don’t fully understand the business implications. At the same time, the business side doesn’t fully grasp the technical issues. For example, a business manager might want to equip one of the company’s engineers with certain access privileges, but that manager might not know how to have the conversation with IT regarding mapping and setting up those privileges. “Business and IT speak two different languages,” Perkins says.

The IT vendors who make IAM software are gradually improving their products to make them more business friendly, Perkins says. In the meantime, however, businesses have to rely on consultants and integrators to help configure and apply IAM policies and products. “As long as there’s that complexity in terms of changing business policy into tech policy and those product vendors don’t fix it, you’ll always need these consultants,” Perkins says.

TECHNOLOGY BLURS NETWORK BORDERS

Defining an enterprise’s network borders is another challenge organizations are facing when managing identity and access controls, Nigriny says. Mobile and cloud-based access has blurred the lines that define an organization’s logical boundaries. So if a company like Boeing has a wing design that it needs to share with suppliers and then with a customer, the company needs to figure out how to protect this data and trust the identities of its partners, he says. “Being able to identify the resources and requestors is easily said, but far more difficult to do,” explains Nigriny.

He insists that granting access must be based on more than name alone. Businesses need to first make sure that the person requesting access is indeed who they say they are. Next, they need to make sure that the person still works for the company. Finally they need to find out where that person is physically located, through GPS for instance. He points to the example of ExxonMobil, which doesn’t let anyone have access to its drilling maps unless that person is physically on an Exxon rig. This is one reason why more organizations are looking to identity federation to securely exchange identity information online. “The big trend is making identity portable, and making sure that a resource holder can accept identities issued by entities other than themselves,” Nigriny says.

MAPPING OUT AN IAM POLICY

Every identity policy should cover three main areas, says Judith Spencer, Policy Management Authority Chair for CertiPath. First, the organization creating the policy needs to plan the actual credentialing of the community who will need identification, whether that’s employees, customers, vendors or some other group. Second, businesses need to consider how individuals will use those credentials. Finally, you need to account for exception cases, such as when a credential is lost or left at home.

Organizations also need to tailor their access requirements to the various user communities – employees, customers or vendors – to which they will grant access, Spencer says. For example, an organization can impose more requirements on its employee community than it would on its customers because of privacy concerns. Even when dealing with employees, Spencer still believes it’s important to be cognizant of the cultural and social aspects of that community to keep an ID program running smoothly.

She recalls that prior to the U.S. federal government’s PIV credentialing program, several federal agencies were rebadging their employees. One agency had switched to smart card credentials and planned to collect fingerprints as part of the badge and issuance process. However, the agency failed to inform employees that they would be fingerprinted. Federal employees routinely provide their fingerprints as part of the hiring process, so being fingerprinted wasn’t an issue in other circumstances. In this case, however, the biometric request caused uproar amongst employees. “They didn’t understand why they needed to give a fingerprint,” Spencer says.

Spencer also points to the example of when the Canadian government tried to enable citizen access to its online resources. Users were asked to set up an ID and password to access the website. The site asked password recovery questions such as, “What is your favorite color?” and “What is your favorite vegetable?” Though this process is common for most Internet users, some residents actually became paranoid that the Canadian government was going to use this information for purposes other than identity.

PLANNING FOR THE WHAT-IFS

Organizations tend to overlook certain factors when creating IAM policies. Spencer believes it’s important to plan for exceptional cases and write those what-ifs into the policy. One such consideration is what to do when an employee shows up to work without his or her ID badge. Companies might assume that they would just send that employee home, but the reality is that this isn’t always feasible, especially in a place like Washington, D.C. where two-hour work commutes are common, Spencer says.

Spencer recently witnessed what one federal agency did when an employee forgot his badge. The agency asked him for his driver license, checked it into the system, and then gave him a temporary badge for the day. What made this situation unique, she explains, is that the agency also disabled the badge in the system until the employee showed up again with that credential. “A lot of other organizations would have given a temporary badge without disabling the actual credential. But someone else could have taken possession of the other badge,” Spencer says. “Pieces like that need to be included in identity policies.”

Another problem businesses and agencies face is that they set the bar for access too high by creating policies that they can’t meet, says Gordon Hannah, principal at Deloitte & Touche LLC. Implementing too many complex standards and safeguards can end up shutting out individuals who need to conduct high-risk, high-level functions and applications. “If you’re setting up policies that can’t be met, you’re already forcing your organization onto a noncompliant path,” Hannah says.
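The forgotten-badge procedure Spencer describes is a small piece of policy logic that is easy to get wrong in a physical access control system: a temporary badge must only be issued after an identity document has been checked, and while it is live the primary credential has to be suspended so that a badge left on a train cannot open a door. Here is an added example, written for this page and not taken from any agency or vendor, of a hypothetical credential registry that encodes that rule. All badge identifiers, the ten-hour validity period and the scenario itself are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


class PolicyError(Exception):
    """Raised when a request violates the written IAM policy."""


@dataclass
class TemporaryBadge:
    badge_id: str
    holder: str
    expires_at: datetime


@dataclass
class CredentialRegistry:
    """Hypothetical registry implementing the forgotten-badge rule from the
    article: issue a temporary badge only after an ID document check, and
    suspend the holder's primary badge until they present it again."""
    primary_badges: dict = field(default_factory=dict)   # badge_id -> holder
    suspended: set = field(default_factory=set)          # suspended primary badge_ids
    temporary: dict = field(default_factory=dict)        # badge_id -> TemporaryBadge
    issued: int = 0

    def enroll(self, holder, badge_id):
        self.primary_badges[badge_id] = holder

    def _primary_of(self, holder):
        for badge_id, owner in self.primary_badges.items():
            if owner == holder:
                return badge_id
        raise PolicyError(f"{holder} has no enrolled credential")

    def issue_temporary(self, holder, id_document_verified, now,
                        valid_for=timedelta(hours=10)):
        """Issue a same-day badge; the primary badge is disabled at the same time."""
        if not id_document_verified:
            raise PolicyError("temporary badge requires a verified ID document")
        self.suspended.add(self._primary_of(holder))
        self.issued += 1
        temp = TemporaryBadge(f"TEMP-{self.issued}", holder, now + valid_for)
        self.temporary[temp.badge_id] = temp
        return temp.badge_id

    def authorize(self, badge_id, now):
        """Access decision for a badge presented at a reader."""
        if badge_id in self.primary_badges:
            return badge_id not in self.suspended
        temp = self.temporary.get(badge_id)
        return temp is not None and now < temp.expires_at

    def present_primary(self, holder, badge_id):
        """Holder returns with the original badge: reactivate it, kill the temp."""
        if self.primary_badges.get(badge_id) != holder:
            raise PolicyError("badge does not belong to this holder")
        self.suspended.discard(badge_id)
        for temp_id in [t for t, b in self.temporary.items() if b.holder == holder]:
            del self.temporary[temp_id]


def run_scenario():
    """Walk through the article's forgotten-badge day; returns the decisions."""
    registry = CredentialRegistry()
    registry.enroll("alice", "P-100")
    morning = datetime(2013, 12, 2, 8, 0)
    decisions = {"primary_before": registry.authorize("P-100", morning)}
    try:
        registry.issue_temporary("alice", id_document_verified=False, now=morning)
        decisions["unverified_issue_refused"] = False
    except PolicyError:
        decisions["unverified_issue_refused"] = True
    temp = registry.issue_temporary("alice", id_document_verified=True, now=morning)
    decisions["primary_while_temp_live"] = registry.authorize("P-100", morning)
    decisions["temp_same_day"] = registry.authorize(temp, morning)
    decisions["temp_next_day"] = registry.authorize(temp, morning + timedelta(days=1))
    registry.present_primary("alice", "P-100")
    decisions["primary_after_return"] = registry.authorize("P-100", morning)
    decisions["temp_after_return"] = registry.authorize(temp, morning)
    return decisions


if __name__ == "__main__":
    for step, allowed in run_scenario().items():
        print(f"{step}: {allowed}")
```

The decision that matters is `primary_while_temp_live`: once the temporary badge exists, the misplaced primary badge is refused even though it was never reported lost, which is exactly the gap Spencer says most organizations leave open.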

Before the federal government started to deploy smart card technology, they relied on user names and passwords. It got to the point that passwords had to be 14 characters long with both numbers and symbols and those passwords couldn’t be used repeatedly, Hannah explains. “You have to be careful that you can enforce the policy that you establish,” he says. On the flip side, he says organizations need to create policies that hold users accountable and find ways to measure whether users are adhering to the policies.

Nigriny points to the fact that policies need quality assurance: How do you prove it’s actually working once it’s running, and how are you testing it to see whether it’s working? “We’re pretty good at doing this on the physical side, but I don’t think we’re quite as good on the logical side,” he says. He believes this is due at least in part to the fact that access is shifting away from the traditional “four-walled fortress” model. Nigriny suggests that in the modern world access is about self-protecting a resource that could be exposed to hundreds, thousands or even millions of people. “That’s a very hard problem, but it’s the one that we have to solve,” he says.


SMART CARDS STEM THE TIDE OF MEDICARE FRAUD AND ABUSE

WHY ‘AFTER-THE-FACT’ FRAUD FIGHTING IS NOT ENOUGH

NEVILLE PATTINSON, VICE PRESIDENT OF GOVERNMENT AFFAIRS AND BUSINESS DEVELOPMENT, GEMALTO NORTH AMERICA

Two years ago we asked the question: Can smart cards save the Medicare system $30 billion per year? Although there has been some success in combating Medicare fraud, we still do not have an answer to this question because implementation of a smart card program has yet to come to fruition. The idea of using smart cards to protect the Medicare system is a hot topic on Capitol Hill, however, as lawmakers continue to try and find ways to save this institution.

Medicare covered about 51 million Americans in 2012 and this number continues to rise, expected to reach 70 million by 2013. Each year, the Medicare program loses tens of billions of dollars to fraud and abuse. It is estimated that Medicare could be bankrupt as soon as 2017, leaving a huge percentage of retired Americans without access to health care.

Earlier this year, the Department of Justice and Health and Human Services announced record-breaking recoveries resulting from their joint efforts to combat health care fraud. They recovered $4.2 billion in taxpayer dollars in 2012, an increase of $1 billion from 2011. Although this number is impressive, the estimated fraud total is $100 billion, and Medicare fraud enforcement failed to investigate more than 1,200 cases over the past year due to staff shortages. To make matters worse, the Office of the Inspector General is expecting more cuts this year.

Much of the fraudulent activity slips through the cracks because the current system operates in a backwards manner. Currently, all claims are approved and reimbursed without first checking for validity. A task force then looks back through all of the claims to chase stolen or improperly obtained funds from federal health care programs. Integrating smart card technology into the Medicare infrastructure could prevent a high percentage of the fraud from happening, causing minimal loss of taxpayer dollars and eliminating the need for a task force.

At the end of 2012, I submitted testimony to the House of Representatives Energy and Commerce Committee during their hearing titled “Examining Options to Combat Health Care Waste.” The purpose of this hearing was to examine the current anti-fraud measures and to explore potential new approaches to address the substantial and ongoing threats. The Subcommittee Chairman, Rep. Joseph R. Pitts (R-Pa.), opened the hearing by calling for mechanisms that would prevent fraudulent payments from being made in the first place, thus reducing problems that arise due to the current system of pay first and chase fraud after the fact. This point speaks directly to my testimony, which highlighted the benefits an upfront investment in smart cards can provide. Using smart cards and PINs for both providers and patients could rapidly decrease the ability for criminals to fraudulently bill Medicare by falsely posing as a medical provider or patient.

The battle over how to fight Medicare fraud has been taken a step further by Rep. Jim Gerlach, sponsor of the Medicare Common Access Card Act of 2013, which would establish a smart card pilot program for Medicare. The bill cites increased quality of care; improved accuracy and efficiency of billing; reduced potential for identity theft; reduced waste, fraud and abuse of the Medicare system; and the ability to evaluate the efficiency of patient matching as key areas that could be improved through the use of smart cards. The Common Access Card pilot would take place in five geographic areas that are seen as high risk for waste, fraud and abuse. The initial program will last six months, after which a report will be submitted to Congress describing the design and development of the pilot. After one year, based on the initial success, the program could then be expanded in both duration and scope.

If this pilot program moves through its congressional committee and gets approved, I believe that it will prove the benefit of smart cards to Medicare fraud prevention and encourage Congress to make plans to take the program nationwide. Smart cards could cut off fraudulent claims by providing strong, modernized verification of the cardholder at the outset of the health care visit.



MOTOROLA ‘SKIPS’ THE UNLOCKING PROCESS WITH NFC

Securing access to mobile devices has become more important and handset manufacturers are taking different steps to ease the process. Apple made headlines with inclusion of a fingerprint scanner that can be used to access the device and make purchases in the App Store. Less publicized was Motorola Mobility’s unveiling of Skip, an NFC-enabled clip that can be used to unlock the company’s new flagship device, the Moto X. The Skip device is thus far only reported to work with the Moto X – the first Motorola device to fall under Google ownership – but Google’s support of NFC smart phones suggests it could have a future with other handsets.

Skip simplifies the process of unlocking your handset. With a quick touch of the Skip to the back of your Moto X, the phone bypasses the lock screen altogether and takes the user directly to their home screen. Setup is also simple and requires the user to first activate NFC in the Moto X’s settings menu. Next the setup app is downloaded from the Google Play store and finally the Skip device is tapped to pair it with the handset. Following the initial setup, Skip becomes a custom key fob, capable of interacting with that specific Moto X device via the NFC sensor housed beneath the phone’s back panel. The Skip device is roughly the size of a thumb. Its felt-covered design makes it easy to attach the clip to clothing, fastening it in place with a small but powerful magnet.


It ships with three NFC-enabled stickers that can also be paired with the Moto X. These stickers, dubbed Skip Dots, are meant to be placed in areas that are frequented by the user – the dashboard of a car, bedside table, purse or office desk. Skip does not act as a straight replacement for a pattern or PIN, but rather as a bypass of a pattern or PIN for those times when the user feels so inclined to save some time. While maintaining the pattern and PIN methods is important, and necessary, it could actually be a kiss of death for the Skip device. The folks at Pocket-Lint go on to explain that every time the user wakes their device, they are first prompted to enter their pass code on the screen, meaning Skip’s effectiveness really boils down to remembering to use it in the first place. To this point Skip may be a novel feature on an otherwise extremely advanced device. For a limited time, Skip will be bundled with all custom orders of the Moto X free of charge. Those not interested in applying a custom paint job to their Moto X, however, will have to pay $20 for a Skip – a price that may deter some consumers.

At the end of the day, Skip is yet another use for NFC technology that could make life a little easier and more convenient. The Moto X and a generation of equipped smart phones are striving to find ways to leverage NFC en route to a new level of user experience. If nothing else, Skip serves as a reminder of this trend.





BIONYM TAPS INTO THE HEARTBEAT OF BIOMETRIC MARKET

ANDREW HUDSON, CONTRIBUTING EDITOR, AVISIAN PUBLISHING

Fingerprints, facial recognition and iris scans have long dominated the biometric landscape, but Canada-based Bionym has developed an authentication device that moves to a different beat. The company is marketing a wristband called Nymi – pronounced Nim-Me – that leverages the wearer’s electrocardiogram (ECG) as a unique identifier. ECG-enabled authentication is relatively unknown, but as Bionym CEO Karl Martin explains, the biometric modality has been the subject of academic study for many years. “The uniqueness and permanence of the human ECG as a biometric identifier has been an established idea in the research community,” says Martin. “In a nutshell, we look at the overall shape of the ECG wave and apply machine learning to extract the unique and permanent features.”

Martin and his associates at Bionym have conducted research on ECG, testing more than 1,000 subjects at the University of Toronto. The study showed the accuracy may be greater than that of face recognition and competitive with high-end fingerprint systems, explains Martin. But will the solution work when heart rates are elevated or racing?



The scenario: You’re walking home, minding your own business, when an attacker attempts to rob you. You break free and make a beeline for your front door – which you access using your ECG-enabled biometric wristband. Will it still work with your newly elevated heart rate? Absolutely, explains Martin, because ECG is not affected by heart rate. Granted, this is a rather far-fetched scenario, but the answer is comforting. “If you’re already wearing your Nymi, you can rest assured that it would remain in an authenticated state no matter how fast you’re running,” he says.

HOW IT WORKS

“We use the ECG recognition as one of three factors,” explains Martin. “The other two factors are the possession of your particular wristband and the possession of a phone, tablet or computer that was registered to be used during the authentication process.” The accompanying mobile app plays a key role in the system’s convenience and security. It is compatible with major mobile and computer operating systems including Android, iOS, Windows and Mac.

After installing the app to a tablet, computer or smart phone, the user puts the wristband on and touches the device with the opposite hand for several seconds. This action initiates the enrollment process using Bluetooth to transmit the ECG to the app. From then on, the app conducts the authentication. When the user puts on the wristband, it is in the unauthenticated state so no access transactions would be granted. To switch it to its authenticated state, the app is enabled and a biometric match is conducted by comparing the user’s actual ECG template with the enrolled version stored in the app. “The process takes only a few seconds, and once positively authenticated, it will transmit a signal back to the Nymi device to put it into the authenticated state,” says Martin.

At this point the wristband is completely independent, no longer needing a smart phone or tablet to operate. It runs independently, maintaining its authenticated state until the wristband is removed from the user’s wrist. Removal disrupts the ECG reading and returns the wristband to the unauthenticated state. The wristband’s battery currently lasts about a week and is charged via standard USB. This means that, if not removed, it could remain in the authenticated state for a full week.

CONVENIENCE

Martin describes Nymi as a discreet but stylish wristband that the user can forget about. “You put it on at the start of your day, touch the device for a few seconds to activate it and go about the rest of your day,” he says. As Martin jokingly explains, it’s a concept that follows the old adage of inventor and infomercial guru Ron Popeil: Set it and forget it. “Nymi sort of blends into the background, no longer leaving the user to think about where their authenticated identity is being used,” says Martin. Convenience is an aspect of the biometrics equation that Martin believes the market is yet to achieve, and so Bionym is focused on user experience. “The Holy Grail that nobody has seemed to do yet is convenience plus security, not convenience versus security,” says Martin.

Bionym is focusing its efforts on the developer community in an effort to grow organically. “We’ll have our own apps for each platform, but we will also have SDKs for each of the platforms as well,” reveals Martin. “Our launch is very much focused on getting developers engaged – from solo developers to major companies.”

AT THE FLICK OF A WRIST …

Nymi also houses a motion sensor that can enable task-specific gesture commands. “Developers can have access to the raw data to create additional commands, but Nymi will ship with a small set of gestures that the user can use for context-dependent actions,” says Martin. “If integrated with the user’s vehicle, for example, one motion could be used to unlock the driver’s side door, while another motion would unlock the trunk.” The aspect of gesture commands can be context-dependent. “The idea is that the wristband is not just about the user’s identity, but what the user wants to do with their identity,” explains Martin. “In the case of a physical lock, you may not want it to lock every time you walk by, but rather choose through a specific motion to control when the door locks or unlocks.”

SECURITY

By attaching three factors to the user’s identity – ECG biometric, the wristband and the phone or tablet used for the authentication – Martin says hacking the system is highly unlikely. “The hacker would have to steal the wristband, steal the smart phone or tablet with the accompanying app and then spoof the ECG biometric,” he says.



INSTEAD OF BEING AUTHENTICATED ONCE – AS IS TYPICAL WITH PASSWORD, PIN OR BIOMETRIC AUTHENTICATION SOLUTIONS – NYMI ENABLES A USER TO BE CONSTANTLY AUTHENTICATED.

Also key to Nymi’s security is a hardware-based security element embedded within the wristband itself that conducts cryptographic functions and also stores keys – a utility that as Martin explains, provides two main benefits. “First, all the data that comes out of the wristband is securely signed so it can’t be spoofed,” explains Martin. “This function is coming from the hardware itself, not software that can be compromised. The wristband is digitally signing all the data.” Second, the device is also encrypting the data, which according to Martin, means that a third party cannot track the wearer without their express consent. “The big concerns here are, of course, privacy, broadcasting your identity and being tracked,” says Martin. “The data coming out features strong encryption and requires the user to opt in to share data with third parties.”
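The HOW IT WORKS and SECURITY sections above describe a small protocol: the app holds the enrolled ECG template, matches a live reading transmitted from the band, sends a signal that flips the band into its authenticated state, and from then on the band signs everything it emits with a key held in its secure element until removal resets it. The example below, written for this page and not Bionym's code or SDK, models that flow end to end so the three factors can be seen separately: the ECG match (a constructed shape comparison standing in for Bionym's machine-learned features), possession of the band (the signing key), and possession of the registered device (only the registered app ID may set the state). The beat shapes, the 0.15 matching threshold, the HMAC stand-in for hardware signing and the device names are all constructed assumptions.

```python
import hashlib
import hmac
import json


def normalise(samples):
    """Scale a beat window to unit peak so amplitude (and, per the article,
    heart rate) does not affect the shape comparison."""
    peak = max(abs(v) for v in samples) or 1.0
    return [v / peak for v in samples]


def ecg_match(template, live, threshold=0.15):
    """Mean absolute difference between two normalised beat shapes.
    The threshold is an illustrative stand-in for a learned classifier."""
    a, b = normalise(template), normalise(live)
    if len(a) != len(b):
        return False
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a) <= threshold


class Wristband:
    """Model of the band: holds a device key (standing in for the secure
    element), a registered companion device, and the authenticated state."""

    def __init__(self, device_id, device_key, registered_app_id):
        self.device_id = device_id
        self._key = device_key
        self.registered_app_id = registered_app_id
        self.worn, self._live, self.state = False, None, "unauthenticated"

    def put_on(self, live_samples):           # donning always starts unauthenticated
        self.worn, self._live, self.state = True, list(live_samples), "unauthenticated"

    def remove(self):                          # removal breaks the ECG and resets state
        self.worn, self._live, self.state = False, None, "unauthenticated"

    def read_ecg(self):                        # what the band streams to the app
        return list(self._live) if self.worn else None

    def set_authenticated(self, app_id):       # third factor: registered device only
        if self.worn and app_id == self.registered_app_id:
            self.state = "authenticated"
        return self.state == "authenticated"

    def emit(self, payload):                   # every outgoing message is signed
        body = {"device": self.device_id, "state": self.state, "payload": payload}
        encoded = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "sig": hmac.new(self._key, encoded, hashlib.sha256).hexdigest()}


def verify_message(msg, device_key):
    """Relying party check: valid signature and band in the authenticated state."""
    encoded = json.dumps(msg["body"], sort_keys=True).encode()
    expected = hmac.new(device_key, encoded, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["sig"]) and msg["body"]["state"] == "authenticated"


class CompanionApp:
    def __init__(self, app_id):
        self.app_id, self.template = app_id, None

    def enroll(self, band):
        self.template = band.read_ecg()
        return self.template is not None

    def authenticate(self, band):
        live = band.read_ecg()
        if live is None or self.template is None or not ecg_match(self.template, live):
            return False
        return band.set_authenticated(self.app_id)


# Constructed beat shapes (not real ECG data).
OWNER_BEAT = [0.0, 0.1, 0.2, 1.0, -0.3, 0.1, 0.0, 0.0]
OWNER_BEAT_NOISY = [0.01, 0.12, 0.18, 0.98, -0.31, 0.09, 0.02, -0.01]
IMPOSTOR_BEAT = [0.0, 0.5, 1.0, 0.5, 0.0, 0.0, 0.0, 0.0]


def run_scenario():
    """Enroll, authenticate, emit a signed message, then exercise the failure cases."""
    key = b"constructed-device-key"
    band = Wristband("nymi-001", key, registered_app_id="phone-A")
    app = CompanionApp("phone-A")
    band.put_on(OWNER_BEAT); app.enroll(band); band.remove()
    band.put_on(OWNER_BEAT_NOISY)
    results = {"auth_ok": app.authenticate(band), "state": band.state}
    msg = band.emit({"action": "unlock-door"})
    tampered = {"body": dict(msg["body"], payload={"action": "unlock-safe"}), "sig": msg["sig"]}
    results["genuine_verifies"] = verify_message(msg, key)
    results["tampered_verifies"] = verify_message(tampered, key)
    band.remove()
    results["state_after_removal"] = band.state
    band.put_on(IMPOSTOR_BEAT)
    results["impostor_ok"] = app.authenticate(band)
    other_app = CompanionApp("phone-B"); other_app.template = app.template
    band.put_on(OWNER_BEAT_NOISY)
    results["unregistered_app_ok"] = other_app.authenticate(band)
    return results


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

The scenario shows the properties Martin lists: a noisy reading of the owner's beat authenticates, a different beat shape does not, a copy of the template on an unregistered phone cannot flip the state, a message altered in transit fails signature verification, and removing the band drops it back to unauthenticated. Note that nothing in this model expires the authenticated state on its own; as the article says, an undisturbed band stays authenticated until removal or until the battery gives out.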


CHANGING THE NATURE OF AUTHENTICATION, MORE THAN THE MODALITY

One of the unique features is the one-time authentication process that leaves the wristband in a constantly authenticated state. “We’re not looking to simply replace password and PINs with biometrics,” explains Martin. “The way the world works today – whether password, PIN or biometric – you authenticate your identity at the time of need, when trying to gain physical access at a door, logical access to a desktop, etc.” Every time a user needs that authenticated identity, they provide that credential at that time. This really displays how the solution differs from other biometric offerings.

Martin is skeptical of initiatives like Apple’s new fingerprint sensor-enabled iPhone, questioning whether the user actually gains substantial benefit. “It’s only reducing their friction a little bit over the current method because, as you can imagine, the iPhone user provides a fingerprint to unlock the phone, but also has to provide that print again to make a digital payment,” explains Martin. The point here is that the password/PIN, along with more traditional biometric modalities, still require the user to input their credential every time they want to use their identity. “Simply going from passwords to biometrics is not improving people’s lives much,” says Martin. “What we’re doing is putting the authenticated identity onto the body, which requires the user to take only one action when putting Nymi on. We’re separating the authentication process from the access or time of identity use.”


HOW DOES AGING AFFECT BIOMETRICS?

INITIAL STUDIES SUGGEST IRIS MAY BE GOOD FOR A DECADE OR MORE

To truly get a picture of how age progression impacts biometrics, researchers need operational data from systems. Lab tests just won’t cut it. The problem is that the vast majority of biometric systems haven’t been deployed for long enough to really evaluate the toll that time takes. “There’s no way to fake it, you need aged data,” says Patrick Grother, a computer scientist and Biometric Testing Project leader at the National Institute of Standards and Technology. Even the popular fingerprint modality hasn’t been adequately tested for aging to know how time impacts the systems.

NIST has embarked on a range of studies examining the different biometric modalities and the impact of time, Grother says. The group released its first study, examining the stability of iris biometrics over an eight-year span. Researchers examined anonymous data from millions of transactions from NEXUS, a joint Canadian and American expedited border crossing program used by travelers to move quickly across the Canadian border. As part of NEXUS, members’ irises are enrolled into the system, scanned and then matched to system files when they travel across the border. NIST researchers also examined a larger, but less controlled set of anonymous statistics collected over a six-year period.

In both large-population studies, NIST researchers found no evidence of a widespread aging effect, said Grother. A NIST computer model estimates that iris recognition of average people will typically be useable for decades after the initial enrollment. “We used a mixed effects regression model to capture population-wide aging and individual-specific aging as well as to estimate the aging rate over decades,” said Grother. “We hope these methods will be applicable to other biometric aging studies – such as face aging – because of their ability to represent variation across individuals who use a biometric system infrequently.”

A previous study had suggested that iris did not remain stable with age, reporting an increase in false rejection rates over time. NIST researchers reanalyzed the images from the earlier study’s 217 subjects. They found that while the rejection numbers were high, the results did not necessarily demonstrate that the iris itself was changing. Researchers instead identified pupil dilation as the primary cause for the false rejections. NIST researchers showed that due to an unknown external cause, dilation in the original pool of subjects increased in the second year of the test and decreased the next. When they accounted for the dilation changes, researchers didn’t observe an aging effect.

NIST is planning to do age comparison studies with other modalities as well, Grother says. The agency is hoping to look at facial recognition and the impact of aging. “It’s clear that teenagers’ appearances change more rapidly than adults, but what about when people get into their 20s and 30s?” he asks. “We need to look at that data.”


Winter 2013

37


BIOMETRICS CHANGING IPHONE AUTHENTICATION

The inclusion of a fingerprint scanner on Apple’s latest iPhone was one of the worst-kept secrets leading up to the device’s September launch event. Rumors had been circulating on gadget blogs for months about the likely biometric inclusion. So to affirm what the world already knew, the computing giant made the iPhone’s biometric utility official, and while Apple might not be the first handset manufacturer to include a fingerprint scanner, it will almost certainly have the biggest impact.

THE FACTS

Rather than inputting a numerical PIN, the new iPhone 5S enables users to simply place their finger or thumb on the home button to wake the device. In addition to activating the device, the fingerprint sensor will also be used to approve purchases on the iTunes, App and iBooks Stores, eliminating the need to enter a password. Touch ID, as it is called, supports 360-degree fingerprint readability, meaning the orientation of the applied fingerprint doesn’t matter. The system enables the iPhone’s owner to add multiple fingerprints, even enabling the enrollment of other trusted individuals. The fingerprint template is stored on a secure element on the iPhone itself and never leaves the device. Use of the fingerprint scanner is optional so users can opt for a PIN or forgo security features altogether if they so choose.

REACTION

Still, Twitter and other online venues were rife with fears that Apple would be sending fingerprint data to the National Security Agency. There was also a common concern regarding fingerprint biometrics and the criminal stigma associated with the modality. While Apple stated that the fingerprint template would be encrypted and never leave the device, fears of compromised fingerprint images proliferated on social networks. “People don’t understand how this technology works,” says Phillip Dunkelberger, CEO at Nok Nok Labs. “The scanner doesn’t take a picture, it essentially maps it, encrypts and then encrypts it again in the hardware.” Consumers need to be educated on how these systems work so they understand how they can improve privacy, Dunkelberger says. The gummy finger has also been brought up as a security vulnerability. More than a decade ago, Japanese researchers were able to replicate fingerprints and use them to spoof fingerprint scanners. While some fingerprint scanners are designed to test liveness, this is still a vulnerability of many readers. The exact details and specifications of Apple’s scanners weren’t released, but AuthenTec – the biometric company Apple bought and whose technology is almost certainly being used to power the scanner – did have some anti-spoofing technology in place, says Walter Hamilton, senior consultant at Identification Technology Partners and vice chair of the International Biometrics & Identification Association. “AuthenTec had implemented some fake finger counter measures in their commercial fingerprint sensor products some time ago,” Hamilton explains. “They measured the electric field emitted by living human skin so that a plastic or other inert material molded from someone’s fingerprint lifted from a glass wouldn’t work.” That said, no security system is foolproof and because of the high-profile nature of the iPhone 5S, it was spoofed quickly after release, says Bryan Ichikawa, senior manager in Enterprise Risk Services at Deloitte and Touche. Lifting a latent print and recreating a finger can be difficult, but using it to fool a device is not, he explains. “If you’re going through a security checkpoint with a guard and trying to use a fake finger it’s obvious,” Ichikawa explains. “But if you’re using it to access a device it’s fairly easy.” The iPhone 5S was spoofed within 48 hours of release and a YouTube video was online. Apple has not responded and Ichikawa has concerns about the long-term impact. “I’m worried this is going to give biometrics a black eye.” The old adage when it comes to security technology is that with enough time and money any system can be hacked, an idea that applies to Touch ID as well. “No security system is ever 100% foolproof,” Hamilton says. “It’s more realistic to phrase the question another way: Is the fingerprint sensor more secure than a simple password? I think that the answer to that question is a resounding yes.” PINs and passwords are easy to exploit and can be acquired by social engineering attacks, shoulder surfing or a number of other methods. In order to compromise a biometric sensor, the data has to be retrieved, replicated and then entered, none of which are as simple as entering a user name and password. “This is much more difficult than entering a stolen PIN or password and assumes that the sensor has no liveness detection countermeasure capability,” Hamilton adds. There is also the user convenience factor. Touching a finger to a mobile device is far easier than typing a complex password. “Complex passwords or multi-factor challenge and response carry significant negative impacts to user convenience, and users will simply avoid them,” Hamilton says.

Apple’s Touch ID spoofed

Who had 48 hours in the Touch ID spoof pool? Come on up and claim your prize. Two days after the iPhone 5S was released the Chaos Computer Club in Germany successfully spoofed the Touch ID fingerprint scanner. This surprised exactly no one. With the popularity of the iPhone and the introduction of the fingerprint scanner there was a target painted on the new handset from the moment it was announced. It’s also not a secret that fingerprint scanners can be spoofed – or fooled – using a number of different techniques. The Chaos Computer Club described the process here: “First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.” The process, while not simple, is also not that difficult, says Bryan Ichikawa, senior manager in Enterprise Risk Services at Deloitte and Touche. The Chaos Computer Club will be but the first to perform this spoof, with more to come. “I suspect there will be a whole new cadre of skilled fingerprint spoofers in the very near future,” he explains. “And I’m sure there will be new techniques that simplify the process very soon.” Apple hasn’t responded to the spoof.

Fingerprint limited to App store

Apple’s iPhone 5S fingerprint announcement is certainly an important development for the biometrics industry. A downside at this point is that the scanner can only be used for access to the device or to confirm purchases in Apple’s App Store. Opening up the Touch ID application programming interface to other apps would make it possible for secure login to banking, social networking and other apps. This also could be done in a privacy enhancing way so that the other apps don’t have access to the user’s actual fingerprint image. “It would be fantastic if Apple would enable third parties to utilize the sensor as a second factor of authentication,” says Richard Henderson, security strategist and threat researcher for Fortinet’s FortiGuard Labs. “Want to use your company’s VPN? Please enter your password and place your finger on the sensor. The additional security to mobile apps like banking, Facebook, Twitter and the like would be a no-brainer as well.” Apple declined to comment on whether the API for Touch ID would be made available.



BREAKING DOWN VOICE BIOMETRICS ANDREW HUDSON, CONTRIBUTING EDITOR, AVISIAN PUBLISHING

It is a common misconception that voice biometrics and voice recognition are one and the same. Recognition, however, lacks the biometric component. This confusion and the fragmented terminology used to characterize the technology are responsible for at least part of the apprehension that surrounds voice biometrics. “Voice recognition, to me, means talk and type – I say a sentence and the computer types that sentence,” says Walter Hamilton, executive director and vice chair of the International Biometrics & Identification Association. “The computer doesn’t know who I am, it just knows what I’m saying.” Hamilton is among those who see promise in voice biometrics, noting that if the pros and cons of voice can be navigated effectively, it could have a very big future. Voice recognition is a common component in everything from PCs to smart phones. It is the addition of a voiceprint – an enrolled voice sample to be used as a verification factor – that gives rise to voice biometrics. “Voice biometrics, more formally known as speaker recognition, answers the question ‘who is speaking?’ rather than ‘what are they saying?’” says Hamilton. “Voice biometrics is not voice or speech recognition, it is figuring out whether the person’s utterance matches their known, registered voiceprint.” Voiceprints are the biometric reference that an individual can use to verbally claim their identity by matching against a known sample for that identity. “It is a one-to-one verification,” explains Hamilton, “typically used for access to a computer, physical access to a building or to conduct a telephonic transaction with a financial institution.” But voiceprints can also be used for surveillance. “The other implementation of voice biometrics involves no presumption or claim of identity,” says Hamilton. “Instead, this scenario uses an utterance and attempts to find a match from a previously unregistered voiceprint.” This implementation, currently used in law enforcement and military intelligence, can be used to monitor electronic communications and determine if the captured voices belong to wanted criminals or those on a watch list, Hamilton explains. The more commercially understood use of voice biometrics uses telephony. A familiar scenario is calling a financial institution and speaking a passphrase or account number to authenticate. “This requires an enrollment process that establishes a voiceprint for each user and can then be used to verify identity at the time of transaction,” explains Hamilton. “The matching of an utterance and passphrase takes place on the bank side.”

NUANCE’S SUBTLE TOUCH

Exemplifying voice biometrics’ rise in popularity is Nuance Communications. The number of individuals using the company’s voice solutions has jumped from 10 million to 32 million in the past two years and more than 300 organizations use Nuance voice biometric solutions today. This roster includes enterprises like Barclays, TD, T-Mobile and Vodafone as well as a number of government organizations. The increase in number is due to voice biometrics being deployed in smart phone apps and away from traditional telephony, says Bretislav Beranek, senior principal solutions marketing manager at Nuance. Nuance maintains three distinct biometric algorithms, each offering a different user experience. The company’s text-dependent voice biometric is used to authenticate an individual with a predefined passphrase. The passphrase can be common to all users in a system or unique to each individual, e.g. a phone number or account number, Beranek explains. “To create a voiceprint, the user is asked to speak their passphrase three times and for verification, the user is asked to speak the passphrase just once.” The second of Nuance’s algorithms is text-prompted and is used to authenticate an individual with a random passphrase. “For example, the user could be asked to speak a random set of digits, a set of letters, a set of words or a combination of any of these,” explains Beranek. Hamilton believes that the third of Nuance’s algorithms is the one that is likely to be most attractive from a user’s perspective. The company’s text-independent algorithm is used to authenticate an individual during a conversation, eliminating the need for a canned passphrase. “Once you establish voice communication with your financial advisor, guess what, they have a voiceprint from your previous call in which a high level of confidence was already established,” explains Hamilton. “Now you can engage in casual conversation with your financial advisor who is flagged on the computer screen as to whether there is high or low confidence in the identity claimed on the call.” Dubbed FreeSpeech, it’s a solution that Beranek feels is as fast as it is effective. “FreeSpeech delivers authentication capabilities direct to the contact center during a live conversation between a caller and an agent,” explains Beranek. “It analyzes the caller’s voice to determine their identity, requiring just 10 to 20 seconds of speech to accurately identify an individual.” FreeSpeech improves the experience for both the user and enterprise. On the enterprise side, Nuance’s voice biometric solutions promise to deliver operational savings, increased automation rates and fewer cases of fraud. It’s the user experience, however, that is likely to impress. “The user can authenticate to systems without the need to remember a password, PIN or security question and they aren’t required to carry a token or card,” explains Beranek. As Beranek explains, Nuance is using voice biometrics to analyze more than 100 unique characteristics of a person’s voice, including physical characteristics such as the shape and size of their vocal tract as well as behavioral characteristics such as rhythm of speech and accent. “The combination of these characteristics makes every human’s voice unique, much like the unique ridges of a fingerprint,” he explains.

OTHER INNOVATIONS IN VOICE

Another company helping chart the future of voice biometrics is U.K.-based VoiceVault. The biometric vendor offers a voice recognition system that places a premium on the mobile environment. VoiceVault’s platform is a software-based solution that can either be vendor hosted or on-premise, says Julia Webb, VoiceVault’s vice president of sales and marketing. VoiceVault provides voice solutions to a number of financial institutions in the U.S. and the U.K., including an unspecified top-three global U.S. financial institution as well as the UK branch of a U.S. based stock trading company. In addition, VoiceVault has seen a number of health insurance companies adopt its voice biometrics as well, a list that includes WellPoint/Anthem, Aetna, Blue Cross Blue Shield of Kansas City, and phone-based clinical documentation service Dial-n-Document. VoiceVault needs just 10 seconds of enrollment audio and less than five seconds of verification audio for operation. First, VoiceVault maintains an identity verification solution to ensure that users are who they claim to be. “Voice biometric identity verification involves a person providing their claimed identity, which might for example be an account number, and a sample of their voice,” says Webb. “This voice sample is then compared to the enrollment voice model associated with their claimed identity. It is a process that requires less than five seconds of actual speech and is applicable for both call centers and mobile device authentication.” The second of VoiceVault’s offerings is a voice e-signature solution that, as Webb explains, provides a “speak on the dotted line” capability to landline as well as Android and iOS phone-based transactions. “It enables the implementation of legally binding transaction authorization applications where your voice is used to perform an e-signature,” says Webb. VoiceVault also provides an out-of-band authentication process. “Its primary function is to confirm that the transaction details originated with the user,” explains Webb. “Our voice biometric solution is phone-based and uses either an out-of-band call to a user’s registered phone number or an Android or iOS app. In this instance, the phone line or app is regarded as one of the trusted parts of the multi-factor authentication process, and the voice biometric element adds yet another factor.”

THE PROS AND CONS OF VOICE

A disadvantage associated with voice biometrics is that it may be impacted by extraneous background noise, for example on a noisy street, on a plane or on public transportation. Utterances are not as pristine as they would be in a quiet room or office.

Robust voice biometric solutions need to implement software and algorithms complete with countermeasures to account for background noise. The fear of an eavesdropper catching wind of your passphrase, however, is minimal. Voiceprints only work with the enrolled user, so a passphrase doesn’t need to be a secret as a password or PIN would. The danger associated with spoofing voice comes in the form of recording attacks. “Someone could, in theory, obtain a high-quality recording of you speaking your passphrase and use that to hack your accounts,” says Hamilton. There are known countermeasures in place to account for such attacks. One such countermeasure is to employ Nuance’s method that eliminates the passphrase altogether. Another countermeasure that can be used in those scenarios requiring passphrases sees a user set up multiple passphrases at the time of enrollment. Using this method, the user would be prompted on screen to speak a randomly chosen enrolled passphrase at the time of transaction, so a single recorded passphrase is of little use to a replay attacker.

COMPARING VOICE TO FINGERPRINT

“Fingerprint is more convenient, unobtrusive and depending on how smart phone manufacturers design their instruments the sensor can be hidden beyond recognition,” says Hamilton. “Fingerprint, however, is primarily a local authentication function.” The advantage that voice biometrics has over fingerprint is that it takes place on the authenticator’s side, giving enterprises more power and assurance when conducting transactions. “If I want to remotely conduct a transaction with my bank in New York from my mobile phone, they don’t know about my fingerprint and they don’t have it on file,” explains Hamilton. “Even if they did, I’m not sure that my bank would trust the device – they would likely trust an utterance more than an unknown hardware sensor in a mobile device.” “For external transactions, voice biometrics seems much more appropriate, particularly from an infrastructure perspective,” says Hamilton. Hamilton also believes that voice biometrics make more sense for cloud-based authentication. “Logistically speaking, I would think that voice would be preferable to fingerprint because the enterprise can use their own voiceprint algorithm – not your device’s algorithm – and are only dealing with raw sample .wav files.” It is for this reason that Hamilton and others see promise in voice biometrics, but ultimately he sums up the difference between the modalities by stating, “Voiceprint trumps fingerprint for the cloud, but fingerprint trumps voiceprint for the device.”



BIOMETRICS LETS NEW GUINEA CLINIC MANAGE SERVICES, MEDICAL RECORDS KATHLEEN ERICKSON, VP OF BUSINESS DEVELOPMENT, FULCRUM BIOMETRICS

When a medical clinic based in Papua New Guinea was tasked with the challenge of accurately identifying repeat patients, biometrics turned out to be the ideal solution. In a culture where name changes are frequent and people often have no form of ID, the clinic found biometrics could provide a reliable form of identification for its patients. Fulcrum Biometrics worked with the New Tribes Mission Medical Clinic to create a customized application that enables the clinic to accurately identify people who come for services and ensure that their medical records are properly documented and updated. The system, based on Fulcrum’s FbF Demographica application, uses fingerprints for identification and facial recognition for additional confirmation. Founded in 1994 in Papua New Guinea, the New Tribes Mission Medical Clinic serves several thousand local citizens along with roughly 1,000 missionaries and other expatriates living in the area. In a country that is known for having a limited and highly fragmented health care system, the clinic provides vital medical care through office visits and minor procedures as well as laboratory, radiology, sonography and pharmacy services. Since its inception, the New Tribes Mission clinic had struggled to keep accurate medical records for the local citizens. Papua New Guinea has at least 840 different indigenous languages among a population of 6.4 million. Many of New Tribes Mission’s patients have no form of identification and are unable to read, write or sign their names. In addition, individuals often change their names and it isn’t uncommon for multiple family members to have the same name. This posed some serious issues for both delivery of care and for medical record keeping, as personnel risked misidentifying patients and mixing up medical histories. The FbF Demographica biometric identification system provides a quick, accurate and easy way to register patients and ensure that medical records are associated with the proper identity, even if there is a name change. Fast, accurate biometric identification helps staff spend more time with patients and feel confident that records are properly assigned and tracked over time. As many local residents have no official form of ID, in the past, each time an individual came into the clinic, he or she was required to provide a name or family name along with other basic information that would help establish that patient’s identity for the creation and maintenance of accurate records. Filling out and signing lengthy medical forms was problematic for patients who could not read or write, so clinic staff were required to conduct lengthy interviews just to establish a person’s identity and determine if they had received services in the past. With the FbF Demographica-based identification solution, each time a new individual comes into the clinic the patient is registered in the system with demographic data as well as four fingerprint scans and a photo. This identification information is permanently attached to the patient’s medical records. On each subsequent visit to the clinic, the patient signs in by scanning four fingerprints. The system then pulls up the patient’s identification record with the patient’s photograph and the receptionist verifies that the right person has been identified by the system. Simply put, biometrics gives peace of mind. The new system is much easier and less stressful for the patients to use, and it has been well received by both staff and the local population. Not only has the system reduced the time required to ensure accurate identification of patients, but in so doing, it has also provided peace of mind for both patients and the health care professionals who serve them. Clinic personnel can rest assured that no matter what name the patient is using, the patient’s medical records are accurately tied to his or her unique, personal identity through biometrics.

HOW IT WORKS

The application is browser-based and operates on a standard desktop PC running a Windows OS. A Logitech Web camera is used to capture face images and a Lumidigm M-Series multi-spectral fingerprint reader is used for capturing and identifying fingerprints. As many local residents live and work in challenging physical conditions, their fingerprints can become damaged or worn over time. The Lumidigm M-Series is particularly useful in scanning difficult-to-read fingerprints because it reads not only the surface print, but the subsurface print as well. Although biometric identification currently takes place using only finger scans – with pictures used solely for confirmation – the flexibility inherent in the Fulcrum Biometric Framework provides New Tribes with the option to implement a full multi-biometric system in the future.

The biometric framework seamlessly blends customization and easy hardware integration.



DIGITAL ID STANDARDS

Digital identity is becoming increasingly important as enterprises strive to protect and control access to online resources. A series of maturing standards is helping make identity management and single sign-on a reality for organizations deploying systems. As 2013 comes to a close re:ID looked at four different identity standards and the roles they play in helping the enterprise create an identity ecosystem.

Standards highlighted:

OAuth 2.0 defines authentication, authorization and policy architecture for Web servers, mobile applications and devices attempting to communicate with the cloud.

XACML enables enterprises to have a central access policy definition.

SAML 2.0 specifies how to represent identity information and pass it between interested parties.

SCIM creates a uniform provisioning interface for SaaS and cloud applications.


SAML 2.0: THE UNIVERSAL ID SOLVENT PAT PATTERSON, PRINCIPAL DEVELOPER EVANGELIST, SALESFORCE.COM

It’s a familiar scene: sitting in front of a web page with two input fields, user name and password, racking your brain to dredge up the magic combination that will grant access to the web site for your bank, a social network, or your company’s health care provider. Sometimes, though, you see an out – a button that says “Login with Facebook, Google or Twitter” – or you click a link on an intranet page at your company and are taken straight to your health care benefits page, without having to authenticate. You breathe a sigh of relief, but have you ever wondered what’s happening under the covers, and how you might apply the same magic yourself? Welcome to the world of single sign-on. There are several protocols that enable web sites like Google, Facebook, and even your own employer, to assert their users’ identities to sites like Quora, Workday or Concur. The big Internet service providers are gathering around a specification called OpenID Connect, but in the enterprise world, the Security Assertion Markup Language version 2.0, or SAML (pronounced SAM-ul) for short, rules the roost. SAML 2.0, ratified as an OASIS Standard in March 2005, comprises a number of specification documents that comprehensively define how to represent identity information and pass it between interested parties. First, a bit of necessary jargon: a subject logs in to an identity provider, which asserts the user’s identity to one or more service providers. In the enterprise case, the identity provider might be a software product deployed on-premise, such as ForgeRock OpenAM, or an online service, such as Salesforce Identity. The service provider, meanwhile, could be an online service such as Workday or Concur, or even an intranet site, such as the enterprise’s payroll department. So, how does the identity provider “assert” the subject’s identity? The SAML 2.0 Web Browser SSO Profile defines a number of related mechanisms for passing the information between the providers. Here’s one of the most common: using Salesforce Identity as the identity provider and Workday as the service provider. You (the subject) try to access Workday, via a URL specific to your company. Workday receives your request, sees that you’re not currently logged in (since your browser didn’t present a session cookie with the request), looks up the URL for the identity provider at Acme, creates a SAML Request, and sends it to the URL via an HTML form post. The SAML Request is an XML document that essentially says, “Send me a SAML Assertion concerning this subject.” It typically contains an identifier for the service provider, so the identity provider knows who sent the request, but may also contain additional instructions – for example, the ForceAuthn attribute requires that the identity provider prompts the user to authenticate, even if the user already has an existing session. Upon receipt of the SAML Request, the identity provider authenticates the user, if necessary. This authentication step is outside the SAML specification – it can be username/password, a hardware token, biometric – just as long as the identity provider establishes the user’s identity via an appropriate mechanism. After successful authentication, the identity provider creates a SAML Assertion. This is the centerpiece of the SAML spec, a signed XML document identifying the user and asserting that the identity provider has authenticated that user.

At minimum, the Assertion contains an identifier for the user (email address, for example), a timestamp, and a reference to the authentication mechanism, perhaps “password over SSL/TLS.” The identity provider wraps the Assertion in a SAML Response and sends it back to the service provider, again via an HTML form post. Now the service provider can validate the SAML Assertion, checking that a trusted identity provider signed it, and then issue the user a session cookie of its own. The user has access, just as if they’d authenticated at the service provider directly, simply by hitting the Workday/Acme URL. Job done! So, the SAML 2.0 Web Browser SSO Profile is the basis for enterprise single sign-on, but SAML as a whole can do much more. Since the actual authentication step is outside the scope of SAML, you can embed any protocol there – biometric authentication, or Integrated Windows Authentication perhaps. SAML itself can be embedded in other protocols, such as OAuth, and the SAML Assertion is widely used as a token format for communicating identity, authentication and authorization data across the web and within enterprises. At the ripe old age of eight, SAML is the “Granddaddy of Internet identity protocols.” Internet providers and enterprise products almost ubiquitously support it, but to a certain extent it represents the “old guard” of protocols – an XML-based, voluminous specification that tries to address every possible use case. The past and present belong to SAML, but most identity pundits point to OpenID Connect as the future, a lighter-weight JSON-based protocol that implements the most common single sign-on use cases.
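The Request/Response/Assertion round trip above, as an added example (not code from the article, Salesforce, Workday or any SAML library) in Python using only the standard library. The entity IDs, the user and the key are constructed; an HMAC over the C14N form of the Assertion stands in for the real XML-DSig signature, which needs an XML-signature library and the identity provider's certificate. The service provider's checks are the ones a practitioner should expect: InResponseTo, issuer, signature, validity window and audience.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Constructed identifiers for the article's scenario: Acme's identity provider and Workday as service provider.
SP_ENTITY_ID = "https://workday.example/acme"
SP_ACS_URL = "https://workday.example/acme/saml/acs"
IDP_ENTITY_ID = "https://identity.acme.example/saml"
PASSWORD_OVER_TLS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Constructed stand-in for the IdP's signing key; real SAML uses XML-DSig and the SP trusts the IdP's certificate.
IDP_KEY = b"constructed-idp-signing-key"
DEMO_NOW = datetime(2013, 12, 1, 12, 0, 0, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(minutes=10)  # past the assertion's NotOnOrAfter: a replay

def _ts(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _canonical(elem: ET.Element) -> bytes:
    """Deterministic bytes of an element (stdlib C14N 2.0) so signer and verifier hash the same thing."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"),
                           strip_text=True, rewrite_prefixes=True).encode()

def build_authn_request(request_id: str, now: datetime, force_authn: bool = False) -> str:
    """SP side: the SAML Request that says 'send me an Assertion concerning this subject'."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": request_id, "Version": "2.0",
                     "IssueInstant": _ts(now), "AssertionConsumerServiceURL": SP_ACS_URL})
    if force_authn:  # make the IdP prompt for credentials even if the user already has a session
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")

def build_response(request_xml: str, name_id: str, idp_key: bytes, now: datetime,
                   lifetime: timedelta = timedelta(minutes=5)) -> str:
    """IdP side: after authenticating the user (outside SAML), issue a signed Assertion inside a Response."""
    req = ET.fromstring(request_xml)
    sp = req.findtext(f"{{{SAML}}}Issuer")
    if sp != SP_ENTITY_ID:
        raise ValueError("request from an unknown service provider")
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = name_id
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": _ts(now - timedelta(seconds=30)),
                                                        "NotOnOrAfter": _ts(now + lifetime)})
    aud = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML}}}Audience").text = sp  # only the requesting SP may accept this assertion
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": _ts(now)})
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = PASSWORD_OVER_TLS
    # HMAC over the canonical Assertion stands in for the XML-DSig Signature block.
    mac = hmac.new(idp_key, _canonical(a), hashlib.sha256).digest()
    sig = ET.Element(f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    a.insert(1, sig)  # schema order: Issuer, then Signature
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
                      "IssueInstant": _ts(now), "InResponseTo": req.get("ID"), "Destination": SP_ACS_URL})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    resp.append(a)
    return ET.tostring(resp, encoding="unicode")

def validate_response(response_xml: str, expected_request_id: str, idp_key: bytes, now: datetime) -> dict:
    """SP side: accept the Assertion only if it answers our request, was signed by the trusted IdP,
    is inside its validity window and names us as audience; then start a local session."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("response does not answer an outstanding request")
    a = resp.find(f"{{{SAML}}}Assertion")
    if a is None or a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("assertion missing or not from the trusted identity provider")
    sig = a.find(f"{{{DS}}}Signature")
    if sig is None:
        raise ValueError("assertion is unsigned")
    a.remove(sig)  # verify over exactly the bytes the IdP signed
    expected = hmac.new(idp_key, _canonical(a), hashlib.sha256).digest()
    given = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue") or "")
    if not hmac.compare_digest(expected, given):
        raise ValueError("assertion signature does not verify (tampered or forged)")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not (_parse_ts(cond.get("NotBefore")) <= now
                            < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window (replay or clock skew)")
    if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different service provider")
    return {"name_id": a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"),
            "authn_context": a.findtext(f"{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
                                        f"{{{SAML}}}AuthnContextClassRef"),
            "session_cookie": secrets.token_urlsafe(32)}  # the SP's own session, as the article describes
```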


OAUTH 2.0: ENABLING IDENTITY FOR THE CLOUD, MOBILE
PAUL MADSEN, PING IDENTITY

The key technical underpinnings of the cloud – and the emerging Internet of Things – are APIs. Otherwise known as Application Programming Interfaces, APIs provide consistent methods for outside entities, such as server clients and mobile applications, to interact with services and data in the cloud in a clean, standardized manner. APIs whittle away the underlying complexity of the application, making available to outside clients a well-defined set of possible requests and responses. Because of the advantages they offer for building scalable and available architectures, APIs will increasingly be used to move data, as opposed to browser applications. Until recently, however, the security and scalability of APIs were threatened by an authentication and authorization model sometimes called the “password anti-pattern” – a method wherein clients wanting to call an API on behalf of a particular user would collect and replay that user’s password on their calls to the API. This authentication model is characterized as an anti-pattern because it both inappropriately relies on passwords being shared outside the proper context and is unable to support adequate granularity of permissions and revocation.

OAuth 2.0 provides an alternative to this password anti-pattern by defining a consistent, flexible authentication, authorization and policy architecture for web servers, mobile applications and devices attempting to communicate with cloud APIs. OAuth 2.0 defines a framework for securing application access to protected resources – often but not solely identity attributes of a particular user – through APIs, most typically RESTful. REST defines a set of architectural principles by which users can design web services that focus on a system’s resources, including how resource states are addressed and transferred over HTTP from clients written in different languages. There are three primary participants in the OAuth flow. OAuth first enables a client – an application that desires information – to send an API query to a Resource Server, the application hosting the desired information, such that the server can verify that the message was indeed sent by a valid client. The client then authenticates to the Resource Server via the inclusion of an access token in its API message, a token previously provided to the client by an Authorization Server. In those OAuth scenarios in which the API in question protects access to a user’s identity attributes, it may be the case that the access token will be issued by the Authorization Server only after the user has explicitly given consent to the client accessing those attributes.

OAuth offers significant advantages over the password anti-pattern. First, by having the client present a token representing the user and their consent for a given API interaction, rather than the user’s password alone, the client doesn’t actually need to see the password. Consider, for example, the ‘Nest’ Internet-enabled thermostat. While it may be acceptable to have Nest’s own Android application authenticate its API calls to the Nest servers via inclusion of the user’s Nest password – by which the thermostat can be managed, queried, etc. – it would be inappropriate for a third-party application to do the same. Instead, the third-party app should be issued an access token that can have reduced privileges, for example read but not write, and be revoked when desirable. Large-scale API architectures for the cloud, mobile and Internet of Things are simply not viable without an authentication and authorization model that can scale accordingly. OAuth 2.0 defines exactly such a framework, and should be a critical piece of the API security toolbox going forward.
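An added example, not from the article or from Nest, of the three participants in the thermostat scenario: an Authorization Server that issues a token only for the scopes the user consented to, a Resource Server that checks the bearer token and requires a write scope for changes, and revocation that cuts a third-party client off without the user’s password ever leaving the Authorization Server. Scope names, client IDs and the API paths are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed scope names for a thermostat API; they are not Nest's real scopes.
READ, WRITE = "thermostat:read", "thermostat:write"


@dataclass
class AccessToken:
    client_id: str
    user: str
    scopes: FrozenSet[str]
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Issues, introspects and revokes opaque bearer tokens. The user
    authenticates and consents here, so the client never sees the password."""

    def __init__(self, registered_clients):
        self._clients = set(registered_clients)
        self._tokens: Dict[str, AccessToken] = {}

    def issue(self, client_id, user, requested, consented, now, ttl=3600.0) -> str:
        """Grant only the intersection of what the client asked for and what
        the user consented to; refuse if that leaves nothing."""
        if client_id not in self._clients:
            raise PermissionError("unregistered client")
        granted = frozenset(requested) & frozenset(consented)
        if not granted:
            raise PermissionError("user consented to none of the requested scopes")
        token = secrets.token_urlsafe(32)               # opaque and unguessable
        self._tokens[token] = AccessToken(client_id, user, granted, now + ttl)
        return token

    def introspect(self, token: str, now: float) -> Optional[AccessToken]:
        """Active token or None; revoked and expired tokens are equally dead."""
        found = self._tokens.get(token)
        if found is None or found.revoked or now >= found.expires_at:
            return None
        return found

    def revoke(self, token: str) -> None:
        if token in self._tokens:
            self._tokens[token].revoked = True


class ThermostatAPI:
    """Resource server: validates the bearer token and enforces a scope per operation."""

    REQUIRED_SCOPE = {("GET", "/temperature"): READ, ("PUT", "/temperature"): WRITE}

    def __init__(self, authz: AuthorizationServer):
        self._authz = authz
        self._target = {"alice": 20.0}           # constructed thermostat state per user

    def handle(self, method, path, headers, now, body=None) -> Tuple[int, dict]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):       # error codes follow RFC 6750
            return 401, {"error": "invalid_token"}
        token = self._authz.introspect(auth[len("Bearer "):], now)
        if token is None:
            return 401, {"error": "invalid_token"}
        needed = self.REQUIRED_SCOPE.get((method, path))
        if needed is None:
            return 404, {"error": "not_found"}
        if needed not in token.scopes:
            return 403, {"error": "insufficient_scope", "scope": needed}
        if method == "PUT":
            self._target[token.user] = float(body["target"])
        return 200, {"user": token.user, "target": self._target.get(token.user)}


def bearer(token: str) -> dict:
    """Authorization header a client sends with its API call."""
    return {"Authorization": f"Bearer {token}"}
```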


XACML: SETTING ENTERPRISE ACCESS RULES, POLICIES

Ensuring that only properly authorized individuals have access to necessary data is a basic tenet of access control systems. The eXtensible Access Control Markup Language – XACML, pronounced “zakmil” – is the identity standard that enables enterprises to enforce access rules. “It enables enterprises to manage and enforce a wide array of access rules in a standardized, policy-based way,” says Gerry Gebel, president at Axiomatics Americas, a provider of attribute-based access control solutions. Some enterprises can have hundreds, if not thousands, of applications for users, Gebel says. Making sure the user is able to access only the necessary data in the proper application is important. Look at the health care market. Doctors need to be able to access and change patient records, while nurses will have different access rules than technicians or those working in the hospital billing office. “It can be set up so that doctors can update patient records assigned to their clinic,” Gebel explains. “Nurses can update records for patients in their department but not others.” The standard enables enterprises to have a central access policy definition. Developers don’t have to write their own access logic but instead can call into the policy services for access permissions. “XACML would enable you to codify the rules for what person can access which data and resources,” Gebel says. XACML has been around for a long time and has no competing standards, Gebel says. It’s hit the early adopters and is about to take off in the mass market. “If you look across the markets – government, manufacturing, etc. – all these groups have the same pain points; they need to share data but it’s difficult to restructure and filter that data, which is why you see exposure and loss,” he explains. One of the keys to mass adoption is making XACML easy to use, Gebel says. “The tools using XACML have to hide the complexity, but make the functionality easily consumed,” he says. “That’s where you see vendors improving the policy authorization functionality and the developer interfaces.” A knock against XACML is that it uses XML – Extensible Markup Language – a markup language used for encoding documents on the web. Many developers now like to use JSON, JavaScript Object Notation, a text-based open standard designed for human-readable data interchange, or REST, Representational State Transfer, a style that abstracts the architectural elements within a distributed system. XACML standards workers are attempting to remedy this issue by creating REST and JSON profiles for the access rules standard, Gebel says. These new profiles will be approved by mid-2014. “Developers will be able to more easily work with lighter weight formats and protocols, and won’t be stuck with XML,” he adds.
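The hospital rules Gebel describes, as an added example (not Axiomatics’ code and not real XACML syntax): a small policy decision point that evaluates attribute-based rules with XACML’s deny-overrides combining algorithm, and a policy enforcement point that fails closed when no rule applies. Attributes are flattened to “category.attribute” keys rather than XACML’s categorised request format, and the billing-office rule is constructed here to show an explicit Deny.

```python
from typing import List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed policy encoding the hospital example: doctors update records in
# their clinic, nurses those in their department. The billing rule is
# constructed to show an explicit Deny under deny-overrides.
POLICY = {
    "id": "patient-records",
    "combining": "deny-overrides",
    "rules": [
        {"id": "doctors-own-clinic", "effect": PERMIT,
         "target": {"subject.role": "doctor", "resource.type": "patient-record",
                    "action": ["read", "update"]},
         "condition": ("attr-equal", "subject.clinic", "resource.clinic")},
        {"id": "nurses-own-department", "effect": PERMIT,
         "target": {"subject.role": "nurse", "resource.type": "patient-record",
                    "action": ["read", "update"]},
         "condition": ("attr-equal", "subject.department", "resource.department")},
        {"id": "billing-never-updates-records", "effect": DENY,
         "target": {"subject.role": "billing", "resource.type": "patient-record",
                    "action": "update"}},
    ],
}


def target_matches(target: dict, request: dict) -> bool:
    """Every target attribute must be present in the request with an allowed value."""
    for attr, allowed in target.items():
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if request.get(attr) not in allowed:
            return False
    return True


def condition_holds(condition, request: dict) -> bool:
    """Conditions compare attributes; a missing attribute never satisfies one."""
    if condition is None:
        return True
    op, left, right = condition
    if op == "attr-equal":
        return left in request and right in request and request[left] == request[right]
    raise ValueError(f"unknown condition operator {op!r}")


def evaluate_rule(rule: dict, request: dict) -> str:
    if not target_matches(rule["target"], request):
        return NOT_APPLICABLE
    if not condition_holds(rule.get("condition"), request):
        return NOT_APPLICABLE
    return rule["effect"]


def evaluate_policy(policy: dict, request: dict) -> Tuple[str, List[str]]:
    """Policy decision point with XACML's deny-overrides combining algorithm:
    any Deny wins, else any Permit, else NotApplicable. Also returns the ids of
    the rules that produced the decision, which is what an audit log wants."""
    if policy["combining"] != "deny-overrides":
        raise ValueError("only deny-overrides is implemented in this example")
    decisions = [(rule["id"], evaluate_rule(rule, request)) for rule in policy["rules"]]
    denies = [rid for rid, d in decisions if d == DENY]
    if denies:
        return DENY, denies
    permits = [rid for rid, d in decisions if d == PERMIT]
    if permits:
        return PERMIT, permits
    return NOT_APPLICABLE, []


def is_allowed(policy: dict, request: dict) -> bool:
    """Policy enforcement point: only an explicit Permit grants access, so a
    request no rule covers fails closed."""
    return evaluate_policy(policy, request)[0] == PERMIT
```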


SCIM: PROVISIONING USERS, KILLING CONNECTORS
KELLY GRIZZLE, PRINCIPAL SOFTWARE ENGINEER, SAILPOINT

One of the fundamental jobs of an identity and access management (IAM) system is managing changes to users and their access to various enterprise resources – a subset of IAM called provisioning. The typical organization has hundreds, sometimes thousands, of applications, servers, databases and file shares that must be provisioned; in fact, I know of one recent company with approximately 3,500 unique systems. Historically, enterprises have automated the provisioning of resource changes by using “connectors” between the IAM system and those resources to push or pull changes back and forth to make any required alterations to identities. The recent explosion of SaaS and cloud-based applications has made it even more difficult to keep up with the need for new connectors. IAM vendors, customers and systems integrators alike need to continually build and maintain hundreds upon hundreds of connectors to make all that work. It’s no simple task, however, and many legacy IAM vendors charge a price for every connector a customer uses. The growing abundance of available SaaS applications, and the speed at which they can be deployed, has caused the IAM market to hit a tipping point. It’s no longer practical for IAM vendors to keep writing connectors, and it’s too expensive for end users to keep using separate connectors for every application. To address this challenge, a new standard called System for Cross-Domain Identity Management (SCIM) has been developed to create a uniform provisioning interface for SaaS and cloud applications. SCIM’s intent is to reduce the cost and complexity of managing users in and out of SaaS applications by eliminating the need for separate and proprietary connectors to each individual application. A cross-industry team, which includes my company, SailPoint, Cisco, Ping, Salesforce.com, Technology Nexus and UnboundID, designed this specification with an emphasis on simplicity, while supporting existing authentication, authorization and privacy models.

KEEPING IT SIMPLE

From the onset, SCIM was designed to be simple. It does not try to cover every provisioning use case, but rather supports the most common situations. Based on the 80/20 rule, SCIM focuses on the core tasks – the essential CRUD (create, read, update and delete) operations – of account management and leaves out the 20% of “provisioning platform” extras that individual organizations have added into their respective connectors. It does this by utilizing an extensible user schema that means the same thing regardless of which application is being provisioned. The schema can then be extended to handle any necessary, specific IAM vendor or service-provider requirements. This simplifies provisioning for the SaaS providers, as well as for IAM vendors and customers. SCIM clearly and simply addresses the account creation, management and deletion “interface” using a full RESTful web services approach that can be used by any application. This takes the simpler, more direct use cases and implements them using a “resource-centric” approach that is easier to write and use in code, as well as easier to read and understand in the specification.

APP VENDOR SUPPORT

While the need for SCIM is well understood, it’s incumbent on SaaS vendors to adopt SCIM and make the standard widely available. Several SaaS vendors, including Salesforce.com, Google and Cisco, are at the forefront of solving these issues, investing significant time to help drive SCIM forward and build SCIM interfaces into their products. Support by the major SaaS vendor platforms will prove critical if SCIM is to achieve widespread adoption.

CUSTOMER DEMAND FOR SCIM

The SCIM standard also needs the support of public and private organizations that want to simplify how they manage their identities and applications in the cloud. Many organizations now specify requirements for a simple, standardized way of managing their SaaS accounts. This growing and real customer need has resulted in pressure on SaaS vendors to support SCIM on one side, and a push for IAM vendors to make use of SCIM on the other.
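An added example, not part of the article or of any vendor’s SCIM implementation: an in-memory /Users endpoint that supports the CRUD operations the standard centres on, validates the core User schema and carries a department in the enterprise extension, plus the document an IAM system would send to it instead of through a per-application connector. The URNs are those of SCIM 2.0 (RFC 7643/7644), a later revision than the draft the article was written against, so treat them as an assumption.

```python
import copy
import uuid
from typing import Dict, Optional, Tuple

# SCIM 2.0 URNs (RFC 7643/7644); the draft the article describes used earlier
# URNs, so the exact strings are an assumption about the version deployed.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
KNOWN_SCHEMAS = {CORE_USER, ENTERPRISE_USER}


def error(status: int, detail: str) -> Tuple[int, dict]:
    """SCIM error response body."""
    return status, {"schemas": [ERROR], "status": str(status), "detail": detail}


def scim_user(user_name: str, display_name: str, department: Optional[str] = None) -> dict:
    """Document an IAM system sends; the department rides in the enterprise
    extension, keyed by its URN, so core-only consumers can ignore it."""
    user = {"schemas": [CORE_USER], "userName": user_name,
            "displayName": display_name, "active": True}
    if department is not None:
        user["schemas"].append(ENTERPRISE_USER)
        user[ENTERPRISE_USER] = {"department": department}
    return user


class ScimUserService:
    """Constructed in-memory /Users endpoint: the single interface an IAM system
    calls instead of maintaining one connector per application."""

    def __init__(self):
        self._users: Dict[str, dict] = {}

    @staticmethod
    def _validate(user: dict) -> Optional[Tuple[int, dict]]:
        schemas = set(user.get("schemas", []))
        if CORE_USER not in schemas:
            return error(400, "core User schema missing")
        if not schemas <= KNOWN_SCHEMAS:
            return error(400, f"unsupported schemas: {sorted(schemas - KNOWN_SCHEMAS)}")
        if not user.get("userName"):
            return error(400, "userName is required")
        for urn in schemas - {CORE_USER}:
            if urn in user and not isinstance(user[urn], dict):
                return error(400, f"{urn} attributes must be an object")
        return None

    def handle(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        parts = path.strip("/").split("/")
        body = body or {}
        if parts[0] != "Users":
            return error(404, "unknown resource")
        if method == "POST" and len(parts) == 1:
            err = self._validate(body)
            if err:
                return err
            if any(u["userName"] == body["userName"] for u in self._users.values()):
                return error(409, "userName already exists")   # uniqueness conflict
            user = copy.deepcopy(body)
            user["id"] = str(uuid.uuid4())                 # server-assigned
            user["meta"] = {"resourceType": "User", "version": 'W/"1"'}
            self._users[user["id"]] = user
            return 201, copy.deepcopy(user)
        if len(parts) != 2 or parts[1] not in self._users:
            return error(404, "no such user")
        uid = parts[1]
        if method == "GET":
            return 200, copy.deepcopy(self._users[uid])
        if method == "PUT":          # full replacement; id and meta stay server-owned
            err = self._validate(body)
            if err:
                return err
            version = int(self._users[uid]["meta"]["version"].strip('W/"')) + 1
            user = copy.deepcopy(body)
            user["id"] = uid
            user["meta"] = {"resourceType": "User", "version": f'W/"{version}"'}
            self._users[uid] = user
            return 200, copy.deepcopy(user)
        if method == "DELETE":
            del self._users[uid]
            return 204, {}
        return error(405, "method not allowed")
```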


HOW TO MANAGE IDENTITIES IN AN ERA OF REGULATION
ID AND SECURITY SOLUTIONS ENABLE INDUSTRIES TO ADDRESS UNIQUE COMPLIANCE CHALLENGES
AJAY JAIN, PRESIDENT AND CEO, QUANTUM SECURE

Identity is the new firewall. Recognizing the need for rigorous identity management is built on understanding that no individual in a facility or campus can ever be allowed access to an area they are not authorized to enter. This is a major security issue at most organizations, and is often mission-critical with no margin for error. Beyond the essential physical safety of all individuals on the property, this concern relates to the security of data, the protection of both physical and logical technology located on the premises, intellectual property theft, vandalism, workplace violence and liability. The need for protection and total control of identities resides at the center of a large portion of today’s compliance regulations. Additionally, the ongoing development of new compliance laws and standards relating to the comprehensive monitoring and management of employee and visitor identities requires security directors to maintain a high level of education and knowledge about physical identity and access management. Every industry has a unique set of rules and regulations developed to address the specific needs of its own facilities and organizations. Just as each industry is different, so too is the manner in which physical identity and access management addresses each industry’s requirements.

HEALTH CARE

The Health Insurance Portability and Accountability Act (HIPAA), among other topics, defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. These rules apply to “covered entities” as defined by HIPAA and the Department of Health and Human Services and include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA. With physical identity and access management, the user defines who has access, where and when they gain said access and to what information they have access based on their specific role. Each identity – doctor, contractor, administrator, visitor, patient, etc. – can access only what policy dictates. So if a role or policy changes, that alteration triggers an automatic, complementary revision in other sets. Once the policies and workflows have been created, physical identity and access management software’s integrated monitoring and reporting features provide auto-remediation of compliance anomalies and reporting to enforce and maintain compliance. In the event of suspicious activity, identities can be easily tracked or alert triggers can be created.

ENERGY

The North American Electric Reliability Corporation (NERC) is a nonprofit, self-regulatory organization whose standards are mandatory and enforceable throughout the United States and several Canadian provinces. NERC’s major responsibilities include working with stakeholders to develop standards for power system operation, monitoring and enforcing compliance with those standards, assessing resource adequacy, and providing educational and training resources as part of an accreditation program to ensure power system operators remain qualified and proficient. Physical identity and access management solutions enable compliance with the three enforceable cyber-security standards defined in NERC’s Critical Infrastructure Protection document. This can help organizations perform a wide range of required activities and avoid significant fines. For example, regulations require all operational and procedural controls to manage physical access at all perimeter access points to be documented 24/7. Complex tasks like this are an essential element of a physical identity and access management system.

BANKING/FINANCE

The Federal Deposit Insurance Corporation (FDIC) is responsible for overseeing that insured financial institutions adhere to reporting requirements imposed by statute. All regulated financial institutions in the U.S. are required to file periodic financial data and other information with their respective regulators and involved parties. As physical identity and access management software is designed for policy-based and rules-based processes, instructions can be written in the system to automatically perform required tasks such as initiating background checks on identities at specific intervals. Accompanying policy could be written to perform background checks more frequently for contractors or temporary employees. Automatic alerts can even be created if there is a change in status when a background check is performed.

The Federal Financial Institutions Examination Council (FFIEC) is an inter-agency body of the U.S. government empowered to prescribe uniform principles, standards and report forms for examination of financial institutions by various government agencies. Physical identity and access management is ideal for setting role-based access and authorization for secured areas. Authorized approvers/signatories are appointed, and per the policy set forth in the policy engine, only those authorized identities will have access to areas for which they have been provisioned. When access is required, the authorized signatory is alerted via an automated process and is required to approve or deny the request in a web-based portal before access is enabled. The automatically documented processes can be used for attestation reports that verify who approved access to what doors over any duration of time.

The Statement on Auditing Standards Number 70 (SAS 70) is a widely recognized auditing standard of control objectives and control activities developed by the American Institute of Certified Public Accountants. Physical identity and access management addresses the provisioning, auditing, reporting and off-boarding processes. Once provisioned, the system can automatically generate reports of who visited, who approved the visit, duration and where in the facility the visitors had access.

BASEL III, the Third Basel Accord, is a global voluntary standard for bank capital adequacy, stress testing and market liquidity risk developed by the Basel Committee on Banking Supervision. Physical identity and access management enables convergence between physical and logical security systems in order to provide security intelligence and analytic data from a variety of sources. It facilitates the necessary checks used to measure liquidity risk exposure by pulling reports at pre-determined intervals. Physical identity and access management software also streamlines monitoring processes by having all policies reside in the system.

The Sarbanes-Oxley Act addresses corporate responsibility for financial reports and lays the foundation for IT to enable compliance. With physical identity and access management, users can readily audit and report activity pertaining to identities within the organization. System reports identify an individual’s activities such as location, what they are accessing, for what period of time they have access or any changes to established policy rules. Physical identity and access management software can create alerts when policy or rules-based criteria are not met. Audit reports can also be generated on an as-needed basis or at specific intervals.


GOVERNMENT

There are three progressive regulatory initiatives, which together build a very strong case for physical identity and access management in addressing conformance and compliance. The Homeland Security Presidential Directive 12 (HSPD-12) issued in 2004 calls for a government-wide standard for secure and reliable forms of ID issued by the federal government to its employees and to employees of federal contractors for access to federally-controlled facilities and networks. This directive led to the development of a Federal Personal Identity Verification (PIV) system. Physical identity and access management addresses management of all forms of identity badges and any assets or authentication rights, including PIV smart cards which enable government employees to move between facilities and ensure that they are recognized across agencies. The Federal Information Processing Standard Publication 201 (FIPS 201) was issued in 2005 in response to the HSPD-12 directive. It specifies PIV requirements for federal employees and contractors. The Federal Identity, Credential and Access Management (FICAM) Roadmap and Implementation Guidance Version 2 was completed in 2012. The purpose of the FICAM document is to provide agencies with architecture and implementation guidance to modernize, streamline and automate privilege management as it relates to both logical and physical access. It also ensures that the PIV and PIV-I cards are provisioned and managed securely throughout the lifecycle of the card holder. Finally, OMB M-11-11 requires that an agency’s existing logical access control systems be upgraded to align with the FICAM Guidelines for PIV usage, and validate and use PIV cards issued outside a given agency. To address these three requirements, physical identity and access management software provides processes to manage the intersection of physical identities, digital identities and various credentials into a policy-based management approach. It streamlines and consolidates disparate systems into a single and centralized FICAM-aligned, integrated and auditable system. Software provides a one-step policy-based approach to manage and enroll PIV cardholders – including biometric and biographic data capture from the PIV card – into various physical access control systems. Lifecycle management of the PIV card in physical access systems including activation, status inquiry, lost or stolen card handling, provisioning and revocation, expiration and so on can all be managed centrally. Moreover, physical identity and access management is the missing ingredient in legacy federal systems, which connect the authoritative and trusted data sources for identities and PIV attributes to physical access control systems to ensure security and achieve the target state for a modernized physical security system.

CROSS-INDUSTRY CAPABILITIES

While the functions of physical identity and access management software are complex and diverse, technology does exist to help manage governance and compliance of the many government or industry-issued access and identity rules and standards. With adherence to specific regulatory guidelines built into the rules of the software, users can perform important identity and access control functions while meeting regulatory requirements. Physical identity and access management software can also analyze risk and compile key data across the physical security infrastructure. Integrated infraction management can automatically trigger notifications or change access privileges. The software can define, audit and enforce Segregation of Duty policies across the physical infrastructure. These systems can also manage risk levels associated with persons of interest based on lists of physical identities that are potential threats to an organization along with their risk profile and historical details. Customized assessment reports covering global locations can be provided to a single Web console, allowing for daily, weekly and monthly operational reports to be generated automatically to provide security practitioners with information to optimize staffing, budgeting and other resources. For government, financial, health care and many other industries, security requirements demand a comprehensive security infrastructure that includes both the physical and logical security spectrums. Physical identity and access management effectively addresses these challenges with best practice processes that reduce both costs and risks.


EVOLVING IAM: SHIFTING TO IDENTITY RELATIONSHIP MANAGEMENT
JONI BRENNAN, EXECUTIVE DIRECTOR, KANTARA INITIATIVE

Identity and Access Management services were traditionally built for a company’s internal use, to assist with manual on- and off-boarding or to establish access privileges to company data and systems behind the firewall. Today, however, a company must implement a dynamic Identity and Access Management solution that serves employees, customers, partners and devices alike, wherever they might be. This is the evolution of Identity and Access Management to Identity Relationship Management. As more and more people, devices and “things” are assigned identities across networks, simple, flexible and scalable Identity Relationship Management services designed to quickly verify identities and access privileges are becoming imperative for any business to safely and efficiently engage with their customers. Today’s solutions must link devices – laptops, phones, touchpads, cars, etc. – with new mobile and social apps into a single security platform that works all the time, everywhere, whether on premises or off in the cloud. This is the standard that customers, citizens and students have come to expect. CIOs and their businesses – along with governments and universities – must identify vendors that can provide this standard because the methods of consumer engagement directly drive revenue. Customers might deposit checks from their phone, order a service through a cloud app or make a purchase from a laptop that recognizes their identity and in turn shares the right information with the vendor. As consumers look for and expect more ways to engage with businesses, companies are making the shift from the closed, protective world of Identity and Access Management to the open, evolving and confidently secure Identity Relationship Management universe. This is because Identity and Access Management tools are a necessity for managing trust relationships with parties inside and outside of a company – relationships that are now tied directly to the bottom line. This shift in business emphasis has a direct technical impact on how we think about Identity and Access Management. As a result, CIOs need to take into account the following four business-focused pillars when choosing an IRM solution:

CONSUMERS AND THINGS OVER EMPLOYEES

Traditional Identity and Access Management platforms were designed for on-premises employee use and are unable to meet the need for a quick, secure and device-flexible experience that customers seek. Modern identity management must manage access privileges for all stakeholders across a variety of devices.

MODERN IDENTITY RELATIONSHIP MANAGEMENT SOLUTIONS NEED TO MANAGE SEVERAL STAKEHOLDERS IN THEIR ACCESS SYSTEM – CONSUMERS, PARTNERS, EMPLOYEES, DEVICES, ETC. – AND THIS CHANGE IS LIKELY TO GROW THE USER BASE EXPONENTIALLY


ADAPTABLE OVER PREDICTABLE

Unlike traditional Identity and Access Management designed for specific static events, Identity Relationship Management must understand contextual circumstances. For example, a user logging in from a different device or location should have access to the information they need.

TOP LINE REVENUE OVER OPERATING EXPENSE

Identity and Access Management has always been viewed as a necessity for employees and therefore a business cost. In today’s world, the security system is used to authenticate and authorize both consumers and employees. If an Identity Relationship Management solution is efficient, secure and accurate, it can directly contribute to a business’ top line revenue, as customers will have easy access to secure applications where they can buy services.

VELOCITY OVER PROCESS

Today, CIOs make Identity Relationship Management decisions based on speed, ease of use and the ability to scale to handle customer volume – not on implementation and cost of deployment.

CHANGING BUSINESS VALUES AND A NEW TECHNICAL APPROACH TO IDENTITY AND ACCESS MANAGEMENT

With this shift in business values, vendors also need to change their technical approach to Identity and Access Management. There are additional pillars that focus on technical values that coincide directly with business values, which are essential to modern organizations. Modern Identity Relationship Management solutions need to manage several stakeholders in their access system – consumers, partners, employees, devices, etc. – and this change is likely to grow the user base exponentially. These Identity Relationship Management systems need to be able to provide access at Internet scale, verifying millions of identities instantaneously – the direct result of which will be an Internet-connected, consumer-facing world. Due to the wide variety of devices that now exist, Identity and Access Management systems need to provide access in an “anywhere, anytime” environment and must implement a borderless design to do so. Data users’ access is spread out across various locations – company premises, the cloud, hosted by SaaS providers – meaning borderless design will help to account for this increase in complexity. A good Identity Relationship Management solution is one that is designed from the ground up to handle multi-faceted Identity and Access Management issues, with an integrated and cohesive stack. Identity Relationship Management solutions that are able to satisfy the business needs of an organization, and the new values of the CIO, will shape the future of Identity and Access Management. The shift to cloud, social, mobile and SaaS is revolutionizing the enterprise. Identity and Access Management needs to evolve to help businesses capture new opportunities without worrying about the associated complexities that are a result of this change.

CALL TO ACTION

These pillars, found at KantaraInitiative.org, form a simple framework to shift thinking from the way we see and manage digital identity today to the reality of what is possible. It’s a framework for a simple and agile movement that will impact your business opportunities for the better. If you agree with the pillars, please visit KantaraInitiative.org to find out how you can become a signatory to show support. Find out how you can join this conversation and help shape the future.


NEW NSTIC PILOTS RAISE TOTAL TO A DOZEN
PILOTS ADDRESS UNTAPPED MARKETS, VULNERABLE DEMOGRAPHICS
GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLISHING

It’s been more than a year and the National Strategy for Trusted Identities in Cyberspace has spent $18 million to fund 12 pilots to help create the new identity ecosystem. Seven new pilots were announced in September, focused on a variety of new markets and questions. The NSTIC National Program Office is in planning for 2014, so no details were available on plans for the coming year or additional projects. Goals for the latest round of pilots include:

- Creating a trust framework
- Providing online identities to veterans
- Eliminating passwords and using different hardware solutions for online IDs
- Supplying a trusted framework for children
- Implementing a statewide identity federation
- Establishing an online system to stop online identity theft


NSTIC WINNER: TSCP
FEDERATING CREDENTIALS ACROSS ENTERPRISES

WITH THE HELP OF FIDELITY INVESTMENTS AND CHICAGO MERCANTILE EXCHANGE, THE TSCP PILOT WILL ENABLE EMPLOYEES TO USE EXISTING CREDENTIALS TO CONDUCT SECURE TRANSACTIONS.

The Transglobal Secure Collaboration Program (TSCP) was born out of a challenge shared by aerospace and defense companies: the need to be able to securely collaborate with suppliers, teammates and government customers. So together, they agreed to work on ways to securely email and share documents as well as how to trust each other’s issued credentials. “The work really involves creating specifications, a sort of ‘rules of the road’ on how to prove an individual is who they claim to be, how to issue a very secure credential to be able to assert that identity and then how to use that credential with the common everyday collaboration products,” says Steve Race, vice president of operations for TSCP. Early on, these collaborative products weren’t built to accept high level of assurance identity credentials. So TSCP expanded its membership to include many of the leading technology companies, like Microsoft, and incorporated those new specifications into new products. The roster of TSCP members includes four governments, 19 technology companies and seven corporations. It is also expanding beyond the aerospace and defense industries to include other verticals such as oil and gas, Race explains. This would seem to make TSCP a natural to lead a pilot project for the National Strategy for Trusted Identities in Cyberspace (NSTIC) and indeed the group did receive funding. TSCP’s pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. As part of this pilot, employees of participating businesses will be able to use their existing credentials to securely log into retirement accounts at brokerages, rather than having to obtain a new credential. Key to enabling these cross-sector transactions will be TSCP’s development of an open source, technology-neutral Trust Framework Development Guidance document that can provide a foundation for future cross-sector interoperability of online credentials. TSCP will work on the liability and privacy areas, as well as the other common operating rules that the trust environment needs. The collection of models and rules will be packaged into a Trust Framework Development Guidance document that will be available to industry and government to facilitate adoption of a more secure, easy to use and affordable way to access systems. “We will be setting up demonstrations using tabletop environments first, then pilots and finally small scale production. This will allow us to really test and prove out the new models and rules for using higher level of assurance identity credentials,” Race says. He expects a difficult journey. “Fundamental and legitimate concerns exist across the industry, across the government and the private citizens,” Race says. “They range from privacy, legal liability, cost, ease of use … the list goes on and on.” TSCP has engaged a wide range of partners beyond its membership to help develop the trust guides and test secure transactions with real systems. They’ll utilize a $1.2 million grant from NSTIC for the first year and the same amount for year two provided the project’s benchmarks are met. Race says the most difficult step will be finding those brave initial adopters. “My hope is that our efforts will accelerate the early adopters’ willingness to step up and adopt,” Race says. “I mean the bad guys are out there. They’re damaging our economy. They’re threatening our national security every day, and moving to a more secure identity ecosystem will have a very positive impact going forward.” TSCP did what Race considers to be groundbreaking work a few years ago around federation. “This is a concept of taking a credential that one entity issues and having another entity trust their credential and accept it to gain access to their system,” Race says. “One of the fundamental challenges with doing this is determining who is liable if there’s a problem.” TSCP worked with its members and the American Bar Association to create the basis for law, describing a third-party assurance model. The work was published and has allowed federation to be adopted more widely. “There’s really much more work that needs to be done to ground our identity and access management framework – or the Identity Ecosystem as NSTIC refers to it – to common law,” Race says. “That’s a large part of what we propose to do for the NSTIC grant.”



NSTIC WINNER: EXPONENT USING THE SIM AND WEARABLE DEVICES FOR SECURE ONLINE ID

THE EXPONENT PILOT DIFFERS FROM SOME OF THE OTHER NSTIC PILOTS BECAUSE OF THE HARDWARE IT WILL LEVERAGE. THE PLAN IS TO DEMONSTRATE TWO FORM FACTORS. ONE WILL LEVERAGE THE UICC IN A PHONE AND THE OTHER LEVERAGES A SECURE ELEMENT THAT’S EMBEDDED IN A WEARABLE DEVICE.

“Advancing a national strategy for assuring one’s identity in cyberspace isn’t really a particularly easy proposition,” says Brad McGoran, a principal engineer at Exponent. The company has provided independent testing of various identity technologies for years and is one of the largest engineering and scientific consulting firms in the U.S. Exponent emerged in the 1960s specializing in scientific research and analysis as well as rapid response evaluation. “We often do component and system level evaluations in the areas of interoperability, security, reliability and performance,” he says.

The company was a finalist in the first pilot competition last year but did not make the final cut. At that point, McGoran says team members hunkered down to learn everything they could about the initial group of projects, and they put their focus on eliminating passwords using strong authentication techniques.

“The team that we formed includes HID and Gemalto, Stanford University’s computer science department and Experian,” McGoran says. “We also have three relying parties that include a social media provider, a medical facility and the Department of Defense’s Defense Manpower Data Center.” The grant is worth $1.6 million for the first year of the pilot, with another $1.9 million available in the second year if milestones are met.

“One of the differentiators I think for our solution is that we do have a significant hardware component, namely the secure element,” McGoran said. “We will demonstrate two form factors. One will leverage the UICC in a phone and the other leverages a secure element that’s embedded in a wearable device, which we call a PAD – or Personal Authentication Device.”

The Exponent team will demonstrate:
A derivation process to add credentials to a mobile device
A secure and easy method for doctors to access medical records
A user friendly means to secure social media

“We have a very strong emphasis on open standards and a responsibility to give the national program office a system that will be interoperable and non-proprietary,” he adds. McGoran says the company is particularly excited about the opportunity to leverage some of the emerging NIST special publications. “Our solution is focusing on compatibility with existing federal programs and infrastructure – such as FICAM, the DOD common access card and the federal PIV infrastructure,” he says. This coupled with the use of the UICC and the ubiquity of the mobile phone promises to make this a closely watched project.


NSTIC WINNER: PRIVO CREATING A KID-FRIENDLY IDENTITY ECOSYSTEM

PRIVO WILL PILOT A SOLUTION THAT PROVIDES FAMILIES WITH COMPLIANT, SECURE CREDENTIALS TO ENABLE PARENTS TO AUTHORIZE THEIR CHILDREN TO INTERACT WITH ONLINE SERVICES IN A MORE PRIVACY-ENHANCING AND USABLE WAY.

Privacy Vaults Online, commonly known as PRIVO, was established in 2001 to enable web sites to comply with the Children’s Online Privacy Protection Act (COPPA). “We embarked on building the tools necessary for companies to comply with the law – tools built around identity management,” says Denise Tayloe, PRIVO co-founder and CEO. Additionally, the company has been authorized to certify compliance with COPPA.

PRIVO was a finalist for the first round of NSTIC awards last year, but didn’t make the cut. This year, Tayloe and her crew dug deeper and found more than 50 relying parties willing to participate. They also found some larger technology partners. “We brought more muscle this go round. The other thing that’s happened is that COPPA went through a major review,” explains Tayloe. “In December of this past year, it hit the mainstream. COPPA 2.0 brought in mobile, third party advertising networks and social sharing. It added pictures, video and audio as Personally Identifiable Information.”

Keeping up with a child’s online activity can be difficult. “Parents are inundated. They’re overwhelmed. They don’t exactly understand what’s going on,” Tayloe says. “So there’s a big opportunity for education here and for kids to sort of drag their parents into the identity ecosystem and let them get some good lessons in the name of protecting their children.”

They’ll start by establishing a Minors Trust Framework by the end of the first year. This will create an online identity trust model compliant with COPPA 2.0 and other nuances around children. “We’ll certify a diverse set of identity providers that are compliant with the model at a certain level of assurance,” Tayloe explains. “We’re going to establish secure and privacy-enhancing identity credentials that actually bind children to their parents so that they can be used within our Global Kid Network and foster adoption by a broad array of identity ecosystem participants to help advance the initiative.”

PRIVO will also create a children’s identity and parental consent management platform – the Parents Hub – that supports the Global Kid ID Network. “That’s going to enable parents to easily permission their child to access Minors Trust Framework-approved online services and applications,” Tayloe says. “It’s going to eliminate the need for multiple user names and passwords across these different sites and prevent the sort of correlation and linking and tracking of child data across the Internet, but still enable business to communicate products and services and engage in an interactive way.”

The company was awarded $1.6 million for the first year of the pilot. If all the milestones are met, it will receive about the same amount for year two. By the end of the second year, PRIVO plans to protect at least 10 million children via the Kid Identity Network. “I think that we have a lot of opportunity in front of us if we get this right,” Tayloe adds. “This is a protected demographic that we have a lot of experience with, and I think that we’re going to show that we are the right organization for this very specific space.”



NSTIC WINNER: GEORGIA TECH RESEARCH INSTITUTE ESTABLISHING A TRUSTMARK FRAMEWORK

THE GEORGIA TECH RESEARCH INSTITUTE PILOT WILL DEVELOP AND DEMONSTRATE A TRUSTMARK FRAMEWORK THAT SEEKS TO IMPROVE TRUST, INTEROPERABILITY AND PRIVACY WITHIN THE IDENTITY ECOSYSTEM.

Georgia Tech Research Institute is the non-profit research arm of the Georgia Institute of Technology. The research institute was established nearly 80 years ago and has long partnered with government and industry to solve complex problems through innovation and customer-focused research and education. The institute’s proposal for the National Strategy for Trusted Identities in Cyberspace (NSTIC) is to develop and demonstrate a trustmark framework that facilitates cost-effective, scalable, interoperable trust across multiple communities of interest within the identity ecosystem. Privacy and transparency will be enhanced through third-party validation.

“The outcome of this pilot is going to be very important to us,” says John Wandelt, Georgia Tech Research Institute division chief and director of the National Identity Exchange Federation. “After 9/11, it was widely recognized that we needed to do a better job sharing information across the various law enforcement agencies and communities.” The foundation for the NSTIC pilot comes out of work the institute did in law enforcement. Agencies wanted broader interoperability across the whole law enforcement community, Wandelt says. Plus, law enforcers needed access to other communities of interest like first responders and private industry. “We realized that whatever we do for law enforcement within our community, there were other drivers outside,” says Wandelt. Drivers such as NSTIC will play a large role in shaping the way forward for online identities.


That’s what led the Georgia Tech Research Institute to propose a model based on trustmarks, the primary focus of its pilot grant. For this project, a trustmark is a rigorously defined, machine-readable statement of compliance with a specific set of technical, business and policy rules. “The assessment criteria will specify what due diligence is necessary in order for a trustmark provider to issue a trustmark. So this is essential because it improves transparency and consistency,” says Wandelt. “We believe that an ecosystem based on machine-readable trustmarks has a potential of changing how we think about the traditional trust frameworks.”

The institute was awarded $1.7 million for its Trustmark Marketplace initiative in the first year and a similar amount for year two if benchmarks are met. Under the grant funding, the institute plans to develop a trustmark technical framework, some sample trustmark definitions that address concerns like privacy policies and interoperability communication protocols and some open source tools to seed the marketplace. “Once we have that completed, we’re going to pilot this in an operational capacity among the National Identity Exchange Federation members,” Wandelt said. “Creating this ecosystem based on trustmarks that can thrive and connect our community among themselves and also lower the barriers to bridge between different communities of interest would be a huge success story – and in our opinion cost savings – so that it’s not required to join multiple federations to conduct the necessary business.” The idea is to simplify the Identity Ecosystem’s trust landscape. The project seeks to clear the environment, which currently harbors an assortment of federations with their own individual standards. These federations tend not to trust each other and don’t work together. Wandelt hopes the institute will be able to inform and contribute in a way that inspires broader adoption. “It’s very difficult to draw a dotted line around any region – community of interest – and say that’s an island,” Wandelt said. “At the end of the day, we need to connect the islands.”
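The article describes a trustmark as a machine-readable statement of compliance issued by a trustmark provider, which a relying party can evaluate mechanically instead of joining every federation it needs to interact with. The following is an added example (it is not code from the article or from the Georgia Tech Research Institute’s own trustmark tools) showing what such an evaluation can look like: a toy relying-party policy that requires trustmarks for a privacy-policy definition and an interoperability-protocol definition, accepts them only from listed trusted providers, and checks each trustmark’s validity window and signature. The JSON layout, the definition and provider identifiers, and the use of HMAC-SHA256 as a stand-in for the provider’s signature (a real provider would use a public-key digital signature, so relying parties need no shared secret) are all assumptions constructed for this example.

```python
"""
Added example, not the article's or the institute's code: a relying party
deciding whether to trust an identity provider on the basis of
machine-readable trustmarks.

Constructed assumptions:
  * a trustmark is a small JSON document naming the trustmark definition it
    satisfies, the recipient, the issuing provider, a validity window and a
    provider signature;
  * the provider signature is an HMAC-SHA256 stand-in over canonical JSON
    (a real provider would use a public-key signature);
  * timestamps are fixed-format ISO 8601 UTC strings, which compare
    chronologically as plain strings.
"""
import hashlib
import hmac
import json


def canonical(payload: dict) -> bytes:
    """Canonical JSON so issuer and verifier sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_trustmark(provider_id, provider_key, definition_id, recipient,
                    not_before, not_after):
    """Provider side: attest that recipient met the assessment criteria of
    definition_id for the given validity window (constructed format)."""
    payload = {
        "definition": definition_id,
        "recipient": recipient,
        "provider": provider_id,
        "not_before": not_before,
        "not_after": not_after,
    }
    sig = hmac.new(provider_key, canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "signature": sig}


def trustmark_is_valid(tm, provider_keys, now):
    """Relying-party check of one trustmark: trusted provider, intact
    signature, inside the validity window. Returns (ok, reason)."""
    key = provider_keys.get(tm.get("provider"))
    if key is None:
        return False, f"provider {tm.get('provider')!r} is not trusted"
    payload = {k: v for k, v in tm.items() if k != "signature"}
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tm.get("signature", "")):
        return False, "signature does not verify"
    if not (tm["not_before"] <= now <= tm["not_after"]):
        return False, f"outside validity window for {tm['definition']}"
    return True, "ok"


def evaluate(recipient, trustmarks, policy, provider_keys, now):
    """Apply the relying-party policy: every required definition must be
    covered by a valid trustmark held by this recipient.
    Returns (accepted, reasons)."""
    reasons, covered = [], set()
    for tm in trustmarks:
        if tm.get("recipient") != recipient:
            continue  # trustmarks held by other parties are irrelevant here
        ok, why = trustmark_is_valid(tm, provider_keys, now)
        if ok:
            covered.add(tm["definition"])
        else:
            reasons.append(f"{tm.get('definition')}: {why}")
    missing = [d for d in policy["required"] if d not in covered]
    reasons.extend(f"no valid trustmark for {d}" for d in missing)
    return (not missing), reasons


# Constructed sample data: two trusted providers, one policy, three IdPs.
PROVIDER_KEYS = {"tp-privacy-assessor": b"constructed-key-1",
                 "tp-interop-lab": b"constructed-key-2"}
POLICY = {"required": ["privacy-policy-v1", "saml-interop-v1"]}
NOW = "2014-03-01T00:00:00Z"
VALID = ("2014-01-01T00:00:00Z", "2015-01-01T00:00:00Z")
EXPIRED = ("2013-01-01T00:00:00Z", "2014-01-01T00:00:00Z")


def sample_trustmarks():
    pk = PROVIDER_KEYS
    return [
        # idp-a: both required marks, trusted providers, currently valid
        issue_trustmark("tp-privacy-assessor", pk["tp-privacy-assessor"],
                        "privacy-policy-v1", "idp-a", *VALID),
        issue_trustmark("tp-interop-lab", pk["tp-interop-lab"],
                        "saml-interop-v1", "idp-a", *VALID),
        # idp-b: privacy mark has expired
        issue_trustmark("tp-privacy-assessor", pk["tp-privacy-assessor"],
                        "privacy-policy-v1", "idp-b", *EXPIRED),
        issue_trustmark("tp-interop-lab", pk["tp-interop-lab"],
                        "saml-interop-v1", "idp-b", *VALID),
        # idp-c: interop mark is self-asserted by an unknown provider
        issue_trustmark("tp-privacy-assessor", pk["tp-privacy-assessor"],
                        "privacy-policy-v1", "idp-c", *VALID),
        issue_trustmark("idp-c-self", b"self-chosen-key",
                        "saml-interop-v1", "idp-c", *VALID),
    ]


def decide(recipient):
    """Convenience wrapper over the constructed sample data."""
    return evaluate(recipient, sample_trustmarks(), POLICY, PROVIDER_KEYS, NOW)


if __name__ == "__main__":
    for idp in ("idp-a", "idp-b", "idp-c"):
        accepted, reasons = decide(idp)
        print(idp, "accepted" if accepted else "rejected", reasons)
```

The point a practitioner should take from the three sample identity providers is that the trust decision depends only on who issued each trustmark, whether it is intact and whether it is current; nothing about which federation the identity provider belongs to enters the decision, which is what lets trustmarks bridge communities of interest. Revocation is not modelled here; a deployment would also have to consult the provider’s status information before accepting a mark.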


NSTIC WINNER: TROOP ID ENABLING VETERANS TO PROVE ONLINE IDENTITY

ID.ME’S TROOP ID WILL DEVELOP AND PILOT TRUSTED IDENTITY SOLUTIONS THAT WILL ENABLE MILITARY FAMILIES TO ACCESS SENSITIVE INFORMATION ONLINE FROM GOVERNMENT AGENCIES, FINANCIAL INSTITUTIONS AND HEALTH CARE ORGANIZATIONS IN A MORE PRIVACY-ENHANCING, SECURE AND EFFICIENT MANNER.

Troop ID is part of the ID.me identity network and a digital authentication engine for verifying active military members and veterans online. The system enables users to both share and protect their information and sensitive data. “ID.me is essentially PayPal for digital identity where we’ve created a digital ID card for members of the military community, first responders, students, other affinity groups,” said co-founder and COO Matthew Thompson. “Individuals can tie attributes about themselves and share that in a privacy enhancing and user-centric way across the web, across a network of relying parties to access different benefits and online services.”

ID.me is largely a veteran-run organization. Thompson served four tours in Iraq and Afghanistan. He spent 11 years in the Army before attending Harvard Business School. He met another Army Ranger and combat veteran at Harvard named Blake Hall, and together they hatched the idea for Troop ID in 2009. “We really connected around this challenge that service members and veterans had accessing benefits online,” said Thompson. “We saw all these examples where the benefits were going offline but not online, and we said there has to be a better way.”

Veterans who want to take advantage of retail discounts and special services have been stuck carrying around a document – DD Form 214 – that Thompson likens to a birth certificate and a resume. The form is the discharge paper every military service member receives and it contains more than enough information for an identity thief. There is no federal veterans identity card. While the DD 214 is a unique way for service members to prove they were in the military, it presents a tremendous risk for fraud and misuse. Thus, Troop ID was born. “For 24 million members of the veteran community, digital anonymity prevents meaningful interaction online and the current status quo really creates issues around access, liability, and awareness,” Thompson says. “Digital identity solves all of those issues by minimizing the data that’s shared.”

Troop ID has more than 250,000 users, with a thousand new users added each day. The National Strategy for Trusted Identities in Cyberspace pilot award will speed up product development as well as commercial and government adoption. It will also be used to more quickly bolster the product beyond what is now essentially a Level 1 credential. “The ultimate goal is for us to achieve what’s known as a Level of Assurance 2 and Level of Assurance 3 within the FICAM Trust Framework,” says Glenn Schoonover, director of information, security and privacy for ID.me. “That will then enable us to not only have commercial transactions but to do business with the federal government and serve as a federated credential that an individual can use on a daily basis.”

Schoonover served on active duty, was the first chief of network security at the Pentagon and has been doing cyber security for almost 20 years. He says the company is taking extraordinary steps to protect client information. “We are applying federal standards even though we’re a commercial organization because we want to ensure that the data is encrypted from the second the member connects to our network,” Schoonover says. “Identifying information is encrypted in transit, it’s encrypted at rest and we apply federal standards to all of our business processes.” Troop ID was awarded $1.2 million for the first year of the pilot project, and if all goes as planned, another $1.6 million is available for year two.



NSTIC WINNER: MICHIGAN REMOTELY PROOFING APPLICANTS FOR PUBLIC ASSISTANCE

THE MICHIGAN DEPARTMENT OF HUMAN SERVICES WILL PILOT THE USE OF SECURE, PRIVACY-ENHANCING ONLINE IDENTITY VERIFICATION AND AUTHENTICATION SOLUTIONS WITH BRIDGES, MICHIGAN’S INTEGRATED ELIGIBILITY SYSTEM THAT SUPPORTS ONLINE ENROLLMENT AND REGISTRATION FOR CITIZENS SEEKING PUBLIC ASSISTANCE.

Michigan’s Department of Human Services will use a $1.3 million NSTIC grant to pilot an automated initiative to help clients establish their identity and avoid concerns related to cyber fraud. Michigan is among the top states for identity theft complaints, and today half of the agency’s applications for benefits are made online. “We just want to ensure that a client is who he or she says they are,” says Dave Akerly, acting director of communications for the Department of Human Services.

The new initiative will focus on eliminating the manual review of applications, giving clients a fast and accurate way to prove their identity. “We want there to be a front-end component that really does make it clear to the person who’s applying – the person who is putting forth sometimes intimate personal details that have to be cleared through federal regulations, statute and state law – that they are who they say they are,” Akerly says.

The human services department will pilot the initiative in conjunction with a system called Bridges. “It does a lot of the program work by ensuring that notices are properly sent and benefits are correctly loaded,” Akerly says. “This will help us institute a protocol at the front end to help vet an identity. What we want to avoid is a situation where folks have to come in and get a manual review of their application. It slows down the process, and the slower that goes, the slower benefits get out to people who are truly in need.”

The human services department is drafting a waiver to the U.S. Department of Agriculture to use automatic online software to screen for identity theft. The team that will help implement the pilot includes LexisNexis, Deloitte and the Michigan Department of Technology, Management and Budget. “This will be a team effort through Bridges to identify and implement the best way to go forward with this,” Akerly says. “In early 2014, I anticipate that we’ll be making some real headway.”

Within a few years, Akerly expects clients will be able to receive their application decision in a very efficient manner online without having to show up in person and wait. “Hopefully, the literally millions of people that we serve who truly are in need, will think the process is working for them and is being conducted in an efficient and honest manner, and that their identity is safe,” Akerly says. “That’s our number one goal.” The Michigan Department of Human Services plans to integrate the auto-verification process with the help of LexisNexis and the other partners early next year following successful testing of the new solution.


NSTIC WINNER: PENNSYLVANIA TEARING DOWN IDENTITY SILOS EN ROUTE TO STATEWIDE FEDERATION

PENNSYLVANIA IS GOING TO USE THE NSTIC PILOT FUNDS TO ENHANCE USER IDENTITY MANAGEMENT AND MODIFY DIFFERENT APPLICATIONS TO CREATE A STATEWIDE FEDERATION.

The Commonwealth of Pennsylvania has had an identity and access management road map in place for a number of years. “It encompasses things like directory services, single sign-on identity management provisioning, and we have best-of-breed applications at the enterprise here for each of those areas,” says Frank Morrow, program manager for Identity and Access Management with the state. “We have been involved with the various identity and access management-related federal programs, and certainly when National Strategy for Trusted Identities in Cyberspace (NSTIC) came up a year or so ago we were out there looking at it,” Morrow said.

Pennsylvania was awarded $1.1 million for a one-year pilot to enhance existing user identity management for citizens and modify various applications. Pennsylvania applied for an NSTIC grant in 2012, but Morrow said it wasn’t a good fit because it was geared more toward the private sector. Now that they have the funding, the state will work toward a more pleasant and secure experience for users. They’ll start breaking down some of the barriers that greet citizens as they wade through different agencies and applications.

“Like many state governments, a lot of our applications and resources for citizens have been developed across agencies – each having their own user ID, password and security models,” Morrow says. “A citizen moving between applications or seeking services from a different agency may have to register multiple times and maintain different IDs and passwords.” With the help of the grant, Morrow sees a future in which Pennsylvania residents will be able to interact with government agencies in a more seamless way, free from all the silos that they currently encounter.

“Within our own government itself we have a lot of duplicative efforts here – both maintaining all the different systems that track the users, the user populations that are coming to them, validating their identities and making sure we’re dealing with the people they claim to be,” Morrow said. If this pilot project is a success, Morrow says consumers will be able to go from one application to another, or from one agency to another, without the hassle of having to create new identities with each of those applications or agencies. “For the government, we’ll be breaking down some of these silos, sharing the information rather than creating more information at each level,” Morrow says. In addition, they’ll also reduce the number of errors during data collection, lessening the potential for fraud.

“This will be a voluntary application for our citizens, they do not have to enroll in it. This is in keeping with the NSTIC principles. Obviously, we think it would be to their benefit, but it is voluntary,” Morrow said. “I think this will have some great benefits for both the citizens and our government.”

The Research Triangle Institute will help determine the value of the work being done in Pennsylvania as well as in Michigan. The institute was awarded $300,000 to evaluate the results of the identity solutions deployed by both states.



CULTIVATING AN ID PROGRAM
TAILORING CARDS, PERIPHERALS AND PRINTERS FOR YOUR ORGANIZATION’S NEEDS
CONNELL SMITH, VICE PRESIDENT AT DATACARD GROUP

Organizations are constantly challenged with how best to combat daily threats and keep identities, proprietary information and equipment from falling into the wrong hands. One of the best ways to do this is to implement a secure identification program that provides credentials for everyone walking through the doors. Implementing a streamlined issuance process can guard even the most sensitive data and ultimately boost productivity and profits. If your organization would like to implement or upgrade an ID card program, how do you get started?

DETERMINING YOUR BUSINESS NEEDS

The first step is to determine your needs. This will help ensure that you are selecting the best solution for the size of your organization, which is vital as needs vary from large to small organizations. Before you can really begin searching for the appropriate vendor and products, you must figure out how the ID cards will be used: visual identification, machine-readable authentication, or physical and logical access control. In addition, it’s important to determine how many cards you will need to print and then establish an annual quota. Will you be doing a small batch of printing, which is typically less than 1,000 cards annually, large batch printing of more than 5,000 cards annually, or somewhere in between? You will likely start with a higher volume issuance at the beginning of your program, but the number of cards printed annually may decrease if the company will only be conducting re-issues or issuing credentials to new employees. By knowing the card’s purpose and quantity, you can begin to determine the level of sophistication needed in your overall solution.

CONSIDER THE CARD ITSELF

Before choosing a system, it is important to consider the card itself. This will help determine the type of printer you will need. Organizations should always take into consideration the following three elements when determining the card that will suit their needs:

Visual elements: Consider how you want the card to look. Visual elements include logos, photos, signatures and other items that are printed on a card. Anything printed on your ID cards will play a part in your overall brand, so printing should be consistent and high quality as the cards are “mini billboards” often seen out in the community. In addition, it’s important to consider whether you want one- or two-sided printing as well as monochrome or full-color cards. This also helps narrow down the printer you will need.

Security, durability, overlays and lamination: How long do you want the card to last? Do you want it to last one year, five years, 10 years? Durability of the card will play a large factor in determining how long a card can last, and overlays provide varying levels of durability, abrasion resistance and chemical resistance. Lamination is also a great way to help extend the life and allows for more added security features with holographic printing, optical variable devices (OVD), microprinting, etc. This also protects cards against fraud and counterfeiting by using sophisticated technology and print capabilities.

Technology features: Consider what technologies will need to be incorporated on the card. Will there be a smart card chip, biometric data, bar code or magnetic stripe? Will there be a photo and a signature on the card? Standard card security is used with magnetic stripe encoding, and nearly all card printers can be purchased with this feature. The common uses for these include secure access along with time and attendance monitoring. Alternatively, you can upgrade a system or purchase a more robust printer that supports smart card technology to allow more advanced or detailed information to be stored directly on cards.

SELECTING THE RIGHT SOLUTION

With all this information in hand, you can now consider the solution that best suits your needs. An ID card program should have three key elements:

Software: Having the right software that can easily integrate with the printers you have selected will help streamline the issuance process, guard the most sensitive data, and ultimately boost productivity and profits. The software should offer powerful, user-friendly tools for card design, secure card production and flexible management of your complex integrated ID program.

Hardware: Choosing the right ID card printer that is coordinated with appropriate ID software and associated camera(s) can create a powerful impact in your card program for many years. There are various hardware options that you can choose from for your ID card programs that, depending on your needs and budget, can vary from entry-level systems to high-end systems that have the most robust technology and personalization features on the market today.

Supplies: ID card printers require various types of printer ribbons depending on your needs and the printer model you select. Each ribbon has the capacity to print a certain number of cards, so once you determine how many cards you will print annually, you will be able to calculate the number of ribbons you will need. In addition, you may need laminates and overlays for the security features on the card.

THE IMPORTANCE OF INTEGRATED PLATFORMS

Having a tightly integrated platform of hardware, software, supplies and global support from a single source – as opposed to a collection of disparate systems from various companies – can prove invaluable when shopping for your ID card program. After the thorough evaluation of the function and business needs for your organization, a supplier can give recommendations to help narrow down the search for a complete ID card program. The following questions are crucial in selecting the right solution:

Will the cards be printed and personalized on one side or two sides?
Will you need full color options or monochrome (single color)?
Do you need the cards to be embossed?
Where do you need the data encoded (magnetic stripe, bar codes, contact or contactless chip)?
What level of security will you need on the cards?
What cardholder information are you looking to include on the card (photo, signature, biometrics, personal data)?

Answering these questions will help determine the ID card solution that best fits your needs, from specific features on printers – such as full color printing with direct-to-card or retransfer printing, embossing, indenting and multi-hopper options, or smart card encoding – to UV and holographic security features – such as topcoats, overlays and laminates to protect against daily fraud and counterfeiting threats.

It’s important for companies to integrate technology for their identity programs that will help them protect their investment as well as grow and change with their needs. Ultimately, finding a trusted partner is key. Together you can evaluate needs and select a solution that seamlessly integrates into existing systems and can scale to ensure that your organization gets the best possible return on its investment.



NIST RELEASES FIPS 201-2
DERIVED CREDENTIALS, BEEFED-UP CONTACTLESS, POST-ISSUANCE UPDATES ADDED

The latest smart card specification for U.S. government employees was released by the National Institute of Standards and Technology. Federal agencies will now have 12 months to issue cards that comply with the revised FIPS 201-2 standard. The standard followed the path laid out in previous drafts, says Bob Dulude, director of Federal Identity Initiative at HID Global. “It’s pretty much what we expected,” he adds.

The industry seems positive about the path forward with the new spec. “FIPS 201-2 is a major improvement and update of FIPS 201-1, which was published in March, 2006, more than seven years ago,” says Steve Howard, vice president of credentials at CertiPath. “During this time, we have seen a tremendous uptake in the use of PIV technology, and with that uptake, a laundry list of desired changes had accumulated.” More than two years have passed since the first draft of FIPS 201-2 was released, so a lot of time and effort went into perfecting the draft, Howard explains.

One of the bigger accomplishments with the latest spec is that it didn’t wipe away existing systems, says Neville Pattinson, senior vice president of government affairs for Gemalto. “They didn’t break the legacy and didn’t strand the entire installed base. It could have been a nightmare of backward incompatibility,” he explains.

As expected, FIPS 201-2 will enable derived PIV credentials on mobile devices as well as a virtual contact interface that expands the functionality of the contactless portion of the card, says Hildegard Ferraiolo, a computer scientist in the Computer Security Division, Cryptographic Technology Group at NIST. The derived credential specification will be detailed in a special publication due out soon, Ferraiolo says. At a high level, the derived credential will enable an agency to place a type of PIV credential on a mobile device so the user can access enterprise applications, virtual private networks or other uses.


“As mobile and alternative devices become more prevalent, using them within the PIV identity ecosystem has been established as a top priority,” Howard says. “This is a welcome change, bringing the use of high-assurance PIV identity into the mobile device ecosystem. This paves the way for a new level of security in iPads, iPhones, Android phones and tablets, BlackBerrys and new devices yet to be introduced.”

But the derived credential could also enable a more secure and faster physical access control system, says Dulude. OPACITY, a contactless interface standard, can be used with the derived credential and the virtual contact interface.

The virtual contact interface will play a role in the realm of mobile devices as well. This interface will enable some of the contact functionality of the credential on the contactless interface. A special publication detailing this portion is being circulated as a draft. One possible use for this could be the tapping of a PIV onto an NFC mobile device to gain access to secure networks and services, Ferraiolo says. “It’s taking advantage of the NFC channel,” she explains. “The virtual contact interface will protect that channel if it’s used with the mobile device.”

BIOMETRIC UPDATES

FIPS 201-2 mandates that the cardholder’s facial image be placed on the smart card, Ferraiolo says. The facial image could then be used at guard checkpoints and for automatic comparison when reissuing credentials. Facial images were optional in the previous specification. The spec also offers iris biometrics and match-on-card fingerprints as additional authentication options. “Contactless biometric on-card-comparison is provided as a new means to activate the card, minimizing the need for the use of the PIN in some settings,” Howard says.

POST-ISSUANCE UPDATES

The new spec also enables post-issuance credential updates, Ferraiolo says. Agencies had run into problems because digital certificates on the device would expire before the card did, and post-issuance updates were not enabled.

CERTIFICATE CHANGES

FIPS 201-2 alleviates prior reliance on the Cardholder Unique Identifier and puts the focus on the Universal Unique Identifier, which will bring PIV and PIV-I closer together. “PIV now provides a mandatory Universally Unique Identifier for each credential issued,” Howard explains. “PIV issuers are now required to issue Asymmetric Card Authentication Keys. Both of these changes align PIV with PIV-I, easing the engineering costs of relying parties supporting both credential types and significantly increasing interoperability between federally and non-federally issued credentials.”

REVISED ‘CHAIN OF TRUST’

The new spec enables federal employees to transfer agencies without requiring that a completely new background check be performed. “This is achieved using the new concept of the ‘chain of trust’ in identity management,” says Howard. “The chain of trust is essential to ensure proper linkage of the individual to the source of authority for the identity record and thus to the credential and the background investigation. Using biometrics, agencies can now swap identity records safely and securely as individuals move within the federal enterprise. This represents significant cost savings and security improvement by avoiding re-vetting of individuals by multiple agencies during the individual’s service to the federal government.”


Usability issues confound NFC and derived credentials

Part of the reason it took two years for FIPS 201-2 to be released was that issues had to be worked out to allow use of a PIV with a mobile device. The early draft of the spec didn’t enable this functionality and was criticized by federal agencies and industry. The ratified version released in September 2013 rectified this issue by enabling derived credentials, using the PIV to spawn credentials onto mobile devices.

Exactly how the derived credentials will be placed on the mobile devices has yet to be detailed, and there will likely be more than one way. One option is to use a mobile device manager and trusted service manager to place the derived credential on the handset’s secure element, be it the SIM or another embedded hardware module.

Another option – with Android handsets embracing NFC and the virtual contact interface enabling a more secure contactless channel – is to use the short-range communication protocol to place the derived credential on the handset. But that might not be the best way, says Neville Pattinson, senior vice president of government affairs at Gemalto. “It’s a little impractical,” he explains. “Holding the card with the phone is a little awkward and I’m not sure people will enjoy that for decrypting and signing emails.”

A potentially larger issue is that most NFC handsets act as card emulators rather than card readers, with the reader functionality turned off, Pattinson says. Then there are battery issues that arise when using handsets as readers. Only a couple of Samsung handsets have addressed this using a special battery capable of handling the extra NFC power demand.



BIOMETRIC PAYMENTS TAKE STAGE AT U.K. MUSIC FESTIVAL

Large concert and festival organizers have been issuing RFID-enabled wristbands for ticketing so attendees don’t have to worry about losing paper tickets. As an added utility, these same wristbands often enable a user to check in at different stages or performances and have that info posted on social media sites. Adding payments to these wristbands has been on the wish list for some time but has been slow to develop.

Payments company Sthaler wants to make purchases easier at festivals by enabling a biometric option, says Nick Dryden, CEO at Sthaler. Instead of having to carry a payment card or cash around a music fest, Sthaler partnered with Hitachi and BT to create a biometric option using finger vein biometrics. “What we wanted was something that was convenient, fast and didn’t require you to carry anything,” Dryden explained.

The solution was used at the UK’s Festival Number 6 in Portmeirion, Dryden says. Performing musicians and attendees pre-registered a credit card at the festival’s web site. Once at the festival the individual showed a photo ID, had their biometric data enrolled and tethered to the payment card. “It takes about 15 seconds and then they’re off paying with their finger,” Dryden says. Some 300 attendees used the system.

Hitachi’s finger vein biometrics technology powers the authentication process, capturing the vein pattern within the finger rather than the fingerprint itself. The system was deployed at some of the bars scattered throughout the festival grounds.

In the future the system could be used for ticketing and potentially even identification, Dryden explains. If an individual is found unconscious they could be identified via their finger vein biometric. If used for ticketing, it could also prevent people from passing paper tickets or RFID wristbands back and forth, preventing ticketing fraud. Sthaler is also working on a mobile version of the system that could be used with smart phones or tablets, Dryden says.

