40 A SURVEY OF ID TECHNOLOGY - WINTER 2014 - ISSUE 40
IDENTITY RISING Handset leaders add biometrics and NFC, dawning a new era in mobile as a credential
+ ID and the airport of the future Is the end near for PIV-I? How much is your IDENTITY worth?
Some security technologies are sooooo yesterday.
Stay on the cutting edge with the interoperable iCLASS SE® Platform — for access control that’s never out of style. Choose HID Global’s iCLASS SE® Platform — the open, adaptable solution that easily integrates smart cards, mobile devices and whatever tomorrow brings, for greater security, flexibility, simplicity and performance. Now as your access control evolves, your budget will stay optimized and your security will always be in style. Start your iCLASS® SE Platform makeover at hidglobal.com/yesterday-reid © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo, the Chain Design, and iCLASS SE are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission.
HOW DOES YOUR COMPANY IDENTIFY ITS EMPLOYEES?
By providing ID badges instantly with an Evolis card printer Evolis card printers include modules allowing personal data to be encoded within the card. You can, therefore, use your badges to secure access and strengthen security within your company. Evolis printers together with cardPresso software offer an easy-to-use and powerful system.
www.evolis.com
We develop solutions designed for a secure and convenient consumer experience – across all channels. Solutions that help our customers increase efficiency, boost growth and build next-generation services. Visit our website to watch the 96 second video on how Gemalto is helping our customers to thrive in the digital world.
gemalto.com ENABLING ORGANIZATIONS TO OFFER TRUSTED AND CONVENIENT DIGITAL SERVICES TO BILLIONS OF INDIVIDUALS. LEARN MORE AT GEMALTO.COM
© Gemalto 2014. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. January 2014 - Credit photos: Thinkstockphotos - CC
Trusted and convenient digital services for billions of individuals
RELIABILITY DELIVERED DEPEND ON CONSISTENT CARD PRINTING WITH DATACARD SECURE ID SOLUTIONS ®
Our printers, supplies and software are engineered and tested to work together so you can dependably deliver IDs on time and on budget. Our commitment to Secure Issuance Anywhere™ means that you can count on Datacard Group to deliver superior reliability and proven technology — anytime and anywhere you need it. Demand the performance you need. Demand Datacard® secure ID solutions. Get started by contacting an authorized Datacard partner near you. Call 1-800-995-0503 or visit www.datacard.com/id
Datacard and Secure Issuance Anywhere are registered trademarks, trademarks and/or service marks of DataCard Corporation in the United States and/or other countries. ©2012 DataCard Corporation. All rights reserved. ©2014 DataCard Corporation. All rights reserved.
CONTENTS

6 Editorial: Identity at cliff’s edge: Jump or retreat?
8 ID Shorts: Highlights from SecureIDNews.com
22 Cover Story: Identity rising: Handset leaders add biometrics and NFC, dawning a new era in mobile as a credential. It is the dawning of a new mobile identity age. Leading handset manufacturers are producing devices with biometrics and communication technologies that enable secure identities for everyone. The use of the mobile as a credential is finally within reach.
23 Chinese payment leader Alipay launches BYOID with FIDO, Nok Nok
24 Apple Watch as an identity token?
26 Professional lacrosse team deploys BYOD security
27 Mobile’s other challenge: Securing data in a BYOD world
30 A cloud over Redmond: Microsoft focuses on BYOD
31 Mobile changing risk profiles in financial services
32 PIV-I, CIV circling the drain: Enterprise ID specs fail to catch on
36 The airport of the future: Identity and automation customize travel experience. Traveling is a hassle – pulling out IDs, keeping track of boarding passes and hauling luggage from one checkpoint to the next. The airport of the future promises to ease the pain with automatic check-in, mobile boarding passes and electronic baggage tags that will personalize the travel experience.
41 New bag tags make luggage smart
42 End of life for feds’ four levels of assurance: Kill them? Revise them? Industry ponders options. The four levels of identity assurance, as defined by the U.S. government, have been criticized almost from the start. Eight years later, there is an effort to revise the levels so they offer greater flexibility and are applicable to commercial markets in addition to government.
43 SP 800-63 defines the four levels of assurance
44 InCommon tailors assurance levels for higher ed
52 Sending access control engineers back to school: GSA mandates new certification for physical security contractors
54 Touchless fingerprints: A new approach to an old modality
56 Campuses deploy multi-factor via higher ed ‘cohortium’
58 MorphoTrust, Confyrm, GSMA win latest NSTIC pilots
60 Airports confront physical access challenges
62 New tools for modern identity: Adaptive and mobile techniques usher in a more secure future
64 Apartments, residences explore cloud-based physical access control: Enterprise technologies also securing the home
66 Vanderbilt, Vodafone pilot emerging access control tech: Take your pick - Bluetooth or NFC for physical security
ABOUT
EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com
EDITOR Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR Andrew Hudson, andrew@AVISIAN.com
CONTRIBUTING EDITORS Liset Cruz, Autumn Cafiero Giusti, Gina Jordan
ART DIRECTOR Ryan Kline
ADVERTISING SALES Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com
SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.
ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2014 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com
IDENTITY AT CLIFF’S EDGE: JUMP OR RETREAT? ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
2014: the year of password breaches, Internet of Things and biometric handsets. True, some of these started earlier, but this year saw these technologies blossom and breaches widen. These are three separate things right now, but they lead up to one thing: the mobile handset as an identifier. And yes, I know we have been here before, but I believe we’re close now. When executives at the largest card companies start talking about the mobile replacing the plastic they produce, a change is on the horizon.

The smart phone – likely coupled with biometrics – will be the consumer’s key to the Internet of Things and an additional factor of authentication to embolden the password.

The U.S. is on a cliff’s edge. Jumping off requires both a proverbial leap of faith and the acceptance of mobile devices to secure online access. The other option is to stagnate, remaining on the precipice with lists of complex passwords and frequent breaches.

The technology to enable secure, easy access exists. It’s a matter of the relying parties – financial institutions, retailers, government agencies, health care and corporations – choosing to use it. But the past year has demonstrated that no company is safe from breach, so the hand may finally be forced.

The mobile is the ideal additional factor because it is virtually glued to the vast majority of consumers. As biometric handsets are becoming the norm, every authentication can readily include multiple factors. Future authentication will be a simple exercise – receive a one-time passcode on the mobile, authenticate to an app and access a system or service … or maybe it won’t require any exercise at all.
Just sit down at a computer with mobile in hand or pocket, and access what you need. The authentication will take place in the background, as long as typical patterns are observed. The Internet of Things dovetails with this as well. While the term has been floated for more than a decade, in 2014 it truly surfaced. The new devices connected online – cars, wearables, thermostats – can serve as identity attributes for authentication. Adjusting the thermostat, driving to work, and a morning run can all be used as authentication factors, evaluating individual patterns throughout the course of a normal day. It’s similar to the fraud alert systems that credit card companies use, monitoring events for normal and out of norm behaviors.
It’s essential that these connected devices are secure and that no one else can gain access to them or the data they generate. Again, a biometric-enabled mobile will be key to this process. There’s a palpable optimism in the air. I think change is on the horizon and it’s just a matter of time before banks, retailers and others embrace mobile as an identifier to make accessing information easy and secure. The cliff’s edge can be frightening, but the alternative has already proven unacceptable.
ID SHORTS
HIGHLIGHTS FROM SECUREIDNEWS.COM
EVOLIS UNVEILS LATEST RETRANSFER PRINTER Evolis introduced the AVANSIA, a new printer that utilizes retransfer-printing technology to deliver high quality, highly durable cards. With retransfer printing, the card layout is first printed on a transparent film and then the print layer is transferred to the card. This technology makes it possible to cover the entire surface of the card, eliminate white edges and protect the print head from damage. AVANSIA’s 600-DPI print head delivers high quality images, as well as sharp texts, microprints and watermarks. The retransfer technology supports and can improve a variety of applications including employee badges, secured access cards, student IDs, payment cards, official identification cards, driver licenses and more. The printer can issue more than 140 single-sided color cards per hour, and supports the delivery of cards in large runs thanks to its 250-card capacity feeder and output hopper. Consumables from the Evolis High Trust range are engineered for use with the new model.

Retransfer technology makes it possible to print on any card profile – PVC, PET, polycarbonate, ABA – even on cards with an uneven surface. To support specific requirements, AVANSIA supports all types of encoding including magnetic stripe, contact smart cards and contactless smart cards. This printer offers additional security via an RFID-based electronic key, which can be removed in order to prevent rogue use. A mechanical lock system is also available as an option. The AVANSIA comes with a three-year standard warranty, coupled with the lifetime warranty on the print head.
TSA SELECTS MORPHOTRUST FOR AIRPORT CREDENTIAL VERIFICATION The Transportation Security Administration awarded MorphoTrust USA a contract to provide Credential Authentication Technology for U.S. airports. The $85 million contract ceiling covers seven years and enables TSA travel document checkers to scan – rather than just visually inspect – passenger credentials at the checkpoint. The MorphoTrust E-CAT automatically checks multiple security features embedded in a passenger’s identification document to ensure it has not been altered or is counterfeit. Once the E-CAT is connected to TSA’s network, this information will simultaneously be verified against the passenger boarding information from Secure Flight, TSA’s watch list matching system. MorphoTrust has provided identity solutions and services to the TSA for more than eight years. The company is the prime contractor for TSA’s Universal Enrollment Services and TSA PreCheck.

QUANTUM SECURE UNVEILS CLOUD-BASED SYSTEM Quantum Secure launched SAFE for Secure Cloud, increasing the accessibility of its physical identity and access management solution. As an alternative to on-premise deployment, SAFE for Secure Cloud offers small and medium businesses a physical identity and access management solution that can increase security across multiple business operations. SAFE for Secure Cloud has the ability to:
- On-board and off-board personnel
- Establish and implement role-based physical access assignments across single or multiple systems
- Support regulatory governance and compliance
- Conduct audits and generate reports
In addition it integrates with human resources, contractor management, training and physical access control systems. Small and mid-sized companies can be up and running with SAFE for Secure Cloud rapidly without the added costs associated with specialized personnel and system administrators, dedicated software and servers. In addition to improving physical and cyber security, SAFE for Secure Cloud ultimately lowers costs.

CALENDAR
2014
NOVEMBER: CARTES Secure Connexions, November 4-6, Paris Nord Villepinte Exhibition Centre, Paris, France. ISC East, November 19-20, Javits Center, New York, New York.
2015
FEB.: 2015 Payments Summit, February 3-5, 2015, Grand America Hotel, Salt Lake City, Utah.
MARCH: NACCU Annual Conference, March 8-11, Sheraton New Orleans, New Orleans, La. Connect ID, March 23-25, Walter E. Washington Convention Center, Washington, D.C.
APRIL: RSA Conference 2015, April 20-24, Moscone Center, San Francisco, Calif.
MAY: CARTES Secure Connexions America, May 5-7, Walter E. Washington Convention Center, Washington, D.C.
JUNE: Smart Card Alliance Government Conference, June 9-10, Walter E. Washington Convention Center, Washington, D.C. SDW 2015, June 9-11, Queen Elizabeth II Conference Centre, Westminster, London, UK.
SEPT.: 2015 Global Identity Summit, September 15-17, Tampa Convention Center, Tampa, Fla.
PKI, BIOMETRICS PROTECT HOLLYWOOD’S BIG SCREEN MOVIES For some, heading to the movie theater is a hassle, and instead of making the trip it is easier to view the latest blockbuster release in the comfort of their home screening room. This option isn’t for everyone but for those lucky enough to have the means, movie studios want to make sure that the content isn’t being copied and sold elsewhere. To ensure this is the case, PRIMA Cinema is using PKI technology from Thales to protect the data, says Richard Moulds, vice president of product strategy at Thales e-Security. Customers apply for membership to PRIMA Cinema and have to purchase a player that includes a two-terabyte drive and a swipe fingerprint sensor, Priyadarshi says. Authorized users swipe their fingerprint in order to confirm a purchase, $500 for major studio releases and $250 for independent content. “We focused on the payments market, but this is an example of the digital cinema space using cryptography to protect distribution of new release movies at the peak of their value,” Moulds says. “Without cryptography and digital certificates it would not be possible to offer this service.” The movie studios were hesitant to offer content without a high level of protection, says Shaiwal Priyadarshi, CTO at PRIMA Cinema. The system uses FIPS 140-2 certified cryptography to secure the data and Thales hardware security modules to generate and protect the keys. There are also unique digital watermarks in the background of all the data sent.
GEMALTO ACQUIRES SAFENET IN $890 MILLION DEAL Gemalto is acquiring SafeNet, a provider of data protection and software monetization, from Vector Capital for $890 million. The purchase is expected to bolster the company’s enterprise security offering, says Paul Beverly, chief marketing officer at Gemalto. The company has dominant market share in the telecom, banking, government and machine-to-machine markets but it wanted to make a move in the enterprise world, or “security at the edge,” Beverly adds. SafeNet is involved in three primary lines of business: security for the enterprise, digital rights management software and hardware security modules, Beverly explains. The last two will be new lines of business for Gemalto. “This isn’t about buying a small company and stripping them down,” Beverly explains. “We’re taking them and putting them into a business segment where we’ve been underrepresented.” Gemalto and SafeNet also serve some of the same clients but in different areas, Beverly says. “We’re going to have more products and services that we sell to the same companies,” he adds. SafeNet is headquartered in Belcamp, Md. with satellite locations in 27 countries. The company is one of the largest digital information security companies in the world, trusted to protect and manage sensitive data and high value software applications. As an example, SafeNet technology protects more than 80% of the world’s intra-bank fund transfers and its 1,500+ employees, including 550 cryptographic engineers, serve more than 25,000 corporate and government customers in more than 100 countries. Customers utilizing SafeNet solutions include Banamex, Bank of America, Cisco, Dell, Hewlett-Packard, Kaiser Permanente, Netflix, Starbucks and many more of the world’s best known companies. In 2013, SafeNet recorded revenues of $337 million and profit from operations of $35 million and expects revenues of $370 million and profit from operations of $51 million for 2014. The deal is expected to close in the fourth quarter.
U.S. BUSINESS OWNERS ‘CARELESS’ WHEN IT COMES TO PASSWORDS Some 74.2% of business owners keep a written log or have another type of offline system to record passwords, according to research conducted by Swivel Secure. That means Post-it notes and Excel files are still one of the main ways that people are remembering passwords. The study of 2,500 working Americans surveyed participants’ Web habits and showed that business owners are taking insufficient steps to secure access to their workplace systems, setting a bad example to staff and dangerously exposing company data. Other results from the survey show further apathy towards passwords. Some 63% of business owners continually re-use the same passwords to log in to different systems, yet 61% remain “unconcerned” with the security of their corporate systems. “Consider this: if passwords are reused across personal and corporate systems – which more than one in five U.S. employees openly admit to – it only takes one employee’s Twitter or Amazon password to be hacked for unauthorized network access to be gained, compromising the entire network and all of the sensitive information held within,” says Fraser Thomas, vice president international at Swivel Secure Inc. Business owners, typically privy to the most business critical data of all, really should be trying harder to keep their passwords closer to their chests. The study suggests that this ambivalence has trickled down to influence the attitudes and behavior of employees. In fact, 73% of full time U.S. workers admit to re-using the same batch of passwords online, with 33% using fewer than five different passwords to access between 25 and 50 personal and business sites. The study also suggests that diligence online appears to decrease with age. An incredible 71% of 55-64 year olds are ‘unconcerned’ by the security of their work IT systems, compared with 47.1% of those aged between 25 and 34.
DISNEY CEO SAYS MAGICBANDS ARE A SUCCESS Walt Disney World’s investment in MagicBands seems to be paying off, according to Disney CEO Robert Iger. In a conference call to discuss third quarter earnings, Iger said about half of the guests at Florida’s Disney theme parks are using the colorful wristbands at a cost of $12.95 plus tax. He said 90% of users rate the MagicBand experience as excellent or very good.
The MagicBand uses radio frequency technology. Guests can tap the band to touch points in places around the park, including entrances and FastPass+ locations. Guests are also required to provide biometric identification – a fingerprint – or a photo ID at the entrance. A four-digit PIN is required for purchases using the MagicBand, and the same band can be used on return visits. MagicBands are never turned off, so it’s up to guests to deactivate them. “The ability to use the MagicBand for meal and merchandise purchases is currently available only to those guests who are staying in a Walt Disney World owned-and-operated hotel,” says Disney spokeswoman Marilyn Waters. “The charges are applied to the guest’s hotel room account. The MagicBand does not connect directly to a credit card.” Resort guests can use the bands to unlock their room door and pay for most anything on site. MagicBands can be disabled if they’re lost or stolen, and there is no GPS-tracking on the bands. Disney says security measures are in place to keep users’ personal information safe. No private information is stored on the MagicBand, which contains a randomly assigned code that links to an encrypted database, which in turn keeps track of the experiences the user has selected. The bands were rolled out in conjunction with the guest vacation planner MyMagic+, an app that enables users to book a trip and keep track of their plans through their mobile device. Q3 was the first full quarter that all Disney World guests could participate in the program. Iger says the whole MyMagic+ experience is still in a test phase so there’s no revenue impact to speak of yet. “This is a very significant undertaking from a technological perspective, and we really want to make sure that we walk before we run because we don’t really want to overload our technological backbone,” Iger told reporters. He says another beta phase started in August and he expects MyMagic+ to start contributing to park earnings growth by late this year. “Right now, we’re mostly adding costs associated with Magic+ ahead of what will be, we believe, some interesting revenue generating opportunities,” Iger says. “I can also say that it’s working, meaning those using it have reacted very well. This test that we’re in right now will be used by over 80,000 guests.”
UNIVERSITY OF TEXAS DEPLOYS ‘INVISIBLE AUTHENTICATION’ Online security firm Toopher deployed its location-based, multi-factor solution at the University of Texas at Austin, the birthplace of the company’s technology. The institution’s 24,000 faculty and staff members will use Toopher’s “Invisible Authentication” technology for all financial services, including payroll data and access to W2s. UT employees can download the Toopher app and pair their phone with the service for free. A secure, out-of-band authentication channel is used to push details of a login request. The university is considering an expanded rollout to students as well. “Using the location-awareness of a mobile device, Toopher can automate authentication based on a user’s normal behaviors,” says Josh Alexander, CEO at the company. “The first time a user logs in, Toopher sends them a push notification with pertinent details of the request, and they either hit Allow or Deny to immediately prevent online fraud.” Users can automate future logins when their phone is in that specific location. “Securing university employees in a manner that is thorough, but also simple and non-intrusive to them was paramount to us,” says Cam Beasley, chief information and security officer at UT Austin. “That we could accomplish our goals with an authentication solution that was built right here on campus was fantastic.”
MORPHOTRUST OPENS MORE PRECHECK FACILITIES MorphoTrust USA announced the opening of several new centers for enrollment in the Transportation Security Administration’s TSA PreCheck program. Enrollment is now available at Palm Beach International Airport, San Francisco International Airport, Denver International Airport, as well as an off-airport MorphoTrust IdentoGO Center in Raleigh, N.C. This brings the total number of enrollment centers to 302. TSA PreCheck now serves more than 486,000 registered passengers. IdentoGO Centers serve as off-airport enrollment locations and offer Americans access to a number of identity-related services, such as the secure capture and transmission of electronic fingerprints. Travelers looking to enroll in the TSA PreCheck program are encouraged to pre-enroll online to begin the application process and make an appointment at an enrollment center. Once at the center, trained agents collect biographic information and verify approved identity documents. Applicants’ fingerprints are then electronically captured on a live-scan device and securely transmitted to TSA for review. The TSA completes the applicant vetting process and, assuming that the application is approved, issues a Known Traveler Number, which is sent in the mail. An $85 application-processing fee is required and the Known Traveler Number is good for five years. The entire process takes about two weeks to complete.
OBERTHUR BUYS NAGRAID Oberthur Technologies will acquire a 100% equity stake in NagraID Security SA from the Kudelski Group with financial terms of the transaction undisclosed. NagraID develops and markets powered display cards that secure access to services and sites via one-time password or dynamic card verification value technologies. The cards are typically used by companies offering payment, authentication and identification solutions.
EXPECTID SCORE GIVES RISK MANAGERS MORE OPTIONS IDology has added ExpectID Score to its suite of identity verification and authentication solutions. ExpectID utilizes multiple data sources to verify an identity for any transaction where the customer isn’t present. This is done through knowledge-based authentication questions and by scanning documents like a driver license to verify information. The addition of ExpectID Score “gives the user the ability to assign values to the identity and fraud attributes, then categorize those attributes into risk thresholds,” says Chris Pope, director of product marketing for IDology. The company says its new solution gives risk managers more options to pass, fail or escalate transactions and to group identity risk factors into distinct categories. That, in turn, can improve the client’s efforts with regulatory mandates like the Red Flags Rules.
“ExpectID Score with Adaptive Scoring will help organizations gain a broader view of the fraud tactics that they experience on a daily basis and be able to adapt to them more quickly,” says IDology CEO John Dancu. “Scoring models can be created on demand without extensive IT resources, giving users complete control over the scoring process.” ExpectID users include financial institutions, payment companies, health care organizations and e-commerce vendors. Pope says the solution works with “any type of business that has to verify identity in order to complete a transaction or grant access to information.”
DATACARD PRINTERS ISSUE 40 MILLION DRIVER LICENSES Datacard Group announced that in one year, more than 40 million driver licenses have been issued globally utilizing Datacard government solutions. Moreover, that number is projected to grow as government organizations recognize the benefits of implementing personalization and authentication solutions that help mitigate fraud, protect identities, and demonstrate service improvements to their citizens. Datacard Group’s driver license projects span globally over a wide range of delivery models, processes and environments. This enables the company to continuously learn from the large base of projects and offer insights to customers and partners. In North America alone, 18 million driver licenses were issued in more than 15 states and provinces. Globally, Datacard Group projects that the number of driver licenses issued each year will continue to increase as more and more programs transition to increased security features such as laser engraving. For example, the entirety of the European Union has already taken the action to mandate all driver licenses migrate to laser engraved polycarbonate cards.

PRODUCTIVITY AND COST-EFFICIENCY FOR YOUR CAMPUS.
Schools, colleges and universities are increasingly measured by their ability to:
- simplify the registration process
- create a safe environment for students and staff
- manage real-time access control to campus residence halls
- provide innovative payment options for students at campus cafeterias and bookstores
Secure Student ID Cards
With the ZXP Series 7™ you can create staff, student and visitor ID cards and manage access to the entire campus. Thanks to its high performance and fast throughput, the ZXP Series 7 provides crisp image quality and more productivity with low cost per card. Learn more at www.zebra.com/zxpseries7. ©2014 ZIH Corp. All rights reserved.
Explore Zebra’s SMART Campus from Security to Mobility, Tracking and Registration Management. zebra.com/smart-campus
EID PASSPORT PLACED ON TSA’S TWIC TECHNOLOGY LIST Eid Passport’s RAPID-RCx Program has secured placement on the Transportation Security Administration’s Transportation Worker Identification Credential (TWIC) Qualified Technology List. The technology was evaluated by accredited testing laboratory atsec information security. The RAPID-RCx Program adds multicredential scan, read and verify capabilities to the RAPIDGate System and helps users quickly and securely authenticate TWIC and other government-issued credentials for streamlined facility or vessel access. Commercial maritime facilities and vessels subject to TSA and Coast Guard regulations require persons entering secure areas to present a valid TWIC, which may be subject to inspection using a QTL-listed TWIC reader. The RAPID-RCx Program electronically validates the TWIC using a portable handheld device to determine the validity of the card and confirm it has not been tampered with or placed on TSA’s Cancelled Card List. The program also provides multifactor authentication by using the digital ID image and fingerprints stored on the card’s chip, enabling additional authentication of the person requesting access.
LEGIC UNVEILS IDCONNECT Legic’s IDConnect is an aggregation service that enables a consumer to use a smart phone for virtually any contactless smart card application. With IDConnect, mobile phones can become door openers, tickets, time-recorders and more.
The advant on mobile applet from LEGIC is stored on the secure element of the mobile device such that LEGIC takes on the role of a trusted service manager.
LEGIC IDConnect supports advant and NXP mifare and can be integrated in existing installations. The system is mobile network independent with regard to network operators, SIM providers, secure elements and wallet providers. It also supports NFC and Bluetooth Low Energy. With its API technology, LEGIC IDConnect can be integrated in back-end systems, whether access control, hotel property management or biometrics.
INTEL INVESTS IN DELTA ID TECHNOLOGY TO SPEED UP ELIMINATION OF PASSWORDS Delta ID is closer to bringing its iris recognition technology to the masses thanks to an infusion of cash from Intel Capital and other investors. The $5 million boost will help the California-based biometric authentication provider meet growing demand from some of the world’s leading device makers. The company’s main offering, ActiveIRIS, works reliably under conditions where the users normally use their devices, says Salil Prabhakar, president and CEO of Delta ID Inc. The technology includes patent-pending software to enable iris recognition using simple hardware that can be easily integrated in mobile and other devices. ActiveIRIS works by using a secure camera and performing all image processing and computations within the platform’s trusted environment, Prabhakar says. Intel is investing in biometric companies like Delta ID as part of an initiative to eliminate the hassle of passwords. “Intel Capital’s investment will help accelerate the adoption of iris recognition by the ecosystem of device manufacturers, service providers and users,” says Erik Reid, vice president of Intel’s Mobile and Communications Group.
BARCLAYS ISSUES FINGER VEIN READER TO BUSINESS CUSTOMERS Barclays is taking another step in the fight against fraud with the launch of a finger vein reader using technology from Hitachi. By scanning a finger, customers will be able to access their online bank accounts and authorize payments within seconds, without the need for PINs, passwords or authentication codes. The technology will be available to Barclays Corporate Banking clients in 2015. The device can read and verify the users’ unique vein patterns in the finger, helping to combat identity fraud experienced by UK businesses. Banks in Japan, North America and Europe use Hitachi’s VeinID for password replacement, single sign-on and ATMs. However, Barclays is combining the biometric and digital signature technology in the Barclays Biometric Reader. There is future potential for it to be introduced more widely in UK branch networks, bringing this powerful technology to millions of consumers. The launch of the Barclays Biometric Reader follows the bank’s introduction of voice biometrics for its Barclays Wealth customers to identify themselves on phone calls, removing the need for passwords or security questions.
FINGER VEIN READERS ENABLE BARCLAYS’ CORPORATE CLIENTS TO ACCESS ONLINE ACCOUNTS AND AUTHORIZE PAYMENTS WITHOUT PINS, PASSWORDS OR AUTHENTICATION CODES
MITRE TAPPED FOR CYBERSECURITY CENTER The U.S. Commerce Department’s National Institute of Standards and Technology awarded a contract to MITRE Corporation to operate the first Federally Funded Research and Development Center in support of the National Cybersecurity Center of Excellence. It includes three initial tasks totaling about $29 million. This research center is the first dedicated to enhancing the security of the nation’s information systems. The award marks a new phase for the center, which was established in February 2012 in partnership with the state of Maryland and Montgomery County, Md. The center helps businesses secure their data and digital infrastructure by bringing together experts from industry, government and academia to provide real-world cybersecurity solutions based on commercially available technologies. The contract to operate the development center is a single award contract with a maximum amount of $5 billion over 25 years, beginning with a base performance period of five years, followed by four option periods of five years each. The center engages public and private partners through long- and short-term collaboration efforts, and has been working with members of industry sectors such as health care and energy to identify common concerns and develop model cybersecurity examples and practice guides. It also works with small groups of vendors to develop building blocks to address technical cybersecurity challenges that are common across multiple industry sectors.
NIGERIA ROLLING OUT EID CARDS Nigeria – home to 160 million residents – is launching a national identity smart card that will include biometrics and an EMV payment application. At the end of August the first residents of Nigeria received their eID, a polycarbonate contact chip card that replaced the previous printed plastic identification document. The National Identity Management Commission of Nigeria has rolled out an eID infrastructure, which includes registration authorities, identity management systems and secure card production facilities. Additionally, mobile devices for enrolling, reading and even updating some data stored on the card are part of the infrastructure. To receive the card, Nigerians aged 16 and above need to register at one of the hundreds of enrollment centers across the country. The enrollment process involves the recording of an individual’s demographic data and biometric data – capture of 10 fingerprints, facial photo and iris image – to authenticate the cardholder and ensure that there are no duplicates on the system. Upon registration, the commission issues each Nigerian a unique National Identification Number, followed by the national eID card.
The Nigerian program is placing a focus on payments with the motto, “Bank the Unbanked.” It provides first time access to electronic payments for millions of Nigerian citizens. Using the card as a payment tool, Nigerians can deposit funds, receive social benefits, save, or engage in many other financial transactions that are facilitated by electronic payments with biometric verification. Cardholders can also pay for goods and services and withdraw cash at millions of merchants and ATMs that accept MasterCard payment cards in Nigeria. The eID is also being used as proof of identity and to conduct digital signatures.
In future phases the card will be extended to function as a driver license, health information card, tax record and voter ID. The various applications that run on the Nigerian eID card have been implemented with Java Card technology. The Nigerian eID project represents one of the largest Public Key Infrastructures deployed worldwide. This PKI is comprised of eight certification authorities and will issue more than 300 million certificates. Partners in the eID program include MasterCard as the payments technology provider, Unified Payment Services Limited as the payments processor and Cryptovision as the Public Key Infrastructure and Trust Services provider.
TRUST HUB WANTS TO MAKE IT EASY TO DEPLOY SECURE APPS Gemalto’s Allynis Trusted Services Hub enables financial institutions, enterprises, transport operators and other digital service providers to benefit from a single connection to securely deploy mobile services across a portfolio of smart phones and mobile networks around the world. “The trust hub connects service providers to multiple mobile network operators and helps these providers accelerate getting their services to the devices,” says Amol Deshmukh, vice president of MFS Solutions at Gemalto. Through the trust hub, customers get access to more than 1.5 billion NFC smart phones already equipped with secure elements covered by Gemalto-contracted Trusted Services Management platforms. These include more than 100 million high-end “multi-tenant” SIM cards already in place to protect and manage sensitive application credentials. The trust hub is also ready today to handle a number of future configurations:
- Embedded Secure Elements, which are becoming available in some handsets
- Trusted Execution Environments that will be running inside next-generation mobile devices
- Emerging tokenization standards
Deshmukh offers an example of how the hub could be used to provision an identity credential. In large online roleplaying games, players buy extra weapons, credits and other artifacts through their play. Once the player gets to a certain level, he might want to take extra steps to secure the account from tampering. The game can use the trust hub to provision a secure two-factor application to the player’s mobile device for access to the game. The Allynis Trusted Services Hub in particular removes the need for multiple, individual contracts between service providers and mobile security enablers, which are typically required in open security schemes. The hub is operated from Gemalto’s secure data centers, delivering standards of scalability, availability and banking-grade security.
8 BILLION SMART CARDS SHIPPED IN 2013, AND GOVERNMENT ID, PAYMENT CARDS AND SIMS WERE THE LEADING MARKET SEGMENTS
GOVERNMENT, SIM AND PAYMENTS MAKE UP 87% OF SMART CARD SHIPMENTS Electronic passport deployments, the move to EMV and the ever-popular SIM are still responsible for the vast majority of smart card shipments across the globe. Smart card shipments totaled 8 billion units in 2013, with government ID, SIM, and payment and banking applications accounting for 87% of all shipments, according to ABI Research. In these three market verticals, Gemalto, Oberthur, G&D and Morpho led the way with a combined 2013 market share of 66%. It is expected that these three applications will account for 89% of all smart card shipments in 2019. In government ID, volumes are expected to increase more than two-fold between 2013 and 2019. Opportunities in the continued migration to e-passports will be boosted by the introduction of the Supplemental Access Control specification alongside migration to second-generation credentials by those countries that wish to use contactless functionality alongside existing contact applications. In the payment and banking market, EMV and smart card adoption is forecast to increase from 1.67 billion units in 2013 to 3.33 billion in 2019. As of the third quarter 2014, the year has been prosperous with the U.S. starting wide-scale EMV card issuance, alongside China ramping up its People’s Bank of China migration. Moving forward, other growth countries including Indonesia and India will add additional volumes.
In the SIM segment, the biggest question mark resides. SIM card shipments decreased in 2013, down to 4.9 billion units from a previous 5.1 billion. A difficult 2013 has raised questions around the ability for the SIM market to bounce back. But inclusion of SIMs into other devices bodes well. “We are already seeing greater SIM penetration into other connected consumer electronic devices, driving a new wave of growth,” says Phil Sealy, senior analyst at ABI. “Additionally, embedded SIMs could trigger greater adoption into M2M applications and likely reduce the cost barriers for inclusion into consumer devices. The message is not to write off the SIM card market just yet, as new opportunities are on the horizon.”
IDENTITY RISING Handset leaders add biometrics and NFC, dawning a new era in mobile as a credential ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
Bring Your Own Device is the new sheriff in town and its deputy is Bring Your Own IDentity. But to follow the analogy, we’re still living in the Wild West. Thankfully, however, the future looks brighter as manufacturers are producing devices with greater security capabilities. This promises to both protect corporate resources and open doors to use of the mobile as a secure identity token. Tablets and handsets have become the go-to devices for employee use, replacing desktop and laptop computers. Increasingly, employees are the ones who own these devices but are using them for both work and personal purposes. Thus the same employee-owned device enables access to secure corporate resources as well as apps, games and family photos. Using the mobile device as an identity token is the dream for enterprises that may soon be realized. As more devices deploy biometrics, use near field communication and Bluetooth low energy, securing devices and using them as tokens is becoming a reality. Organizations are also working on standards that will make the ubiquitous mobile the token everyone owns.
A BIOMETRIC ON EVERY HANDSET Two years ago, the number of biometric-enabled handsets in the field numbered in the thousands. Since then, Apple has released three iterations of its iPhone handset complete with a fingerprint scanner. This year, Samsung did the same with its flagship device, and a host of other makers are poised to follow the trend. There are now tens of millions of handsets in the market that can be secured with a fingerprint. What’s more, the biometric capabilities embedded in these devices can also offer secure access to apps on the phone, easing the pain of having to type long passwords on tiny keyboards.
Apple wasn’t the first device manufacturer to put a fingerprint scanner on a device, but it might be the first to have done it well. While Touch ID was initially limited to controlling access to the handset and iTunes store purchases, it has since been opened up, enabling app developers to take advantage of the scanner. The newly announced Apple Pay service will also leverage it to authorize purchases made via the handset. Samsung’s Galaxy S5 has similar abilities and can authorize payments with PayPal. Galaxy S5 owners can make purchases at brick and mortar merchants that accept PayPal, and users can also authorize payments online.
Developers can also use the fingerprint scanner on the Galaxy for access to apps, but there hasn’t been a rush to take advantage of the functionality, explains Alan Goode, principal at Goode Intelligence. “A few smaller banks have done it to gain publicity,” he says. “Some larger banks may integrate a part of it into their banking app, but don’t yet know if it will be for primary authentication or secondary authentication while in the app.” One issue is the detail around the authentication protocol. Developers don’t know the details surrounding the accreditation and certification of the fingerprint scanner, so there are trust issues, Goode says. Though currently it might not be secure enough for some providers, more will begin to take advantage of the fingerprint scanner, Goode says. Organizations might do some authentication to the device – for instance, send an OTP – before enabling the scanner so the device is registered before the fingerprint is enrolled.
The FIDO Alliance, a secure authentication consortium, has already enabled the Samsung scanner and is planning to release a client that takes advantage of Touch ID, says Brendon Wilson, director of product management at Nok Nok Labs. The FIDO client will enable organizations to do more with the fingerprint scanner than just unlock the device. FIDO will enable remote authentication without having to rely on Apple’s iOS keychain to store the passwords, instead creating a secure bridge that uses cryptographic keys rather than passwords, Wilson explains. With Apple, Samsung and other manufacturers implementing fingerprint and potentially other biometric modalities, it’s important to be able to use these technologies for a wide range of purposes in a secure manner, Wilson says. Whether or not Apple will change the face of online identity, Wilson wouldn’t say, but the company is having an impact. “It sets a new expectation around user experience,” he says.
Chinese payment leader Alipay launches BYOID with FIDO, Nok Nok With more than 100 members, including some large relying parties, the FIDO Alliance wants to position itself as the standard for mobile identity. There are a myriad of authentication options available, but none has established dominance. “When you try to do this in a proprietary fashion you have 100 vendors out there and none of them are gaining traction,” says Michael Barrett, president of the FIDO Alliance. FIDO is trying to develop a standard specification that these vendors can use so the different technologies can work together, Barrett says. Companies in the different FIDO working groups are implementing the specification. The work being done by the FIDO Alliance will help make online identity easier in the future, says Alan Goode, founder of Goode Intelligence. “We’ll have a framework of standards that multiple technology vendors can support and offer strong authentication for a number of devices,” he explains. “This will make it easier for the end user to securely assert their identity.” Case in point, FIDO member Nok Nok Labs, is securing online payments for a Chinese provider via the fingerprint sensor technology in the Samsung Galaxy S5. Alipay, the largest third-party online payment solution in China, provides a way for individuals and businesses to make and receive payments online and on mobile phones. The company offers payment and escrow services for transactions on Alibaba Group’s marketplaces as well as to third parties in China. Alipay customers who make purchases and transfers using its mobile wallet no longer need to enter a password. They just apply their fingerprint to the scanner on the Galaxy S5 for a secure mobile shopping experience leveraging FIDO standards, says Jamie Cowper, senior director at Nok Nok Labs.
Apple Watch as an identity token? The Apple Watch won’t be out until 2015 and a lot remains unknown about the newest wearable on the block. We do know the watch will have near field communication and enable payments. It’s also very possible the watch will have Bluetooth Low Energy. During the keynote announcing the device, there was mention of it being used to access rooms at Starwood Hotel Properties, which has previously announced its use of Bluetooth Low Energy for room access. It’s likely that the Apple Watch’s NFC will be locked down, as it is with the iPhone. But could credentials be ported to the watch using Bluetooth? Physical and logical security providers are certainly looking at ways in which these new wearables can be used to enable additional factors of authentication.
NFC AND BLE LET PHONES TALK TO DEVICES, NOT JUST PEOPLE The addition of NFC to the iPhones 6 and 6 Plus is also causing a stir. While the company locked down the NFC capabilities on the new iPhones so it can only be used for Apple Pay, insiders predict the API will be opened up down the road, as it was for the Touch ID biometric scanner. Until it is opened, this will keep other NFC wallets off the iPhones so consumers won’t be able to use SoftCard – formerly ISIS – or Google Wallet. But this also limits NFC’s other possible applications, effectively hamstringing the device. The NFC communications protocol can be used to read smart tags, pair with other devices and replace smart cards for physical access and identity applications. While many in the identity space may have been salivating at the opportunity to provision credentials to new iPhones, they will have to wait before getting the opportunity.
One of the biggest issues holding NFC back in general has been the process of putting credentials onto handsets. Typically, an enterprise would have to contract with the mobile network operators to get access to the secure element to place the credential on the device. This is a complicated proposition because contracts are required with multiple network operators, since employees use different carriers. “Technically everything is possible, but it is a nightmare from a business model perspective,” says John Fenske, vice president of product marketing at HID Global. Host-card emulation, however, is a newer approach to NFC that eases this pain point. Instead of placing the credential in the handset’s hardware secure element, the protocol places it in secure software with access to the NFC antenna. This removes the need for the carrier’s involvement.
While these options are closed off for the NFC-enabled iPhones for now, companies are not waiting. Many are pushing access and identity applications using Bluetooth low energy instead. Every handset produced in the last couple of years comes standard with the communications technology, but it does require Bluetooth to be added to access control readers. HID stores Bluetooth credentials in secure software on the handsets, enabling enterprise administrators to manage issuance via a Web portal, Fenske says. The employee receives an email or text message to download an app and the credential. Once the credential is activated, the Bluetooth access control reader can read it from 10 to 15 feet away, Fenske says. To reduce the potential for accidental reads, the employee twists the phone near the reader to invoke the device’s accelerometer and initiate access.
COULD THE APPLE PAY WALLET BE THE MODEL FOR AN ID KEY CHAIN?
While any enterprise can take advantage of the Bluetooth on any handset, Apple might be making it easier to take advantage of the NFC functionality. As Fenske says, the obstacle to NFC has been working with all the mobile operators so that credentials could be placed on the devices. The same obstacle existed in the payments market, but banks had to deal with carriers to get credentials on handsets. Apple Pay is taking a different tack. The company is still using a hardware-based secure element, but instead of having the credentials issued over the air, consumers will be able to enroll their own payment cards for use with the payment scheme and store them in Apple’s Passbook wallet.
“The devil is in the details, we don’t know how enrollment on the iPhone is going to work yet,” says Amos Kater, practice leader for mobile and payments at UL. If Apple opens up the API for NFC, it’s possible that enterprises could use this same functionality to add access and identity credentials in the same way they add payment cards to Apple Pay. Without developer tools or access to the NFC, however, all agree it’s too early to tell.
Kater is optimistic about being able to use the iPhone’s NFC for more than payments in the future. Not all cards will need access to the secure element – such as loyalty and frequency cards – so host-card emulation will work in those situations. “I want all my cards, including my identity cards installed in Passbook,” he adds. “I would be surprised if Apple didn’t open up the API for non-secure services down the road.”
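The FIDO-style exchange described earlier in this article (a private key that never leaves the handset, unlocked by a fingerprint match, with the server holding only the public key and never a password) is shown here as an added example; it is not code from FIDO, Nok Nok Labs or any vendor named in this issue. The relying-party ID, user name, the fingerprintMatched flag standing in for the sensor’s verdict, and the signed-message layout are all constructed for illustration and are not the FIDO wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Assertion is what the handset returns: no password, only a signature the
// server checks against the public key enrolled at registration.
type Assertion struct {
	Challenge []byte
	Counter   uint32
	Sig       []byte
}

// Authenticator models the handset. The private key is generated on the device
// and never leaves it; a successful fingerprint match is what unlocks its use.
type Authenticator struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	counter uint32 // signature counter, lets the server spot a cloned key
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, Pub: pub}, nil
}

// signedBytes is the message that gets signed (a constructed layout, not the
// FIDO wire format): relying-party ID || big-endian counter || challenge.
func signedBytes(rpID string, counter uint32, challenge []byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append([]byte(rpID), ctr[:]...), challenge...)
}

// Sign produces an assertion only when the local biometric match succeeded;
// fingerprintMatched stands in for the sensor's verdict (constructed input).
func (a *Authenticator) Sign(rpID string, challenge []byte, fingerprintMatched bool) (*Assertion, error) {
	if !fingerprintMatched {
		return nil, errors.New("biometric match failed: key stays locked")
	}
	a.counter++
	sig := ed25519.Sign(a.priv, signedBytes(rpID, a.counter, challenge))
	return &Assertion{Challenge: challenge, Counter: a.counter, Sig: sig}, nil
}

// RelyingParty models the server. It stores only public keys, so a breach of
// this table yields nothing an attacker could present as a credential.
type RelyingParty struct {
	ID       string
	keys     map[string]ed25519.PublicKey
	counters map[string]uint32
	pending  map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, keys: map[string]ed25519.PublicKey{},
		counters: map[string]uint32{}, pending: map[string][]byte{}}
}

// Register enrolls the device's public key for a user.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// Challenge issues a fresh random nonce, valid for exactly one assertion.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks challenge freshness, the signature over this RP's own ID, and
// that the counter advanced (a stalled or rewound counter suggests a clone).
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	pub, want := rp.keys[user], rp.pending[user]
	if pub == nil || want == nil || !bytes.Equal(want, as.Challenge) {
		return errors.New("unknown user or stale challenge")
	}
	delete(rp.pending, user) // consumed: a replayed assertion fails here
	if !ed25519.Verify(pub, signedBytes(rp.ID, as.Counter, as.Challenge), as.Sig) {
		return errors.New("bad signature")
	}
	if as.Counter <= rp.counters[user] {
		return errors.New("signature counter did not advance")
	}
	rp.counters[user] = as.Counter
	return nil
}
```

Because Verify consumes the challenge and requires the counter to move forward, a replayed assertion, one signed for a different relying party, and one from a rewound device all fail without any password ever crossing the network.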
Professional lacrosse team deploys BYOD security Executives of the Toronto Rock professional lacrosse team had a problem and didn’t even know it. Running a professional sports franchise means being on the road a lot, and that necessitates easy and secure access to all relevant data and systems. A salesman in one of the offices floated the idea of being able to access work servers on the road or from home. Through a sponsorship deal, the franchise started using mobile security technology from Toronto-based Route1, says Terri Giberson, director of business operations at the team. Only after Route1 installed the system for the team’s business office did executives realize what they had been missing. When at home or on the road, executives use the MobiKEY USB key fob and log in to their work desktop computers. The key fob is inserted and a password is entered to begin the session. “I can access everything and have it laid out like it’s on my desktop,” Giberson says. “It’s seamless for me to work from anywhere.” MobiKEY establishes an encrypted remote session and all data remains within the corporate network and its security controls. MobiKEY only sends encrypted keystrokes and mouse movements from the mobile access point and then updates on the screen. The data the user is accessing never leaves the network, alleviating concerns about it being stolen or copied.
The system has made a huge difference for the ticketing office, says Mike Forty, manager for ticket sales and services. The Rock uses Ticketmaster for its sales and software, but unless he was in the office Forty couldn’t access the data, he explains. The MobiKEY has enabled Forty to access sales data from anywhere at any time.
The MobiKEY Classic2, a USB dongle with an integrated smart card, enables remote access from a Windows or Apple laptop. For iPads, iPad Minis and iPhones the goal is accomplished via the MobiKEY App.
BYOID: USING THE MOBILE AS A TOKEN IN A BYOD WORLD The ultimate goal for enterprises may be to use employee-owned mobile devices as the tokens for access to network resources and physical locations. Instead of issuing ID cards or tokens, individual apps could be downloaded or a mobile device manager could securely load credentials or keys to a handset. Though it might seem like a no brainer for enterprises to avoid issuing costly tokens and move to the mobile, it’s not that easy, says Chris Taylor, senior product manager at Entrust. The same trust issues that exist when accessing data from a personal mobile device still crop up when using an app for authentication. Policies need to be put in place so employees know what can happen in different situations. Many early deployments that used the mobile as an authenticator did not go as planned, Taylor says. Several large enterprises have put the brakes on the technology because employees don’t like the app as much as the hard token. “I’ve seen some large companies come back and say they’re pausing, opting instead for a mixture of apps and hard tokens,” he explains. To date, those going the mobile route tend to rely on one-time password applications as the authentication mechanism, says Goode. These apps work in a couple of ways, generating a password that the user enters or enabling the user to hit a button on the smart phone to send it directly to the server. But in the future the mobile device will enable additional authentication mechanisms, some that won’t even require action from the user, Goode says. “The GPS on the device, behavioral biometrics and learned individual patterns can be used for authentication,” he adds. “All that information goes into a service provider’s risk engine to get a level of assurance.”
THE FEDS TAKE ON BYOID Some want to use smart cards to create derived credentials that can enable the mobile device to serve as an identification token. The U.S. government is exploring the use of derived credentials on mobile devices for access to networks and encrypted email, says Neville Pattinson, senior vice president for government sales at Gemalto North America. These credentials are created from a separate parent credential, often a smart card, and then stored on the mobile device’s SIM. Government agencies are testing different implementations. Some pilots have the credentials placed on the device using a trusted service manager, but the U.S. Defense Department is looking at using NFC and the Common Access Card to place the derived credentials on the handset, Pat-
Mobile’s other challenge: Securing data in a BYOD world The mobile device is going to play more of a role in identification and authentication in the future, but the policies surrounding what an employer can do with the devices are still evolving. “Companies are embracing BYOD, but there are privacy concerns about tracking and wiping of data,” says Chris Taylor, senior product manager at Entrust. Understandably, employees don’t want their bosses to be able to find their location at all times, and they certainly don’t want family pictures or personal apps deleted on a whim. Creating separate, secure containers is one way to deal with this issue, Taylor says. This solution places apps in a secure partition that the enterprise controls. If the partition is corrupted, the enterprise can then disable access for that specific area. These solutions use mobile device managers to monitor the device to make sure it’s not corrupted as well as place the apps on the device, says Garret Grajeck, CTO at SecureAuth. “You’re bringing a device into the enterprise, doing a risk analysis and attaching a user’s identity to it,” he says. But more needs to be done, he says; as mobile devices are becoming the prevalent way employees interact with enterprise systems. “App vendors don’t have a way to own a device so how do they establish an identity in the device?” Grajeck asks.
He proposes that the app redirect an identity request to an outside authentication server using the handset’s browser. This approach is already available in the business-to-consumer world as smart phones enable use of Facebook or Google+ identities on other apps. It’s just a matter of adding further assurance to that identity in the business-tobusiness world, Grajeck explains. When it comes to BYOD, enterprises need to support multiple platforms, says Taylor. Apple’s iOS had been the most prevalent option among employees and also popular with the enterprise. Apple does a good job of vetting apps and malware concerns are lower with iOS, Taylor says. Enterprises have been a little more hesitant when it comes to Android. “Google had taken a more laid back posture when it comes to apps but that has changed in the last six to 12 months,” Taylor adds. In the next couple of years, he believes Android will take over the enterprise market as the operating system becomes more stable and security of the apps improves.
Winter 2014
27
tinson says. In a Department of Defense pilot, employees tap the credential on to the handset to create the derived credential. The drawback to this model, however, is that all existing Common Access Cards and PIV credentials would have to be re-issued since the enhanced contactless interface isn’t a standard feature on previously issued smart cards. It is, however, being included on future credentials that adhere to the FIPS 201-2 specification.
ENABLING MOBILE’S MANY AUTHENTICATION MODALITIES

IdentityX, a Daon company, is looking to take advantage of the biometric scanners and other features of Apple and Android devices so they can be used as identity tokens, says Conor White, president at IdentityX. “Our view is that none of the technologies are perfect or better than the other. They each work in different situations, but the best route is to marry them all into one platform and enable the consumer to choose,” he says.

The IdentityX platform enables authentication of the phone, a user’s face, a PIN and voice, White explains. A site that accepts IdentityX credentials can ping back to the consumer’s handset, authenticate the device and then ask the user to read a random four-digit PIN while looking into a camera for facial recognition. “It validates the phone, the PIN, the face and the voice,” he says. Work is underway to integrate Apple’s Touch ID and Samsung’s fingerprint scanner into the platform.

Services would enable the consumer to choose which authentication modality they wanted and also have a risk-based analysis on the back end, White says. So if an individual is trying to access a service from an IP address that’s atypical, it might ask for more authentication factors than if the individual logs on from their normal machine.

The IdentityX app is stored in secure software on the handset and can work on iOS or Android. After the app is downloaded, users scan a QR code from their computer monitor and then enroll the various biometrics. Already, banks are using the solution to enable employee access to secure networks, and the American Association of Airport Executives and certain AARP members are also using it as part of a pilot for the National Strategy for Trusted Identities in Cyberspace, White explains.

When discussing IdentityX with financial institutions, White says they talk about enabling consumers to choose how they want to authenticate rather than mandating one method. “Banks want a higher level of security but a natural way to authenticate,” he explains. “They don’t want to tell consumers to do it a certain way for concern that they’ll switch banks.”

Verizon Enterprise Solutions has also rolled out a mobile authentication solution that uses the handset as a token, says Tracy Hulver, chief identity strategist for the company. He stresses that mobile ID must be consumer focused. Using a second factor of authentication – be it a physical token or an app on a smart phone – adds a certain level of complexity to the log-on process. Two-factor authentication can stop username and password breaches, but voluntary adoption is in the single digits because users aren’t willing to do anything extra to gain access to their data, Hulver says. “It has to be easier than user name and password, certainly not harder,” he says.

Verizon uses QR codes to make access easy. The user downloads the app onto their smart device, and when they visit a service on a laptop or computer, a QR code appears along with the typical username and password boxes. Instead of typing, the user opens the app on the handset, scans the code and is logged on to the site. Depending on different variables – cookies, IP address, transaction type – the system might prompt for additional authentication. “Relying parties can determine how secure they want it to be,” Hulver says.

Verizon plans to add levels of assurance behind the identities by vetting user identities, Hulver says. Eventually the plan is to enroll everyone buying a Verizon phone into the Universal Identity System when they are at the store. Then consumers would be able to use that vetted identity with stronger assurance at sites that have deployed Universal Identity Systems. For those without Verizon, relying parties that choose to use the system could use knowledge-based authentication to get some level of assurance about users. After being vetted by one relying party, that identity could be used at other sites that use Verizon’s system, Hulver explains. Select enterprise clients are already using the system, and Verizon expects it to roll out in the business-to-consumer market early in 2015.
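The IdentityX risk-based step-up and the Verizon scan-the-QR-code login described above share one shape: the browser displays a short-lived random challenge, the enrolled phone proves possession of a device key over that challenge, the server binds the approval to the browser session that is waiting, and a risk engine decides whether that is enough or whether a PIN or biometric must follow. The following is an added example, not code from Verizon, IdentityX or Daon, that reconstructs that shape generically. Everything not in the article is an assumption for illustration: the device key is a symmetric HMAC key (a production design would keep an asymmetric key in the phone’s secure hardware), the challenge lives 90 seconds, the factor names are `pin` and `biometric`, and the two risk rules (unknown IP, wire transfer) stand in for a real risk engine.

```python
"""Phone-as-token login via a QR code shown in the browser, with risk-based step-up."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

CHALLENGE_TTL = 90  # seconds an unscanned QR code stays valid (assumed value)


@dataclass
class LoginSession:
    challenge: str
    browser_ip: str
    created: float
    approved_user: str = ""
    factors_required: set = field(default_factory=set)
    factors_satisfied: set = field(default_factory=set)

    def status(self) -> str:
        if not self.approved_user:
            return "pending"
        return "approved" if self.factors_required <= self.factors_satisfied else "step_up"


def phone_sign(device_key: bytes, qr_payload: str, device_id: str) -> str:
    """Phone app: MAC the scanned payload together with its own device id using the key
    registered at enrollment (symmetric key is a simplification, see lead-in)."""
    return hmac.new(device_key, f"{qr_payload}|{device_id}".encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.device_keys = {}  # (user, device_id) -> key registered at enrollment
        self.known_ips = {}    # user -> IPs seen on earlier successful logins
        self.sessions = {}     # session id -> LoginSession

    def enroll_device(self, user, device_id, key):
        self.device_keys[(user, device_id)] = key

    def start_login(self, browser_ip):
        """Browser loads the login page: create a session and the payload rendered as a QR code."""
        sid = secrets.token_urlsafe(16)
        session = LoginSession(secrets.token_urlsafe(32), browser_ip, time.time())
        self.sessions[sid] = session
        return sid, json.dumps({"sid": sid, "challenge": session.challenge})

    def risk_factors(self, user, browser_ip, transaction):
        """Illustrative risk engine: which additional factors does this login need?"""
        required = set()
        if browser_ip not in self.known_ips.get(user, set()):
            required.add("pin")        # never seen this user from here: ask for something known
        if transaction == "wire_transfer":
            required.add("biometric")  # high-value action: step up regardless of location
        return required

    def approve(self, user, device_id, qr_payload, mac, transaction, now=None):
        """Phone app posts the signed challenge; bind it to the waiting browser session."""
        now = time.time() if now is None else now
        sid = json.loads(qr_payload)["sid"]
        session = self.sessions.get(sid)
        if session is None or session.approved_user:
            return "rejected"          # unknown, or already used once
        if now - session.created > CHALLENGE_TTL:
            del self.sessions[sid]
            return "expired"
        # Recompute over the challenge the server stored, not the posted payload,
        # so a tampered payload carrying a valid sid cannot pass.
        expected_payload = json.dumps({"sid": sid, "challenge": session.challenge})
        key = self.device_keys.get((user, device_id), b"")
        expected = phone_sign(key, expected_payload, device_id)
        if not key or not hmac.compare_digest(expected, mac):
            return "rejected"
        session.approved_user = user
        session.factors_required = self.risk_factors(user, session.browser_ip, transaction)
        return session.status()

    def submit_factor(self, sid, factor):
        """A step-up factor (PIN, biometric) verified elsewhere; record that it was met."""
        session = self.sessions[sid]
        session.factors_satisfied.add(factor)
        return session.status()

    def finish(self, sid):
        """Browser polls: once approved, remember the IP as normal and hand back the user."""
        session = self.sessions[sid]
        if session.status() != "approved":
            return None
        self.known_ips.setdefault(session.approved_user, set()).add(session.browser_ip)
        del self.sessions[sid]
        return session.approved_user
```

Two details carry the security of this flow. The browser session that displayed the code is the only one the approval can land in, so an attacker who shows a victim a copied QR code still logs the victim in to the attacker’s own browser session; that is why real deployments show the user what they are approving. And the challenge is single-use and expires, so a captured approval message cannot be replayed later.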
SECURING THE MOBILE FUTURE

Handset manufacturers and solution providers are doing their best to bring law and order to the wild west of BYOD and BYOID. The number of options for using the mobile as an identity credential is growing, with biometrics, NFC and Bluetooth just the tip of the iceberg. As these technologies become ubiquitous, authentication will become invisible to the end user, enabling quick, easy and secure access.
A CLOUD OVER REDMOND: MICROSOFT FOCUSES ON BYOD

In a letter to Microsoft employees last June, CEO Satya Nadella told them they “live in a mobile-first and cloud-first world,” where streams of data are constantly in the background. The company wants to seize the opportunity to hook up with all those Internet-connected devices. Key to this vision, Microsoft is turning to the cloud to provide consumers with more identity authentication options and help organizations embrace a bring-your-own-device (BYOD) policy. It’s the next logical step as Microsoft tracks two global trends that are changing not only the way companies work, but also the kinds of IT investments they’re making.

“The first big trend obviously is the move to cloud computing,” says Alex Simons, director of program management for Microsoft’s Azure Active Directory. “People are moving workloads that they previously used on premise. But there’s also a lot of what I’d call unplanned movement to the cloud where different departments are just kind of whipping out their credit cards and buying SaaS applications for their use without involving central IT at all.”

The second trend is the wave of people using a wider variety of devices to do work from anywhere. “They still use their PCs, but they’ll also use their iPhones, iPads, Android phones, Windows phones and a whole bunch of things to get work done,” Simons says. “They expect to be able to do it all in a way that has the same ease of use that great cloud services in the consumer space have.”

Blame Facebook and other social media sites for setting higher expectations for users, particularly millennials. “They’re looking for that same set of capabilities – mobile devices talking to cloud services that they can get to from anywhere in the world, any time of day or night,” Simons says.

Microsoft now optimizes its software for users getting their work done on a phone at Starbucks. The company anticipates that 2 billion devices will be running its smart software next year. “Now a big chunk of those are PCs, and that’s kind of exciting, but an even bigger chunk of those are smart phones and tablets and things like that,” Simons says. “So for us, it’s a big new exciting opportunity to be able to expand the value that we provide in the directory space, for instance, out to a new world of smart devices.”

Simons says mobile and the cloud need each other. It’s not an either-or proposition. “The majority of Microsoft’s employees, partners and customers will be using mobile devices, and they’ll be using them to access cloud services,” Simons says. But people lose things. “If you accidentally leave the iPad in the cab, you need to know that you can quickly turn off access to it and make sure that all the documents on it are secure,” Simons says. “And if somebody picks it up and starts using it, you have to ensure that there’s no way for them to get into your corporate network.”

Microsoft Enterprise Mobility Suite, a cloud solution for BYOD policies, contains a package of services to handle such a situation. It covers hybrid identity management, mobile device and PC management as well as information protection. “We are giving IT directors and chief security officers a new set of cloud services and tools,” Simons says. “I think of it as the new control panel for the Internet, where IT can once again get in control and know that things are secure while still taking advantage of this amazing opportunity of agile cloud services and anywhere, anytime access on any device.”
MOBILE CHANGING RISK PROFILES IN FINANCIAL SERVICES
DIDIER SERRA, EXECUTIVE VICE PRESIDENT, PARTNERSHIPS, SECUREKEY
Mobile apps provide an opportunity for banks and financial service providers to create a new foundation for security and convenience. To capitalize on the opportunity, institutions need to ensure that they are making the most of the device capabilities by enabling strong, cryptographic, device-based authentication. The goal, however, is to hide the security complexity from the user to both increase compliance and eliminate authentication hassles. When this hurdle is passed, mobile services can become the keystone of cross-channel user authentication.

Mobile security is about much more than payments. Two primary trends driving both identity and financial services are the shift from payment card numbers to “tokenization” and the shift from passwords to device-based identities. Both will have a significant impact on how financial service providers understand and model risk profiles. John Hawley said, “Identity is the new perimeter.” It implies the need for a tight binding between the transaction and the person conducting it. Mobile devices are well suited to serve both the user and the service – the key is having the right identity platform in place.
SHIFT #1: PAYMENT CARD NUMBERS TO TOKENIZATION Financial institutions are often on the leading edge of innovation to keep increasingly tech-savvy and mobile customers happy, yet they must always ensure the strongest security possible. The latest shift is towards tokenization. Organizations make tokens available for use on a given consumer device, at any given time, and for any given transaction. The tokens are basically limited-use numerical avatars of the real credentials. They are released by the consumer’s device once proper authentication has occurred using various methods such as a fingerprint biometric swipe or a user PIN entry. Without satisfactory authentication, the token won’t be released. Both the payments industry and card associations support tokenization. With Apple’s support for near field communication and tokenization of payment credentials, a spotlight is shining on the shift. Tokenization is fundamentally changing the risk profile for the payment credentials exchanged over the network. It will serve a vital role in delivering the security that financial services companies demand along with the convenience and mobility today’s consumers expect. This was a missing piece to mass adoption of mobile and NFC payment.
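The properties the column attributes to payment tokens (limited use, tied to a given device, released only after the device has authenticated its user, meaningful only to the back end) are what change the risk profile: a token captured from a merchant or from the network is not a card number and cannot be spent again. The following is an added example, not SecureKey’s code nor any card network’s token service, of a minimal token vault with those properties. The vault key, the card number, the PIN as the local release check (standing in for the fingerprint or PIN step the column mentions), the five-minute token lifetime, the three-attempt lockout and the leading “9” on tokens are all constructed values and assumptions for illustration; real schemes use network-assigned token ranges and Luhn-valid tokens.

```python
"""Limited-use payment tokens issued in place of the card number (illustrative vault)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300       # seconds a token may be presented after issuance (assumed)
MAX_PIN_ATTEMPTS = 3  # failed release attempts before the card reference is locked (assumed)


class TokenVault:
    """Back end: the only place real card numbers (PANs) live. Devices and merchants see tokens."""

    def __init__(self, vault_key: bytes):
        self.vault_key = vault_key
        self.cards = {}     # card_ref -> {"pan", "device_id", "pin_mac"}
        self.tokens = {}    # token -> {"card_ref", "merchant", "issued", "used"}
        self.attempts = {}  # card_ref -> consecutive failed PIN checks

    def _pin_mac(self, card_ref: str, pin: str) -> bytes:
        # Keyed hash so a copy of the card table does not yield PINs; a real vault would
        # use a memory-hard KDF, this keeps the example to the standard library.
        return hmac.new(self.vault_key, f"{card_ref}:{pin}".encode(), hashlib.sha256).digest()

    def enroll(self, pan: str, device_id: str, pin: str) -> str:
        """Bind a card to one device at provisioning; hand back an opaque reference, never the PAN."""
        card_ref = secrets.token_hex(8)
        self.cards[card_ref] = {"pan": pan, "device_id": device_id,
                                "pin_mac": self._pin_mac(card_ref, pin)}
        return card_ref

    def request_token(self, card_ref, device_id, pin, merchant, now=None):
        """Device asks for a token to pay one merchant; released only after local authentication."""
        now = time.time() if now is None else now
        card = self.cards.get(card_ref)
        if card is None or card["device_id"] != device_id:
            return None                      # tokens go only to the device the card was enrolled on
        if self.attempts.get(card_ref, 0) >= MAX_PIN_ATTEMPTS:
            return None                      # locked: too many bad PINs
        if not hmac.compare_digest(card["pin_mac"], self._pin_mac(card_ref, pin)):
            self.attempts[card_ref] = self.attempts.get(card_ref, 0) + 1
            return None                      # no satisfactory authentication, no token
        self.attempts[card_ref] = 0
        # Format-preserving: 16 digits, keeps the real last four for receipts, the rest is random
        # and carries no information about the PAN. Leading "9" is an assumed marker for "token".
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(11)) + card["pan"][-4:]
        self.tokens[token] = {"card_ref": card_ref, "merchant": merchant, "issued": now, "used": False}
        return token

    def detokenize(self, token, merchant, now=None):
        """Payment back end: map a presented token back to the PAN, once, for the right merchant."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec["used"]:
            return None                      # unknown, or a replay of a spent token
        if rec["merchant"] != merchant:
            return None                      # token was issued for a different merchant
        if now - rec["issued"] > TOKEN_TTL:
            return None                      # expired before it was presented
        rec["used"] = True
        return self.cards[rec["card_ref"]]["pan"]
```

The effect on risk modelling is visible in `detokenize`: a token stolen from a merchant’s logs fails three independent checks (already spent, wrong merchant, too old), so a merchant breach no longer exposes reusable card numbers, and the interesting attack surface moves to the device release step, which is exactly where the column puts the authentication.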
SHIFT #2: FROM SECURE MOBILE TO CLOUD Cloud services and mobility are the dynamic duo of usability for today’s connected consumer. Shifting from static user names and passwords to cloud-verified digital IDs, financial service companies can drastically increase consumer convenience and security. It enables customers to use their trusted devices to access online services without having to remember user credentials. Simplifying the security requirements means that consumers are likely to take appropriate measures rather than circumventing them in an attempt to avoid friction in the user experience. Financial service organizations are able to do more security work in the cloud and on the backend, while easing strain on the consumer. The key is to make it easy for customers and hard for crooks. Hide the security in the mobile device, and build your web service with a strong identity platform partner. Guessing passwords is easy for crooks, but getting the phone out of the customer’s hand is hard.
PIV-I, CIV CIRCLING THE DRAIN
ENTERPRISE ID SPECS FAIL TO CATCH ON
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
From ‘identity standard of the future’ to a likely sad footnote for bygone smart card specifications, PIV-I has had quite a ride. Just three years ago experts predicted it would be deployed not only for government contractors but across enterprise markets as well. Seven companies are cross-certified with the Federal Bridge to issue high-assurance PIV-I credentials on behalf of other organizations, but only a few of them are actually doing it. “Costly and complex” is the universal answer when insiders are asked why PIV-I and its less-assured little brother CIV aren’t being used in smart card deployments.

The other issue is that, despite the original promise, PIV-I credentials aren’t really authorized for use within the federal government. So while some government contractors might be using the specification, employees who are contracted at different agencies are still being issued separate PIV credentials for access to facilities and systems. “There’s no mandate for PIV-I within the federal government,” says Steve Howard, vice president of credentials at CertiPath, a PIV-I issuer and one of the founders of the smart card specification.

The idea for PIV-I began around 2006 when the Federal PKI Policy Chair, the Federal PKI Management Authority and CertiPath saw a need for a credential that could be carried by contractors and used at federal agencies and within that contractor’s own physical and logical access systems. The spec was intended for government contractors working on a job for six months or less, as anything more than six months requires a background check and a PIV card.

Two years ago a group of contractors lobbied the White House Office of Management and Budget to change this rule so that contractors with PIV-I could use those credentials instead of having to receive a federally issued PIV. The response was that agencies weren’t concerned, so there wasn’t a need to change the rule. Because federal agencies aren’t accepting PIV-I, there has been little issuance in that space.

At one point, however, there was a lot of buzz around enterprises not associated with the federal government issuing credentials via the specification. Since PIV-I was standardized, the assumption was that products would be readily available, security would be high and, as many organizations began using it, costs would fall. This belief gave rise to another acronym, CIV or Commercial Identity Verification. CIV leverages the PIV-I specifications, technology and data model, but it does not require cross-certification to the Federal Bridge. Any enterprise can create, issue and use CIV credentials according to its own requirements. It’s basically PIV-I without the government-mandated identity assurance.

This mass deployment of PIV-I and CIV, however, hasn’t come to pass. A few financial services companies and health care institutions are considering deployment because the PKI security is attractive to them, Howard says. But that is about it.

Wells Fargo might be the largest to announce a PIV-I/CIV deployment, but the financial institution declined to provide an update on the project’s rollout. At the Smart Card Alliance’s Smart Cards in Government show in 2013, Brian Keltner, information security engineer for smart card access management at Wells Fargo, said that FIPS 201 and CIV were attractive because it’s a standards-based solution that is interoperable, federates and increases levels of assurance to meet policy requirements. According to Keltner, the bank was issuing 5,000 credentials each month across the country. The IDs used PKI validation for both physical and logical access control. CIV Authentication Certificates were used for authentication to end points and network applications and for authentication at door readers. CIV was attractive because it was based on PIV and PIV-I standards but also enabled local policies to be added.

Unless you’re a large organization needing the highest levels of security, there hasn’t been much of a call for the specifications. “Going down the PIV-I route requires a significant commitment,” says Randy Vanderhoof, executive director at the Smart Card Alliance. “Cost is still a big barrier, as is complexity. Enterprises need to make tough business decisions on how much to invest and look at the alternatives out there.”

Outside of select government contractors, Gemalto isn’t seeing a lot of call for PIV-I or CIV, says Neville Pattinson, vice president of government affairs and business development at Gemalto North America. “Gemalto is deploying smart cards for the corporate enterprise but they’re .Net cards that are easier to integrate,” Pattinson explains. “Corporations looking for top of the line security want smart cards and then augment those with mobile devices.”

Cost may be the largest barrier. “If you’re looking to cover a company’s basic needs in terms of logical access there are simpler and cheaper solutions on the market,” says Stefan Barbu, head of secure ID sales and marketing Americas at NXP Semiconductors. PIV-I credentials can cost as much as $50 a year due to certificate management and other issues, says Terry Gold, founder of IDAnalyst. The cost is high for a lot of the components in a system because they all need to be certified and tested. The Certificate Authority alone can run $250,000 per year, and that doesn’t include startup costs, he says. “There are ways now to reduce the cost but they don’t cater to small organizations, don’t scale for larger ones and aren’t full function,” Gold adds.

Part of the complexity of PIV-I and CIV solutions comes in putting together a complete system, Gold says. “Ultimately the most burdensome thing about it is there are no really good supported solutions out there that tie in the whole workflow – request, proofing, vetting, invoking records, issuance and lifecycle,” he explains. “The services are disjointed.” For example, one company might have a great card management system, but will it integrate with whoever is doing the proofing and vetting? “Likely it is going to be a manual workflow,” Gold says. “You have to source that service.”

Moreover, the corporate enterprise doesn’t have the policies and processes in place for everything that has to be done with a specification like PIV-I. “PIV is well thought out on paper but not in practice,” Gold says. “It is only something that government could come up with since they are never accountable for inefficiency or failure metrics.” The corporate world doesn’t have this kind of latitude. Corporations also don’t have the time or money to change their processes to accommodate a credential. For a government contractor with a lot of revenue coming in, it makes sense to make the change, but for others it’s simply not worth it, Gold says. “The contractors consider it part of doing business, customer retention, rather than truly a security project,” he adds.

Gold has worked with customers considering PIV-I that bailed because they wanted to make slight changes that would keep them from being completely compliant. “When you explain that there is no such thing as 98% compliant, they abort,” he says. Logically, this should lead them to CIV, but there are challenges there as well. “It’s not well thought out, as it takes root in inefficiency and does not consider requirements outside of the federal government,” Gold says. “CIV was never vetted. Ultimately you are dealing with a data model and products that are tuned for inefficiency.”

Identiv CEO Jason Hart is blunt when it comes to CIV. “It doesn’t fill any business requirements,” he says. “CIV is fundamentally flawed to work in the commercial space, it’s too expensive for a company to stand up on their own.” Smart cards as a form factor may be waning, Hart says. Many corporations will always require some type of visual identification – a badge – for employees, but there are other form factors that work just as well if not better than smart cards. “I have an ID card because my company hasn’t gone away from visual identification, but I use my phone to tap on a contactless reader and then maybe to an OAuth authentication or a one-time passcode,” he explains.

The future for PIV-I and CIV looks bleak. Unless rules change to enable – or even require – contractors to use the credentials within the federal enterprise, uptake in that space is unlikely. And unless something is done to overcome the cost and complexity of these systems for the corporate enterprise, uptake there will be slow or non-existent. It seems that cheaper, easier-to-use alternatives – though not based on government standards – are better able to serve enterprise needs. Thus, the death knell for these smart card specifications may ring far sooner than expected.

National Cancer Institute uses a ‘bit’ of CIV

When the National Cancer Institute was building its new facility in Shady Grove, Maryland, the intention was to have the physical access control system be PIV compliant. This included making sure that all credentials – employee and visitor – were PIV-compliant, says Shane Hebert, facilities program manager for physical security at the National Cancer Institute. The institute deployed HID Global’s pivCLASS readers for physical security and needed a card that would be issued with that technology. And since the facility requires employees and visitors to badge in and badge out, it needed a visitor badge that would also work with the PIV-enabled system, Hebert says.

Northrop Grumman was the prime contractor for the project and CertiPath was one of the team members. Hebert knew that CertiPath had a “CIV in a Box” product that could enable security to issue those cards to visitors or temporary workers. The institute rolled out 200 preprinted CIV cards that could be issued to visitors for temporary use.

Concurrently, the U.S. Department of Health and Human Services decided to start issuing another type of credential called the Restricted Local Access badge. The credential serves the same purpose as the PIV, providing both physical and logical access for short-term staff of less than six months. “It’s a PIV alternative for when you don’t have the proper background check on someone or are waiting for another credential to be issued,” Hebert says. The CIV credentials are still being issued for visitors and to employees while they wait for a Restricted Local Access badge, Hebert says. “It’s a one-off solution when we need to track people coming in and out of the building,” he adds.
THE AIRPORT OF THE FUTURE
IDENTITY AND AUTOMATION CUSTOMIZE TRAVEL EXPERIENCE
AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
It’s 7 a.m. at your convention hotel, and you’re packed and ready for your midmorning flight. You’ve already checked in, so all you need to do before breakfast is to leave your luggage at the hotel’s bag drop station for automatic transport to your airline. When you arrive at the airport, you immediately receive a welcome notification on your phone, letting you know that your 10:30 a.m. flight is at Gate B37 and that you can proceed to security checkpoint No. 3 for the shortest wait. As you move through the airport, you receive another notification telling you that your flight is delayed by 30 minutes. The airline then sends a $5 food voucher to your phone for a restaurant in your concourse. When you finally arrive at the gate, you flash your phone on a reader at the self-boarding station and get on the plane. You pull up your device one last time before takeoff to check the status of your luggage.

This is the airport of the future – where passenger identity consists of far more than a bar code and a flight number, and this new identity can get you where you need to go with much greater efficiency. Tech leaders predict that in as little as 10 years, airports will employ identification technologies such as biometrics, NFC and Bluetooth-enabled beacons to streamline, personalize and secure the passenger experience in these and many other ways. “The capabilities that you’ll have as you travel through the airport are limited only by your imagination,” says Jim Peters, chief technology officer of SITA, a global specialist in air transport communications and IT.
INNOVATIONS IN AUTOMATION Self-boarding and other automated systems are at the crux of what innovators hope to achieve with the passenger experience in the not-so-distant future.
Jim Slevin, managing director of aviation for Human Recognition Systems in Liverpool, says airline passengers desire greater self-service and automation. It translates to fewer check-in counters and a move to modernizations such as self-service bag drop units. “People don’t want to work with humans,” he says. Slevin believes that 80% or more of the airport journey will be automated, with only the residual 20% requiring assistance from human agents.

Several airports are already experimenting with this automated future. At the Toulouse-Blagnac Airport a trial is enabling select Air France frequent fliers to use NFC-enabled smart phones as their boarding passes on flights to Paris-Orly Airport. Passengers automatically receive their NFC boarding pass on their smart phones at check-in and can use them all the way through the airport. With Apple’s recent announcement that it has adopted NFC as a technology for payment on the iPhone 6, Peters suspects it’s only a matter of time before the iPhone can function for other purposes, including boarding.

Wearable technology could also play a more significant role in boarding. SITA has been giving passengers the ability to board their flight by scanning a smartwatch, delivering boarding passes via an app on Android wearables.
TRAVEL WITHOUT A TICKET
Ticketless or tokenless travel is another goal for airport innovators, and Slevin believes biometrics will be the primary mechanism for that change. “I can be my token, so I can just travel with my biometric,” he says. The main token passengers travel with today is a bar code, which they either print or download to a smart phone. The token serves as a proxy for the individual to be able to travel on that day. Slevin believes a bar code is a poor authentication mechanism. “What does this piece of paper actually say that can’t be said by me and the data behind me? That’s our fundamental difference,” he explains. Human Recognition Systems has been working closely with London Gatwick Airport, and Slevin notes that the CIO of Gatwick has gone on record calling biometrics a key to the airport’s future as other technologies are becoming obsolete. Last year, the company conducted a trial simulation of the passenger journey of the future at Gatwick Airport, using both biometrics and an airport passenger experience app. The experience began with passengers being biometrically identified at the airport’s car park barrier. The smart phone app then began communicating personalized information, ranging from check-in details to customer-specific retail offers. Gatwick also conducted the world’s first trial of an end-to-end biometric system to automate passenger identification on flights. Human Recognition Systems used iris technology to enroll passengers so that they could gain access to automated boarding and have the ability to deposit their luggage at designated self-service bag drops.
A NEW SYSTEM FOR BAGGAGE

International travel industry leaders predict that 10 years from now, there will be a variety of bag drop locations – rail stations, hotels and airport parking lots – eliminating the need for bag-check counters and their Disney-esque queues. Passengers will be able to track their bags on their mobile devices and then pick up their luggage at a stored location when they are ready.

Innovations to streamline the baggage process are already in the works. SITA, which provides baggage management for more than 125 airports and 450 airlines worldwide, uses bar codes and RFID tags to manage baggage flow. It offers an app that enables passengers to obtain the real-time status of a bag using either their name or bag tag number. Air France, British Airways and a host of other airlines are also testing digital luggage tags that enable passengers to use their smart phones to track bags. British Airways started testing the digital tags on its Seattle-to-London flights last October and plans to expand to more flights.

SITA’s Peters predicts that, eventually, purchased luggage will come equipped with embedded permanent bag tags so that the passenger doesn’t have to buy a separate tag. “I think you’ll see these technologies evolve with products coming out from various companies including suitcase manufacturers,” he says.
STREAMLINED BORDER CONTROL From baggage to borders, airports are notorious for bottlenecks. Just the mention of the word “customs” is likely to elicit a groan from any international traveler, with the term conjuring images of winding lines, excruciating waits and missed connecting flights. But there are efforts under way to automate the border control process through the use of kiosks and biometrics. SITA’s automated border control kiosks are in place at a number of airports worldwide, speeding the process of getting travelers through immigration. In February 2014, the Orlando International Airport became the first U.S. airport to implement Automated Passport Control kiosks to serve visitors from 38 countries as part of the Visa Waiver Program. International passengers provide their travel documents, biometric data and customs declarations at the kiosks before speaking to a border patrol officer at an immigration counter. The kiosk features a reader where passengers place their passports, and it uses eye-finding technology to detect the passenger’s height so that the camera, fingerprint reader and other devices are properly positioned. SITA’s findings in Orlando suggest that the kiosks provide a more than 300% improvement on passenger throughput when operating at peak capacity. In Europe, airports are rolling out gates that support ePassports, reading the chip encoded with passenger demographic and biometric data. The ePassport gates use facial recognition technology to compare a passenger’s face to the photo stored on the passport’s chip. ePassports have yet to achieve their full potential, though, because international standards still need to be implemented to protect the privacy of biometric information used from one country to another, Peters says. “These things tend to take decades rather than years,” he adds. Even as new identity technologies are reshaping passport inspections, some experts contend that a completely digital passport or biometric-based identification system is still a long way off. Tim Klabunde, director of solutions marketing for Datacard Group’s government vertical team, believes that efforts will continue to revolve around tangible passport booklets. “I think it will be a while before we see international travel using a mobile-based credential,” he says.
There are still unanswered questions around the trust in mobile, and additional infrastructure is required to support mobility, says Mark Joynes, director of product management for PKI, government and international ID solutions at Entrust, an authentication software platform that is part of Datacard. “People are still very much in love with the physical,” Joynes says. Joynes points out that regardless of the amount of technology that goes into airport security, the bulk of people caught at border patrol are pulled out of line because of their behaviors, such as sweating or nervousness. “The personal, face-to-face element is really important,” Joynes says. Technologists have the capability to produce secure technologies that can be tied to a biometric for individuals. “We’re on the verge of capturing everything needed to facilitate a completely automated process. It’s the adoption of the back-end systems that still needs to be put in place,” Klabunde says. Still, systems will need to be set up for special cases, such as when a traveler warrants additional screening or a passenger is on a no-fly list.
BEACONS HOLD PROMISE The passenger experience of the future will certainly revolve around smart phones, and airports are starting to explore the potential of Bluetooth-enabled beacons. Beacons transmit signals to smart phones and can trigger the delivery of notifications to a passenger’s mobile device. Beacons could send coupons as the passenger enters a shop or airport café; they could trigger mobile boarding passes to display as the passenger arrives at the gate; or they could locate a passenger who is late for a flight. SITA is working with a major airline to trial the use of beacons in an airport environment, integrating Apple’s iBeacon technology with Passbook to display a personalized welcome message on passengers’ handsets as they access different areas that require a boarding pass.
Questions remain as to who will be responsible for deploying the beacons – the airport, the airlines, the ground handler or the retail operators.
TECHNOLOGY OUTPACES STANDARDS A big push will need to come on the standards front before many of these technologies can gain mainstream acceptance at airports. For there to be widespread use of NFC or biometrics for boarding, there needs to be a universal standard, Peters says. “Right now there isn’t a standard that says, ‘Here’s how NFC needs to work for a boarding pass,’” he explains. SITA has proposed a standard for NFC and has a committee of the International Air Transport Association working on it. “We hope to have something agreed on soon, but that’s just the first thing that will be needed to get NFC to work for boarding,” Peters says. Protocols for sharing data could also come into play for airports working to integrate these technologies. Slevin believes that the gathering of information at airports isn’t what’s difficult; it’s the sharing of that data. There is sensitivity surrounding the sharing of data between different departments within an airport, including the airline, border patrol, handling agents and state and national police. “The sharing systems between those parties do not exist,” Slevin says. Although the individual airlines know their passengers, the airports do not know which passengers will turn up on a day-by-day basis to travel. If the parties cooperate to share this type of data, it could lead to a more secure and robust passenger experience. “Technology isn’t as difficult as people make it out to be. Much harder is the will to actually share that information,” Slevin says. Still, he says advances in ticketless travel and an end-to-end biometric airport experience are within reach. “In a 10-year time frame, we fully expect it to be in place,” he says.
New bag tags make luggage smart The luggage tag is often an afterthought, only really considered if a traveler doesn’t have one and must scramble to fill one out before checking a bag. But as technology advances, so too does the humble luggage tag. British Airways partnered with Designworks and Densitron Displays to develop an electronic Bag Tag that would be a permanent, rewriteable alternative to paper tags. British Airways is testing the new tags, which are affixed to luggage to make sure bags arrive at their proper destination. Once checked in, customers hold an NFC-enabled smart phone over the electronic tag to automatically update the unique bar code detailing flight info and bag destination. The tag consists of an E Ink display encased in a plastic housing that’s designed to be permanently attached to the bag. The display is split into two sections, one showing the bar code that can be scanned and the other displaying flight details. In a separate deployment, Air France-KLM is rolling out its FastTrack electronic tag to travellers. The electronic bag tag consists of two separate pieces of hardware. The first is a tag placed outside the luggage that has two E Ink displays to show the bag’s destination and traveler information. When a traveler checks in online, the flight information is transmitted to the tag via Bluetooth. The second piece of hardware is an electronic tracking device that is placed inside the luggage. It can be tracked via smart phones through GSM, GPS or Bluetooth and features an Auto Flight Mode that complies with worldwide air travel regulations so it doesn’t interfere with communications. The tracking feature enables travelers to know where the bag is at any time. They can also see when the bag has been taken off the airplane and when it has arrived at a luggage carousel. For the FastTrack project, Air France-KLM was presented with the Best Baggage Initiative award at the 4th Future Travel Experience Awards.
END OF LIFE FOR FEDS’ FOUR LEVELS OF ASSURANCE KILL THEM? REVISE THEM? INDUSTRY PONDERS OPTIONS ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
The four levels of identity assurance and risk assessment date back to 2003 when the White House Office of Management and Budget (OMB) released e-authentication guidance for federal agencies. In 2006, the National Institute of Standards and Technology updated the authentication guidance in Special Publication 800-63, which received a minor update in 2013. Today, these four levels are often derided and mocked as out of touch, with one panelist at a trade show saying they should be “blown up.” While that may be an extreme point of view, many agree that the industry has reached a point where a decision has to be made. Either revise the levels or create new ones that are more appropriate for the enterprise and consumer spaces.
“800-63 was a specific reaction to a moment in time,” says Joni Brennan, executive director at the Kantara Initiative. “The feds didn’t envision how much it would be used and they didn’t write it for the scope of who is trying to use it.” Industry groups and NIST are taking notice that the current model for determining identity and authentication assurance needs to be revisited. NIST will be releasing a request for information before the end of the year asking the industry to comment on revising 800-63, says Paul Grassi, senior standards and technology advisor at NIST. The hope is to come up with something that can account for and adapt to private sector led innovation and the specific risk models of relying parties. “It’s time to look at things with a different lens,” Grassi adds.
There’s a natural desire to have a comparable mechanism for authentication – be it for use in a government system or an enterprise – but as time has passed the original four levels aren’t well suited for everyone. “You get the four levels, the top is mythical and the bottom is junk and the two in the middle aren’t ideal,” says Ian Glazer, a board member for the Identity Ecosystem Steering Group. “If you step away from the four levels, there could be three or there could be 300.”
ORIGINS OF THE LEVELS OMB took the idea of the four levels of assurance from the British – who stole it from the Canadians – who actually called it zero, one, two, three, says Peter Alterman, CEO at Safe-BioPharma and a former GSA official. “OMB felt like issuing a credential at trust levels zero wasn’t a politically wise move so they went with one instead,” he adds. NIST took the OMB memo and put together the special publication that maps technology and technology implementations against the different levels, Alterman says. Despite the 2013 revision, he says the special pub hasn’t received a significant update since it was first issued. The European Union is working toward an electronic ID risk assessment and mitigation framework that would use three levels: low, substantial and high, Alterman says. “The no-risk level is being taken off the table because it’s irrelevant,” he adds.
All of these ideas are going to be on the board when NIST issues its request for information on 800-63, says Grassi. The levels certainly have their issues, and while these four levels might not be the sole problem, the processes and rigidity of 800-63 may have run their course, he adds. The hope is to get information from the private sector on how to either update 800-63 or create something new that can be used across the private sector. “We want to know what risk models and alternative techniques have worked but aren’t aligned with our current documents,” Grassi explains. “Do we stick with four levels? Collapse to less than four since we know there is no such thing as a secure password? Do some vector or gradient based assurance standard instead that takes into account the multiple components that comprise trust in online identities?” The request will be released before the end of 2014. “Hopefully we can use this to accelerate and catalyze the market to create a public, open standard that we adopt instead of different markets, including the U.S. government, having their own types of standards,” Grassi adds.
The biggest knock against the four levels, as outlined in 800-63, is that they don’t scale to other industries. Finding authentication and risk management that works across all industries is the dream but is it possible? Andrew Nash, now CEO at identity alerting company Confyrm, previously ran consumer identity at PayPal and uses that company as an example. The company was driving billions of dollars in transactions and had to meet federally mandated “Know Your Customer” regulations that required assurance level three. But since only usernames and passwords were used for login – a level one authentication – the higher level of attained assurance was downgraded through the weaker authentication technique. “They don’t match how businesses run,” says Nash. “There’s a disconnect between the real world and how government works.” Creating a system that would compare authentication modalities and correlate them with risk assurance could help solve this problem, says Glazer. For example, user names and passwords alone would be ranked low but using an OTP with some risk-based system running in the background checking the device and IP address would receive a higher score. “There’s no cookbook where it says I need these modalities and it gives me this score,” he adds. Glazer would like to see NIST, or another group, do lab testing on the different authentication modalities when deployed according to best practices. “It would be great to have a rough estimation of the relative strength of modalities and how they work,” he adds.
SP 800-63 defines the four levels of assurance
In Special Publication 800-63 NIST gives guidance for identity assurance and the authentication technologies that meet each of the four levels it establishes in the document.
Level One: A level one identity has little or no confidence in the asserted identity. This typically self-asserted identity is used for low value online transactions and relies on usernames and passwords as the authentication mechanism.
Level Two: A level two identity has some confidence that the asserted identity is accurate and is used frequently for self-service applications. Proofing requirements are introduced that require presentation of identifying materials or information. A range of authentication technologies can be employed at level two, including single factor authentication, pre-registered knowledge tokens, out of band tokens and one-time password devices.
Level Three: Level three identities have high confidence in the asserted identity’s accuracy and are used to access restricted data. At least two authentication factors are required including software-based cryptographic tokens.
Level Four: A level four identity has a very high level of confidence in the asserted identity’s accuracy and is used to access highly restricted data. Level four is intended to provide the highest practical remote authentication assurance and is based on possession of a cryptographic key. At this level, in-person identity proofing is required. Level four is similar to level three except that only hardware-based cryptographic tokens are allowed. The PIV is a level four credential.
LEVEL 2.5 Flexibility is something the four levels are lacking. For example, from almost the moment the four levels were released, people were clamoring for level 2.5. “It’s where you need to know who a consumer is but it’s not sensitive enough to where they’re going to drain a bank account,” says Mary Ruddy, research director at the Gartner Group. When discussing how to change the levels of assurance and authentication, two ideas frequently arise: step-up authentication and a modular/vector based system, which often go hand in hand. Ruddy favors a step-up authentication system, wherein a consumer would use an existing account, such as Facebook, Google or Twitter. If the user wanted to access a bank account or other secure site there would be a mechanism to step up the authentication, answering some out-of-wallet questions or maybe an OTP to a mobile device.
InCommon tailors assurance levels for higher ed InCommon has launched an assurance program for higher education that offers two levels: bronze and silver. The bronze level is comparable to NIST Level of Assurance One and provides reasonable assurance that a particular credential represents the same person each time it is used. Bronze is roughly the same confidence associated with common Internet identity. Silver is the equivalent to NIST Level of Assurance Two. It has identity-proofing requirements that provide reasonable assurance of individual identity. Silver provides a security level roughly appropriate for basic financial transactions. While InCommon’s profiles are based on the four levels of identity assurance from NIST’s SP 800-63, they are tailored for the higher education audience. Virginia Tech is using the InCommon program for some employees and issues 64K USB keys with X.509 digital certificates. The university is using bronze and silver assurance profiles to access external services that require those levels, and Virginia Tech services also have the option to require bronze or silver from local users. A few Virginia Tech research faculty members have already federated, and the Office of Sponsored Programs anticipates further use for grant submissions. Virginia Tech hopes that financial aid officers will be able to use their silver credentials to access services offered by the Department of Education and National Student Clearinghouse.
Identity vetting and issuing credentials can be an expensive proposition, but if consumers can use credentials they already have and step up the authentication it can make a system more usable. “The big challenge is getting credentials out there that are interoperable and reusable,” Ruddy says. The technology exists to have a higher level of assurance in customers with little to no effort from the customers themselves. Depending on what level of assurance a company wants to have it could be something as simple as sending an email to validate a pre-registered address or as complicated as an OTP, geo-location or device recognition, Ruddy says. “There’s a lot of innovation in mobile phone authentication,” she adds. This also goes along with a vector-based authentication. If a user has a Facebook login, and is accessing it from a typical device and IP address, those vectors point to him being whom he claims so less of a step-up authentication would be required. “Someday it will all be under the hood and invisible to the user,” says Kantara’s Brennan. The Kantara Initiative is talking about vector of trust, Brennan says. The group is looking at a framework that would be put together in a modular way to enable different levels of trust. “We’re trying to address as many communities as possible in order to avoid having multiple discussions in multiple places,” she says.
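The scoring idea that Glazer and Ruddy describe above (rank the modality used, then let contextual “vectors” such as a known device or a usual IP address raise the score, and step up only when the resource demands it) can be sketched as a small decision engine. The following is an added example written for this article; it is not code from NIST, Kantara, Gartner or any vendor named here. Modality scores, per-resource thresholds, the user profile and the login attempts are all constructed assumptions for illustration:

```python
"""Toy risk-based step-up decision (added example, not from the article).

It scores a login from the signals the article describes: the strongest
modality already satisfied, whether the device is known, and whether the
source IP falls in the user's usual networks. Scores, thresholds and the
sample data are constructed assumptions, not measured strengths.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed relative ranking of modalities. The article notes that no agreed
# "cookbook" of modality strengths exists, so these values are illustrative.
MODALITY_SCORE = {
    "password": 1,
    "social_login": 1,
    "email_link": 2,
    "otp": 3,
    "hardware_token": 4,
}

# Assumed minimum score per resource sensitivity.
REQUIRED_SCORE = {"low": 1, "medium": 3, "high": 5}


@dataclass
class UserProfile:
    user_id: str
    known_devices: set = field(default_factory=set)
    usual_networks: list = field(default_factory=list)  # CIDR strings


@dataclass
class LoginAttempt:
    user_id: str
    device_id: str
    ip: str
    modalities: tuple  # modalities already satisfied in this session


def assurance_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Strongest satisfied modality plus one point per matching context vector."""
    score = max((MODALITY_SCORE.get(m, 0) for m in attempt.modalities), default=0)
    if attempt.device_id in profile.known_devices:
        score += 1
    addr = ip_address(attempt.ip)
    if any(addr in ip_network(net) for net in profile.usual_networks):
        score += 1
    return score


def decide(profile: UserProfile, attempt: LoginAttempt, sensitivity: str) -> str:
    """Return 'allow', 'step_up' (send an OTP and re-evaluate) or 'deny'."""
    need = REQUIRED_SCORE[sensitivity]
    if assurance_score(profile, attempt) >= need:
        return "allow"
    # Would completing an OTP challenge be enough? If not, deny outright
    # rather than challenge for a resource this session can never reach.
    with_otp = LoginAttempt(attempt.user_id, attempt.device_id, attempt.ip,
                            attempt.modalities + ("otp",))
    if assurance_score(profile, with_otp) >= need:
        return "step_up"
    return "deny"


# Constructed sample data: one user with a known laptop and a home network.
ALICE = UserProfile("alice", known_devices={"laptop-1"},
                    usual_networks=["203.0.113.0/24"])
FAMILIAR = LoginAttempt("alice", "laptop-1", "203.0.113.7", ("social_login",))
UNFAMILIAR = LoginAttempt("alice", "phone-9", "198.51.100.4", ("password",))

if __name__ == "__main__":
    for name, attempt in (("familiar", FAMILIAR), ("unfamiliar", UNFAMILIAR)):
        print(name, [decide(ALICE, attempt, s) for s in ("low", "medium", "high")])
```

The familiar social login scores 3 (modality 1, plus known device, plus usual network), so it reaches a medium-sensitivity resource with no extra friction and is only asked for an OTP at high sensitivity. The same password from an unknown phone on an unknown network scores 1: it is stepped up for medium resources and denied for high ones, because even a completed OTP would leave it short of the threshold.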
But who pays for this extra authentication? Nash says it should be the relying parties because they are the ones who get something out of it. The identity providers don’t realize any benefit from having assurance behind the identity while the relying parties do, he explains. This has been a fundamental flaw with the original four levels. In order to be certified to issue credentials that meet level three, an identity provider has to spend hundreds of thousands of dollars and that’s just for certification not issuing credentials, Nash says. The business model was set up to fail.
WHAT’S GOING TO HAPPEN? “My guess is we’re going to move toward three levels because level one doesn’t require any effort,” says SafeBioPharma’s Alterman. The International Standards Organization and the Europeans are starting to align around three instead of four levels. These three levels will serve as a baseline with the ability to add specific risk-based factors. “Banks, credit card companies and hospitals might do their own thing but their efforts will be able to align with the baseline,” Alterman explains. It has been eleven years since the four levels made an appearance within the U.S. federal government, and change is on the horizon. The results will most likely be assurance levels that aren’t as coarse and are able to accommodate a range of industries and authentication mechanisms that will hopefully afford consumers the ability to reuse identities across relying parties.
THE TRUE COST OF IDENTITY
FROM MARKETERS TO BLACK MARKETERS, YOUR PERSONAL INFORMATION IS A VALUABLE COMMODITY AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Everyone wants a piece of you. From hackers who breach the data of corporate retail giants to social media sites that sell your information, identity is undoubtedly a hot commodity. The various aspects of an identity hold different value for different people. Social Security numbers and credit card data are going to be highly valuable to someone on the black market, whereas retailers want to analyze your Facebook likes, shopping habits and demographic information. “It generally seems to be whatever you can get out of it,” says Kevin Haley, director of security response for software giant Symantec Corp.
NUMBER OF BREACHES WITH MORE THAN 10 MILLION IDENTITIES EXPOSED
2012: 1
2013: 8
Increase of 700%
Source: Symantec, 2014 Internet Security Threat Report
Anyone with a stake in identity shares the same end goal: to make money. The difference is that the black market seeks out private identity information that can help them steal money, whereas retailers aim to boost sales by relying on information that individuals share about themselves. Social media sites have taken heat for selling users’ data, with critics calling it a clear invasion of privacy. Analytics consultants contend there’s a difference between the data that the legitimate world gathers to market products and the personally identifiable information criminals steal for nefarious purposes. “There’s value to the business of analyzing data from a monetary perspective, but it’s also valuable to the general public because your experience is going to be much more personalized,” says Steven Ramirez, CEO of Beyond the Arc, a data analytics-consulting firm.
BIG DATA, BIG VALUE It’s the old Amazon strategy of “If you like this, you’ll like that.” Retailers and their data analytics consultants use that strategy with the goal of making the consumer’s world completely personalized, says Joe Caserta, CEO of New York-based data analytics consulting firm Caserta Concepts. “When I go online, I want all of the content of every site I look at to be 100% specific to me,” says Caserta. “For companies to be able to do that, they need to know as much information about me as possible.” That is, however, with the exception of personally identifiable information, which should be encrypted and kept private. Data companies need only the individual’s characteristics and behavior patterns, not the identity. “They don’t need to know that Joe Caserta is doing this activity. They just need to know that someone with all the characteristics of Joe Caserta is doing this activity,” he explains. That information might include characteristics about the person – in Caserta’s case, a middle-aged, white male business owner and technologist – and all of the behavior and buying patterns associated with that person through social media and payment card use. Analysts then compile that information to create a consumer profile. “That is incredibly valuable,” Caserta says. Big Data critics say there’s a Big Brother factor to having some unseen presence monitor which stores and websites you visit and deliver personalized ads moments later. Caserta contends that won’t stop people from receiving the message. He recalls a time when he ordered a bottle of wine at a restaurant, and then received an email from a wine merchant the following day advertising a sale on the same bottle of wine. “Creepy? Yes. Effective? Yes, I went and bought it,” he says. There is always the danger of losing consumers over data collection. Ramirez says that if companies aren’t careful about how they sell data, they can sever a lifetime relationship with a customer.
THIEVES PIECE TOGETHER DATA Just as retailers are finding new and innovative ways to extract and monetize data, criminals are doing the same – and finding value in more pieces of data than ever before. Modern thieves don’t even have to do much legwork as individuals are leaving their information unprotected. Symantec’s 2014 Internet Security Threat Report details the top causes of data breaches in 2013:
34% were due to hackers
29% were because of information that was accidentally made public
27% were due to the theft or loss of a computer or drive
The classic hacker move is to steal credit card numbers to sell, and then the person who buys them will use those numbers until they don’t work anymore. Alternatively, criminals can steal the logins and passwords to bank accounts, and then start transferring money out. Today’s criminals are experts at finding ways to exploit the data that they accumulate, says Ramirez. They put together pieces of information like a puzzle. “Fraudsters are actively looking at how to gather data from different sources and build more valuable profiles,” Ramirez explains. Even though people are afraid of identity theft, they unknowingly take risks with some of their most critical pieces of information, Caserta says. Few people think twice about giving a waiter their credit card with a signature and security code. “Most are perfectly comfortable with that,” he says. “But many fear putting a credit card on a secure, encrypted website.” Online financial services are one of the most embraced markets by the general public, yet it’s also one of the most risky, Caserta says. “That’s the most sensitive information you can have online. And that’s the one that’s the most popular,” he says. Caserta, whose company works with a number of financial institutions, points out that the data in bank servers and databases is fairly ironclad. What puts users’ financial information at risk is their choice and management of usernames and passwords.
BLACK MARKET ID VALUES A few years ago, Symantec developed an online tool that calculated roughly how much your identity would be worth on the black market. Depending on factors such as age, gender and the extent of your online account data, the answers were typically in the $20 to $30 range. Haley says a few things have changed since Symantec collected that information, and as a result the value of certain pieces of data can vary according to who is selling what. “The bad guys have gotten more sophisticated,” he says. The black market consists of buyers and sellers with varying levels of sophistication. “The price depends on the reputation of the seller and the data’s perceived value,” Haley says. Haley says low-end hackers tend to be rip-off artists and can be found through Google. Their high-end counterparts gather in exclusive forums, in which you need a recommendation from a member in order to gain access. They use systems similar to what you might find on eBay, with rankings for the buyers and sellers listed. Prices might depend on how quickly a credit card could be shut down. The card data stolen from Target last year is far less valuable now than it was at the time of the breach. “The value sinks almost daily,” Haley says. And just like anything else, supply and demand influences cost. If a lot of stolen credit card numbers are flooding the market, the cost of those numbers will be less, Haley says.
MOST-WANTED INFORMATION The most sought-after pieces of identity information on the black market are anything that can help a criminal perform a financial transaction on someone else’s behalf. For hackers, that would be name, date of birth and Social Security number. In 2013, those ranked as the top three types of information breached, according to the Symantec report. “That information is all you need for identity theft. It’s used to set up credit cards, get into bank accounts and do many other things,” Haley says. A thief can get a lot of value from stealing credit card information, but it’s a onetime thing and then it goes away, Haley says. “A credit card is very easy to change. It’s very hard to change your date of birth or Social Security number,” he says. Other valuable pieces of information might include a mother’s maiden name, where you went for your honeymoon or a favorite movie. All of those details could contain answers to a security question, says Kayvan Alikhani, director of technology at Bedford, Mass.-based RSA, the security division of data storage firm EMC Corp. “That right now is being sold on an a la carte basis for $4 or $5 for each piece of info,” he says. Alikhani points out that credit card numbers aren’t worth as much anymore because they have been so heavily compromised and hacked. Today card numbers are worth about $5 apiece, and the final price is influenced by the cardholder’s credit limit and balance, he explains.
VALUE TO THEFT VICTIMS
Banks and credit card companies can cover much of the loss a person suffers from an identity theft, but they can’t make up for the time and energy it takes to discover and correct those problems. “The anxiety that causes is tremendous. Those are things that can really shake people’s lives,” Haley says.
To the user, the value of their identity could be in the magnitude of about $5,000 because of the amount of time it takes to fix an ID theft issue, says RSA’s Alikhani. On the corporate side, the combination of different pieces of identity information is of much higher value than an individual’s identity because it includes not just single users, but also the authorizations each person uses. “It can wreak havoc on a company on a much larger scale. It becomes much more important to protect pieces of information,” Alikhani says. If a company loses that information to hackers, the business could be on the hook for any fraudulent transactions. There is also the reputation risk and damage to the brand, like what Target experienced last year. “Fewer people have shopped at Target as a result of the hit they took to their reputation and their brand,” Ramirez says.
MULTI-FACTOR DEFENSES
Security and data experts often cite consumer awareness as the best tactic for protecting identity. But Caserta contends that consumer data itself is playing a role, too. He believes Big Data analytics is helping prevent identity theft. Caserta cites what happened to him recently when he made a credit card transaction in a different state at odd hours. While he was standing at the counter checking out, he received a call from his credit card’s fraud protection division. “That’s 100% the result of Big Data analytics. They understand all of my buying habits, what hours I shop, and as soon as something outside of my normal behavior happens, they notify me,” he says.
Caserta says he would like to see more innovations to prevent fraud, adding that up to 90% of all logins consist of a user ID and password. “That’s not enough,” he says. “If we really want to prove it’s Joe Caserta at the keyboard, there are much more advanced ways of doing it,” he says. Alikhani says multi-factor authentication forms set the bar higher so that hackers with information about you cannot impersonate your identity. With the scope of information now available to criminals, protecting identity in the modern age is more about defense, he says. “You should assume that your identity is already compromised and out there,” he says.
TOP 10 TYPES OF INFORMATION BREACHED
Real names
Birth dates
Government ID (Social Security) numbers
Home address
Medical records
Phone numbers
Financial information
Email addresses
Usernames and passwords
Insurance
Source: Symantec, 2014 Internet Security Threat Report
SECURING THE ELECTRIC GRID
NEW REGS PUT UTILITIES ON THE CLOCK TO BOOST PHYSICAL SECURITY MICKEY MCCARTER, SECURITY INDUSTRY ASSOCIATION
Around 1 a.m. on the morning of April 16, 2013, unknown gunmen attacked an electric substation near San Jose, Calif. For about 19 minutes, attackers fired more than 100 rounds into electricity infrastructure equipment owned and operated by Pacific Gas and Electric at the Metcalf power transmission station. The attack resulted in hundreds of thousands of dollars of damage. Although 17 transformers were hit, the attackers were gone by the time police arrived, and no suspects were ever identified. As a direct result of the attack, the Federal Energy Regulatory Commission (FERC) undertook the creation of mandatory regulation for the most critical substations in the electric sector. FERC is projected to publish the final rule in late 2014, setting in motion security upgrades intended to prevent such an attack from occurring again. The electric grid already had a great deal of redundancy built into it as well as some precautions to mitigate such damage, said Brian Harrell, director of the Electricity Sector Information Sharing and Analysis Center, North American Electric Reliability Corp. (NERC), during a webcast presented by the Security Industry Association. “It is very important to note that there was absolutely no electricity lost that day,” Harrell said. “That speaks to the significant resiliency of the bulk power system. We are very segmented, and we have the ability to reroute power.” Though similar attacks could cause pockets of outages, he explained the overall integrity of the power system would remain intact.
GRID SEES NEW PHYSICAL SECURITY STANDARDS AND REQUIREMENTS
Consultant Bradley Schreiber, president of Homeland Security Solutions, described the requirements as outlined in FERC CIP-014, suggesting they will spark the adoption of new identification technologies across the electricity sector. First, owners and operators of electric utilities will identify critical transmission stations and substations as well as control centers. Consideration must be given to stations and substations that “if rendered inoperable or damaged, could result in widespread instability, uncontrolled separation or cascading within an interconnection.” Affected control centers will include those that operate those specific stations and substations. After identification of these critical facilities, an unaffiliated third party must verify the selections. Once operators are informed that they manage a primary control center, they must evaluate the potential threats and vulnerabilities of a physical attack. Then, they must develop and implement physical security plans to protect those targets. Another third-party review then follows to determine gaps in the physical security plans. NERC is organized nationally in eight regions, employing a total of 63 critical infrastructure auditors. Under FERC CIP-014, NERC auditors would visit utilities every one to three years to ensure compliance with the standards. They already do so under earlier guidance from FERC CIP-006, which sets physical security standards for critical cyber assets. Ensuring compliance with the new standard will require more auditors and physical security expertise within NERC. Schreiber predicts that former military, law enforcement and intelligence personnel will move into the electric sector to meet the demand. “A lot of utilities already have these professionals, but I think you’ll see a lot more pop up over the next year,” he said.
TIMELINE FOR IMPLEMENTATION
The U.S. electric grid consists of more than 55,000 transmission substations of 100kV or higher, but the final FERC rule will be mandatory for less than 500 of these. Although only a small subset will be required to comply with the rule, Harrell suggests it will bring the conversation to the forefront and lead others to invest in physical security measures whether required to do so or not. “To get an entire industry to wrap its head around a concept and have agreement by and large across sector was a significant lift,” he said. A directive on the physical security standards under FERC CIP-014 was submitted to NERC in March and the approach for development of physical security plans was approved by industry in May. FERC published its notice of proposed rulemaking in July. NERC anticipates a final order in November or December, said Harrell, who was a member of the eight-person drafting team for the standard. The clock will start running for electric utilities upon publication of the final FERC rule, said David Batz, director of cyber and infrastructure security at the Edison Electric Institute. The membership of the institute, which represents electric utility owners and operators, is responsible for delivery of 70% of the electricity in the United States from generation to transmission and distribution. Those companies and others will have 180 days to identify their affected facilities and then another 90 days to gain third-party verification of those facilities. Over the next 120-180 days, utilities will have to produce threat analysis and security plans for their facilities. Then they have 90 days to again gain third-party verification of those plans. Sixty days later, utilities must begin implementation of their physical security plans. Batz estimated completion of final threat analysis and security plans sometime between July and September 2016.
INSIGHTS Cutting-edge viewpoints on the use of security technology from the industry’s leading electronic physical security association. Learn more at securityindustry.org.
MEETING DEMAND
Utilities tend to be conservative when buying equipment to support their physical security plans, Batz said. “They don’t want to purchase and install a product that doesn’t have a track record,” he said. Manufacturers must demonstrate that their products can meet the needs of the utilities – perhaps by withstanding challenging climates or working with low-bandwidth communications for remote substations – and be able to speak to how they have performed in other sectors and at other installations, Batz explained. The FERC standard provides utilities with flexibility in the development of their physical security plans. This is important as every station will require something different to fulfill the requirements of their unique physical security plans, said Harrell. “There is no such thing as a cookie cutter substation – each has individual and specific challenges,” he warned. NERC looks at recommendations for compliance with the FERC standards as an exercise in protecting people, the industry’s most critical asset. Powerful security technologies are available including live video surveillance with intrusion deterrent technologies, limited access smart locks and access card systems, employee screening for insider threats as well as other countermeasures, Harrell said.
ANTICIPATING COSTS
Electric utilities already have ideas as to what works and what doesn’t as well as how much physical security measures can cost. NERC previously published guidance for the development of physical security plans through its Critical Infrastructure Protection Committee and has held training exercises known as GridEx, which simulated breaches at power plants where attackers used improvised explosive devices. Utilities will rely on these experiences and others to request funding to cover their physical security plans, said Batz. They will go before a state public service commission, or in the case of municipalities, they would go before the local governing body to make a case for rate increases, he said. “There will need to be regulatory approval for investments made in this space,” he added. In general, regulators have been very supportive, but they may become concerned when incremental investments lead to higher utility bills for consumers. “It’s going to be a company-led effort versus a publicly funded effort,” Schreiber said. “There is no pool of money they are going to be able to draw from to do these major enhancements.”
Companies interested in learning more about this topic can contact Elizabeth Hunger, manager of government relations at the Security Industry Association, at ehunger@securityindustry.org.
SENDING ACCESS CONTROL ENGINEERS BACK TO SCHOOL
GSA MANDATES NEW CERTIFICATION FOR PHYSICAL SECURITY CONTRACTORS ANDREW HUDSON, ASSOCIATE EDITOR, AVISIAN PUBLICATIONS
Physical access control is a technical and complex business, and enterprise-wide implementation contracts are often incredibly valuable both in terms of security and cost. So ensuring these systems are deployed correctly is paramount. With this in mind, the U.S. GSA decided to mandate training for any company that wants to be in the government physical access control business. To provide the training, the Smart Card Alliance developed the Certified System Engineer ICAM PACS (CSEIP) program. The training and certification program provides systems engineers with guidance on system set-up and testing to align with government-wide specifications.
Acronym soup of certification program
• GSA – General Services Administration
• NIST – National Institute of Standards and Technology
• PKI – Public Key Infrastructure
• PACS – Physical Access Control System
• ICAM – Identity, Credential and Access Management
• PIV – Personal Identity Verification
• CSEIP – Certified System Engineer ICAM PACS
WHY CERTIFY?
The training program is a necessary step toward more effective implementations, explains Lars Suneborn, the alliance’s director of training and lead for the CSEIP program. “It is crucial that the federal government, especially those responsible for writing procurement documents, as well as respondents to the requests have a clear understanding of the operation of these systems,” says Suneborn. “Too often it is not clearly understood or communicated properly, resulting in costly and time-consuming post-installation system modifications.” This GSA-approved CSEIP program will provide the training and certification required for physical access control engineers employed by commercial organizations that intend to bid on government access control projects. The hope is that the training program will better ensure that implementations for GSA-managed facilities will be installed properly the first time around. The certification is designed to offer federal agencies a level of assurance that companies responding to bids have the necessary understanding of the goals and objectives of federal ICAM, Suneborn explains. “It shows that the bidding company has the competency to engineer the system correctly so that the procuring agency can achieve compliance,” he adds. GSA now requires that all billable work performed on these systems must be done using certified system engineers. Federal mandates specify that agencies must procure physical access control equipment that complies with PIV and federal ICAM requirements. “This includes a long list of standards, performance specifications, operational parameters and language of a very technical and complex nature,” Suneborn says.
Prerequisites for the CSEIP course:
• One or more PACS manufacturer certifications for design and installation
• One year or more of PACS configuration and installation experience
• One or more completed PACS system implementation
• Knowledge and experience with contactless smart cards and readers
• Basic understanding of network technologies
Learning objectives:
• Public key infrastructure basics
• Biometrics for high assurance credentials
• Credentials
• PIV data model
• High assurance credential types
• Cardholder populations
• Trusted PACS
• ICAM
• Authentication methods
• PKI configuration for trusted PACS (both classroom exercises and hands-on computer training)
THE PROGRAM Developed in alignment with GSA and relevant NIST publications, the course provides systems engineers with the training to implement PKI and federal ICAM architectures for physical access control.
Trainees receive a set of course materials addressing system operation, PKI management and PIV credentials. A comprehensive three-day program includes both classroom training and a hands-on element to teach best practices for system set-up and testing. The first day is primarily lecture and discussion. The second day includes extensive hands-on lab training on a live physical access control system. The third day is for the written and practical exams to demonstrate understanding of the training principles and application of that knowledge by configuring a FIPS 201-enabled access control system.
GRADUATION
Participants must score better than 70% on the written exam, while the practical exam is pass/fail based on successfully processing a valid credential and detecting an invalid credential on the test system. Graduates receive a certificate of completion and are added to an online directory of certified engineers. Federal contracting agents will use the directory to verify that a commercial organization has met the minimum requirements for the bidding and awarding of a contract. The accreditation is not required for every individual on site, explains Suneborn. Those staff members responsible for system design and those who serve in a technical on-site lead capacity must carry the CSEIP certification. “For a small company on a small project, this may be one person, other installations may require more staff to be accredited,” he says. Because the subject matter is technical and fast developing, regular training refreshers will be made available. Recertification will be required every two years. The CSEIP program costs $2,495 per person, with Smart Card Alliance members paying $1,995. The government rate carries a 28% discount at $1,795, and applies to government employees only, excluding commercially contracted employees working for government agencies. Cost of the program covers the entirety of the three-day training program, course materials and written and practical exams.
TOUCHLESS FINGERPRINTS: A NEW APPROACH TO AN OLD MODALITY
ANDREW HUDSON, ASSOCIATE EDITOR, AVISIAN PUBLICATIONS
The stalwart of biometric authentication has long been the fingerprint, with implementations ranging from high-security physical access to unlocking a mobile phone. But while other biometric modalities have made public strides in recent years, the fingerprint has been quietly taken for granted as a secure authenticator. In reality, fingerprint technology has been steadily evolving, and the latest advancements are giving rise to a new touchless fingerprint. A touchless fingerprint sensor from MorphoTrak, known as Finger on the Fly, is taking a new approach to fingerprint enrollment and verification. “The impetus for this rapid touchless technology came from the federal government,” says Rob Horton, director of marketing and communications at MorphoTrak. “We were asked to develop a technology that was multi-modal – not just touchless fingerprint but also iris at a distance and facial recognition – that could be deployed at a moment’s notice and could enable a person to quickly walk through and be screened against multiple databases.” Fingerprint was the logical starting point. “We began showing touchless fingerprint at federal trade shows and there was significant interest from other markets particularly in settings where very rapid throughput is a priority,” says Horton.
CAPTURING MINUTIAE ON THE FLY
In the realm of fingerprint, every detail is critical no matter how small. In fact, the minuscule details – the minutiae – lie at the heart of a successful authentication. Minutiae is the term for the changes in ridge flow, the lines in a fingerprint. There are two primary forms of minutiae that a fingerprint sensor identifies: ridge bifurcation, where a ridge forks into two distinct paths, and a ridge ending, where the ridge terminates. Image contrast is key: the better the contrast, the more likely the sensor is to detect and identify the minutiae of a fingerprint. Cameras and motion sensors in the Finger on the Fly scanner are triggered when a hand moves across the read area. The device takes multiple photographs of the fingers as the hand passes through the scanner. The on-board computing does the rest, as the device selects the best images to conduct the authentication. As Horton explains, in its initial developments, the system would wait for the entire hand to pass through the scanner before segmenting and identifying the minutiae from each of the four fingers.
“Now, we start processing the minutiae of the first finger as soon as it passes over the scanner,” he explains. “This enables near-instantaneous response; we’ve gone from achieving a match in under a second to getting a match in just milliseconds.” But there’s more to touchless than just speed. “With Finger on the Fly we’re able to capture each fingerprint from multiple viewpoints,” says Gary Jones, director of biometric access and time solutions at MorphoTrak. “This allows us to essentially capture a 3D image of the print, which mirrors the manual process of rolling a fingerprint over a scanner.” This means more information for a better match. “By capturing multiple angles of each fingerprint, we are able to increase the number of possible minutiae that we can later detect during a scan,” explains Jones. “The more minutiae you have, the more flexibility you provide the user when they come back to authenticate.” “Through multiple studies, NIST has found that the accuracy of fingerprint biometrics increases with the number of fingers used,” explains Horton. “More fingers makes spoofing efforts more difficult,” Jones adds. “You would have to acquire as many as eight or ten of a person’s fingerprints to successfully spoof the system.” The security threshold that the system administrator establishes can authenticate a user based on any of their initially enrolled fingerprints, even if one is damaged or is lost. You could enroll all fingers and choose to accept only a single finger for authentication or choose to authenticate as many as ten.
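The two minutia types described above, ridge endings and bifurcations, can be located on a thinned binary ridge map with the textbook crossing-number method. The example below is added here and is not MorphoTrak's algorithm; the 7x7 ridge map, the tolerance-based matcher and the score it returns are constructed for illustration of how more enrolled minutiae give a matcher more to work with.

```python
from __future__ import annotations

from typing import List, Tuple

# A minutia is (row, col, kind) with kind "ending" or "bifurcation".
Minutia = Tuple[int, int, str]

# The 8-neighbourhood walked clockwise from the top-left pixel. The circular
# order matters: the crossing number counts 0/1 transitions around this ring.
_RING = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]


def crossing_number(img: List[List[int]], r: int, c: int) -> int:
    """Half the number of 0->1 / 1->0 transitions around pixel (r, c).

    On a one-pixel-wide skeleton: 1 = ridge ending, 2 = ridge continues,
    3 = ridge bifurcation. The caller guarantees (r, c) is not on the border.
    """
    ring = [img[r + dr][c + dc] for dr, dc in _RING]
    transitions = sum(abs(ring[i] - ring[(i + 1) % 8]) for i in range(8))
    return transitions // 2


def extract_minutiae(img: List[List[int]]) -> List[Minutia]:
    """Scan every interior ridge pixel and keep endings and bifurcations."""
    found: List[Minutia] = []
    for r in range(1, len(img) - 1):
        for c in range(1, len(img[0]) - 1):
            if img[r][c] != 1:
                continue
            cn = crossing_number(img, r, c)
            if cn == 1:
                found.append((r, c, "ending"))
            elif cn == 3:
                found.append((r, c, "bifurcation"))
    return found


def match_score(probe: List[Minutia], gallery: List[Minutia], tol: float = 1.5) -> float:
    """Fraction of probe minutiae with a same-kind gallery minutia within tol pixels.

    Toy matcher (no rotation or scale handling), constructed for illustration;
    an administrator's acceptance threshold would be compared against this score.
    """
    if not probe:
        return 0.0
    hits = 0
    for r, c, kind in probe:
        if any(kind == gk and (r - gr) ** 2 + (c - gc) ** 2 <= tol ** 2
               for gr, gc, gk in gallery):
            hits += 1
    return hits / len(probe)


# Constructed 7x7 thinned ridge map: a Y shape, i.e. two ridges merging into one.
# Rows run top to bottom; 1 = ridge pixel after contrast enhancement, binarisation
# and thinning (the steps the sensor's image selection feeds).
RIDGE_MAP = [
    [0, 0, 0, 0, 0, 0, 0],
    [0, 1, 0, 0, 0, 1, 0],
    [0, 0, 1, 0, 1, 0, 0],
    [0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0],
]

if __name__ == "__main__":
    enrolled = extract_minutiae(RIDGE_MAP)
    for m in enrolled:
        print(m)   # three endings and one bifurcation at (3, 3)
    # A second capture of the same finger shifted one pixel to the right
    # (constructed) still matches every minutia within tolerance.
    second_capture = [(r, c + 1, k) for r, c, k in enrolled]
    print("score:", match_score(second_capture, enrolled))   # 1.0
```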
EASING ENROLLMENT AND USE
The hallmark for touchless, however, is its ease of use and throughput capabilities. It’s an easy and intuitive process that can even enable users to enroll without any operator assistance, Jones explains. Enrollment involves waving four fingers on each hand through the scanner. Traditionally, fingerprint systems would require each finger to be applied two or three times to properly enroll. With Finger on the Fly, a user need only pass their hand through the device once to enroll all four fingers. “The system can also enroll and recognize thumbprints if desired, it just requires the user to hold their two thumbs together and wave them through,” Jones explains. The other advantage of multiple fingers is that some environments may present bandaged, damaged, or missing fingers. “If, for example, you only enrolled your index fingers and those fingers are damaged or bandaged, you introduce a significant wrinkle to the throughput capabilities of that system,” explains Horton. “Even in situations where you don’t need all four fingers, you still have the added convenience, assurance and accuracy that the additional data provides.” As Jones explains, even the wave motion across the sensor has a purpose, eliminating the possibility of user error at the time of enrollment and authentication. “Waving your hand across the surface area of the scanner ensures that each finger is going to be, in at least one of the frames, captured accurately,” says Jones. “If you were to make it more of a static motion, you run the risk of the user holding part of their hand outside of the scanner area and thus not being read.”
FINDING A PLACE FOR TOUCHLESS
According to Jones, there’s been a big demand for touchless biometrics in the physical access control and time and attendance worlds. “We have customers that have to get a single shift change of 5,000 or more employees through turnstiles into a manufacturing plant,” he explains. “Every second counts in that setting, because if employees have to wait in a 20-minute queue, that’s production time lost and time lost for the employee.” Jones says large tech companies have very much the same issues. “They have busloads of employees that show up to their premises at once and that have to get into the building at the same time,” he explains. Touchless can be applicable at the opposite end of the spectrum as well, as security for a small roster of employees is no less vital than it is for thousands. These environments often require increased security for which the matching of multiple fingerprints is ideal, Jones says. Correctional institutions, where lines and queues can be problematic, could also benefit from a touchless solution with high throughput. “Inmates queue up and authenticate before entering cafeterias or common areas,” says Horton. “Wait times and line backups can leave these environments susceptible to disruptions and violence, so getting them through quickly can be vital.” Due to its federally driven roots, however, Horton posits that the best use case could be airport security. The U.S. government has a mandate to implement a biometric exit program for foreign travelers leaving the country. “For exit applications, the technology greatly facilitates fast and accurate boarding processes,” adds Horton.
FINISHING TOUCHES While touchless fingerprint sensors are yet to hit the market en masse, the technology is clearly making strides. The use cases are certainly there for biometric exits, time and attendance and high throughput access control. Time will tell if touchless is, in fact, a touch above the rest.
CAMPUSES DEPLOY MULTI-FACTOR VIA HIGHER ED ‘COHORTIUM’ GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
Two years into a $1.8 million pilot award from the National Strategy for Trusted Identities in Cyberspace, Internet2 is busy helping higher education institutions embrace multi-factor authentication. The MFA “Cohortium” consists of 50 institutions – each in varying stages of rolling out multi-factor – that act as sounding boards and offer support. “We’re trying to move the needle for all institutions within the U.S. when it comes to multi-factor authentication,” says David Walker, a coordinator for the MFA Cohortium. “Some are just thinking I’ve heard of it and I’m not sure what I want to do. Others know they want to do something and they’re starting to build the business case for doing it. Then there are institutions that are actively deploying. We’re trying to work in all of those areas,” says Walker, who also works with Internet2’s InCommon, an identity federation for U.S. higher education institutions. Why cohortium? “It is a play on the word ‘cohort,’ which is used a lot in higher education to indicate a group that moves through a course, process or experience over the same time period,” says Michael Grady, project manager and coordinator for MFA Cohortium. The Cohortium is for gathering and creating as much information as possible around the business and use cases for multi-factor authentication in higher education, says Grady. “Many campuses have implemented a Web single sign-on system for authentication to campus enterprise services or cloud offered services,” Grady says. “The software typically used in higher education for accessing cloud services is called Shibboleth, which supports the SAML protocol. It’s an open-source effort that came out of Internet2.” Grady says the grant has helped fund a couple of software efforts: a connector in the Shibboleth identity provider that integrates various multi-factor technologies as well as similar functionality in Central Authentication Services – another single sign-on project that campuses use within the enterprise rather than externally with cloud services. “The project has helped fund software that makes it easy for an institution to plug in whatever multi-function authentication technology they want to use into that single sign-on system,” Grady says. The project also enables institutions to switch small batches of users, instead of forcing everyone to switch over at once. “When you have very large communities – a quarter million students, staff and faculty – rolling out multi-factor to the whole community simultaneously can be very expensive and almost undoable,” Walker says. Grady says it comes down to risk versus cost. “When deploying multi-function authentication, institutions are looking for the areas of highest risk and which people are going to use that service,” Grady says. “That’s where we need to get it out to first.” “The day of relying on passwords alone is probably gone now,” he says. “But you can’t go from where you’re at today – from relying on passwords for everything – to having everybody at an institution use multi-function in a day, a month or even a year,” explains Grady. “Gradually it’s going to expand to include everybody, but we’re not there yet.”
UNIVERSITY OF ARIZONA
Cohortium member University of Arizona had been looking into multi-factor authentication for years. “We’ve been using it in various small areas and small projects,” says Gary Windham, senior enterprise systems architect in UITS. “We’ve wanted to deploy multifactor on a broader scale for quite some time, and we’ve recently done it.” The university offers multi-factor to students, faculty and staff on a voluntary basis. Out of more than 50,000 potential users, less than 1,000 have opted in. But Windham says the users, who heard about it through word of mouth and very limited advertising, are sending positive feedback. “We expect to see that continue as we roll out two-factor authentication as a mandatory feature of certain enterprise systems,” Windham says. “They have the choice of enabling it for all services that utilize our campus single sign-on system.” When a member of the campus community authenticates with their username and password, the single sign-on system then checks our enterprise directory service to see if they opted in for the two-factor service, Windham says. There are several ways the university is enabling multi-factor authentication:
• Users can have a batch of 10 passcodes sent to their registered SMS-capable device at any time; each passcode is good for one use, and getting a new batch of 10 expires any passcodes remaining in the previous batch.
• Users can generate a passcode via a mobile app.
• Users can generate a set of “bypass codes” via a self-service, two-factor authentication management portal that are good for one use – just like those received via SMS – but can be used if the user can’t find their device.
• Users can use a Yubikey token to generate an OTP that can be used in place of standard passcodes.
Those who’ve opted in will choose from a list of devices they registered for potential use, then answer a challenge question or enter a code. Windham says the university was early in its multi-factor implementation phase when it joined the Cohortium. He says it’s provided a sounding board for ideas and a sanity check during the deployment process. “There are lots of areas I’m sure we haven’t thought of that other schools may have addressed,” says Windham, who wants to keep tabs on what the rest of higher education is doing with multi-factor best practices and offerings. “Consumers are starting to expect this level of security and identity verification because their banks and social media sites are doing it,” Windham says. “The data and applications that people interact with at higher education institutions can be just as sensitive, if not more so, than the personal data that you’re managing at financial institutions.”
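The batch-of-passcodes option described above (one use per code, and a new batch expiring whatever was left of the old one) is the kind of server-side state a single sign-on system has to keep. The store below is an added example, not the university's or Internet2's code; the HMAC key, the six-digit code format and the user names are constructed assumptions, since the article does not describe the implementation.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

BATCH_SIZE = 10   # from the article: a batch of 10 passcodes per request
CODE_DIGITS = 6   # constructed assumption; the article does not give a code length

# Constructed: a fresh random key per process. A real deployment would load a
# persistent key from a secrets manager so that stored digests survive restarts.
SERVER_KEY = secrets.token_bytes(32)


def _digest(user: str, code: str) -> bytes:
    # Keyed hash: a plain SHA-256 of a six-digit code is brute-forceable in
    # 10**6 guesses if the store leaks; the HMAC key removes that offline attack.
    # The user name is mixed in so a digest cannot be replayed for another user.
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), "sha256").digest()


@dataclass
class PasscodeStore:
    """Holds, per user, only the unused digests of the *current* batch."""

    _batches: Dict[str, List[bytes]] = field(default_factory=dict)

    def issue_batch(self, user: str) -> List[str]:
        """Generate BATCH_SIZE fresh codes; leftovers from the previous batch expire."""
        codes = [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
                 for _ in range(BATCH_SIZE)]
        # Replacing the whole list is what expires the previous batch.
        self._batches[user] = [_digest(user, c) for c in codes]
        return codes   # shown to the user once (e.g. sent by SMS), never stored in clear

    def redeem(self, user: str, code: str) -> bool:
        """True exactly once per code; the code is consumed on success."""
        remaining = self._batches.get(user)
        if not remaining:
            return False
        probe = _digest(user, code)
        for i, stored in enumerate(remaining):
            if hmac.compare_digest(stored, probe):
                del remaining[i]   # one use only
                return True
        return False

    def remaining(self, user: str) -> int:
        return len(self._batches.get(user, []))


if __name__ == "__main__":
    store = PasscodeStore()
    first = store.issue_batch("alice")   # "alice" is a constructed user name
    print("first use:", store.redeem("alice", first[0]))   # True
    print("replay:", store.redeem("alice", first[0]))      # False
    second = store.issue_batch("alice")
    stale = next(c for c in first if c not in second)
    print("old batch after reissue:", store.redeem("alice", stale))   # False
    print("unused codes left:", store.remaining("alice"))            # 10
```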
UNIVERSITY OF CHICAGO
The University of Chicago is offering multifactor on a voluntary basis to faculty and staff only, protecting the single sign-on system and nearly 200 Web applications, says David Langenberg, senior systems programmer for identity and access management at the university. “A user can opt in to have all of their authentication protected by two-factor – kind of similar to turning on two-factor authentication on Google – or a service itself can elect to force use of two-factor authentication,” he says. Like the University of Arizona, they’re also in the early phase of rollout. About 400 users have signed up with nearly half opting to force all authentications to be two-factor. “We were interested in finding a group of universities who had done this so that we could share the pain and our experiences,” Langenberg says. “Along the way, we’ve certainly had some other universities assist us with vetting our ideas.” The University of Chicago is offering a couple of options for two-factor authentication. Users can receive a one-time code over SMS or have a service call them and read a code to use for login. The default method doesn’t require a code but instead sends a prompt to the mobile phone, alerting the user that their login is being used to access a particular system. Langenberg says the teamwork he’s found in the Cohortium is both useful and necessary. “The password is long dead, and you need to definitely move into a security stance that involves more than one factor for authentication,” Langenberg says. The Cohortium is made up mostly of colleges and universities, with some commercial members as well. It was created as a 15-month project, but it’s going strong with no hard ending date. Non-member institutions that want to roll out multifactor can benefit from the work of Internet2 through its InCommon Federation. InCommon represents end users across hundreds of institutions, creating bargaining power that leverages discounts with commercial software vendors and service providers.
MORPHOTRUST, CONFYRM, GSMA WIN LATEST NSTIC PILOTS GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
The U.S. Department of Commerce announced that three new pilots have been awarded in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC). The $3 million in grants will be shared among the three recipients – MorphoTrust, Confyrm and GSMA – as they pilot solutions exploring mobile devices instead of passwords for online authentication, minimization of loss from ID theft and improved access to state services. This is the third round of NSTIC pilots with seven awarded in 2013 and five in 2012.
MORPHOTRUST: STRONG IDENTITIES FOR N.C. RESIDENTS Through their recent grant, MorphoTrust is creating an electronic ID to help North Carolina citizens access online services. The goal is to authenticate identity online with the same security and privacy protection as in-person transactions – using a virtual ID that is as trustworthy, low-cost and readily available as a driver license. Forty-two states use MorphoTrust solutions for driver license programs and state ID credentials. The company also provides face, fingerprint and iris biometric solutions to the federal government. Its enrollment services division registers people nationwide for a variety of programs including the Transportation Worker Identification Credential. MorphoTrust’s NSTIC pilot was born out of a specific problem the company thought it could address. “We thought we could help verify that people are who they claim to be online,” says Mark DiFraia, senior director of solutions strategy at MorphoTrust. “If that problem can be alleviated, obviously the risk associated with online transactions could be reduced, but it could also open up the doors for many more things to be accomplished online.” The MorphoTrust proposal consists of three main goals:
• Prove that an electronic ID can be created that carries the trust of a secure credential and can be used to eliminate in-person identity proofing requirements
• Demonstrate elevation of trust using biometric multi-factor authentication
• Define a framework through which state and commercial entities can trust each electronic ID in their transactions
The two-year, $1.5 million pilot will be carried out in partnership with the North Carolina Department of Transportation and Department of Health and Human Services. Additional pilot partners include The University of Texas at Austin Center for Identity, Gluu, Toopher, miiCard and Privacy Engineer Debra Diener. The pilot will issue North Carolina residents an electronic identity when they get their driver license, says James Varga, CEO and founder at miiCard, an online identity service. “MiiCard isn’t a physical card, it’s a digital one. Think of it as a digital passport or a virtual version of your driver license that you use like you would a Facebook or a LinkedIn account to log into a site,” explains Varga. “As a miiCard user, you can decide what you want to share and what you don’t. This is one of the key objectives for us – to put consumers back in control of their identity.” A goal is to prove that the identity that Health and Human Services users have online can be extended to common commercial use cases. “Then everyone in the online community can see just how these kinds of trusted identities can be leveraged in a wide variety of uses,” DiFraia says. Involvement in driver license programs across the country is likely one reason for the pilot win, DiFraia says. “Also, we’re solving a very real problem in North Carolina helping to bring people into the Health and Human Services’ Food and Nutrition Services Program online through new channels,” he adds. “If we can prove that this channel is viable and secure, it brings a new level of efficiency.” If the pilot is successful, DiFraia says the work will likely expand to other North Carolina agencies, other states and the commercial sector. “It allows the government to safely leverage strong identities to solve its own problems,” says DiFraia. “And it gives the consumer control of the highly trustworthy online identity token.” “The project has the opportunity to break through a threshold of trust that has so far been elusive in the online world,” says DiFraia. “We’re hopeful that we can have that kind of wide-sweeping impact on how people do business online in the future.”
CONFYRM: CURBING LOSS FROM ACCOUNT TAKEOVER The two-year-old UK identity company Confyrm is already making a big impact as a winner of one of the third-round NSTIC grants. Confyrm was awarded $2.4 million to demonstrate ways to minimize loss when criminals create fake accounts or take over online accounts. A key barrier to federated identity – where an identity provider vouches for an individual at other sites – is the concern that accounts used may not be legitimate or in the control of their rightful owner. Account compromises and the subsequent misuse of identity often result in destruction of personal information, damage to individual reputations and financial loss. Confyrm will demonstrate how a “shared signals” model can mitigate the impact of account takeovers and fake accounts through early fraud detection and notification, says Andrew Nash, founder and CEO of Confyrm. Nash says the fundamental infrastructure, software and technologies have already been built at a prototype level. The grant money will be used to demonstrate how companies and consumers can minimize losses when criminals create fake accounts or take over existing accounts. “You’ve had to hit the password reset button to get back into your online financial account,” Nash says. “The email address or SMS address that’s recorded for you in association with that account is used as a trusted communication channel.” Clicking on the link included in that message takes the user back to the site, providing a fairly high level of confidence that the user is the account owner. “All of this works fine right up until the point that the email account has been subverted. If someone else is in control of your email account, the person hitting the password reset is also the person who is about to get control of your financial account,” Nash says. “We’re creating a shared mechanism for passing information about accounts between various participants to detect these kinds of problems.” Confyrm isn’t releasing information yet about its half dozen partners in the pilot project. What is known, however, is that the company is working with an email provider, a mobile operator and multiple e-commerce sites. “We are building out a series of use cases to look at how we can share information between these participants,” Nash says. The intent is to keep details about who publishes the event private in order to make participants feel comfortable sharing information. It is essential to ensure that the user’s privacy is maintained and kept separate from the communication, because there’s no way to be certain if the user is the actual account owner or the fraudster. One of the company’s first deliverables was a white paper for the Open Identity Exchange titled “The Shared Signals Model.” “We have been working from that model to come up with concrete mechanisms to talk about how identity information can be shared between participants in a way that allows parties to understand what’s going on across the ecosystem,” Nash says. As Confyrm worked on discovery projects with the UK government, this Shared Signals Model kept coming up as part of the concept of sharing technology between governments, Nash explains. He says that got the attention of the NSTIC folks, who encouraged Confyrm to apply for a pilot grant. “Initially I was somewhat reticent,” he says, knowing that applying for the grant would be a large undertaking. Now, however, he says they have the chance to make real-world changes. He provides another example of this real-world change. “Imagine that you have used an identity provider and you change your password at that identity provider, but you’ve still got sessions open with various relying parties,” Nash says. “At the moment, there’s no way to convey to the relying parties that a password reset has occurred and that they ought to tear down those sessions and reestablish them.”
Making sure that all the parties are aware of the change is crucial. “Something that happens at Apple can ultimately affect your Twitter account in terms of takeovers,” Nash explains. “So being able to share that information to avoid these cascading kinds of attacks is really useful.” Nash says the partners are excited about the potential to have a major impact on improving trust and privacy mechanisms in the identity space. “We need to be able to make this an operational reality,” Nash says. “We’ve got a lot to learn, but we think that we’ve got some pretty good starting points.”
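The two scenarios Nash describes, as an added example that is not Confyrm's code or the Open Identity Exchange model itself: a broker strips the publisher's identity and forwards events keyed by a keyed pseudonym of the account, and each relying party stops trusting the email reset channel on an email-compromised signal and tears down sessions on a password-reset signal. The HMAC pseudonym scheme, the participant names and the sample account are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signal is the event participants exchange. Publisher is known only to the
// broker and stripped before delivery, keeping "who publishes" private.
type Signal struct {
	Publisher string // participant that observed the event
	Subject   string // pseudonymous account handle, never the raw email
	Kind      string // "email-compromised" or "password-reset"
}

// Subscriber is any relying party that wants to react to signals.
type Subscriber interface {
	Receive(Signal)
}

// Broker fans signals out to subscribers without revealing the publisher.
type Broker struct {
	key         []byte // constructed secret held only by the broker
	subscribers []Subscriber
}

// Pseudonym derives a stable keyed handle for an account so participants can
// correlate events about it without exchanging the raw email address.
func (b *Broker) Pseudonym(accountID string) string {
	mac := hmac.New(sha256.New, b.key)
	mac.Write([]byte(accountID))
	return hex.EncodeToString(mac.Sum(nil))
}

func (b *Broker) Subscribe(s Subscriber) { b.subscribers = append(b.subscribers, s) }

// Publish removes the publisher's identity and delivers the signal to everyone.
func (b *Broker) Publish(sig Signal) {
	sig.Publisher = ""
	for _, s := range b.subscribers {
		s.Receive(sig)
	}
}

// RelyingParty is a site that resets passwords over email and keeps live
// sessions; both are tracked by the pseudonymous subject.
type RelyingParty struct {
	Name         string
	Sessions     map[string]int  // subject -> number of open sessions
	ResetBlocked map[string]bool // subject -> email channel no longer trusted
	Received     []Signal
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{Name: name, Sessions: map[string]int{}, ResetBlocked: map[string]bool{}}
}

// Receive applies the mitigation for each signal kind.
func (rp *RelyingParty) Receive(sig Signal) {
	rp.Received = append(rp.Received, sig)
	switch sig.Kind {
	case "email-compromised":
		// A reset link sent to a subverted mailbox would hand the account to
		// whoever controls it, so stop trusting that channel for this subject.
		rp.ResetBlocked[sig.Subject] = true
	case "password-reset":
		// The credential changed at the identity provider: tear down open
		// sessions so they must be re-established.
		delete(rp.Sessions, sig.Subject)
	}
}

// AllowEmailReset reports whether an email-based password reset may proceed.
func (rp *RelyingParty) AllowEmailReset(subject string) bool {
	return !rp.ResetBlocked[subject]
}

func main() {
	broker := &Broker{key: []byte("constructed-broker-key")}
	bank, social := NewRelyingParty("bank"), NewRelyingParty("social")
	broker.Subscribe(bank)
	broker.Subscribe(social)
	alice := broker.Pseudonym("alice@example.com") // constructed sample account
	bank.Sessions[alice], social.Sessions[alice] = 2, 1
	broker.Publish(Signal{Publisher: "mail-provider", Subject: alice, Kind: "email-compromised"})
	fmt.Println("bank still trusts email reset:", bank.AllowEmailReset(alice))
	broker.Publish(Signal{Publisher: "idp", Subject: alice, Kind: "password-reset"})
	fmt.Println("open sessions after reset, bank:", bank.Sessions[alice], "social:", social.Sessions[alice])
	fmt.Println("publisher hidden from bank:", bank.Received[0].Publisher == "")
}
```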
GSMA: UNITING U.S. CARRIERS FOR MOBILE ID SCHEME GSMA has partnered with America’s four major mobile network operators to pilot a common approach – interoperable across all four operators – that will enable consumers and businesses to use mobile devices for secure, privacy-enhancing identity and access management. GSMA’s global Mobile Connect Initiative is the foundation for the pilot; the initiative will be augmented in the U.S. to align with NSTIC. By enabling any organization to easily accept identity solutions from any of the four operators, the solution would reduce a significant barrier to online service providers accepting mobile-based credentials. GSMA also will tackle user interface, user experience, security and privacy challenges, with a focus on creating an easy-to-use solution for consumers. At press time, the GSMA was unable to provide additional details on the pilot.
AIRPORTS CONFRONT PHYSICAL ACCESS CHALLENGES AJAY JAIN, PRESIDENT AND CEO, QUANTUM SECURE
In the last several years, there has been an intense focus on the safety and security of airports, as the challenges these facilities face are ever evolving. Despite tight security in and around the gate areas, airport facilities are by their nature open to the public – a fact that poses a major hurdle when it comes to physical security. Another significant challenge is the host of rules and regulations that govern security clearance, identification and access for airport and airline employees, vendors and tenants, which in many cases are complicated by the siloed systems and processes that are used to manage the necessary credentials for facility access. The security needs and the challenges they present are not new; they have existed for as long as there have been airports, though certainly they have intensified in the last two decades. TSA regulation and internal security procedures have dictated that certain facets of security needed to be addressed in specific ways, but in some cases these requirements have further complicated the security process. The manual processes many airports once employed made it difficult, if not impossible, for them to meet even the minimum requirements, both internally and from the TSA. In short, many airports simply weren’t meeting their security thresholds.
Thankfully, there are solutions that relieve the burden of manual processes and provide a means to achieve security goals. Chief among these solutions are physical identity and access management solutions, which can assist with unifying identity management, integrating disparate physical security systems, automating processes and simplifying control of access for employees, vendors and other identities. Within the aviation industry, there has been an increased understanding of physical identity and access management systems and their potential to not only provide badges or credentials, but to also serve as a cross-airport solution. Identity management software enables airports to manage the lifecycle of identities related to physical access, including synchronized on- and off-boarding across all systems harboring an identity record.
When integrated with other systems – such as mass notification, IT, physical security information management and other event management systems – identity management software provides airports with a larger umbrella under which data management solutions can be combined to deliver deeper levels of security. Many of these systems have traditionally been separate from each other, which prevented data sharing between them. When integrated with one another, however, they have the ability to multiply the effectiveness of security and provide enhanced capabilities that allow airports to achieve more with fewer challenges and less complication. For example, if an event were to occur at an airport, the mass notification solution would provide alerts to travelers and employees. Integrating that system with an identity management solution provides a complete data set about that incident that could enable an airport worker to pull up information on who is involved in the incident and determine what areas of the facility they can access based on their credentials. This information could then be used to provide direction via the mass notification system to those within the airport about where they should go, as well as determine how security should handle the incident. So while airports have struggled to achieve just the security basics with manual identity management processes, solutions like physical identity and access management automate these processes to provide an increased level of security. These systems can also assist in other strategic areas that have the potential to improve airports’ overall operations as well. Among these are customer service, internal business threats, compliance and auditing.
A prime example of operational goals that can be addressed with physical identity and access management is customer service – with regard to vendors, who are business customers of the airport itself. This is one area that can pose major problems for airports. The main challenge from an identity management standpoint is that all employees of these vendors require badged access to certain areas within the airport. When a new employee is hired, there’s a detailed process that follows, starting with the vendor’s authorized signatory – the person from the particular vendor who is responsible for the new employee. Airports require these individuals to complete certain tasks to begin the badging process, which can be a very long and tedious manual process in the absence of an automated solution. In addition to being time-consuming, the process also requires a significant amount of paperwork, making it highly error prone. As part of the process, potential employees are subject to background checks and training that can also be laborious with a paper-based system. In the meantime, these employees are not able to report for work until the process has been completed, which costs vendors time and money. Additional delays caused by blanks on forms or unfiled training reports only add to these losses. Automating these processes with a Web-based portal for signatories, for example, makes it possible to enter information quickly and efficiently. Because the information doesn’t need to be re-entered by other departments, the potential for error is greatly reduced. This also drastically expedites the hiring process and decreases the financial toll on vendors, which makes the airport a far more business-friendly environment. Through a unified system, vendors and airport employees can view the current status of any transaction during and after the badging process.
The software can automatically submit applicants’ information for automation of security threat assessments and monitor status in real time to tie it to activation of an electronic airport badge. Software systems also enable operators to set prices for employer interactions for direct billing or regular invoicing of charges such as badging, background checks, penalties, violations, training and lost assets like keys or cards. Automation can recoup operational costs for transactions that would not be cost-effective to recoup using manual methods. Related to compliance monitoring, software can generate reports on an as-needed basis – nightly, weekly, monthly and on-demand – in the format required by the Transportation Security Clearinghouse and other channel service providers. It can also provide real-time auditing capabilities, eliminating the need for manual audits. It stands to reason that the more complexity there is in the security system, the more difficult it is to monitor, understand and respond to incidents. Physical identity and access management solutions remove much of the complexity associated with identity management and other strategic processes, boosting operational efficiency, lowering costs and achieving a higher level of security. By replacing manual offline processes with automated software, airports are able to relieve many of their traditional pain points. Physical identity and access management solutions provide the tools to streamline workflows, automate processes and integrate disparate systems. They also reduce risks associated with manual, error-prone systems and practices, improve compliance and increase efficiencies. As a result of the increased efficiency, lower costs and proactive compliance management, airports are safer for everyone. And in the end, that’s what matters most.
NEW TOOLS FOR MODERN IDENTITY ADAPTIVE AND MOBILE BIOMETRIC TECHNIQUES USHER IN A MORE SECURE FUTURE MARK DIODATI, TECHNICAL DIRECTOR – OFFICE OF THE CTO, PING IDENTITY
Do you feel the acceleration of change in identity management? Modern identity presents many new challenges – particularly with user authentication. Two new technologies are here to stay to help address the new challenges – adaptive and mobile biometric authentication.
THE GOOD OLD DAYS Gone are the days of managing the user’s computing environment, which delivered some semblance of device security posture. Workstations were bound to a trusted Active Directory environment; Windows Group Policy delivered centralized policy management and, at times, credential management; enterprises could push the latest anti-virus scanner software to most of their devices with a mouse click. These tools aren’t as effective in this era of modern identity, which is characterized by device-anywhere access, expanded user constituencies and delegated authentication.
DEVICE-ANYWHERE ACCESS We are now in the era of “device anywhere” access, a term that implies great heterogeneity for the user computing environment and network topology. The result is a loss of control. Devices like PCs, tablets and smart phones have different operating systems and therefore varying security capabilities. Device ownership matters, too. There is a loss of control moving from corporate-owned laptops to COPE (corporate-owned, personally-enabled) devices, to BYOD (bring your own device).
PARTNER AND CONSUMER CONSTITUENCIES Additional user constituencies are forcing changes to how we authenticate users. In the good old days, user constituencies with meaningful access to applications included employees and maybe contractors. Enterprises now must craft a strategy for newer constituencies like partners and consumers because they require more meaningful access to applications. And as the “distance” increases between the organization and the user constituency, fewer authentication options are possible. Smart cards or other hardware authentication methods may be tolerated by your employees and contractors but not by your partners and customers. Yet these new constituencies need an appropriate authentication method that is commensurate with their increased access.
DELEGATED AUTHENTICATION Delegated authentication forces us to think outside the monolithic box of authentication and application access. First, there is the pressure to leverage social network logins for access to enterprise applications. This is coming from all user constituencies, including employees. But the problem is one of “impedance mismatch.” Social logins alone don’t provide enough assurance for access to corporate applications, so something else is required to make them useful for the enterprise. Second, your partners and contractors may be using a federation system to authenticate their users for connection to your applications. Federated authentications may be browser-based using the SAML protocol, or API-based using OAuth.
NEW SCHOOL AUTHENTICATION TECHNIQUES Two relatively new authentication techniques can help overcome the challenges of authenticating users in the modern identity era – adaptive and local mobile biometric authentication.
ADAPTIVE AUTHENTICATION Adaptive authentication – sometimes called contextual authentication – is a passive, second-factor method. Its job is to bolster the assurance level of the primary authentication method – typically passwords. In most cases, the user is unaware that adaptive authentication is occurring. It originates from the fraud detection systems used with credit cards. Credit card companies will contact the consumer when there is unusual activity that doesn’t correspond to typical transactions – either by geography, nature of items purchased or amount of transaction. Financial institutions began using commercialized adaptive authentication around 2005 to reduce fraud and comply with new guidance from the Federal Financial Institutions Examination Council. Financial institutions are very concerned about customer experience, and despite this concern they failed on usability with early attempts to saddle U.S. consumers with hardware authenticators. In contrast, adaptive authentication happens behind the scenes, leaving users unaware of the techniques. The system inspects device characteristics like fingerprinting, geolocation and IP address for matching against blacklists. In addition, the system looks at user behavior, such as time of day, day of week, transaction amount and transaction frequency. A risk score is calculated from the device characteristics and user behavior. Depending upon the risk score, the institution may authenticate the user a different way – sometimes called step-up authentication. The institution may opt to stop the transaction in its tracks.
After a bumpy start – with excessive false rejects that annoyed both banks and customers – adaptive authentication has become ubiquitous for consumer authentication for financial transactions. Adaptive authentication deployments didn’t stop at banking. Financial services, retail and social networks leverage adaptive authentication, particularly device characteristics.
THE HOLY GRAIL – RAISING ASSURANCE LEVELS FOR ENTERPRISE SYSTEMS VIA ADAPTIVE AUTHENTICATION – IS AN ONGOING JOURNEY
The Holy Grail – raising the assurance levels of enterprise authentication systems via adaptive authentication – is an ongoing journey. Adaptive authentication systems typically rely on browser-based interactions, but enterprises want to use device identification for user logon to Active Directory. Two hurdles have precluded this use case: adaptive authentication systems require browser interaction, and the challenge of inserting an adaptive authentication system between the workstation and Active Directory is daunting. As users become untethered from workstations, adaptive authentication becomes possible. At the same time, the new school trademarks of user access – device-anywhere, external user constituencies and delegated authentication – make adaptive authentication much more valuable for the enterprise. The result is that adaptive authentication is finding its rightful place in federation, Web access management and multi-factor solutions.
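A minimal adaptive risk scorer for the signals listed above, added here as an illustration rather than any vendor's product: an unknown device fingerprint, unusual geography, a blacklisted source IP, an unusual time of day, an outsized transaction amount and high transaction frequency each add points, and the total selects allow, step-up or block. The weights, the thresholds, the sample profile and the TEST-NET blacklist range are constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Outcomes handed back to the primary (password) login flow.
const (
	Allow  = "allow"   // low risk: the password alone is accepted
	StepUp = "step-up" // medium risk: require an active second factor
	Block  = "block"   // high risk: stop the transaction in its tracks
)

// Context is what the system observes passively for one login or transaction.
type Context struct {
	DeviceFingerprint string
	Country           string
	IP                string
	When              time.Time
	Amount            float64
	TxLastHour        int
}

// Profile is the user's learned baseline that each context is compared against.
type Profile struct {
	KnownDevices  map[string]bool
	UsualCountry  string
	UsualHours    [2]int // local hours, start inclusive, end exclusive
	TypicalAmount float64
}

// Scorer carries policy: blacklisted networks and the two score thresholds.
type Scorer struct {
	Blacklist []*net.IPNet
	StepUpAt  int
	BlockAt   int
}

func NewScorer(cidrs []string, stepUpAt, blockAt int) (*Scorer, error) {
	s := &Scorer{StepUpAt: stepUpAt, BlockAt: blockAt}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		s.Blacklist = append(s.Blacklist, n)
	}
	return s, nil
}
func (s *Scorer) blacklisted(ip string) bool {
	addr := net.ParseIP(ip)
	for _, n := range s.Blacklist {
		if addr != nil && n.Contains(addr) {
			return true
		}
	}
	return addr == nil // an address that does not parse is treated as hostile
}

// Decide sums weighted signals from device characteristics and user behaviour and
// maps the total onto allow / step-up / block; the reasons explain a false reject.
func (s *Scorer) Decide(p Profile, c Context) (string, int, []string) {
	hour := c.When.Hour()
	checks := []struct {
		hit    bool
		points int
		why    string
	}{
		{!p.KnownDevices[c.DeviceFingerprint], 30, "unknown device fingerprint"},
		{c.Country != p.UsualCountry, 25, "unusual geography"},
		{s.blacklisted(c.IP), 50, "source IP on blacklist"},
		{hour < p.UsualHours[0] || hour >= p.UsualHours[1], 10, "outside usual time of day"},
		{p.TypicalAmount > 0 && c.Amount > 5*p.TypicalAmount, 25, "amount far above typical"},
		{c.TxLastHour >= 5, 20, "high transaction frequency"},
	}
	score, reasons := 0, []string{}
	for _, ck := range checks {
		if ck.hit {
			score += ck.points
			reasons = append(reasons, ck.why)
		}
	}
	switch {
	case score >= s.BlockAt:
		return Block, score, reasons
	case score >= s.StepUpAt:
		return StepUp, score, reasons
	}
	return Allow, score, reasons
}

func main() {
	s, _ := NewScorer([]string{"203.0.113.0/24"}, 30, 70) // constructed blacklist (TEST-NET-3 range)
	p := Profile{KnownDevices: map[string]bool{"fp-laptop-1": true}, UsualCountry: "US", UsualHours: [2]int{7, 23}, TypicalAmount: 80}
	c := Context{DeviceFingerprint: "fp-tablet-9", Country: "RO", IP: "203.0.113.9", When: time.Date(2014, 1, 14, 10, 0, 0, 0, time.UTC), Amount: 900}
	fmt.Println(s.Decide(p, c))
}
```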
MOBILE BIOMETRIC AUTHENTICATION When looking at the techniques that constitute adaptive authentication, it is easy to conclude that adaptive authentication is really biometric authentication. After all, it leverages device attributes and user activity and has false positives and negatives. This provides a nice segue to the next game changer – mobile biometric authentication in which the biometric match occurs locally on the device, rather than on a remote server. The smart phone is suitable for biometric authentication because it has a variety of sensors – camera, microphone, accelerometer, touch screen and often a fingerprint scanner. The phone is almost always in the hand of the user, which overcomes a common problem associated with traditional hardware authentication.
But how can mobile biometric authentication – something that happens on the device – become useful for authentication to applications? Enter the Fast IDentity Online (FIDO) authentication standard. One of the FIDO protocols is the Universal Authentication Framework (UAF), which provides a way for mobile biometrics to transition to applications using a standards-based approach. In brief, a successful on-device authentication enables the client to authenticate to a specific application via public key technology. Unlike smart cards with a handful of private keys for different uses, a specific private key exists for every application. Or for greater interoperability, the user can authenticate to a service that understands the FIDO system rather than relying on a specific private key for every application. After a successful authentication, the service provides credentials like SAML for browser-based sessions or OAuth access tokens for API-style transactions.
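A simplified model of the UAF flow just described, added here as an example and not the FIDO specification's wire format: the biometric match happens on the device, a successful match unlocks a per-application Ed25519 key, and the signature over the application's one-time challenge is what the application verifies. The hash-compare stand-in for a biometric matcher, the application IDs and the user name are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator models the phone: the enrolled biometric and all private keys never leave it.
type Authenticator struct {
	template [32]byte                     // constructed stand-in for a biometric template
	keys     map[string]ed25519.PrivateKey // one private key per application ID
}

// NewAuthenticator enrols a sample; a hash compare stands in for a real probabilistic matcher.
func NewAuthenticator(sample string) *Authenticator {
	return &Authenticator{template: sha256.Sum256([]byte(sample)), keys: map[string]ed25519.PrivateKey{}}
}

// localMatch is the on-device verification; nothing biometric is sent anywhere.
func (a *Authenticator) localMatch(sample string) bool {
	h := sha256.Sum256([]byte(sample))
	return subtle.ConstantTimeCompare(h[:], a.template[:]) == 1
}

// Register creates a fresh key pair for one application after a local match and returns the public half.
func (a *Authenticator) Register(appID, sample string) (ed25519.PublicKey, error) {
	if !a.localMatch(sample) {
		return nil, errors.New("biometric match failed")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return pub, nil
}

// Sign answers a server challenge with the key registered for appID, only after a local match.
func (a *Authenticator) Sign(appID, sample string, challenge []byte) ([]byte, error) {
	if !a.localMatch(sample) {
		return nil, errors.New("biometric match failed")
	}
	priv, ok := a.keys[appID]
	if !ok {
		return nil, errors.New("no key registered for " + appID)
	}
	return ed25519.Sign(priv, signedPayload(appID, challenge)), nil
}

// signedPayload binds the signature to the application so a response for one cannot be replayed at another.
func signedPayload(appID string, challenge []byte) []byte {
	return append([]byte(appID+"\x00"), challenge...)
}

// Server is one relying application; it holds public keys and outstanding challenges, never biometrics.
type Server struct {
	AppID   string
	pubKeys map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> challenge awaiting a response
}

func NewServer(appID string) *Server {
	return &Server{AppID: appID, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}
func (s *Server) StoreKey(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random nonce that is valid for exactly one response.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the response against the stored key and consumes the challenge either way, which defeats replay.
func (s *Server) Verify(user string, sig []byte) bool {
	c, issued := s.pending[user]
	pub, registered := s.pubKeys[user]
	delete(s.pending, user)
	if !issued || !registered {
		return false
	}
	return ed25519.Verify(pub, signedPayload(s.AppID, c), sig)
}

func main() {
	phone, bank := NewAuthenticator("alice-sample"), NewServer("https://bank.example") // constructed names
	pub, _ := phone.Register(bank.AppID, "alice-sample")
	bank.StoreKey("alice", pub)
	challenge, _ := bank.Challenge("alice")
	sig, _ := phone.Sign(bank.AppID, "alice-sample", challenge)
	fmt.Println("accepted:", bank.Verify("alice", sig), "replay accepted:", bank.Verify("alice", sig))
}
```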
WRAP UP The proliferation of adaptive and mobile biometric authentication is inevitable to address the challenges associated with modern identity management. Of the two new authentication techniques, adaptive authentication will be most ubiquitous because it is a second factor. It can raise the assurance levels of primary authentication methods with minimal user friction. Mobile biometric authentication is also here to stay and can improve assurance for all user constituencies, including employees and consumers. Regardless of the authentication methods in play, they become more valuable when they can interoperate with standards-based credentials like SAML and OAuth.
APARTMENTS, RESIDENCES EXPLORE CLOUD-BASED PHYSICAL ACCESS CONTROL ENTERPRISE TECHNOLOGIES ALSO SECURING THE HOME
MORE THAN 89 ACCESS CONTROL READERS ARE DEPLOYED ACROSS APARTMENT ENTRY POINTS, ELEVATORS, THE PARKING GARAGE AND AT STRATEGIC LOCATIONS IN THE RETAIL SHOPS AND RESTAURANTS
Tapping a card to get into the front door of an office might be an everyday occurrence, but using that same technology to get into an apartment building isn’t quite as common. Newer residential buildings, however, are looking to enterprise access control for tenants. North Bethesda Market in Maryland has deployed a cloud-based access control system from Brivo Systems that uses proximity key fobs to enable access to the front door and common areas within the building. North Bethesda Market has 400 residential apartments but also boasts 200,000 square feet of retail space including Whole Foods Market, LA Fitness, Arhaus, Brio and Seasons 52. Making sure that only residents can gain access to the apartment floors was a primary concern for property manager JBG Companies, says Jessica Hendrix, general manager at North Bethesda Market. The development project tapped Brivo OnAir cloud-based access control throughout the complex. The solution was installed as construction on the new facility progressed throughout 2010 and 2011. Brivo OnAir gives the facility the flexibility to easily manage the property, Hendrix says. The development consists primarily of rental properties, so there are a lot of residents moving in and out. The system is easy to use, enabling the property managers to turn off access for residents who have moved out of the building. The web site where the property managers add and revoke access is easy to use as well, Hendrix says. More than 89 access control readers are deployed at the site, including all entry points for the apartments, the elevators, the parking garage and at strategic locations in the retail shops and restaurants, says Igor Gravoc, sales manager at ResponseTECH, the systems integrator on the project. Residents use the key fobs to get in the front door and the parking garage at North Bethesda, Hendrix says. They are also used in the elevator and for access to common areas. Keys are still used to get into specific apartments. The Brivo system keeps an audit trail of when residents use the system, enabling property managers to know who accesses different common areas at different times in case a problem is reported. Newer rental properties are looking at different card technologies to enable access to buildings, says Gravoc. With the amount of turnover and traffic in some of these larger buildings, issuing cards or key fobs is easier and cheaper than metal keys. Also, if a resident doesn’t turn in the keys after moving out, only one door has to be rekeyed and not multiple ones.
Advantages of cloud-based physical access for multi-use dwellings:
• Ease of use makes administrator training simple
• 24/7 system access from any location
• Configure cards for exactly the level and location of access needed
• No need to manage servers or software
• Scalable for one additional access point or one thousand
• Audit trail and reporting functions provide detailed logs
• Control access to common spaces
WITH HIGH TURNOVER IN LARGE APARTMENT BUILDINGS, ISSUING CARDS IS EASIER AND CHEAPER THAN METAL KEYS
VANDERBILT, VODAFONE PILOT EMERGING ACCESS CONTROL TECH TAKE YOUR PICK – BLUETOOTH OR NFC FOR PHYSICAL SECURITY HID Global is piloting a new system called Mobile Access on both sides of the world, enabling virtually any smartphone to function as a physical access credential using either near field communication or Bluetooth low energy. Both Vodafone in New Zealand and Vanderbilt University in Nashville are using the solution to provision credentials to smart phones. At Vanderbilt, 15 pilot participants used their Bluetooth-equipped smart phones to open doors at six campus entry points and parking garages. Participants used their own existing handsets, including Apple iPhone 4S, 5, 5C and 5S devices and Android-based Samsung Galaxy S4 and Mini 3S handsets. Vanderbilt University uses The CBORD Group’s CS Access system with VertX access control panels from HID. No changes were required to the CBORD system to use the smart phone-based credentials. Entry points were equipped with HID’s iCLASS SE readers, configured to accept both existing iCLASS smart cards and the HID mobile IDs. Pilot participants cited convenience as the top attribute of the system and also highlighted the benefit of using their phone as a backup in cases where their card was lost or stolen. They enjoyed using HID Global’s “Twist and Go” gesture technology to open the parking gate as they drove up to the reader – without even having to roll down their window. And finally, respondents noted that installing and registering the mobile app was simple and took just five minutes or less to complete. Vodafone is using Mobile Access but is enabling employees to choose NFC or Bluetooth depending on the handset. Thirty employees have tested the app at Vodafone’s Viaduct office in Auckland, New Zealand, and it’s a 50/50 split between NFC and Bluetooth. Employees receive a message and then download an app that provisions the credential.
The Vodafone Security Team adds the mobile ID key to the Vodafone Access Control System and the credential is ready to be used. The system can be remotely provisioned for contractors so swipe cards don’t have to be issued and access can be revoked without having to turn in a card. For employees using NFC, the mobile device is held close to the reader, similar to the presentation of a plastic card. For Bluetooth, however, when a user is two to three feet away, the handset is twisted back and forth to trigger the authentication. For both NFC and Bluetooth, the app does not have to be opened to gain access, but the phone must be powered on and awake.
FOR NFC, THE MOBILE IS HELD CLOSE TO THE READER. FOR BLUETOOTH, FROM TWO TO THREE FEET AWAY, THE HANDSET IS TWISTED BACK AND FORTH TO TRIGGER THE AUTHENTICATION.