A SURVEY OF ID TECHNOLOGY - WINTER 2016 - ISSUE 48
CONSUMER IDENTITY’S
DIRTY LITTLE SECRET
IT’S MORE MARKETING THAN SECURITY
From security features, such as color in polycarbonate and document verification, to new forms of identity, like digital driver’s licenses and ePassports, Gemalto is bringing innovation and trust to more than 100 government programs worldwide. GEMALTO.COM
IN AN INCREASINGLY CONNECTED SOCIETY GEMALTO IS THE LEADER IN MAKING DIGITAL INTERACTIONS SECURE AND EASY. LEARN MORE AT GEMALTO.COM
© Gemalto 2016. All rights reserved. Gemalto, the Gemalto logo, are trademarks and service marks of Gemalto and are registered in certain countries. November 2016 - CC
Providing innovative government services for millions of citizens
Certified Smart Card Industry Professional The industry’s only standardized certification program recognizing professionals with advanced smart card industry knowledge and experience
With the CSCIP credential, you are immediately recognized as having the most up-to-date knowledge of smart card technology. The designation distinguishes you as a certified professional with knowledge of both current smart card technology and applications and emerging trends.
GET CERTIFIED. BUILD YOUR CAREER.
The Smart Card Alliance offers three separate CSCIP credentials:
CSCIP: The general CSCIP certification is for professionals who support all applications using smart card technology.
CSCIP/Government: The CSCIP/G certification focuses on identity and security applications and government-specific smart card initiatives.
CSCIP/Payments: The CSCIP/P certification focuses on payment applications including EMV chip, mobile, contactless and transportation.
All CSCIP certifications demonstrate proficiency in the following principles:
• Smart card technology fundamentals
• Security
• Application/data management
• Mobile and NFC usage models
• Identity and access control usage models (CSCIP and CSCIP/G only)
• Payments usage models (CSCIP and CSCIP/P only)
To learn more about CSCIP certification, training dates, and fees, visit: www.smartcardalliance.org/cscip 1-800-556-6828
“ I’m starting a new job, finishing my degree and I have a true passion for the arts. I’m proud of my work and the cards in my wallet represent my life.”
— Robert H. Marketing Director Corporate Technologies
Every person in your program has multiple identities, and securing and protecting those identities is no small task. Datacard® ID solutions empower enterprises to protect what’s most important to them in an increasingly connected world with trusted, long-lasting, secure ID cards.
Visit Datacard.com/ReID to learn more by downloading your free ID Solutions Guide.
© 2015 Entrust Datacard Corporation. All rights reserved.
DATACARD GROUP IS NOW ENTRUST DATACARD
CONTENTS
4 Farewell gunmetal gray boxes: New tech helps slow-to-change physical access control market find its groove
6 ID Shorts: News and posts from the web
14 COVER STORY: Consumer identity’s dirty little secret. Despite public desire to end data breaches, customer identity and access management is more marketing than security
16 GDPR 101: Understanding the EU’s new data protection regs
18 Moving to tokenless physical access control
21 Women in Biometrics Awards recognize leaders from government and industry: FBI, NIST, IBIA and MorphoTrak leaders honored during 2017 program
26 ‘Golden Age’ for iris recognition?
27 Iris emerging on mobile devices
29 Moving towards identity-centric security
30 Advanced card materials make embedded security features possible: Level 1, level 2 and level 3 security features key to fighting document fraud
32 What states need for secure ID success
34 New NSTIC pilots announced: $15.5 million awarded for pilots to help states, students and patients
36 Hundreds implant NFC chips to explore privacy issues
38 Norway adding mobile to BankID: Popular authentication tech adding mobile capabilities
ABOUT
EXECUTIVE EDITOR & PUBLISHER Chris Corum, chris@AVISIAN.com
EDITOR Zack Martin, zack@AVISIAN.com
ASSOCIATE EDITOR Andrew Hudson, andrew@AVISIAN.com
CONTRIBUTING EDITORS Liset Cruz, Autumn Cafiero Giusti, Gina Jordan
ART DIRECTOR Ryan Kline
ADVERTISING SALES Chris Corum, chris@AVISIAN.com; Sales Department, advertise@AVISIAN.com
SUBSCRIPTIONS Regarding ID is available for the annual rate of $39 for U.S. addresses and $87 for non-U.S. addresses. Visit www.regardingID.com for subscription information. No subscription agency is authorized to solicit or take orders for subscriptions. To manage an existing subscription or address, visit http://subscriptions.avisian.com and enter the Customer Code printed on your mailing label. Postmaster: Send address changes to AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301.
ABOUT REGARDING ID MAGAZINE re: ID is published four times per year by AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Chris Corum, President and CEO. Circulation records are maintained at AVISIAN Inc., 315 E. Georgia Street, Tallahassee, Florida 32301. Copyright 2016 by AVISIAN Inc. All material contained herein is protected by copyright laws and owned by AVISIAN Inc. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information storage and retrieval system, without written permission from the publisher. The inclusion or exclusion of any does not mean that the publisher advocates or rejects its use. While considerable care is taken in the production of this and all issues, no responsibility can be accepted for any errors or omissions, unsolicited manuscripts, photographs, artwork, etc. AVISIAN Inc. is not liable for the content or representations in submitted advertisements or for transcription or reproduction errors.
EDITORIAL ADVISORY BOARD Submissions for positions on our editorial advisory board will be accepted by email only. Please send your qualifications to info@AVISIAN.com

FAREWELL GUNMETAL GRAY BOXES
NEW TECH HELPS SLOW-TO-CHANGE PHYSICAL ACCESS CONTROL MARKET FIND ITS GROOVE
CHRIS CORUM, EXECUTIVE EDITOR, AVISIAN PUBLICATIONS

The latter part of the year always takes on a physical security focus for our editorial team as we cover a series of PACS-related events and conferences. This year was no exception. Our publications focus on identity, credentialing and security, but we are not a pure physical security pub. So these events can be a bit overwhelming as aisle after aisle of booths showcase “gunmetal gray” boxes filled with circuit boards and wires. To fight the redundancy, I tend to gravitate to the non-traditional security technology. It is more colorful and it fits more closely with the mission of our publications … helping users maximize the security and utility of their ID cards and credentials.

This was a breakout year on this front. I was introduced – or became better acquainted with – at least a half-dozen approaches to physical security that seem destined to make an impact on the future of PACS. Some change the way we architect traditional enterprise access control systems, others change the way we secure our homes and small businesses, and others take access control off of the door and into the field. In prior years, these relative newcomers might have been tucked in the back halls of the exhibit floor or presenting in the final session of the conference after most attendees had already fled for the airport. But this fall, I found them front and center, a sign to me that things may be changing in this slow-to-change world of access control.

What are some of these new approaches?
Cloud-based physical access control and mobile credentials for enterprises
Smart electronic locks powered through mobile apps for home and small business
Lockers, cylinders, padlocks and other non-traditional form factors that utilize existing contactless cards or mobile apps

These approaches are exciting because they empower credentials – cards, mobile, or other digital IDs – to do more than just open the door. It seems we are on the verge of breaking the stranglehold that proprietary access control systems have had on enterprise security. New systems change the business model, change the architecture and vastly expand the possibilities. With an IT-centric approach we can analyze access control system data in new, innovative ways. Organizations can get out of the business of hosting servers and patching software and operating systems. New form factors like mobile move from pilots to mainstream, and multi-factor authentication – overt or covert – can be layered to improve security and convenience.

And these massive shifts in enterprise security literally open new doors in home security as well. Smart electronic locks enable mobile keys to be shared and revoked with family, visitors and even temporary service providers. They integrate with next generation smart homes. Utilizing the same credential – card or mobile – to secure things other than doors provides strong ROI and investment justification for issuers. Lock your gates with smart padlocks, control your employee or student lockers with contactless cards, and let your kids lock their bikes up with a mobile app that sends you location data.

That staid, traditional physical security industry had a lot on display this year that sure did not look traditional. Great for me as I had more fun on the show floors. Great for issuers as we can start prepping for some exciting new access options.
With PPG TESLIN® substrate, there’s security in numbers
[Ad graphic: 230,000,000 Driver’s Licenses; 240,000,000 National IDs; 50,000,000 Other Secure Government Credentials; 25 Years; 90 Countries; e-Passports and Certificates (figures shown as 25,000,000 and 500,000,000)]
TESLIN® substrate has been trusted for more than two decades by governments and other institutions around the world to make credentials more secure.
As a stand-alone material or as part of complex multi-component secure credentials, Teslin substrate can be embedded with program-specific security features to deter document forgery and enhance credential authentication. In addition to accepting printed high-resolution security features, Teslin substrate reproduces high-definition color photos, enables laser-engraving and forms exceptional bonds with security inks, laminates, coatings and patches to permanently expose any evidence of tampering. Durable, yet flexible, Teslin substrate also helps cushion and protect embedded eID electronics against mechanical stress, greatly increasing eID service life in ways that stiff printable plastics can’t. When you’re ready to design a secure and durable credential that’s easy to authenticate and difficult to replicate, visit teslin.com/numbers. And discover why, with Teslin substrate, there’s security in numbers.
© 2016 PPG Industries, Inc. All Rights Reserved. Teslin is a registered trademark of PPG Industries Ohio, Inc.
ID SHORTS
HIGHLIGHTS FROM SECUREIDNEWS.COM
CAMEROON TAPS GEMALTO FOR POLYCARBONATE E-IDS Gemalto is helping the General Delegation for National Security in Cameroon to tackle fraud and document counterfeiting with the deployment of polycarbonate eID cards. This approach consists of laser engraving high-resolution color photos into the Sealys card body to provide Cameroon with the benefits of proof of identity for its 20 million citizens. Gemalto also contributes to the country’s identity modernization program with its Coesys enrollment solution, its personalization platform implementing color laser engraving technology and eID verification terminals. Gemalto’s Sealys eID offers the country anti-counterfeiting benefits compared to solutions that simply print a photograph on the surface of a card. Furthermore, the image is combined with a digital copy of the cardholder’s fingerprint stored within the embedded microprocessor. Additional levels of protection are provided by a series of visible and invisible document security features.
The card body, which is entirely made of polycarbonate, guarantees a ten-year service life with outstanding resistance to extremes of temperature and mechanical stress. Gemalto will enable Cameroon to operate the system autonomously via a training, maintenance and knowledge transfer program. The agency will therefore be in a position to take full responsibility for enrolling citizens and issuing personalized eID cards, then verifying eIDs on the terminals supplied.
LOGIN.GOV REPLACING CONNECT.GOV Connect.Gov will become Login.Gov, according to a notice published in the Federal Register as a notice of a new system that would fall under the U.S. Privacy Act of 1974. The notice is to inform the public of the change that will be subject to the 42-year-old law. The notice comes as the GSA is proposing a citizen identity platform that can be used to access government services. The platform will collect personal data and provide identity proofing to agencies. Login.Gov replaces Connect.Gov, which was scrapped earlier this year. To enable access, information must be collected to authenticate an individual’s identity. How much data will be collected will depend on the level of identity assurance necessary for the application. Login.Gov will use third-party identity services to proof an identity. For a level one credential a citizen will provide an email, password and phone number. For a level three credential they will be asked for additional information: full name, date of birth, address, phone number and Social Security number will be requested. The identity proofer will also ask the user credit and financial-related knowledge-based authentication questions. Login.gov will not retain the commercial identity verification information, questions asked of a user or the responses provided.
“Once proofed, the attribute bundle will be given a meaningless, but unique identifier number (MBUN) to identify the user in the system. The MBUN and attribute bundle will be asserted to the partner agency. The partner agency is granted access to user information only when the user logs in or specifically gives permission to transmit their information. The information in the system is contributed voluntarily by the user and cannot be accessed by the government without explicit consent of the user, except as provided in this notice,” the notice states.
Not everyone is excited about the change. ID.me was one of the identity providers with Connect.Gov, and this new system has shut out most identity providers, says Blake Hall, co-founder and CEO at the company. He fears the new system will be a honeypot for hackers wanting citizen information. “The idea of one government agency housing all citizen information and tracking activity online is scary,” Hall says. “It will be an immediate target for hostile state actors and opens the door to malicious use for domestic purposes too.” The system also seems to go against White House policy that originally stated a government database of citizen information wouldn’t happen. “At the end of the day, the question that just confounds me: can a small group of technologists really just hijack executive policy and attempt to destroy an ecosystem of private sector companies that made huge investments in good faith to support this administration’s policy for trusted identities online?” Hall asks. The system was supposed to accept third-party identity credentials, however, the notice made no mention of that idea. “If Login.gov is the only way for citizens to interact with government services online and there is no choice between identity providers, then the system is de facto involuntary because there is only one option and no recourse provided for citizens to interact with their government,” Hall says. “My way or the highway doesn’t sound voluntary to me.”

CALENDAR 2017
RSA Conference 2017, February 13 – 17, 2017, Moscone Convention Center, San Francisco, Calif.
2017 Payments Summit/ICMA Expo 2017, March 28 – 30, 2017, Renaissance Orlando at Sea World, Orlando, Fla.
National Association of Campus Card Users Annual Conference, April 2 – 5, 2017, Disney’s Contemporary Resort, Orlando, Fla.
ISC West, April 5 – 7, 2017, Sands Expo, Las Vegas, Nevada
Connect ID, May 1 – 3, 2017, Walter E. Washington Convention Center, Washington, D.C.
Securing Federal Identity 2017, June 6, 2017, Hamilton Crowne Plaza, Washington, D.C.
Cloud Identity Summit, June 19 – 22, 2017, Sheraton Grand Chicago, Chicago, Ill.
Security Document World 2017, June 26 – 28, 2017, QEII Centre, Westminster, London, UK
EVOLIS LAUNCHES LAMINATION MODULE Evolis launched its new lamination module for plastic cards compatible with its desktop card printer Primacy. The Evolis card lamination module aims to prevent forgery and can increase the durability of government cards or access control badges. Since its creation in 2000, Evolis has deployed more than 370,000 printing systems across the world, enabling organizations and companies to issue plastic cards. In order to satisfy the requirements of those organizations for more secure and rapidly issued documents, Evolis created a lamination module connected to its Primacy printer, which laminates national ID cards, military IDs, residency cards, employee badges or student cards immediately after printing. The new lamination module connects to the Evolis card printer Primacy through infrared communication, creating one single system for encoding – from magnetic stripes to smart card chips – printing and laminating plastic cards. The system, named Primacy Lamination, prints and laminates up to 215 single-sided cards or 110 double-sided cards per hour. Ribbons and lamination films are easily installed and are automatically recognized. A large range of lamination films with or without holograms completes this product offer. Evolis can also design and customize laminates to include secure hologram patterns. Therefore, official cards, such as driver licenses, national ID cards, etc. as well as access control badges obtain maximum durability and a very high level of security.
STATE DEPARTMENT AWARDS XTEC PIV CONTRACTS XTec announced that the Department of State awarded it a new task order to provide project management and technical support services for domestic and overseas locations in support of the agency’s enterprise Identity Management System (IDMS). The task order was awarded under XTec’s State Department Blanket Purchase Agreement based on XTec’s Federal Supply Schedule contract with the General Services Administration. The Department uses XTec’s AuthentX Identity and Credential Management System for identity management and credential issuance including PIV cards for State Department employees and contractors. The award includes support for connectivity to DOD, DOJ and DHS agencies’ systems and Derived PIV Credentialing capabilities. The award constitutes a one-year base period and four six-month option periods, with a $60 million ceiling. XTec provides services for the entire identity and credential lifecycle for FIPS 201 Personal Identity Verification (PIV) credentials, PIV-Interoperable (PIV-I) credentials and Derived PIV credentials. In addition to providing the technical solutions, XTec also supports all pieces of the identity, credential and access control lifecycle from cardstock delivery to enrollment, credential issuance, maintenance, logical and physical access control as well as mobile usage.
NEW YORK ARRESTS 3,800 USING FACIAL RECOGNITION IN DMV The new facial recognition system used by the New York State DMV program has led to more than 100 arrests and 900 open cases since it launched in January, Gov. Andrew M. Cuomo announced. Since the original rollout in 2010, more than 3,800 arrests have been made. The system combats identity theft and fraud and is designed to remove high-risk drivers from the road. The system New York upgraded to doubles the number of measurement points mapped to each digitized driver photograph from 64 to 128. This improves the system’s ability to match a photograph to one that already exists in DMV’s database. The system also enables the ability to overlay images, invert colors, and convert images to black and white to better see scars and identifying features on the face. Different hairstyles, glasses, and other features that change over time – including those that evolve as a subject ages – do not prevent the system from matching photographs. DMV will not issue a driver license or non-driver ID until the newly captured photograph is cleared through the facial recognition system. Since the facial recognition technology was implemented in 2010, more than 3,800 individuals have been arrested for possessing multiple licenses. Additionally, more than 10,800 facial recognition cases have been solved administratively, without the need for an arrest. If the transactions are too old to pursue criminal prosecution, DMV is still able to hold subjects accountable by revoking licenses and moving all tickets, convictions, and crashes to the individual’s true record. Nearly half of those arrested by DMV investigators are accused of using a stolen identity to obtain a license when their original license under their true name was suspended or revoked. Recent cases in which enhanced facial recognition technology has helped investigators catch perpetrators include:
A man who is accused of filing for a license under a stolen identity allegedly stated that his information had not changed and that he has never had a suspended or revoked license. At the time of his application, his New Jersey commercial driver license under his true name was suspended for four alcohol-related offenses.
Nearly two dozen individuals who allegedly modified their names and dates of birth to obtain secondary Social Security numbers and use them to get new licenses to bypass suspensions, revocations or higher insurance costs.
Five individuals who attempted to take over someone else’s existing New York State DMV record.
Individuals who are arrested based on facial recognition matches are typically charged with filing a false instrument, tampering with public records, and forgery. DMV also works with several other states, using facial recognition technology to identify commercial driver license holders attempting to exploit the individual state licensing process to evade traffic tickets, commit insurance fraud, and/or avoid driver responsibility assessments.
TSA NEEDS TO WORK ON TWIC BACKGROUND CHECKS The Transportation Security Administration has issued more than 3.5 million biometric credentials – otherwise known as TWIC – to individuals needing unescorted access to secure areas of the nation’s maritime facilities and vessels. According to a Homeland Security Office of Inspector General report, the TSA has not been providing enough oversight and guidance to ensure that the TWIC program operates properly. Specifically, there are problems with the background checks and threat assessments for the TWIC.
The inspector general’s report found that:
Fraud detection techniques are not monitored and used in completing the background check
Adjudicators may grant TWICs even if questionable circumstances exist
Key quality assurance and internal control procedures are missing from the background check and terrorism vetting processes
New efforts tested for continuous vetting for disqualifying criminal or immigration offenses lack measures to determine the best solution
These issues exist, partly, because TSA leadership relies on the TWIC program office to implement necessary improvements. The TWIC program office, however, focuses more on customer service than effectiveness of the program. Additionally, because of TSA’s organizational structure, the TWIC program office lacks visibility into and authority over the other offices within TSA that support the TWIC program. As a result, there is a risk that someone with major criminal or immigration offenses maintains access to secured areas of maritime facilities. The report recommends that the TSA:
Identify a coordinating entity with authority, responsibility and accountability to provide regular guidance and leadership across all security threat assessment processes and supporting offices.
Conduct a risk analysis of the security threat assessment processes to identify areas needing additional internal controls and quality assurance procedures.
Improve TWIC program-level performance metrics to ensure they align with the program’s core objectives and direct management officials to use these metrics for all the supporting offices.
Review current TWIC Security Threat Assessment guidance to ensure it provides adjudicators the necessary information and authority to complete Security Threat Assessments.
Establish measurable and comparable criteria to use in evaluating and selecting the best criminal and immigration recurrent vetting option.
The TSA concurred with the report and is implementing corrective actions.
SUREID LAUNCHES ENTERPRISE IAM SureID Inc. announced the launch of SureID Certified Enterprise to provide configurable identity assurance for government and private enterprises. With the ability to integrate into an organization’s existing systems, SureID offers identity solutions designed to enhance an organization’s confidence that it knows its third-party vendors and contractors who access critical systems and physical locations. Third parties being given access to systems they should not be able to access have been the cause of numerous data breaches. The SureID Certified Enterprise identity solution includes:
SureID Certified Enterprise: For medium and large-sized businesses needing a high assurance identity for vendors and contractors. This identity can integrate within a commercial enterprise organization’s existing credential or identification badge system. SureID Certified Enterprise also includes a thorough background screen that can offer ongoing monitoring to an identity on a subscription basis.
SureID Certified Management Portal: The portal offers full credential lifecycle management for third-party vendors and contractors. Features include registering, identity proofing, screening, credentialing, authenticating, reporting and notification management. The portal also provides real-time revocation allowing system administrators to status check and immediately revoke any credential.
SureID Certified API: The Application Program Interfaces integrate to existing enterprise identity and access management systems, as well as to logical and physical access controls.
SureID Certified PIV-I: For government contractors, the new SureID Personal Identity Verification-Interoperable (PIV-I) federated solution can integrate within an organization’s existing infrastructure, enable multifactor authentication and provide trusted access through the federal bridge. This trusted identity can also help Department of Defense (DoD) and other federal government contractors to achieve NIST SP 800-171 compliance.
COSTA RICA DEPLOYING POLYCARBONATE NATIONAL IDS Oberthur Technologies announced that its Lasink solution has started to be deployed across Costa Rica, through a multi-year contract to provide highly secure national ID cards. This new ID card will provide the Costa Rican authorities with a foundation to develop a trusted identity environment. The issuance of the high security ID card has been delegated through a contract between the Supreme Electoral Court, the Costa Rican Electricity Institute and Oberthur Technologies. Some 600,000 of these cards will be issued every year in Costa Rica.
Oberthur has developed the LASINK solution to help combat forgery of identity card photos and to provide governments with the necessary means to strengthen border identity checks and protection of citizens. LASINK enables the document holder’s color picture to be engraved directly within the polycarbonate card. The document is durable, with a life span of more than 10 years. The Lasink pattern is easily recognizable but difficult to replicate with a digital printer. Scanners or smartphones are able to authenticate the document portrait. This will reinforce trust in many types of transactions including security clearance or Know-Your-Customer processes.
COMPANY TO PAY $1.5 MILLION IN SUIT FILED UNDER ILLINOIS BIOMETRIC PRIVACY ACT The Illinois Biometric Information Privacy Act was enacted way back in 2008 and is still considered the country’s most stringent oversight of corporate use of biometrics. On Dec. 1, the first settlement or judgment in a case filed under the law occurred. A class action group that sued L.A. Tan, a tanning salon franchise that used fingerprint biometrics for member access to facilities, will receive $1.5 million via the settlement. The payout is just $125 per individual salon member, but the ramifications for the biometrics industry and companies that seek efficient and secure access control options are far more substantial. The case did not involve a breach or nefarious use of the biometric data; rather, the law only required a showing that L.A. Tan had not properly informed its members and obtained written consent to use the biometric. The Illinois law states: “No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first: informs the subject … in writing that a biometric … is being collected or stored; informs the subject … in writing of the specific purpose and length of term for which a biometric is being collected, stored, and used; and receives a written release executed by the subject …” In an article on the settlement, Bloomberg Law interviewed the plaintiff attorney, who says he expects other states to enact similar legislation in the future. He also notes that his firm has filed suit against Facebook over its use of facial recognition technology, and Snapchat has also been sued under the Illinois law. In August, an Illinois federal district judge dismissed a case filed against Smarte Carte for its failure to obtain consent from users of fingerprint-enabled lockers in a Chicago train station. According to IllinoisPolicy.org, the judge cited lack of harm as the reason for dismissal, suggesting that the Biometric Privacy Act might require more than just lack of consent to merit judgment. The judge referred to the Supreme Court’s May 2016 ruling in Spokeo vs. Robins, likely giving hope to biometric industry advocates. The Spokeo ruling held that a man who sued a search engine for publishing false information about him failed to show actual harm and thus was not entitled to compensation. This requirement to show actual harm, it seems, is extremely contentious and far from legally concluded. Thus, we will likely see more of these biometric-related cases and laws.
CONSUMER IDENTITY’S DIRTY LITTLE SECRET
DESPITE PUBLIC DESIRE TO END DATA BREACHES, CUSTOMER IDENTITY AND ACCESS MANAGEMENT IS MORE MARKETING THAN SECURITY
ZACK MARTIN, EDITOR, AVISIAN PUBLICATIONS
The dirty little secret of consumer identity and access management is that security and authentication isn’t the priority. These systems are about enabling the organization to get as much information about consumers as possible in order to get them to come back to the site and buy more products.
This makes managing consumer identity information a difficult job. Organizations need to strike a balance. The registration process can’t be too onerous or people won’t bother to go through with it. But they still have to provide enough data that the marketers have some picture of the consumer.
This is the age of the data breach, and many companies are realizing that storing loads of consumer data may not be the best idea. Some organizations are starting to look at federated identity schemes, which enable access, deliver some consumer data and often provide a better user experience.
A common approach to federated identity in the consumer space is social login, which accepts credentials from Google, Facebook or other sites for access. This enables companies to outsource much of the IAM function and still get data about the consumer – but hopefully not enough to cause irreparable brand damage if breached.
In the early years – say 2012 to 2015 – the knock against federated identity for user authentication was that consumers were not able to control the data they were giving up to an organization. Facebook famously took a beating from the privacy community for oversharing personal data in early social login rollouts. This has changed over the past couple of years and looks to change further by 2018 as regulations in Europe take hold.
European regulation will require companies to give consumers access to any and all information they store about them, as well as the ability to delete any data. The fines for violating the General Data Protection Regulation (GDPR) are steep, reaching 20 million euros or 4% of a company’s annual revenue, whichever is greater. While these regulations can only be enforced in the European Union, U.S. companies that do business in Europe will have to comply. This could lead many to implement these systems globally.
FEDERATED IDENTITY ON THE RISE
Web sites and companies want to adopt federated identity schemes because it improves the consumer experience, says Merritt Maxim, a senior analyst serving security and risk professionals at Forrester Research. Still, he estimates that less than 50% of all sites accept federated identities.
The primary reason web sites go with federated identity is registration fatigue, Maxim says. Consumers are tired of filling out forms with the same information over and over again and having to remember a new password. Federated identity simplifies the process; consumers just choose the identity provider they want to use and are granted access for browsing.
75% OF ALL CONSUMERS ARE FRUSTRATED WITH PASSWORDS AND 58% OF CONSUMERS SAY A NEW PASSWORD KEEPS THEM FROM SIGNING UP FOR A NEW ACCOUNT. SOURCE: JANRAIN
Pharmaceutical companies are using these types of systems for consumers who are taking statin drugs, Maxim explains. While the sites offer information about the drug, they can also provide information on a healthy lifestyle, coupons and other material. For this type of transaction the company wants to have some idea of whom it is communicating with, but it doesn’t need every single identity attribute. “The social identity is enough for browsing,” he adds. “A lot of the adoption of consumer identity and access management is driven by lower risk or lower transaction environments.”
If a consumer wants to purchase something from a site, more identity information is needed, and they typically have to provide an email address and payment card data, Maxim says.
Where consumer IAM with social login becomes tricky is around the volume of attributes the relying party web site receives, Maxim says. The problem is twofold. Some sites, for example Facebook, enable the consumer to choose which attributes to share, such as email, friends list, etc. Other credential providers will give sites some attribute data for free, but if they want more in-depth data the relying party site has to pay for it. “There can be friction as the identity provider wants money for providing identity attributes, otherwise they can restrict them,” he explains.
While Maxim posits that just over half of web sites are deploying systems that enable social login, 95% of consumers report being aware of the technology, according to a survey from Janrain. On the downside, 42% question its value. But registration fatigue is real: the survey found that 75% of all consumers are frustrated by passwords and 58% say the requirement to establish a new password keeps them from signing up for a new account. While social logins can ease password issues, the survey shows that just over 50% of consumers from all income levels are likely to use them.
When using social logins, consumers want transparency and to know how their data is being used. Nearly a quarter of consumers will share information if offered a gift or promotion, but twice as many – 47% – will share that same information if the company assures them it will not share the information further and if they know how that information is being used. Thankfully, it seems trust trumps freebies.
EUROPEAN REGULATIONS
This trust model will continue to evolve as regulation in Europe impacts U.S. companies with a presence overseas. The GDPR requires web site operators to give consumers access to any and all data they hold on the individual. The consumer will also be able to delete information from the site. While such regulations don’t exist in the U.S., Europe is laying down strict rules with stringent penalties for sites that are breached or don’t enable a consumer to control their personal information. This means consumer IAM vendors are creating products that enable companies to put the consumer in control of their data, says Derick Townsend, vice president of
product marketing at Ping Identity. This future vision of consumer IAM uses one login to access a profile where a consumer can change any information. “In that profile I have my preference, the ability to opt in or out, my consent to share data and my ability to revoke my consent,” he explains.
While these systems will be mandatory for companies doing business in the European Union, they may also appear in the states as companies that do business overseas work to comply. “We’ve been having this conversation with many of our more advanced clients,” says Jamie Beckland, vice president of marketing at customer IAM provider Janrain. “It’s forced a lot of people to get smart about this a lot more quickly.”
A necessity with these new mandates will be a centralized compliance center where organizations can see across all their systems in one place, says Townsend. “Organizations will need policy engines in place to enforce these regulations,” he adds.
U.S. organizations do have some regulations to comply with – it’s not the Wild West, Townsend says. The Children’s Online Privacy Protection Rule (COPPA) imposes certain requirements on operators of websites or online services directed to children less than 13 years of age. Having these compliance and policy engines in place can make it easier to manage and report on how personal data is stored and used. While COPPA relates to handling information about children, there are no national regulations when it comes to overall consumer data. In the U.S. some states have different regulations impacting consumer privacy, but nothing as rigorous as the GDPR, Beckland says.
MOST AMERICANS ADMIT NEEDING HELP ACCESSING ONLINE ACCOUNTS: EIGHT IN 10 HAVE ASKED FOR ASSISTANCE – HINTS, SECURITY QUESTIONS, RESETS – TO ACCESS THEIR ACCOUNTS OR APPS AT SOME POINT. MORE THAN SIX IN TEN NEEDED A HELPING HAND MULTIPLE TIMES A YEAR AND 23% SEEK HELP AT LEAST ONCE EACH MONTH. SOURCE: DASHLANE
The GDPR in Europe is likely the first volley of regulations that will protect consumers’ information, says Marisa Wang, vice president of products at Gigya. “Regulations are becoming onerous as organizations need to manage restrictions around user data and give users the ability to see their relationship with the organization,” she adds. This will lead to an extended definition of identity and the convergence of lead generation models for marketing with consumer IAM, Wang says.
GDPR 101: Understanding the EU’s new data protection regs
The European Union Council and Parliament adopted the General Data Protection Regulation (GDPR) with the idea of simplifying regulations and bringing consistency to data protection across Europe. The GDPR updates and replaces the Data Protection Directive from 1995. Innovate Identity, a UK-based consultancy, released a paper that describes how organizations might be impacted by the regulation along with some of the important changes:
• Any organization that targets EU citizens will fall under this new regulation, even if it is based outside of the EU
• The painful change is that fines for a breach of the GDPR are fairly substantial – reaching up to 4% of the total annual worldwide turnover of the company
• Organizations must prove accountability by bringing in safeguards and changing current organizational cultures of monitoring and reviewing data
• It is vital that consent is “explicit” from consumers with regard to their data, and it must be given freely for a specific purpose
• With data breaches constantly popping up in the news, organizations will be under obligation to report any breaches without delay or within 72 hours to the Information Commissioner’s Office
Innovate Identity recommends that organizations begin with a Privacy Impact Assessment. These assessments are conducted as part of the regulation when the company is undertaking risky or large-scale processing of personal data. This can be a minefield, and it’s important to analyze and review current and future projects and documentation to ensure that levels of risk are low. After conducting the assessment, the organization will have a report that covers all privacy risks, suggested changes to how it operates and how to ensure it remains compliant on an ongoing basis. The GDPR takes effect in May 2018.
Some identity providers are trying to be proactive and enable consumers to choose what information is being given to relying parties. Facebook put this in place a few years ago and it may be a reason they are the most used credential for social login according to Janrain reports.
GOOD IAM COULD TRANSLATE TO MORE BUSINESS
Companies typically see a loss of business if they are the victim of a data breach. However, good stewardship of data, easy onboarding and authentication are all things that can be a competitive differentiator, Townsend says. “Showing you’re a good steward of data can translate into increased customer loyalty and trust.”
But consumer authentication remains a tough nut to crack. As with all things, taking a risk-based approach is best, Wang says. “Rather than requiring a second factor for every use you need to evaluate the risk and then decide if additional authentication is necessary,” she explains.
Even though more sites are moving to social login, when a consumer wants to conduct a higher value transaction, additional authentication is often required. With password fatigue at an all-time high, consumers often don’t want to remember another one or get frustrated with the password reset process and simply abandon the transaction. Unfortunately, the common alternatives – particularly those that increase the security of the transactions – aren’t appealing to most consumers. “There’s not a one-size-fits-all approach,” Townsend says. “Some people don’t like social login, some people don’t like multi-factor and text message one-time passcodes because of sharing their mobile number.”
A system that enables the individual to choose the authentication method can remedy this problem. “You need to support multiple approaches and let the consumer choose which multi-factor authentication they want to use,” Townsend adds.
EMERGING APPROACHES TO CONSUMER AUTHENTICATION
Adaptive authentication technologies – systems that check an IP address, geolocation and behavioral attributes – are being explored for consumers as well, says Tony Ball, senior vice president and general manager of Identity and Access Management at Entrust Datacard. “We need to replace the ways that authentication is being done,” he explains. “Identity needs to be changed, no more mother’s maiden name or Social Security number.”
Adaptive authentication that uses behavioral attributes is the future of consumer identity and access management, Ball says. “This isn’t just biometrics like fingerprints but it also might bring voice into the equation, how you tap on the keyboard – they all help paint a picture of the user and how he asserts himself,” he adds. And this, like all things when dealing with the masses, has to be easy to use. “The user experience has to be intuitive, has to be red/green, yes and no, something that’s easy to navigate and makes you feel confident at the same time,” Ball says.
Progressive profiling is another way to ease the consumer into authentication. On each visit a site would gather more information that would eventually complete a full profile, Wang says. This information could then be used to create a more sophisticated picture of the consumer, adds Beckland. Janrain is working on a tool that would take all the granular consumer data and put it together to create a picture of the consumer and empower marketing efforts. “There wouldn’t be one consumer journey, you might have six or 400 but it would be based on attributes the consumer provides,” he adds.
WHEN IT COMES TO THE IDENTITIES CONSUMERS ARE USING, FACEBOOK DOMINATES, ACCOUNTING FOR 45% OF ALL SOCIAL LOGINS. GOOGLE COMES IN SECOND WITH 26%, YAHOO AT 10% AND TWITTER WITH 9%. SOURCE: JANRAIN
Consumer identity management serves many masters and has a different purpose for each. For the consumer it has to be easy to get onboard, easy to use and not overly laden with marketing messages. Of course, it also has to be secure. For the organization it needs to gather valuable information about consumers in a way that is not overly intrusive. It also has to be secure and enable the organization to paint a picture of the consumer even though it might only be getting piecemeal information. And lastly, it needs to enable the organization to comply with any regulations governing that particular jurisdiction. That’s a lot to ask, but as regulations promulgate and consumers demand easy access plus the ability to see and even control their data, these robust consumer identity and access management systems will become a necessity.
MOVING TO TOKENLESS PHYSICAL ACCESS CONTROL
AUTUMN CAFIERO GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
There’s little standing in the way of companies taking a cue from the opening sequence of “Get Smart” and setting up their doors to open when an authorized employee approaches. The technology exists for tokenless, or “frictionless,” physical access control, which eliminates the need for an employee to carry around a token such as a badge or remember a PIN in order to gain entry into a building or office. Biometrics and radio frequency technologies like Bluetooth can make this scenario possible. It’s just a matter of pushing adoption.
Rick Focke, senior product manager for Tyco Security Products, says that he’s seeing customer demand for the concept of a virtual credential. “The industry is starting to go from the proof-of-concept stage to the deployment stage in a few different technologies,” he says.
But just because this kind of system is possible doesn’t mean that everyone is ready to adopt it. The question of whether a company will go the tokenless route has more to do with its security policy than security technology, says Steve Van Till, CEO and founder of security systems provider Brivo. “Can it be done? Absolutely. Should it be done? That’s a separate question,” he says. It all goes back to the long-standing dilemma of security versus convenience. Some companies value one over the other, depending on what they’re trying to secure.
There are products both in development and on the market that make it possible for a door to open because it knows who is there. For example, some Bluetooth readers and mobile apps enable a door to open when a person is within a prescribed distance. “The good thing about that is it’s really convenient and really easy,” Van Till says of the Bluetooth systems. “The bad thing is that your phone is now effectively an access card, and anybody could use it to get in the door.”
Being able to provide this level of convenience securely is where things get tricky. Biometrics has been touted as the solution to making tokenless physical access control systems secure. But the challenge the industry faces is how to make biometrics convenient, not to mention more affordable. “The holy grail of physical access control is to deliver on the promise of very high security and very high convenience simultaneously,” says Skip Cusack, chief technology officer and chief marketing officer of BluB0X Security Inc. Cusack believes that on the front end, there needs to be the right balance of security and convenience. “Until now, it’s really been all about convenience at the expense of security,” he says. “I think that’s changing now.”
More people will be drawn to these systems because they won’t have to depend on a badge or card credential that they’re more likely to leave at home, says Jonathan Mooney, business leader for electronic access control at security products provider Allegion. A biometric is impossible to leave at home, and people are very reluctant to go anywhere without their phones. “If you get halfway to work and realize you left your badge, you can probably convince yourself to continue on,” Mooney says, adding that for identification there will probably be people at your office or facility who can visually identify you or at least grant you partial access for the day. “But because you have your creature comforts on your phone, you’re more likely to turn around and go get it.”
A BACKUP FOR BIOMETRICS One tokenless physical access control system that’s in development and in use in a pilot program is the BluB0X Person Reader, a multi-factor, multi-biometric system designed to serve as a replacement for cards and card readers. The cloud-powered system relies primarily on facial recognition through a video sensor, but it can also employ secondary factors and biometrics to determine whether to let an individual through the door. The Person Reader is designed to enable an individual to walk up to a reader and gain instant access just by looking at it. The reader uses facial recognition video and compares it to other people in the database to see if there’s a match. The reader analyzes several biometric signals simultaneously based on the person’s appearance. If it’s not sure who the person is, depending on the security setting that is in play at that door, it may ask for a PIN or card. Cusack believes combining biometrics with other factor tests is what’s going to best enable frictionless access from a security standpoint. “Biometrics is very secure, but not perfect,” he says. “That, therefore, requires something to be brought to bear for those rare occasions when the biometrics need some help.” Cusack says the cloud is the key to enabling tokenless PAC systems in an efficient, cost-effective way. Being able to organize these systems in the cloud makes it easy for them to have one common database, making it possible for a company to have a variety of biometric systems and even a variety of traditional PAC systems. “That’s a big breakthrough for the industry, and I think one of the things that will drive cloud adoption,” he says.
SMARTPHONES: A GATEWAY TO TOKENLESS While biometrics continue on the road to adoption, smartphones are the most likely candidate for a first generation of frictionless physical access control systems. “Everyone has a phone, and they’re only going to become more and more powerful and capable. So it makes perfect sense to think about how we can use this to help solve problems in everyday life, including security,” Cusack says.
THE HOLY GRAIL OF PHYSICAL ACCESS CONTROL IS TO DELIVER ON THE PROMISE OF VERY HIGH SECURITY AND VERY HIGH CONVENIENCE SIMULTANEOUSLY
In addition to phones, the wearables market – such as smart watches – is offering opportunities for a place to store the credential, or to work in concert with a mobile device to enable access. Bluetooth Low Energy tends to be the preferred way of communicating with mobile devices because it allows for a definable distance, and it can work in a few different applications. A Bluetooth reader could challenge a mobile device to determine whether to grant access. Or a person could walk up to a door and hold up a phone, and then the system would ask the person to enter a PIN on the phone to gain access. A PAC system could also combine both scenarios to create dual-factor authentication.
One example of an existing mobile system is Brivo Mobile Pass, a cloud-based digital credential system that allows users to unlock doors with their smartphones. Instead of using a local reader at the door, Mobile Pass communicates with Brivo’s cloud system through a cellular network, or through Wi-Fi if available, and remotely commands the door to open with a tap of a button. Brivo launched Mobile Pass about a year ago and made it available to its existing customer base so that customers didn’t have to change out their reader equipment. Later this year, Brivo plans to introduce a Bluetooth capability for the app.
HARDWARE UPGRADES NECESSARY
The transition from plastic to virtual has to be planned out and managed, Focke says. That means educating users on how to use virtual credentials. “Most customers can’t just flip a switch and say, ‘OK, next week, we’re doing it all virtual,’ because there’s an installed base of plastic cards that have been issued to all the employees, and you can’t do it all at once,” he says.
Transitioning to frictionless access will involve a greater shift in terms of hardware than software. “The majority of our players are already working with credentials, readers, electronic locks and biometrics,” Mooney says. “So I don’t think it’s going to be a significant leap on the software side.” Upgrading or changing out readers will be a necessary first step to enabling systems on the front end. “What you want to do is get a reader that still reads the old cards so that people transition – go from card to virtual credential – easily,” Focke says. Companies would also need to change out their back-office integration systems to upload credential information to the physical access system.
Because of the logistical challenges of installing a new system, companies that are offering cloud-based products should have a much easier time getting these products to customers than companies offering traditional, on-premise systems, says Brivo’s Van Till. Improved standards could also help tokenless systems by making different systems and readers interchangeable. Right now, one vendor’s PAC system can work only with that same vendor’s readers. Focke says a Security Industry Association standards committee is in the works to develop a standard similar to its Open Supervised Device Protocol to cover virtual credentials.
PROPERTY MANAGERS HAVE SHOWN A GREAT DEAL OF INTEREST AS THEIR TENANTS LIKE HIGH-TECH AMENITIES. ENTERING A BUILDING WITH YOUR PHONE IS VERY ATTRACTIVE TO PROSPECTIVE TENANTS
EARLY ADOPTERS
Tokenless physical access control systems more than likely will go into use in some types of businesses before they do in others. Property managers are one group that’s shown a great deal of interest in these kinds of features, as their tenants like the feeling of high-tech amenities. “These kinds of things, like entering a building with your phone, are perceived as very flashy amenities, and they’re very attractive to prospective tenants,” Van Till says. There’s also a strong uptake in the university market. “Students are really keen on using a virtual credential, as opposed to always having to remember their student ID when they enter and leave the dorms,” he says.
Because using Bluetooth will require a new hardware installation, new buildings are another likely destination for tokenless systems. “A lot of people who already have a system that works with cards or something like that just aren’t going to feel that it’s worth spending thousands of dollars to have this feature added to their system,” Van Till says. Smaller companies are also more likely to go full bore into the virtual credential world simply because of their small scale, whereas larger companies tend to stick with trial runs so they can test out the technology in one part of the building, Focke says.
LOOKS WON’T CHANGE
So how different will the physical access control systems of the future look? Probably not that different. From the outside, it’s likely that the systems will look similar to how they do now, with just a reader near the door. Or, there might be no visible equipment at all, because readers can be hidden behind walls or above ceilings. Alternately, a user might not see a reader, but a symbol or sticker on the wall to indicate that there is a system in place.
Because they will rely on “smart” devices, tokenless systems could come equipped with more features that leverage their intelligence. Those features might include sensors that can collect data, both for the physical access control system and other uses. “They have power, and they have intelligence,” Cusack says of the readers. “And so it’s natural to think about how to take advantage of that for other applications as well.”
Not everyone is ready to go charging into tokenless access just yet. Allegion is trying to promote the benefits of upgrading systems while still trying to make sure that its customers have everything they need to handle their current access control system. “We still have a large portion of the end user community that potentially may not be using electronic access control at all,” Mooney says. With physical access control systems dominated by cards and readers for the past three decades, biometrics has always tried to make inroads, yet the price has been high and adoption has been slow. “But now it does seem like a very exciting time as we look at different types of credentials and the whole identity management space,” Focke says.
WOMEN IN BIOMETRICS AWARDS RECOGNIZE LEADERS FROM GOVERNMENT AND INDUSTRY
FBI, NIST, IBIA AND MORPHOTRAK LEADERS HONORED DURING 2017 PROGRAM
Scientist. Critical thinker. Marketer. Advocate. Visionary. Lightning rod. Collaborator. Catalyst. These are just a few of the words used by nominators to describe the four winners of the 2016 Women in Biometrics awards, selected from a pool of more than 100 nominations. Individually, the efforts of each of these women have played a pivotal role in advancing biometrics. But collectively, their efforts have enabled biometrics to advance other industries – from law enforcement and border control to payments and physical security. SecureIDNews and the Security Industry Association (SIA) presented the awards in New York City during SIA’s prestigious Honors Night celebration. Learn more about the finalists, the judging panel and the program at WomenInBiometrics.com.
JOANN BUSCAGLIA
Research Chemist, Counterterrorism and Forensic Science Research Unit, FBI Laboratory
JoAnn Buscaglia began her career in biometrics through forensic science research and development. In the early 2000s, she served as a research chemist in the FBI Laboratory’s Counterterrorism and Forensic Science Research Unit (CFSRU). While there, she assisted with latent fingerprint research to develop quantitative measurements and assess the scientific basis of identification conclusions in order to address court admissibility challenges to the discipline. In 2002, Buscaglia began working with automated fingerprint identification system (AFIS) algorithms as a tool for quantification of fingerprint features. She also wanted to explore the possibility of using image-based and other non-minutia-based algorithms for latent print searching and matching in AFIS. In 2004-2005, she served on an internal FBI Laboratory panel to assess the research needs of the latent print discipline, particularly related to the scientific basis of conclusions. That panel laid out a portfolio of research Buscaglia has led over the last decade, resulting in several high-profile publications on latent print decision analysis.
When Buscaglia began to work in biometrics she was introduced as a “research chemist” when delivering presentations at conferences. She often found herself explaining why a chemist was doing biometrics. “My career path in biometrics is atypical of many in the field,” she explains. “My formal education – bachelor’s and master’s degrees – are in forensic science (criminalistics, in particular) with an emphasis on trace chemical composition and microscopy of trace evidentiary materials.” Buscaglia completed her PhD in 1999, with a dissertation also in the area of trace elemental analysis of materials. Prior to joining the FBI Laboratory, she worked for almost a decade in academia and as a consultant for both private and public sector forensic, environmental, and industrial hygiene laboratories. “Because of my strong foundation in forensic science – including pattern evidence analysis, research and statistics – I was assigned to assist with latent print research in response to court challenges to the foundations of the discipline.”
BUSCAGLIA’S WORK IS A FUNDAMENTAL PART OF NEARLY EVERY CRIMINAL CASE THAT CHALLENGES FINGERPRINT EVIDENCE. THANKS IN LARGE PART TO HER RESEARCH, FINGERPRINT EVIDENCE STANDS UP TO CRITICISM AND GENERALLY REMAINS ADMISSIBLE IN COURT.
She now has more than 18 years with the FBI Laboratory’s CFSRU and nearly 14 years in biometrics research. Much of her biometric research has been supported through collaboration with the FBI Criminal Justice Information Systems Division Biometrics Center of Excellence. “In addition to biometric research in latent prints, I have led research for more than 10 years in the use of handwriting as a biometric, and in the development and testing of an automated handwriting identification system – FLASH ID – which is now deployed in the FBI Laboratory Questioned Documents Unit,” she adds.
Buscaglia says her proudest accomplishment in biometrics is leading the FBI Laboratory “Black Box” latent print examiner decision analysis study, which quantified the accuracy, repeatability and reproducibility of LPE decisions. Black Box was the first large-scale study to estimate error rates for latent print examiners. “Our first manuscript from this study was published in the Proceedings of the National Academy of Sciences and introduced as evidence in trial the day after its electronic publication,” she says. “It is both rare and gratifying to see that kind of immediate impact and transitioning of our research into practice.” This ongoing portfolio of research, with the follow-on “White Box” study, has resulted in several publications and has been part of nearly every criminal case involving challenges to fingerprint evidence, supporting the continued scientific admissibility of biometric fingerprint evidence in court. The Black Box and White Box research has been frequently cited by the judiciary, the Department of Justice Inspector General, and in the scientific literature.
Most recently, our work was recognized by the White House Office of Science and Technology Policy-sponsored President’s Council of Advisors on Science and Technology (PCAST) in its September 2016 “Report to the President – Forensic Science in Criminal Courts: Ensuring the Scientific Validity of Feature-Comparison Methods.” The PCAST report cited her publications extensively and concluded that, “…the FBI Laboratory’s studies have significantly advanced the field.” It has been an honor to lead such a highly qualified, dedicated research team and rewarding to see the impact of our work on criminal justice and security.
TOVAH LADIER
Managing Director International Biometrics + Identity Association (IBIA) It was late 2004 when Tovah LaDier was engaged to help manage and direct the International Biometrics + Identity Association (IBIA). Prior to that, she didn’t have any exposure to biometric technologies, having spent time practicing law and running a Washington DC think-tank. But the timing proved fortuitous. The biometrics industry was at an interesting point and LaDier helped advance the conversation and educate policy makers and the public about its benefits. “The discussion around the technology has evolved from a focus on explaining how the technology works to a far more sophisticated discussion around use cases and solutions that benefit end users and society. Back then no one dreamed the technology would evolve to touch millions of ordinary people through integration into smart phones or as an integral part of other devices that enhance security and convenience,” the managing director at the IBIA explains. The intersection of biometrics and privacy is still an area that requires a lot of education and outreach by IBIA. LaDier points to a recent discussion at the Future of Privacy Forum of biometric use by the United Nations High Commission on Refugees. The UNHCR is enrolling refugees’ face, finger and iris biometrics for identification and then enabling them to purchase food and other supplies at nearby stores. They authenticate their identity with the biometric to make purchases using electronic funds allocated to their account. Some were critical of this use case because the refugees didn’t have the ability to opt out. But most agreed that this is a valid use case because it enables someone who needs assistance to get it and potentially stops abuse or fraud where an individual receives multiple benefits to which they are not entitled.
LADIER HAS BEEN INSTRUMENTAL IN HELPING THE BIOMETRICS INDUSTRY FRAME – OR REFRAME – THE DISCUSSION WITH LEGISLATORS AND POLICYMAKERS, MOVING BEYOND A DISCUSSION OF TECHNOLOGY TO A DISCUSSION OF BENEFITS.
Washington DC isn’t a static population of policymakers, so lawmakers and others in government need to be kept up-to-date on the latest technology and application developments. LaDier’s association does that through white papers, webinars and informational meetings. One of her accomplishments is bringing new members to IBIA that broaden the conversation. “At the outset, the IBIA membership was comprised primarily of developers and manufacturers of the technology,” she explains. “Now, the diversity within the association has been expanded through the addition of system integrators, solution providers, consultants and users of the technology. This gives IBIA the ability to expand the discussion of how the technology can be applied to solve important identity-related issues and concerns.” “We need a much broader understanding of the technology and issues at stake,” LaDier says. “It’s not just about matching accuracy; we also have to understand and address what the end users need in real world applications as well as the needs of society.”
Winter 2016
25
ELHAM TABASSI
Electronics Engineer National Institute of Standards and Technology “Garbage in, garbage out,” is an old adage used to talk about biometric image quality and how if you start with a poor quality image you’re not going to get a quality match in return. Elham Tabassi, an electrical engineer at the National Institute of Standards and Technology, knows this phrase well as she broke ground on the creation of systems that evaluate the quality of fingerprint images before they are matched. Her proudest accomplishment may be the NIST Fingerprint Image Quality (NFIQ) algorithm, an open source software solution that assigns a quality value to a fingerprint image and thereby allows enrollment operators to reject poor prints and system owners to monitor quality levels across their enterprise. In collaboration with industry and governmental organizations, Tabassi recently completed version 2.0 of the NFIQ software, which promises faster and more accurate quality assessment. Tabassi has a bachelor’s degree in signal processing and a master’s degree in electrical engineering. She began working with facial recognition systems at NIST around 2001, she says. In 2002 when Homeland Security was launching US-VISIT – now the Office of Biometrics and Identity Management – they wanted to measure biometric sample quality for fingerprints. “The textbook method of image quality was measured by sharpness,” she explains. “You can have a sharp image, but if there’s not enough data there it’s worthless.” She decided to look at the quality of the information present in a fingerprint image and build on that instead, Tabassi says. Out of that came the NFIQ, which tells an operator at the time of capture if the image is of sufficient quality. Tabassi worked on a similar image quality system for iris biometrics and is now working on one for latent fingerprints in the forensic world, she says.
AFTER 9-11, DHS WANTED TO KNOW IF A FINGERPRINT IMAGE WOULD BE USABLE AT THE POINT OF CAPTURE, RATHER THAN FINDING OUT LATER WHEN THE IMAGE WAS PROCESSED OR MATCHED. TABASSI CREATED A NEW APPROACH CALLED THE NIST FINGERPRINT IMAGE QUALITY (NFIQ) ALGORITHM THAT IS NOW A KEY COMPONENT OF BIOMETRIC IMPLEMENTATIONS AROUND THE WORLD.
She is active in the standards world, participating in the ISO/IEC JTC 1 Subcommittee 37’s Working Group 3 on Biometric Data Interchange Formats, serving as editor of four international standards, and successfully advocating for quantitative, evidence-based development as the cornerstone of the biometric standards-making process. She has edited, co-edited and provided technical contributions to key fingerprint recognition standards including the ISO/IEC 19794-2 Finger minutiae data, the ISO/IEC 19794-4 Finger image data, and the ISO/IEC Technical Report 29198:2013 Information technology – Biometrics – Characterization and measurement of difficulty for fingerprint databases for technology evaluation.
TERESA WU
Director of Strategic Marketing and Government Relations MorphoTrak Teresa Wu, now director of Strategic Marketing and Government Relations at MorphoTrak, has spent her entire 15-year professional career in the biometrics industry. She started out as a marketing intern with Sagem Security – now known as Safran Identity and Security – working in the company’s biometric access control and secure payment terminal business unit. Throughout her career, Wu has been actively engaged in her field, and working to expand her responsibilities and expertise in marketing, business strategy, product management, and government relations. During the last 15 years, the biometrics market has changed, particularly with regard to the shift in marketing practices. When Wu started at Sagem, the company was mainly focused on engineering, and marketing was mainly tactical. “It was an emerging field,” Wu says. “I did a lot of work, studying how to communicate and figuring out where we should spend our time. From the start, I became very passionate about the technology because I realized how biometrics can help make the world a safer place.” In those early days, most marketing outreach was accomplished through traditional business-to-business channels, Wu says. Now, more is demanded of the marketing team. Not only does effective and compelling communication with partners and industry need to remain, but MorphoTrak also needs to communicate with those who are using the products. “We started having this push/pull approach and having to communicate at different levels such as social media,” Wu explains. “As the field of biometrics is going mainstream, industry best practices and interaction with policy makers have also grown in importance. Public perception, technology adoption, and technology education go hand in hand.” As of late, Wu has been praised for her work with government relations. 
“Besides having an in-depth technical knowledge of biometric technologies and markets in which they are deployed, she also has the unique ability to convert complex information and issues into understandable explanations and arguments. This skill is fundamental when helping government officials and staff to readily understand the issues regardless of their pre-existing level of technical understanding,” says one nominator. Wu says her proudest accomplishment is changing the engineering-focused mindset to be more user-oriented. Wu introduced a series of focus groups and collaboration projects with customers and industry influencers to collect the voice of customers and articulate best practices. Her active involvement with various industry and professional practitioner associations reflects her commitment to engage with industry partners, end-users and other stakeholders. “It is very rewarding to see how my analysis and insight helped to shape future roadmaps and thus affect our ability to better meet our customers’ needs,” says Wu. “I feel very fortunate and privileged to have worked with some of the most brilliant pioneers and scientific minds in the industry. Not only did I learn from the insights and vision, but I have the opportunity to further expand and grow,” she adds.
WU HAS GUIDED BIOMETRIC INDUSTRY MARKETING FROM AN EARLY FOCUS ON ‘BELLS AND WHISTLES’ TO SUSTAINABLE APPROACHES THAT FOCUS ON USER BENEFITS. SHE SAW THAT PUBLIC PERCEPTION WOULD ULTIMATELY DRIVE OR DERAIL BIOMETRIC ADOPTION, AND SHE HAS SPENT HER CAREER ENSURING THAT USER EDUCATION GOES HAND IN HAND WITH CORPORATE MARKETING.
‘GOLDEN AGE’ FOR IRIS RECOGNITION? MICHAEL GIUSTI, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
All signs are pointing toward a pending golden age for iris recognition biometric technology. Citing falling costs, robust applications and more mature hardware, many experts predict the scanning of the colored portion of people’s eyes to become a widespread method of identification. “Iris is the golden biometric,” says Mark Clifton, president of the products and solutions division at SRI International. “Everybody wants to use it, but in the past it was too expensive and too hard to use, but that is changing.” From a product perspective, many iris scanning devices are now hitting a balance of ease of use, accuracy, price and performance, says Joey Pritikin, vice president of marketing and product management for biometrics firm, Tascent.
WHY IRIS? If you looked back just five years ago and spoke about viable, cost-effective and useful biometrics in the commercial marketplace, the only real contender would have been fingerprint, says Tim Meyerhoff, director of the North America division for Iris ID Systems. Iris never came up as part of the conversation because it was hard to use and expensive, Clifton says. But fingerprints have limits that iris does not. In fact, iris stands out in many ways above the other commercially viable biometric identifiers. From the age of two, an individual’s iris represents one of the most reliable biometric markers, Clifton says. That is because once your iris finishes developing, it is stable and changes only slightly as you age. The same can’t be said of fingerprints, which might be obscured temporarily by grease or moisture, or even damaged by scars, scratches or other impacts that arise from working with your hands. Irises are one of the few internal organs that are visible from a person’s exterior and thus hard to fake. And while the first generation iris scanners needed people to place their face against a device, the current generation of scanners no longer needs physical contact with the person it is reading. Now, it can be done reliably from a distance, adding to the speed and cleanliness of the process.
The scans are so accurate, Pritikin says, that they could be used in a tokenless environment with a very high level of confidence. Compared to other modalities, iris recognition boasts low false positive rates – more so even than fingerprints, he adds.
CURRENT APPLICATIONS Though its use has not yet been widespread, iris technology has already found numerous applications. In 2010, the Unique IDentification Authority of India launched an ambitious program to scan the irises of more than 1 billion residents. Chief among the project’s goals was to help weed out fraud in entitlements programs. Since 2003, the United Arab Emirates has been using iris technology to track people who have been expelled from the country. Border crossing experiments using iris technology have been piloted in the European Union and on the United States’ borders with Canada and Mexico. It has also been deployed in other high-volume applications, such as refugee processing and airport security at high-profile locations including London’s Gatwick Airport. Access control and workforce time management are two other applications embracing iris technology.
GROWING ACCESS A number of factors have combined to make iris technology increasingly accessible. The first is that many of the key patents covering iris biometrics – from capture to recognition – have recently expired. “Before the patents expired, there wasn’t a multi-vendor ecosystem,” Pritikin says. The underlying technology is also getting less expensive. From processors to cameras, the hardware needed to capture and process an iris biometric is embedded in most smartphones. “If you go back five or 10 years, iris technology required dedicated hardware that was quite expensive because it was custom made,” says Francis Mather, chief of computer vision and liveness detection at New York-based Hoyos Labs. With the miniaturization and mainstream adoption of underlying components, insiders predict iris identification platforms may soon be priced competitively with high-end fingerprint scanners.
NO MORE IRIS DANCE New higher end cameras have made the current generation of iris technology easier to use than early generations. A common joke among iris critics was that in order to capture a good image, subjects had to move back a little, then forward a little, then duck a little. “You had to be very close and do the chicken dance to get a good scan,” Pritikin says. The current technology is now “on the move.” It is on tablets and door locks and other devices that don’t require a stationary, perfectly posed subject. In fact, modern iris systems have become so flexible that some say false rejects are more often the result of an uneducated or uncooperative subject than a technical failure.
Iris emerging on mobile devices It’s finally happened. Iris recognition is embedded into a widely available mobile device. This technology was possible previously with additional peripherals, but the Samsung Galaxy Note 7 has the technology embedded into the handset. Early reviews of the iris recognition system are positive, saying it is easy to enroll – quicker than a fingerprint – and also easy to use for authentication. After enrolling, the user can choose which apps to secure using the iris system. Users swipe up, position their eyes and are subsequently enabled or denied access to the device or app. The Note 7 isn’t the first handset to enable iris recognition, but it is the first major brand model to do so. Fujitsu and NTT DOCOMO launched an iris-enabled smartphone using Delta ID’s ActiveIRIS technology in May of 2015, and a couple of other minor models had also incorporated the technology in the past. A recent consumer survey by Macromill of Japan asked users to share their experience using biometrics to unlock smartphones. Both iris- and fingerprint-enabled smartphones were considered from Fujitsu, Sony, Sharp, Samsung and Apple. The survey included several hundred users and found that:
• The number of consumers using biometric unlock was 50% higher for iris-enabled smartphones than fingerprint-enabled smartphones
• 90% of the users of iris unlock were satisfied with the functionality
• Speed and accuracy of iris unlock were the most appealing aspects
That isn’t to say that iris technology is foolproof. Mather points out that many iris solutions rely on infrared light to capture the subtle contours of the iris. When a sensor is outdoors and there is an abundance of infrared light from the sun, interference can become a problem. Another sun-related problem comes in the form of a human behavior – squinting. As people squeeze their eyes in the face of bright sunlight, enough of their iris can be obscured to cause false rejections.
WHERE NEXT So far, high-end and high-price applications have dominated the iris biometrics market. But that could also change. “We are going to see multiple classes of products – enterprise applications and also consumer applications – as the price continues coming down,” Pritikin says. SRI’s Clifton sees major potential for iris technology in health care identification. Iris scans may mean that the days of scammers presenting fraudulent credentials in order to receive care under someone else’s name are soon gone, he explains. Any application that requires a secure identity is now a good candidate. Iris ID is working on college campuses to install iris scanners in dining halls to identify patrons and expedite lines. Meyerhoff says one school bought a license they thought would fit the population. They were conservative because the program was new and voluntary, and students didn’t have to opt in. “After the first week, they needed a bigger license because it was much more popular than expected,” Meyerhoff says. Agencies within the U.S. government have been reluctant to adopt iris because it was new and didn’t fit into procurement formulas, Meyerhoff says. But once the National Institute of Standards and Technology published its latest guidance – IREX V – procurement officers have been quicker to consider iris technology, Meyerhoff says.
U.S. GOVERNMENT AGENCIES HAVE BEEN RELUCTANT TO ADOPT IRIS BECAUSE IT WAS NEW AND DIDN’T FIT INTO PROCUREMENT FORMULAS, BUT ONCE NIST PUBLISHED ITS LATEST GUIDANCE – IREX V – THEY HAVE BEEN QUICKER TO CONSIDER THE TECHNOLOGY
CONSUMER ACCEPTANCE For a biometric modality to become mainstream, it all comes down to consumer acceptance. For decades, even fingerprints struggled to overcome the stigma of perceived criminality. Iris has its own hill to climb. “You get mixed opinions,” Clifton says. “Some people say ‘It’s just a picture of your eyes - no big deal.’ But others say it is creepy.”
As iris scanners make it onto more and more devices and people see how simple and reliable they are to utilize, he believes adoption will quickly follow. Much of the stigma is the mere fact that it is new. “We still get people who think there is a laser in the scanner or you have to put your face on top of the camera,” Meyerhoff says. “There are still a lot of misconceptions.” As iris recognition is incorporated into mobile devices, these misconceptions are likely to fade, says Mather. A similar thing happened when fingerprint scanners showed up on the iPhone. “Familiarity will drive people’s acceptance,” he says. Manufacturers are already designing iris scanners into their handsets and platforms. The next phase will be things like consumer door locks, and even locks for things like laptops, or even conceivably, refrigerators, suggests Clifton. As the technology gets less expensive, the potential is going to grow. “Adoption will take some time, but there is a great future for iris biometrics,” Clifton says.
MOVING TOWARDS IDENTITY-CENTRIC SECURITY LEWIS BARR, VICE PRESIDENT OF LEGAL AND PRIVACY, JANRAIN
This year, 6.4 billion connected devices will come online, up 30% from 2015, according to Gartner. While companies and consumers are excited about the possibilities this brings, it also introduces new risks. In tandem with the explosion of connected devices is the growth in breaches. In just the first nine months of 2016, there were 687 reported data breaches, resulting in almost 29 million exposed user records, according to the Identity Theft Resource Center. There are massive breaches happening, some that we may not even learn about until years later, like what we saw with Yahoo and the more than 500 million user accounts subjected to a data breach. Data breaches are costly and can negatively impact customer trust, and companies of all sizes are being compromised. Customers’ identities are critical assets, but with so many devices going online, the surface for attacks keeps growing. Against this backdrop, companies are focusing on scoped access to enhance data security and privacy. Scoped access ensures that only those employees and contractors who need access to data to do their work have access, and that their access is limited to the data required for their work. In a recent security and privacy talk with Janrain, miaa Guard co-founder Carlo Schupp discussed the importance of managing access for devices and people to protect customer identities. With a background in managed infrastructure security, Schupp co-founded miaa Guard six years ago. Based out of Belgium, the company provides managed access services.
DEVICE CONTROL Devices may be regarded as having their own identities, often associated with a human being that owns the device. There is a client-device relationship and devices need to be secure to preserve the owner’s trust. “From a security standpoint, we are now treating devices the same way we treat individuals,” Schupp said. “So devices will also have their identity and then we will concentrate modern identity-centric security around those devices. You want to have the device control itself, rather than relying on some third party and hope that they do a good job.”
WE ARE TREATING DEVICES THE SAME WAY WE TREAT INDIVIDUALS, EACH HAS AN IDENTITY AND WE CONCENTRATE MODERN IDENTITY-CENTRIC SECURITY AROUND THEM
ACCESS AND POLICY With more data being gathered and becoming available, access and policy design and implementation are important to consider. Doctor access to patient records is an issue that needs appropriate policies and constraints. Consumer brands’ access to customer data has to be controlled so that not everyone working at these large companies has access to the data. Every industry is collecting identity data, and without scoped access and relevant, targeted and enforced policy choices, information can get into the wrong hands. “Access control relative to applications is often embedded in the application,” Schupp said. “Also, if the application is web-enabled, then it may be part of the web server. We see more and more trends to externalize the control of access out of the applications, so that you can have a harmonized way of controlling access to different types of websites and applications.” By understanding the regulatory and other business parameters that are important to your individual company, you can determine the best way to control access at your company.
KEEPING PERMISSIONS CURRENT WITH ROLES “Oftentimes in the past, people were given permission to access certain data and then when people changed throughout the organization, nobody dared to take away those permissions,” Schupp said. “They would add permissions to access even more data and more applications, and the longer a person is with the company, the more permission they have.” It’s important to review security as identity-centric. You give a person certain business roles and that changes as they move throughout the organization. In regard to access and authorization management, you must think about the identity and make sure that you have a single identity for an individual. “You don’t want to have 4,000 accounts of one person and a gazillion number of access rights and permission spread all over the company,” Schupp said. Access control is a key component of Customer Identity and Access Management. And simple as it may be, the most important thing to remember is to actually make it a priority and establish protocols to ensure the privacy and security of your customer data.
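The two points made above, that permissions should follow a person's current roles rather than accumulate over a career, and that access should be scoped to the data a role actually needs, can be shown in a few dozen lines. The Python below is an added example written for this article; it is not code from Janrain, miaa Guard or Carlo Schupp. The roles, the policy table and the patient record are constructed for illustration, and the policy is kept in a table outside the access-checking code to model the externalized access control Schupp describes.

```python
"""Role-derived, scoped access control (added example, constructed data)."""
from dataclasses import dataclass, field

# Externalized policy (constructed): the application asks this layer for a
# decision instead of embedding role checks in its own code.
# role -> resource kind -> allowed actions, visible fields, record scope.
POLICY = {
    "physician": {
        "patient_record": {
            "actions": {"read", "update"},
            "fields": {"name", "dob", "diagnosis", "medications"},
            "scope": "assigned_patients",   # only patients under this physician's care
        },
    },
    "billing_clerk": {
        "patient_record": {
            "actions": {"read"},
            "fields": {"name", "insurance_id"},   # no clinical data for billing
            "scope": "all",
        },
    },
}


@dataclass
class Principal:
    user_id: str                                   # one identity per person
    roles: set = field(default_factory=set)        # current roles only
    assigned_patients: set = field(default_factory=set)


@dataclass
class Resource:
    kind: str
    resource_id: str
    data: dict


def _merge(roles):
    """Union the policy entries of a collection of roles into one permission map."""
    merged = {}
    for role in roles:
        for kind, rule in POLICY.get(role, {}).items():
            entry = merged.setdefault(kind, {"actions": set(), "fields": set(), "scopes": set()})
            entry["actions"] |= rule["actions"]
            entry["fields"] |= rule["fields"]
            entry["scopes"].add(rule["scope"])
    return merged


def effective_permissions(principal):
    """Identity-centric model: permissions derive from the *current* role set,
    so a role change automatically drops what the old role granted."""
    return _merge(principal.roles)


def accumulated_permissions(role_history):
    """The legacy anti-pattern Schupp describes: nobody removes old grants,
    so every role a person ever held keeps contributing permissions."""
    return _merge(role_history)


def in_scope(principal, entry, resource):
    """Record-level scope check for the merged policy entry."""
    if "all" in entry["scopes"]:
        return True
    if "assigned_patients" in entry["scopes"]:
        return resource.resource_id in principal.assigned_patients
    return False


def authorize(principal, action, resource):
    """Return the scoped view of the record the principal may see, or None."""
    entry = effective_permissions(principal).get(resource.kind)
    if entry is None or action not in entry["actions"]:
        return None
    if not in_scope(principal, entry, resource):
        return None
    # Scoped access: release only the fields the role needs, not the whole record.
    return {k: v for k, v in resource.data.items() if k in entry["fields"]}


def change_roles(principal, new_roles):
    """Replace, never append: the single identity carries one current role set."""
    principal.roles = set(new_roles)
    return principal


# Constructed sample record (not real data).
RECORD = Resource("patient_record", "P-1", {
    "name": "Pat Example", "dob": "1980-01-01", "diagnosis": "example-dx",
    "medications": ["example-rx"], "insurance_id": "INS-0001",
})
```

Moving a user from the physician role to billing (`change_roles`) makes the `diagnosis` and `update` grants disappear from `effective_permissions`, whereas `accumulated_permissions` over the same role history still carries them; that difference is the permission drift the interview warns about.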
ADVANCED CARD MATERIALS MAKE EMBEDDED SECURITY FEATURES POSSIBLE LEVEL 1, LEVEL 2 AND LEVEL 3 SECURITY FEATURES KEY TO FIGHTING DOCUMENT FRAUD When it comes to security features on ID cards and other identity credentials, it’s often the holograms and ultraviolet inks that get a lot of the glory. But embedding security features into the advanced card materials that make up the card itself can go a long way toward confounding counterfeiters. Identity credentials include security features that fit into three categories: overt, covert and forensic. Overt security features, or Level 1 features, are visible to the naked eye or are tactile and can be felt via touch. They include elements such as holograms, colored inks and security threads. Covert security features, called Level 2 features, are only visible to trained examiners using basic, readily available tools such as lights or magnifying lenses. Covert features include ultraviolet images, hidden text or images and other hidden items embedded into a document. Forensic security features, Level 3 features, are ones that can only be viewed in laboratory settings using microscopes or other specialized equipment. Forensic features include nanotext and nanoimages, document DNA or substrate analysis. Embedding security features into advanced card material substrate can go a long way to improving the security of the credential by making it more difficult to counterfeit. “Having unique materials raises the bar against counterfeiters,” says Pierre Scaglia, global segment manager for Secure Credentials at PPG Industries. “And having card materials with embedded security features can be one of the strongest elements in putting together a secure credential.” PPG produces Teslin, a paper-like substrate that can add durability to a credential and enable inclusion of secure printing and other security elements. Teslin can be printed with different ultraviolet or infrared security elements that are unique to an issuer. “These are dots and particles that will give a visible response to infrared or ultraviolet light,” Scaglia says. These types of powerful security options are commonly used in electronic passports, national IDs and driver licenses, but their use is also ideal for smaller issuers with high security needs. By embedding the element in the card substrate and making it unique to the issuer, counterfeiters have a much more difficult time spoofing the card or document. “Issuers need to take a holistic approach to document security and integrate the different features in a way that makes it difficult to replicate,” Scaglia adds.
You don’t need advanced card materials to produce a secure document, but it definitely helps, says Steve Purdy, director of business development and government affairs at Gemalto. “PVC, PET (polyester), Teslin and polycarbonate all have the ability to print security features with offset lithography and use specialty inks,” he explains. But the difference comes when you add data to the documents, Purdy says. With PVC and polyester composite cards the data is added to the core of the card and then protected with a laminate. Security features – like holograms – can be added to each of these layers, but it adds complexity and cost to the credential. There’s also the challenge of making sure the security features on the document can be easily validated, says Wayne Fletcher, global director of government vertical marketing at Entrust Datacard. “We want to provide features that are easy to recognize and make alteration of the card difficult,” he explains. “We ultimately strive to make Level 1 features – the visible, overt features – easy and quick to identify. If you’re a police officer trying to authenticate a national ID card you might not have tools available to check other features.” Many high-security credential issuers are turning to polycarbonate for this reason. Polycarbonate cards can include high-security overt features that are extremely difficult to counterfeit without the correct equipment. Polycarbonate cards are laser engraved and can include personalized data in the form of raised text, which someone can feel when confirming the authenticity of the document, Fletcher says. “During personalization you can take the biographic data of the individual – name, date of birth, document number – and create a tactile feature with the variable data,” Fletcher explains. “You can also overlap this data with the laser engraved photo.” The tactile feature with the biographical data is a compelling overt security feature, Purdy says. “This makes it much harder to modify,” he explains. “You can’t scratch it off and replace it and you don’t need a laminate to protect the data on top of it.” Prior to 9/11 the vast majority of driver licenses issued in the U.S. were done on desktop printers using PVC and a laminate, Purdy says. That made them somewhat susceptible to alteration as people could remove the laminate and scratch off the information below.
States have improved their driver license issuance in the past decade, with a majority now issuing composite cards with Teslin or other advanced materials. A few states have started to use polycarbonate with laser engraving in the last year or so, Purdy says. The improved Level 1 security features are a primary reason these moves are taking place. “The real drive is for those Level One security features, because that’s what’s checked 99% of the time,” he explains. “It’s the most important thing because it enables you to discern very quickly whether or not it’s a fake.”
WHAT STATES NEED FOR SECURE ID SUCCESS ANDRE BOYSEN, CHIEF IDENTITY OFFICER, SECUREKEY
Today there are more than two million apps in Apple's App Store, which is why the phrase "there's an app for that" is so common. In fact, some people don't even carry a physical wallet at all times, since digital wallets are such popular features on smartphones. Needless to say, there is an app for just about everything. Everything except identity.
It needs to be said up front that mobile driver licenses (mDLs) will be very useful and powerful for consumers interacting with state DMVs and everywhere identity information is required, although there are a lot of details to be worked out on how these virtual identities will work. How will officers read and validate the information stored on the device? How will other relying parties? Work is underway to put standards in place that will make this all happen.
Interestingly, mDLs may not even be used for driving. If pulled over for an infraction, giving your phone to the officer to take back to the cruiser is problematic. First, what is the implied consent for the officer to examine things on the phone other than the mDL? And many people would want to use the phone to occupy themselves while the officer is busy in the cruiser.
Rather than on the road, mobile licenses may find their greatest utility in enabling citizens to verify their identity digitally. Ultimately, the goal is for citizens' primary proof of identity to extend to the online world, enabling online transactions and state services securely and efficiently.
The implementation of digital identities is well underway in more than a dozen states; however, there are security considerations that need to be addressed to ensure mDLs are protected and legitimate. The first is the necessity for an authoritative source to verify the digital identity. The mDL application needs to verify that when a digital identity is created it indeed belongs to the true individual. As of right now, the Department of Motor Vehicles acts as the authoritative source, which satisfies that first requirement, but it's not enough.
Although the identity is initially checked with a single authoritative source, this raises a second security consideration: the need for multiple trusted sources to verify the identity. If there is only one source of authority and that source were compromised, every digital identity it vouches for would be at risk. Therefore, strong authentication is only achieved when multiple sources, such as the DMV, banks, mobile network operators, credit bureaus or others, are able to cross-verify the identity. No single authoritative source can then become the fraud vector on its own, and both the individual and the provider can have confidence that the identities are secure and legitimate.
As states consider what innovations are required for mDL, it is important to consider what works well today and what needs to be improved. The notion of combining digital ID with street ID is quickly becoming a reality. In order to ensure that the use of mDLs and other forms of verification, like passports and birth certificates, is as secure as the physical documents themselves, there needs to be a system of cross-verification by multiple sources.
SecureKey is working with Canada's largest financial institutions, federal and provincial governments, telecom operators and other trusted partners to develop and deliver a national identity verification ecosystem in Canada that is being hailed as the largest consumer-centric and privacy-by-design digital identity service initiative to date. The application utilizes blockchain technology and is built upon the success of SecureKey Concierge, a secure federated authentication network SecureKey has already established in Canada. Additionally, it will use biometrics to verify the identity of the person logging in.
The use of multiple trusted sources verifying the digital identity is the critical factor of this application, and what will potentially make it a model of success for others to follow. Once we reach that point, we'll finally be able to answer the question of digital identity with "there's an app for that."
EVALUATING DRIVER LICENSE PROPERTIES
Driver license properties that need to be improved:
• The authenticity of the document cannot be checked today by most destination services, like banks, rental agencies and airports.
• Credible fake documents are easy to pass off as legitimate, especially when they are from out of state.
• The DL provides too much data for many use cases. For example, name and address are not required to prove age at a bar.
• More than one valid document can be in circulation. There is no way to take a lost or stolen document out of service.
• There is no network service to demonstrate legitimate possession of the active card. It is this lack of a network service that enables effortless identity theft today.
Driver license properties to keep:
• The DL is widely accepted across the public and private sector as an identity document.
• The state does not know where the document has been presented or how often.
• Issuing a card today means those who don't want an mDL can continue on as they are (for example, requiring a mobile phone to drive seems like an odd requirement). It will also take time for the rest of the economy to ready back-end systems to accept mDL-driven processes.
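Three of the sidebar's complaints, that a relying party cannot check a document's authenticity, that the document over-discloses, and that a lost document cannot be taken out of service, come down to one verification design. The Go program below is an added example, not code from the article, from SecureKey or from any DMV: the issuer signs a commitment over per-field salted digests, the holder reveals only the fields a relying party needs (age_over_21 at a bar, with name and address kept back), and the relying party checks the issuer's signature, a revocation list the issuer feeds it (the network service the sidebar asks for) and that every revealed field is one the issuer actually signed. The field names, the issuer id DMV-EXAMPLE, the sample values and the revocation-list key are constructed for illustration; the standards work the article mentions defines its own encodings.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attribute is one license field; a fresh salt per field means the digest of a hidden field reveals nothing.
type Attribute struct {
	Name, Value string
	Salt        [16]byte
}

// NewAttribute draws the salt from the OS CSPRNG.
func NewAttribute(name, value string) Attribute {
	a := Attribute{Name: name, Value: value}
	if _, err := rand.Read(a.Salt[:]); err != nil {
		panic(err)
	}
	return a
}

// Digest commits to (salt, name, 0x00, value); the zero byte separates name from value.
func (a Attribute) Digest() [32]byte {
	return sha256.Sum256(append(append(append(a.Salt[:], a.Name...), 0), a.Value...))
}

// License is the issuer-signed envelope: issuer, document id and one digest per field, no plaintext values.
type License struct {
	Issuer, DocID string
	Digests       [][32]byte
	Signature     []byte
}

func (l License) signedBytes() []byte {
	b := []byte("mdl-example-v0\x00" + l.Issuer + "\x00" + l.DocID + "\x00")
	for _, d := range l.Digests {
		b = append(b, d[:]...)
	}
	return b
}

// Issue is the DMV side: sign the commitment over all attributes once.
func Issue(priv ed25519.PrivateKey, issuer, docID string, attrs []Attribute) License {
	l := License{Issuer: issuer, DocID: docID}
	for _, a := range attrs {
		l.Digests = append(l.Digests, a.Digest())
	}
	l.Signature = ed25519.Sign(priv, l.signedBytes())
	return l
}

// Verifier is the relying party: each issuer's public key plus an issuer-fed revocation list.
type Verifier struct {
	IssuerKeys map[string]ed25519.PublicKey
	Revoked    map[string]bool // keyed by issuer + "/" + docID
}

var (
	ErrBadSignature = errors.New("issuer unknown or signature does not verify")
	ErrRevoked      = errors.New("document has been revoked")
	ErrNotCommitted = errors.New("revealed attribute is not covered by the signature")
)

// Verify takes the signed envelope plus only the fields (with salts) the holder chose to reveal,
// checks issuer, signature, revocation and that each revealed field was signed, and returns those fields.
func (v Verifier) Verify(lic License, revealed []Attribute) (map[string]string, error) {
	pub := v.IssuerKeys[lic.Issuer]
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, lic.signedBytes(), lic.Signature) {
		return nil, ErrBadSignature
	}
	if v.Revoked[lic.Issuer+"/"+lic.DocID] {
		return nil, ErrRevoked
	}
	committed := map[[32]byte]bool{}
	for _, d := range lic.Digests {
		committed[d] = true
	}
	out := map[string]string{}
	for _, a := range revealed {
		if !committed[a.Digest()] {
			return nil, fmt.Errorf("%w: %s", ErrNotCommitted, a.Name)
		}
		out[a.Name] = a.Value
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	attrs := []Attribute{NewAttribute("family_name", "Doe"), NewAttribute("age_over_21", "true")} // constructed sample
	lic := Issue(priv, "DMV-EXAMPLE", "DL-0001", attrs)
	v := Verifier{IssuerKeys: map[string]ed25519.PublicKey{"DMV-EXAMPLE": pub}, Revoked: map[string]bool{}}
	fmt.Println(v.Verify(lic, attrs[1:])) // bar use case: age_over_21 only, the name stays hidden
	v.Revoked["DMV-EXAMPLE/DL-0001"] = true
	fmt.Println(v.Verify(lic, attrs[1:])) // refused once the DMV revokes DL-0001
}
```

The salted per-field digests are what make "show the bar only age_over_21" safe: the verifier sees the digests of the hidden fields but cannot test guesses against them without the salts, and any attempt to alter a revealed value changes its digest and fails the commitment check. Multiple issuers are just more keys in IssuerKeys, which is how a relying party would accept out-of-state documents without being fooled by a credible fake.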
Winter 2016
NEW NSTIC PILOTS ANNOUNCED
$15.5 MILLION AWARDED FOR PILOTS TO HELP STATES, STUDENTS AND PATIENTS
The National Strategy for Trusted Identities in Cyberspace (NSTIC) announced six new multi-year pilots granting organizations more than $15.5 million to tackle different issues with digital identities. The focus of this year's NSTIC winners is secure online access to state and local services, with another pilot partnering with the U.S. Department of Health and Human Services on trusted identities in health care. With these awards, the NSTIC pilot portfolio includes 24 projects and more than 150 partners across 26 states and D.C.
FLORIDA DEPARTMENT OF REVENUE, CHILD SUPPORT DIVISION (TALLAHASSEE, FLA.: $3,550,978)
The Florida Department of Revenue aims to improve identity processes for online access to several Child Support Program applications. The new registration and authentication process will increase the number of online services available to customers, provide convenience through a single login identity and improve security by offering customers device registration options. The solution will enable the Child Support Program to increase the efficiency and effectiveness of its services while meeting customer expectations and the growing desire to do business with government agencies online.
YUBICO (PALO ALTO, CALIF.: $2,273,125)
Yubico will focus on enabling secure online access to educational resources for students in Wisconsin and to state services for residents of Colorado. In both states, Yubico will deploy FIDO Alliance Universal 2nd Factor (U2F)-based YubiKeys and use OpenID Connect to develop an identity toolkit, with the goal of making the solution as simple to use and deploy as possible.
GEMALTO (AUSTIN, TEX.: $2,022,102)
Gemalto will work with departments of motor vehicles to issue digital driver licenses to residents of Idaho, Maryland, Washington, D.C. and Colorado. Gemalto aims to improve the way people conveniently and securely present and prove their identities to business and government entities by offering a digital driver license accessible via a mobile application. The benefit for citizens and relying parties is being able to present and authenticate a trusted government-issued digital identity via mobile platforms, which will facilitate and automate many applications that rely on the physical presentation of identity documents today.
STATE OF OHIO, DEPARTMENT OF ADMINISTRATIVE SERVICES (COLUMBUS, OHIO: $2,967,993)
The State of Ohio Department of Administrative Services will implement a range of identity-related capabilities, from multi-factor authentication to stronger identity proofing, for three state services: enterprise e-licensing, online filing and payments for businesses in the state, and tax-related transactions with the Ohio Department of Taxation.
ID.ME (MCLEAN, VA.: $3,750,000)
ID.me will work with the City of Austin, Texas, to develop a city-level blueprint for increased trust between participants in the sharing economy. The goal of the pilot is to demonstrate a viable model for strong authentication that is acceptable to key stakeholders in the sharing economy and replicable in other municipalities. With the State of Maine, ID.me will implement a federated identity model for applications to increase citizen access to benefits and to demonstrate interoperable credentials at the federal and state level.
CEDARS-SINAI MEDICAL CENTER (LOS ANGELES, CALIF.: $999,836)
Cedars-Sinai Medical Center will implement a federated identity, single sign-on and multi-factor authentication solution across distinct health care systems for patients and providers. The solution aims to simplify patients' transition from Cedars-Sinai Medical Center, an acute-care setting, to post-acute care settings such as the California Rehabilitation Institute. Patients and providers will have a single credential on a portal, giving them easier access to information to improve quality of care.
HUNDREDS IMPLANT NFC CHIPS TO EXPLORE PRIVACY ISSUES
GINA JORDAN, CONTRIBUTING EDITOR, AVISIAN PUBLICATIONS
It was late 2014 when a couple of Kaspersky Lab co-workers were sharing deep thoughts over beers. "We were having this conversation that people usually have late at night, like the galaxy is in trouble and we have to fix it. By morning, we had already tried to do something about it," says Evgeny Chereshnev, director of Global Social Media at Kaspersky Lab. He and Povel Torudd, head of the lab's European PR, took a deep dive into identifying modern society's big problems. Privacy topped the list, which isn't surprising since their employer is a global IT security company. "Customers' data belongs to everyone but the customer or the user himself. Google has data, Apple has data, Amazon has data, Facebook, Twitter – everybody's got data on everyone," Chereshnev says. "But the user does not possess the information that he or she is creating every day in huge amounts." That led the friends to ponder how the user experience might look in five or 10 years. What is fundamentally wrong today that could cause big problems in the future, they wondered. "We decided to perform an experiment with a biochip because the technology already exists," Chereshnev says. "It can be an access tool or a storage tool. Is it comfortable to have one? What would be your personal thoughts on that when there is something under your skin you cannot get rid of?"
UNLIMITED USE CASES FOR THE BIOCHIP
Fast forward to February 2015 and the Kaspersky Security Analyst Summit (#TheSAS2015) in Cancun, Mexico. Kaspersky Lab teamed up with the Swedish bio-hacking community BioNyfiken to launch a chip implantation project and probe the realities of connecting our bodies to the Internet.
Chereshnev and Torudd were among a few hundred volunteers implanted at #TheSAS2015 to test the implants and explore possible uses as part of the yearlong project. Chereshnev took the summit stage and faced down a tattooed piercing master wielding a 3-millimeter needle. "I was stupid enough to reject the local anesthetic," he says. Five seconds later, Chereshnev's left hand contained a biochip, compatible with contactless smart cards and near field communication devices, hidden in a pocket just beneath the skin between his thumb and index finger. "At first the chip didn't settle, so every day I could feel it moving. After a couple of weeks, it settled. So right now it's been pretty much in the same place, not moving at all, and it's very comfortable."
BioNyfiken's Hannes Sjöblad also volunteered to become "an upgraded person." He spoke at the summit, laying out some use cases for what he calls Generation 1 smart implants:
Activation: "If you have a handgun in your home, you may not want your kids to find it or a burglar to use it. It's easy to put an NFC reader into the handle of a gun and enable only the person who has the chip in their hand to fire the gun."
Personalization: "Let's say that my wife and I share the same car and we have very different body sizes. Whenever she's been driving I have to reset the mirrors and the seats and all. When I grab the steering wheel, the car then recognizes me and adjusts the mirrors and seats."
Verification: "Since this involves a little bit higher level of security, it makes more sense to have an implant ID as part of two-factor verification. The implant may not replace the bankcard, but it may perhaps replace the PIN code. Let's say I swipe my card but instead of the PIN, I swipe my hand. It doesn't matter if someone looks over my shoulder."
"I believe that a connected body is a concept that we need to be dealing with, that we need to understand," Sjöblad told the audience in Cancun. He predicts three things will move under the skin in the coming years: 1) quick digital identification for easy public transport and health monitoring; 2) better data capture; and 3) digital logins and encryption to replace passwords and address privacy. Sjöblad acknowledged the myriad security questions still to be answered, such as how health data should be kept safe and how to prevent people from hacking into someone else's body to cause harm. But he believes a lot of technology will migrate to biochips out of convenience because the chip is always there, it's hidden, and it works without needing a charge. "We carry too much stuff," Sjöblad said. "What if we could make life a little less cluttered?"
SECURING THE TECHNOLOGY
The 13.56 MHz chip implanted in Chereshnev is surrounded by hypoallergenic bioglass. It's approximately 2 by 12 millimeters, shaped like a tiny soda can, with a tiny antenna. It contains a series of chipsets and can store 880 bytes, but there's no containerization of information or encryption. It doesn't require a source of power, so it has no batteries and can't work at a distance. As long as the chipped hand touches the NFC-enabled reader or device, the chip is activated. Because the stored bytes are static and unencrypted, any reader the hand touches can read and copy them, so a reader should treat the chip as an identifier rather than a secret.
"We are in the starting stages of this type of technology," says Rod Soto, security researcher with Hackmiami, a hackerspace focused on information technology and network security. "Further advances in miniaturization and processing power will enable these chips to perform way more functions and tasks than we can conceive today."
Soto says biohackers and other pioneers are watching for possible complications and side effects, like infection at the implant site. "The technology is already available," Soto says. "There is, however, a need for regulation and safety oversight if these chips become widely available for implantation."
Once proper security measures have been identified and put in place, Soto expects the chips will become popular. He thinks they'll be handy for payments, access control, identification, medical monitoring and gun safety.
Chereshnev is using his chip to go badgeless at work. He's taking advantage of NFC-enabled locks and an NFC reader in the building's restaurant that enable him to go cashless for lunch. "The beauty of the chip here is when it's compromised, it can be replaced. With the fingerprint, the problem is that you only have ten attempts to stay unique," Chereshnev says. "This puts us into conversations about multifactor identification. You can own a biochip in your hand and combine it with your fingerprint and maybe your voice for identification."
Chereshnev says he's in no hurry to remove his biochip. He's blogging about his experience under #BionicManDiary at blog.kaspersky.com/bionic-man-diary. "Maybe in the near future, the chips won't be made of silicon or any other artificial material. If you think about it, the human cell itself has storage capacity. Maybe one human cell being that small can store gigabytes or terabytes of information," Chereshnev says. "What we need to do is to learn the abilities of the human body or biology of those technologies in order to understand how to implement them correctly. I'm really fascinated to learn. It's very cool to be like the Indiana Jones of biohacking."
NORWAY ADDING MOBILE TO ITS BANKID PROGRAM
POPULAR AUTHENTICATION TECH ADDING MOBILE CAPABILITIES
The issues surrounding digital identity are often thought of as a recent problem. The U.S., UK and Canada are all taking different roads to solve them, but Norway is about to launch the second generation of BankID, which the vast majority of Norwegians already have and use. Since 2000 all Norwegian banks have been working together to create a PKI-enabled identity system for customers, says Hege Steinsland, communications and marketing representative at BankID in Norway. The first credentials were issued in 2004 for access to banking services, and today 3.5 million Norwegians use it not just for banking but for a range of other services. In 2015 BankID was used 430 million times, a number that has increased year by year as more services are made available. Customers can use their BankID to lease a car, rent an apartment or enroll in college. BankID is offered from the age of 15, but for those under 18, parents
must give their approval before the bank issues a BankID. This can be done online, with parents using their own BankID to sign the agreement. The bank identifies the customer in person, and the customer is subsequently issued the credential. It is a two-factor solution, with a key fob-style token, or an optional mobile app, and a BankID password. Having BankID makes self-service possible in many places, including the bank itself, applying for a student loan, getting a driver license and checking health records. The credential has even been enabled for electronic voting in a local municipality.
Customers interact with the system as with other two-factor authentication systems: they enter a username and password followed by the code from the token. The primary use of the token is for secure payments with Visa and MasterCard, but people can also put in bids on houses, start new electricity service and interact with public agencies. BankID is also looking to enable the system for employee use in corporate environments.
Almost 900,000 customers have opted to add BankID to their mobile device, a supplementary solution that enables them to use it when they have forgotten their key fobs. An upcoming step is to enable the credential to secure mobile apps residing on the handset. Encap Security was selected by BankID for the pilot program to test in-app authentication, taking advantage of Norway's high level of smartphone penetration to create a mobile-first, frictionless user experience. Encap's 'Smarter Authentication' is a device-based, multi-factor platform that removes the need for key fobs by enabling authentication to take place inside an app. Encap takes advantage of the device's authentication capability, Apple's Touch ID for example, and lets that be used to verify the customer.